cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
651
Views
0
Helpful
4
Replies

Problem with my ACL

Joe
Level 1
Level 1

Hi All,

I'm working with a client who has a Cisco 891W router.  I'm trying to  establish a simple ACL that will permit connections only to certain  ports from the WAN, simple things like 3389, 25, 110, 80, etc.  I  created what I thought was a correct ACL, but when applied to the  Inbound WAN, it blocks all traffic, and renders the internet connection  useless.  I've attached the Running Config file in the hopes someone can  take a look and correct me.  ACL's 100-109 were auto created apparently  by the Cisco Configuration Professional software I was using.  ACL 150  was created by me, but will not be used.  ACL 155 is the one Ive created  and am trying to use to block incoming connections.  Please let me know  if any more detail is needed.  Thanks so much for the help.

Joe

Edit:  Removed the actual WAN IP, and replaced with 333.333.333.x instead.

2 Accepted Solutions

Accepted Solutions

bmcginn
Level 3
Level 3

Hi there,

As far as the ACL goes, I'm assuming you will be putting this inbound on the WAN side?  If that's the case it certainly won't work.

The main reason for it not working is because you have RFC1918 addresses as the destination, where these are on the inside of the router.

Try changing the 192.168.16.xx addresses with the correct 333.333.333.xxx address.

Also, I'd advise putting an explicit "deny ip any any log" at the end of the ACL so you can see stats for dropped packets.

Good luck with it!

Brad

View solution in original post

Hi Joe,

What I understand is that you want restrict your incoming connections from internet on your WAN interface.

In your config the ACL's are configured for private IP's only but how anyone from internet can know your private IP range.

So I hope you want allow incoming connections from only particular networks or on few ports. Then it is simple just define access-lists like below and appliy on your WAN interface.

ip access-list extended Outside_access
permit ip tcp 206.206.206.0 0.0.0.15 host 333.333.333.444 eq 3389
permit ip tcp 195.195.195.0 0.0.0.255 host 333.333.333.333 eq 22
permit ip tcp 145.145.145.0 host 333.333.333.333 eq 80
deny ip any host 333.333.333.444
deny ip any host 333.333.333.333
deny ip any host 333.333.333.555
deny ip any host 333.333.333.666
permit ip any any


interface GigabitEthernet0
ip access-group Outside_access in

Hope the above will helps you.

Please click on the correct answer if this answered your question.
Regards,
Naidu.

View solution in original post

4 Replies 4

bmcginn
Level 3
Level 3

Hi there,

As far as the ACL goes, I'm assuming you will be putting this inbound on the WAN side?  If that's the case it certainly won't work.

The main reason for it not working is because you have RFC1918 addresses as the destination, where these are on the inside of the router.

Try changing the 192.168.16.xx addresses with the correct 333.333.333.xxx address.

Also, I'd advise putting an explicit "deny ip any any log" at the end of the ACL so you can see stats for dropped packets.

Good luck with it!

Brad

Hi Joe,

What I understand is that you want restrict your incoming connections from internet on your WAN interface.

In your config the ACL's are configured for private IP's only but how anyone from internet can know your private IP range.

So I hope you want allow incoming connections from only particular networks or on few ports. Then it is simple just define access-lists like below and appliy on your WAN interface.

ip access-list extended Outside_access
permit ip tcp 206.206.206.0 0.0.0.15 host 333.333.333.444 eq 3389
permit ip tcp 195.195.195.0 0.0.0.255 host 333.333.333.333 eq 22
permit ip tcp 145.145.145.0 host 333.333.333.333 eq 80
deny ip any host 333.333.333.444
deny ip any host 333.333.333.333
deny ip any host 333.333.333.555
deny ip any host 333.333.333.666
permit ip any any


interface GigabitEthernet0
ip access-group Outside_access in

Hope the above will helps you.

Please click on the correct answer if this answered your question.
Regards,
Naidu.

Thanks for the responses.  You were both correct, in that I needed to use the public addresses and not the private addresses in my ACL.  Ive applied it and it works as I need it to, but with one downside that I now have to correct.  Once applied, this ACL kills all DNS resolution.  I can ping by ip address, but not by name.  I added a line to the ACL, permit tcp any any established, but this didn't help.  I'm tinkering with other permit lines to allow DNS, but haven't quite got it right yet.  Any thoughts?

Edit:  I was able to figure it out.  Thanks so much guys

Hi,

Do you have your DNS address in the below access-list which we applied under the WAN interface? (GigabitEthernet0)
I think you must have permit the DNS server on the particular port so that it is stoping dns resolutions from outside.

ip access-list extended Outside_access
permit ip tcp 206.206.206.0 0.0.0.15 host 333.333.333.444 eq 3389
permit ip tcp 195.195.195.0 0.0.0.255 host 333.333.333.333 eq 22
permit ip tcp 145.145.145.0 host 333.333.333.333 eq 80
deny ip any host 333.333.333.444
deny ip any host 333.333.333.333
deny ip any host 333.333.333.555
deny ip any host 333.333.333.666
permit ip any any


please click on the correct answer on all posts if they answered your question.
Regards,
Naidu.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: