05-02-2011 12:14 PM - edited 03-04-2019 12:14 PM
Hi All,
I'm working with a client who has a Cisco 891W router. I'm trying to establish a simple ACL that will permit connections only to certain ports from the WAN, simple things like 3389, 25, 110, 80, etc. I created what I thought was a correct ACL, but when applied to the Inbound WAN, it blocks all traffic, and renders the internet connection useless. I've attached the Running Config file in the hopes someone can take a look and correct me. ACLs 100-109 were auto created apparently by the Cisco Configuration Professional software I was using. ACL 150 was created by me, but will not be used. ACL 155 is the one I've created and am trying to use to block incoming connections. Please let me know if any more detail is needed. Thanks so much for the help.
Joe
Edit: Removed the actual WAN IP, and replaced with 333.333.333.x instead.
05-02-2011 02:59 PM
Hi there,
As far as the ACL goes, I'm assuming you will be putting this inbound on the WAN side? If that's the case it certainly won't work.
The main reason for it not working is because you have RFC1918 addresses as the destination, where these are on the inside of the router.
Try changing the 192.168.16.xx addresses to the correct 333.333.333.xxx address.
Also, I'd advise putting an explicit "deny ip any any log" at the end of the ACL so you can see stats for dropped packets.
Good luck with it!
Brad
05-02-2011 11:36 PM
Hi Joe,
What I understand is that you want to restrict your incoming connections from the internet on your WAN interface.
In your config the ACLs are configured for private IPs only, but how can anyone from the internet know your private IP range?
So I hope you want to allow incoming connections from only particular networks or on a few ports. Then it is simple: just define access-lists like below and apply on your WAN interface.
ip access-list extended Outside_access
 permit tcp 206.206.206.0 0.0.0.15 host 333.333.333.444 eq 3389
 permit tcp 195.195.195.0 0.0.0.255 host 333.333.333.333 eq 22
 remark wildcard 0.0.0.255 on the next line is assumed (not given in the post)
 permit tcp 145.145.145.0 0.0.0.255 host 333.333.333.333 eq 80
 deny ip any host 333.333.333.444
 deny ip any host 333.333.333.333
 deny ip any host 333.333.333.555
 deny ip any host 333.333.333.666
 permit ip any any
!
interface GigabitEthernet0
 ip access-group Outside_access in
Hope the above helps you.
Please click on the correct answer if this answered your question.
Regards,
Naidu.
05-03-2011 12:22 PM
Thanks for the responses. You were both correct, in that I needed to use the public addresses and not the private addresses in my ACL. I've applied it and it works as I need it to, but with one downside that I now have to correct. Once applied, this ACL kills all DNS resolution. I can ping by IP address, but not by name. I added a line to the ACL, permit tcp any any established, but this didn't help. I'm tinkering with other permit lines to allow DNS, but haven't quite got it right yet. Any thoughts?
Edit: I was able to figure it out. Thanks so much guys
05-03-2011 11:09 PM
Hi,
Do you have your DNS address in the below access-list which we applied under the WAN interface? (GigabitEthernet0)
I think you must permit the DNS server on the particular port, since the ACL is stopping DNS resolution from outside.
ip access-list extended Outside_access
 permit tcp 206.206.206.0 0.0.0.15 host 333.333.333.444 eq 3389
 permit tcp 195.195.195.0 0.0.0.255 host 333.333.333.333 eq 22
 remark wildcard 0.0.0.255 on the next line is assumed (not given in the post)
 permit tcp 145.145.145.0 0.0.0.255 host 333.333.333.333 eq 80
 deny ip any host 333.333.333.444
 deny ip any host 333.333.333.333
 deny ip any host 333.333.333.555
 deny ip any host 333.333.333.666
 permit ip any any
Please click on the correct answer on all posts if they answered your question.
Regards,
Naidu.
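An inbound WAN ACL that also covers the DNS breakage Joe hit after applying the public-address version, written here as an added example rather than any poster's configuration. It assumes 333.333.333.444 (Joe's placeholder, to be replaced with the real public address) is the router's WAN address that the LAN is NATed behind, that the LAN resolves names through recursive resolvers on the internet, that only the ports Joe listed (3389, 25, 110, 80) must be reachable from outside, and that 206.206.206.0/28 (Naidu's placeholder) is the only network allowed to reach RDP.

```cisco
ip access-list extended Outside_access
 remark Added example, not a poster's config; 333.333.333.444 is the
 remark thread's placeholder for the real public WAN address
 remark Services reachable from the internet (the ports Joe listed)
 permit tcp 206.206.206.0 0.0.0.15 host 333.333.333.444 eq 3389
 permit tcp any host 333.333.333.444 eq smtp
 permit tcp any host 333.333.333.444 eq pop3
 permit tcp any host 333.333.333.444 eq www
 remark Replies to TCP sessions the LAN opened (ACK or RST bit set)
 permit tcp any host 333.333.333.444 established
 remark DNS is UDP, so 'established' never matches it: allow replies
 remark from resolvers (source port 53) back to the NATed WAN address
 permit udp any eq domain host 333.333.333.444
 remark ICMP the LAN needs back: ping replies, PMTUD, traceroute
 permit icmp any host 333.333.333.444 echo-reply
 permit icmp any host 333.333.333.444 unreachable
 permit icmp any host 333.333.333.444 time-exceeded
 remark Explicit logged deny so dropped packets are counted and visible
 deny ip any any log
!
interface GigabitEthernet0
 ip access-group Outside_access in
```

Check hit counts per line with `show ip access-lists Outside_access`; because `established` only inspects TCP flags, a stateful inspect (CBAC `ip inspect` or the zone-based firewall, both available on this platform) is the more robust way to admit return traffic than hand-written reply permits.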