
ACLs

david foley
Level 1

Trying to set up ACLs

I have 3 routers with PCs on each. On R1, deny PC1 to PC3, and on R2, for PC2 only allow www and permit nothing else.

So far I have this:

on Router 3

ip access-list standard no_access

deny PC1 IP address Wild Card

Permit any

access-list 101 permit tcp PC2 IP address - Wild Card any eq 80

access-list 101 permit ip any any

ip access-group 101 in

This seems to be overwriting the standard ACL, and PC2 can still ping by ICMP and Telnet. Do I need to block all of them, or is there a command which allows me to enter in and all ports are blocked bar HTTP?

11 Replies

Collin Clark
VIP Alumni

It's not overwriting the standard ACL. You are applying ACL 101 to the interface not the standard ACL. You can only apply one ACL to an interface per direction. You will need to add (and adjust) the standard ACL to ACL 101 to accomplish the filtering you are looking for.

I have

Router(config)#access-list 101 deny tcp 172.190.0.64 0.0.0.28 any eq www
Router(config)#access-list 101 deny tcp 172.190.0.64 0.0.0.28 any eq ftp
Router(config)#access-list 101 deny tcp 172.190.0.64 0.0.0.28 any eq telnet
Router(config)#access-list 101 deny tcp 172.190.0.64 0.0.0.28 any eq smtp
Router(config)#access-list 101 deny tcp 172.190.0.32 0.0.0.28 any eq smtp
Router(config)#access-list 101 deny tcp 172.190.0.32 0.0.0.28 any eq telnet
Router(config)#access-list 101 deny tcp 172.190.0.32 0.0.0.28 any eq ftp
Router(config)#access-list 101 permit tcp 172.190.0.32 0.0.0.28 any eq www

Router(config)#access-list 101 permit ip any any
Router(config)#int fa0/0
Router(config-if)#ip access-group 101 in
Router(config-if)#exit

Router#show access-list 101
Extended IP access list 101
    deny tcp 172.190.0.64 0.0.0.28 any eq www
    deny tcp 172.190.0.64 0.0.0.28 any eq 20
    deny tcp 172.190.0.64 0.0.0.28 any eq ftp
    deny tcp 172.190.0.64 0.0.0.28 any eq telnet
    deny tcp 172.190.0.64 0.0.0.28 any eq smtp
    deny tcp 172.190.0.64 0.0.0.28 any eq 465
    deny tcp 172.190.0.32 0.0.0.28 any eq 465
    deny tcp 172.190.0.32 0.0.0.28 any eq 20
    deny tcp 172.190.0.32 0.0.0.28 any eq ftp
    deny tcp 172.190.0.32 0.0.0.28 any eq smtp
    deny tcp 172.190.0.32 0.0.0.28 any eq telnet
    permit tcp 172.190.0.32 0.0.0.28 any eq www
    permit ip any any (7 match(es))

And still able to ping from both PCs. Could my wildcard be wrong? I have 172.190.0.64/27, so that's 224 taken off 252 = 28.

172.190.0.32/27, so that again is 224 taken off 252 = 28.

Hi,

And still able to ping from both PCs. Could my wildcard be wrong? I have 172.190.0.64/27, so that's 224 taken off 252 = 28.

This is 255 - 224 = 31.

Regards.

Alain.

Don't forget to rate helpful posts.

Router#show access-list
Extended IP access list 102
    deny tcp 172.190.0.64 0.0.0.31 any eq www
    deny tcp 172.190.0.64 0.0.0.31 any eq ftp
    deny tcp 172.190.0.64 0.0.0.31 any eq telnet
    deny tcp 172.190.0.64 0.0.0.31 any eq smtp
    deny tcp 172.190.0.32 0.0.0.31 any eq ftp
    deny tcp 172.190.0.32 0.0.0.31 any eq smtp
    deny tcp 172.190.0.32 0.0.0.31 any eq telnet
    permit tcp 172.190.0.32 0.0.0.31 any eq www
    permit ip any any (11 match(es))
Router#

Still pinging. I can't understand it. Why are they able to ping?

Hi David,

All you have in the deny statements is different TCP ports. If you need to block ICMP then you need a statement like:

deny icmp x.x.x.x 0.0.0.31 any

Also, for the access list to work the traffic needs to go through that interface. If you are trying to filter traffic inside a VLAN then you need a different solution.

Manish

Hi manisharora111,

I have no VLANs.

Just 3 routers, 2 PCs and a server. I have all the commands on the server router,

trying to stop the packets going in on FA0/0.

OK, then you need to add a deny icmp to block ping:

Router#show access-list
Extended IP access list 102
    deny tcp 172.190.0.64 0.0.0.31 any eq www
    deny tcp 172.190.0.64 0.0.0.31 any eq ftp
    deny tcp 172.190.0.64 0.0.0.31 any eq telnet
    deny tcp 172.190.0.64 0.0.0.31 any eq smtp
    deny tcp 172.190.0.32 0.0.0.31 any eq ftp
    deny tcp 172.190.0.32 0.0.0.31 any eq smtp
    deny tcp 172.190.0.32 0.0.0.31 any eq telnet

    deny icmp 172.190.0.32 0.0.0.31 any
    permit tcp 172.190.0.32 0.0.0.31 any eq www
    permit ip any any (11 match(es))
Router#

Please make sure the deny statement is before the permit any any statement; use line numbers for that purpose.

Manish

OK, thanks man, got it working,

but nothing can ping it now. At least it's a start.

Well yes, it will block all pings unless you use deny icmp 172.190.0.32 0.0.0.31 network subnetmask instead of any. With any it will block ping to all destinations.

Manish

Sent from Cisco Technical Support iPhone App

Extended IP access list 102
    deny tcp 172.190.0.64 0.0.0.31 any eq www
    deny tcp 172.190.0.64 0.0.0.31 any eq ftp
    deny tcp 172.190.0.64 0.0.0.31 any eq telnet
    deny tcp 172.190.0.64 0.0.0.31 any eq smtp
    deny tcp 172.190.0.32 0.0.0.31 any eq smtp
    deny tcp 172.190.0.32 0.0.0.31 any eq telnet
    deny tcp 172.190.0.32 0.0.0.31 any eq ftp
    deny icmp 172.190.0.32 0.0.0.31 host 172.190.0.78
    deny icmp 172.190.0.64 0.0.0.31 host 172.190.0.78
    permit tcp 172.190.0.32 0.0.0.31 any eq www
    permit ip any any
Router#

Is this right?

OK, I got the ACLs working, but wanted to check that port 80 on the ISP is working for Router 2; I blocked every other port.

I added a server on the ISP, gave it the 172.190.1.2 IP address with gateway 172.190.1.1, and checked that all devices can ping it, and they can.

PC2 can't, which is right, but it gives me a timeout when I open a web browser and enter the server's IP address, which should allow me to ping the server by means of HTTP.



R2#show access-list
Extended IP access list sl_def_acl
     deny tcp any any eq telnet
     deny tcp any any eq www
     deny tcp any any eq 22
     permit tcp any any eq 22
Extended IP access list EXTEND-1
     deny ip 172.190.0.32 0.0.0.31 any
     deny ip 172.190.0.32 0.0.0.31 host 199.1.1.37
     permit ip any any
     permit tcp 172.190.0.32 0.0.0.31 eq www host 199.1.1.37
     deny tcp 172.190.0.32 0.0.0.31 eq ftp host 199.1.1.37
     deny tcp 172.190.0.32 0.0.0.31 eq pop3 host 199.1.1.37
     deny tcp 172.190.0.32 0.0.0.31 eq smtp host 199.1.1.37
     deny icmp 172.190.0.32 0.0.0.31 host 199.1.1.37
Extended IP access list 102
     deny tcp 172.190.0.32 0.0.0.31 eq ftp host 199.1.1.37
     deny tcp 172.190.0.32 0.0.0.31 eq smtp host 199.1.1.37
     deny tcp 172.190.0.32 0.0.0.31 eq pop3 host 199.1.1.37
     deny icmp 172.190.0.32 0.0.0.31 host 199.1.1.37
     deny tcp 172.190.0.32 0.0.0.31 eq telnet host 199.1.1.37
     permit tcp 172.190.0.32 0.0.0.31 eq www host 199.1.1.37
     permit ip 172.190.0.0 0.0.0.3 any
     permit ip 172.190.0.12 0.0.0.3 any (1 match(es))
     permit ip 172.190.0.4 0.0.0.3 any
     permit ip 172.190.0.16 0.0.0.3 any
     permit ip 172.190.0.20 0.0.0.3 any
     permit ip 172.190.0.80 0.0.0.7 any
     permit ip 172.190.0.72 0.0.0.7 any (22 match(es))
     permit ip 172.190.0.64 0.0.0.31 any (1 match(es))
    permit tcp 172.190.0.32 0.0.0.31 eq www host 172.190.1.2
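Three points the thread turns on can be checked offline: the wildcard mask for a /27 (Alain's 255 - 224 = 31, against the 0.0.0.28 first used), the fact that a list of TCP-port denies never touches an ICMP echo until a deny icmp line is added above the permits (Manish's post), and where an eq www qualifier sits in an extended ACE (placed after the source address it matches the source port; placed after the destination it matches the destination port, which is what a browser connection to a web server needs). The following Python is an added example, not code from the thread or from Cisco. The hosts 172.190.0.40 and 172.190.0.70 and the ephemeral ports are constructed; the ACL lines are modelled on those posted above; the evaluator implements only the subset of extended-ACL syntax that appears in the thread (any / host / address-wildcard, an optional eq port, no range, gt, established or log).

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Port keywords exactly as IOS prints them in the ACLs above.
PORT_NAMES = {"www": 80, "ftp": 21, "telnet": 23, "smtp": 25, "pop3": 110}


def wildcard_for_prefix(prefix_len: int) -> str:
    """Wildcard mask for a CIDR prefix: the bitwise inverse of the subnet mask.
    /27 -> mask 255.255.255.224 -> wildcard 0.0.0.31 (255 - 224, not 252 - 224)."""
    netmask = int(ipaddress.IPv4Network(f"0.0.0.0/{prefix_len}").netmask)
    return str(ipaddress.IPv4Address(netmask ^ 0xFFFFFFFF))


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)


def _take_addr(tok: List[str], i: int) -> Tuple[Tuple[str, str], int]:
    """Consume one address spec: 'any' | 'host A' | 'A W'. Returns ((base, wildcard), next)."""
    if tok[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    if tok[i] == "host":
        return (tok[i + 1], "0.0.0.0"), i + 2
    return (tok[i], tok[i + 1]), i + 2


def _take_port(tok: List[str], i: int) -> Tuple[Optional[int], int]:
    """Consume an optional 'eq <port>' qualifier; None means 'any port'."""
    if i < len(tok) and tok[i] == "eq":
        name = tok[i + 1]
        return (PORT_NAMES[name] if name in PORT_NAMES else int(name)), i + 2
    return None, i


def parse_ace(line: str) -> Dict:
    """Parse one extended ACE as IOS prints it, e.g.
    'deny tcp 172.190.0.32 0.0.0.31 any eq www (11 match(es))'; the counter is ignored."""
    tok = line.split("(")[0].split()
    action, proto = tok[0], tok[1]
    src, i = _take_addr(tok, 2)
    sport, i = _take_port(tok, i)   # 'eq' right after the source = SOURCE port
    dst, i = _take_addr(tok, i)
    dport, i = _take_port(tok, i)   # 'eq' after the destination = DESTINATION port
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dst": dst, "dport": dport}


def evaluate(acl: List[str], proto: str, src: str, dst: str,
             sport: Optional[int] = None, dport: Optional[int] = None) -> str:
    """Walk the ACL top-down; the first matching ACE decides. No match -> implicit deny."""
    for line in acl:
        ace = parse_ace(line)
        if ace["proto"] not in ("ip", proto):
            continue
        if not (wildcard_match(src, *ace["src"]) and wildcard_match(dst, *ace["dst"])):
            continue
        if ace["sport"] is not None and ace["sport"] != sport:
            continue
        if ace["dport"] is not None and ace["dport"] != dport:
            continue
        return ace["action"]
    return "deny"  # implicit deny at the end of every IOS ACL


# Constructed ACLs, modelled on the ones posted in the thread.
TCP_ONLY_ACL = [
    "deny tcp 172.190.0.32 0.0.0.31 any eq ftp",
    "deny tcp 172.190.0.32 0.0.0.31 any eq smtp",
    "deny tcp 172.190.0.32 0.0.0.31 any eq telnet",
    "permit tcp 172.190.0.32 0.0.0.31 any eq www",
    "permit ip any any (11 match(es))",
]
# Same list with an ICMP deny scoped to one destination host, placed above the permits.
WITH_ICMP_DENY = TCP_ONLY_ACL[:3] + ["deny icmp 172.190.0.32 0.0.0.31 host 172.190.0.78"] + TCP_ONLY_ACL[3:]
# An ACE with 'eq www' on the SOURCE side, as in the last ACL shown in the thread.
SRC_PORT_ACE = ["permit tcp 172.190.0.32 0.0.0.31 eq www host 172.190.1.2"]

PC2 = "172.190.0.40"     # constructed host in 172.190.0.32/27
SERVER = "172.190.0.78"  # host address from the thread
OTHER = "172.190.0.70"   # constructed host in 172.190.0.64/27
WEB = "172.190.1.2"      # ISP web server address from the thread


def demo() -> Dict[str, object]:
    """The checks a practitioner would want; each key is explained inline."""
    return {
        # /27 -> 0.0.0.31; with 0.0.0.28 a host such as .33 is silently not matched
        "wildcard_27": wildcard_for_prefix(27),
        "wc28_matches_33": wildcard_match("172.190.0.33", "172.190.0.32", "0.0.0.28"),
        "wc31_matches_33": wildcard_match("172.190.0.33", "172.190.0.32", "0.0.0.31"),
        # TCP-port denies never see an ICMP echo: it falls through to 'permit ip any any'
        "ping_tcp_only_acl": evaluate(TCP_ONLY_ACL, "icmp", PC2, SERVER),
        "ping_with_icmp_deny": evaluate(WITH_ICMP_DENY, "icmp", PC2, SERVER),
        "ping_other_dest": evaluate(WITH_ICMP_DENY, "icmp", PC2, OTHER),
        # HTTP from PC2 is still permitted, telnet still denied
        "http_from_pc2": evaluate(WITH_ICMP_DENY, "tcp", PC2, SERVER, sport=51000, dport=80),
        "telnet_from_pc2": evaluate(WITH_ICMP_DENY, "tcp", PC2, SERVER, sport=51001, dport=23),
        # a browser uses an ephemeral SOURCE port, so 'eq www' after the source never matches it
        "browse_src_port_ace": evaluate(SRC_PORT_ACE, "tcp", PC2, WEB, sport=51002, dport=80),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:22} {value}")
```

Running the block prints one line per check. The evaluator is deliberately first-match-wins with a trailing implicit deny, which is why the order of the deny icmp line relative to permit ip any any matters, and why an ACE whose port qualifier is on the wrong side of the destination ends in the implicit deny for normal client traffic.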