Solved

Stop IP from surfing in Cisco 2620

Posted on 2004-09-04
18
366 Views
Last Modified: 2010-04-17
Need step-by-step instructions to prevent an IP address from surfing past the local server.

The previous programmer was never able to get it working.

They have this in our router:

access-list 101 deny     ip host  65.169.223.181 any

But then after this they have

access-list 101 permit   ip 65.169.223.0  0.0.1.255 any

Shouldn't the deny be after the permit?

Can anyone help me fix this? To earn the points you must be able to instruct me so that it works.

Thanks
Bob Ross
Question by:bross073097
18 Comments
 
LVL 79

Expert Comment

by:lrmoore
ID: 11981675
The construct is correct.
The Deny should come first, then the permit.
Access-lists are processed top-down. To deny this one host from getting out, it must come first, else the permit for the whole subnet will be processed first, and nothing will reach the deny statement.

I would have to see more of your config.
Are you using public IP addresses on the inside of your network?
How is the access-list applied? Which interface and which direction - in or out?
 

Author Comment

by:bross073097
ID: 11981897
We have public IPs. What we have is a temporary user that can log in but not surf, which will allow them to sign up for the service. We assign the signup user the IP address 65.169.223.181.

If you have another easier way to do this, I'm open to any suggestions or help to get it done.

Here is my cisco conf. I have deleted all entries of passwords to be safe.

Thanks for your help.

KingmanAZ#show conf
Using 2793 out of 29688 bytes
!
version 11.3
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname KingmanAZ
!
enable secret 5 (Deleted)
enable password 7 (Deleted)
!
memory-size iomem 20
ip subnet-zero
ip name-server 204.117.214.10
ip name-server 204.97.212.10
ip name-server 199.2.252.10
!
!
process-max-time 200
!
interface Ethernet0/0
 ip address 65.172.18.1 255.255.255.128 secondary
  ip address 65.172.18.1 255.255.255.128 secondary
 ip address 65.169.223.1 255.255.255.0
 no ip directed-broadcast
!
interface Serial0/0
 ip address 144.228.77.174 255.255.255.252
 ip access-group 104 in
 no ip redirects
 no ip directed-broadcast
 no ip route-cache
 no ip mroute-cache
 service-module t1 timeslots 1-24
!
interface Serial0/0.1
 no ip route-cache
 no ip mroute-cache
!
interface Serial0/1
 no ip address
 encapsulation ppp
 shutdown
!
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/0
ip route 0.0.0.0 0.0.0.0 Serial0/0
ip route 65.172.19.0 255.255.255.0 65.169.223.171
!
no logging console
access-list 10 permit 65.192.90.195
access-list 10 permit 64.113.39.210
access-list 10 permit 64.113.39.211
access-list 101 deny   ip host 65.169.223.181 any
access-list 101 permit ip 65.172.18.0 0.0.1.255 any
access-list 101 permit ip 65.169.223.0 0.0.0.255 any
access-list 101 permit ip 65.172.19.0 0.0.0.255 any
access-list 102 deny   ip any host 65.172.18.0
access-list 102 deny   ip any host 65.172.18.127
access-list 102 deny   ip any host 65.172.18.128
access-list 102 deny   ip any host 65.172.18.255
access-list 102 deny   ip any host 65.172.19.0
access-list 102 deny   ip any host 65.172.19.255
access-list 102 deny   ip any host 65.169.223.0
access-list 102 deny   ip any host 65.169.223.255
access-list 102 deny   tcp any any eq 137
access-list 102 deny   tcp any any eq 138
access-list 102 deny   tcp any any eq 139
access-list 102 deny   udp any any eq netbios-ns
access-list 102 deny   udp any any eq netbios-dgm
access-list 102 deny   udp any any eq netbios-dgm
access-list 102 deny   udp any any eq netbios-ss
access-list 102 deny   ip 10.0.0.0 0.255.255.255 any
access-list 102 deny   ip 172.16.0.0 0.15.255.255 any
access-list 102 deny   ip 192.168.0.0 0.0.255.255 any
access-list 102 deny   ip host 255.255.255.255 any
access-list 102 permit ip any any
access-list 103 deny   ip host 65.169.223.181 any
access-list 103 deny   tcp any any range 135 139
access-list 103 deny   udp any any range 135 netbios-ss
access-list 103 permit ip 65.172.18.0 0.0.1.255 any
access-list 103 permit ip 65.169.223.0 0.0.0.255 any
access-list 103 permit ip 65.172.19.0 0.0.0.255 any
access-list 104 deny   icmp any any echo
access-list 104 permit ip any any
access-list 104 permit tcp any any
access-list 104 permit udp any any
snmp-server community eagles RO 10
!
line con 0
 exec-timeout 0 0
line aux 0
line vty 0 4
 password 7 (Deleted)
 login
!
no scheduler allocate
end  

 
LVL 79

Expert Comment

by:lrmoore
ID: 11981965
Access-list 102 is full of bogus entries, and it is not applied anywhere, so get rid of it.
Access-list 103 is not applied anywhere, so you can get rid of it, too:

no access-list 102
no access-list 103

Access-list 101 is your control acl, but it is not applied anywhere. You should apply it to the Ethernet interface:

interface Ethernet0/0
 ip access-group 101 in

Are you trying to prevent pings, or what is the purpose of this acl entry?
>access-list 104 deny   icmp any any echo

 
LVL 11

Expert Comment

by:billwharton
ID: 11981979
Your access list is perfect. You just need this command

interface Ethernet0/0
ip access-group 101 in
 
LVL 11

Expert Comment

by:billwharton
ID: 11981991
To help you understand Access lists just a bit further, there is always an implicit deny at the end of each access list. Hence, there is an imaginary last line in the access list which states 'deny ip any any'.

Just to illustrate what your access list 101 does:
access-list 101 deny   ip host 65.169.223.181 any
access-list 101 permit ip 65.172.18.0 0.0.1.255 any
access-list 101 permit ip 65.169.223.0 0.0.0.255 any
access-list 101 permit ip 65.172.19.0 0.0.0.255 any

The first line denies host 65.169.223.181 access to anything. The next 3 lines allow those particular networks access to everything. That's the end of your access list and if any other networks excepting these three try accessing resources through your router, they wouldn't get through as they would be blocked by the implicit deny at the end as I previously stated.

Let me know if you need any further information.
 
LVL 79

Expert Comment

by:lrmoore
ID: 11982022
At least we agree on the solution. Thanks for the backup, bill...
 

Author Comment

by:bross073097
ID: 11982219
I wasn't able to post for a little while. It kept asking me to join to read the rest.

Yes, we are stopping pings. All these lines were added almost 2 years ago, and the only thing that stopped working was the stopping of that IP from surfing.

When I enter in
interface Ethernet0/0
^
I get an invalid marker at '^'

Is there another way to enter this command?

Thanks
Bob Ross
 

Author Comment

by:bross073097
ID: 11982248
Cisco verified that these are supposed to be blocking netbios, and it shows a lot of deny counts under the command that shows the counts. I don't remember how to get the counts any more.

I'm not a cisco person, but can follow commands. But as I mentioned, these have been put here by someone else almost 2 years ago.

access-list 102 deny   tcp any any eq 137
access-list 102 deny   tcp any any eq 138
access-list 102 deny   tcp any any eq 139
access-list 102 deny   udp any any eq netbios-ns
access-list 102 deny   udp any any eq netbios-dgm
access-list 102 deny   udp any any eq netbios-dgm
access-list 102 deny   udp any any eq netbios-ss

 
LVL 79

Expert Comment

by:lrmoore
ID: 11982382
router>interface Ethernet0/0

you must be in enable, config mode:

router#config t
router(config)#interface Ethernet0/0
router(config-if)#access-group 101 in

Access-list 102 does define Netbios traffic, but it is not applied anywhere. There is no reason to apply it because this traffic is blocked by default anyway (udp broadcasts), unless you have something like ip helper-address configured on an Ethernet interface... Then you just close them down, without the overhead of an acl:
no ip forward-protocol udp 137
no ip forward-protocol udp 138
<etc>

 
LVL 79

Accepted Solution

by:
lrmoore earned 500 total points
ID: 11982390
>Yes, we are stopping pings.

Sort of. You can still ping from inside the network, do traceroutes, etc. You are only blocking inbound pings from outside. You can ping out, but can't be pinged...
Works for me, but you might want to think about blocking icmp going out. This was the #1 source of problems with MSBlast and Welchia type worms...
Simply add "deny icmp any any echo" to the top of acl 101


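As an added illustration (not code from anyone in this thread), here is a small Python model of three points made above: lrmoore's observation that an access list does nothing until it is bound to an interface with ip access-group, billwharton's walk-through of ACL 101 being processed top-down with an implicit deny ip any any at the end, and the accepted suggestion to put deny icmp any any echo at the top of ACL 101. The CONFIG string is a constructed excerpt of the configuration posted above; the matcher is a toy that understands only protocol, source, destination and an opaque trailing qualifier such as echo; and the destination addresses 198.51.100.10 and 203.0.113.5 are documentation-range placeholders, not hosts from the thread.

```python
import ipaddress
import re

# Constructed excerpt of the configuration posted in the thread above
# (only the lines this example needs; passwords were already removed by the poster).
CONFIG = """\
interface Ethernet0/0
 ip address 65.169.223.1 255.255.255.0
interface Serial0/0
 ip address 144.228.77.174 255.255.255.252
 ip access-group 104 in
access-list 101 deny   ip host 65.169.223.181 any
access-list 101 permit ip 65.172.18.0 0.0.1.255 any
access-list 101 permit ip 65.169.223.0 0.0.0.255 any
access-list 101 permit ip 65.172.19.0 0.0.0.255 any
access-list 104 deny   icmp any any echo
access-list 104 permit ip any any
"""


def take_addr(tokens):
    """Consume one IOS address spec ('any', 'host A.B.C.D', or 'A.B.C.D wildcard')."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    # IOS wildcard masks are hostmasks (1 bits = don't care); ipaddress accepts
    # them in the mask position. strict=False tolerates a base address with host bits set.
    return ipaddress.ip_network(f"{tok}/{tokens.pop(0)}", strict=False)


def parse_acls(config):
    """Return {acl_number: [(action, proto, src_net, dst_net, qualifiers), ...]} in config order."""
    acls = {}
    for line in config.splitlines():
        m = re.match(r"access-list (\d+) (permit|deny)\s+(\S+)\s+(.*)", line)
        if not m:
            continue
        num, action, proto, rest = m.groups()
        tokens = rest.split()
        src = take_addr(tokens)
        dst = take_addr(tokens)
        # Whatever is left ('echo', 'eq 137', ...) is kept as an opaque qualifier.
        acls.setdefault(num, []).append((action, proto, src, dst, tuple(tokens)))
    return acls


def unapplied_acls(config):
    """ACL numbers that are defined but never bound to an interface with 'ip access-group'."""
    defined = set(re.findall(r"^access-list (\d+)", config, re.M))
    applied = set(re.findall(r"ip access-group (\d+)", config))
    return sorted(defined - applied, key=int)


def evaluate(rules, proto, src_ip, dst_ip, qualifier=None):
    """Walk the ACL top-down; the first matching entry wins.

    Returns (action, 1-based entry number). No match means the implicit
    'deny ip any any' at the end of every IOS access list, reported as ("deny", None).
    """
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for lineno, (action, rproto, rsrc, rdst, extra) in enumerate(rules, 1):
        if rproto != "ip" and rproto != proto:
            continue
        if src not in rsrc or dst not in rdst:
            continue
        # A qualified entry (e.g. 'icmp ... echo') only matches packets carrying that qualifier.
        if extra and qualifier not in extra:
            continue
        return action, lineno
    return "deny", None


if __name__ == "__main__":
    acls = parse_acls(CONFIG)
    print("defined but not applied:", unapplied_acls(CONFIG))
    rules = acls["101"]
    print("signup host:", evaluate(rules, "tcp", "65.169.223.181", "198.51.100.10"))
    print("other inside host:", evaluate(rules, "tcp", "65.169.223.50", "198.51.100.10"))
    print("outsider:", evaluate(rules, "tcp", "203.0.113.5", "198.51.100.10"))
    # The order the question asked about: the deny moved after the permits.
    print("deny last:", evaluate(rules[1:] + rules[:1], "tcp", "65.169.223.181", "198.51.100.10"))
    # The accepted suggestion: 'deny icmp any any echo' at the top of ACL 101.
    hardened = parse_acls("access-list 101 deny icmp any any echo\n")["101"] + rules
    print("echo out:", evaluate(hardened, "icmp", "65.169.223.50", "198.51.100.10", "echo"))
    print("tcp out:", evaluate(hardened, "tcp", "65.169.223.50", "198.51.100.10"))
```

Running it reports ACL 101 as defined but not applied, shows the signup host hitting entry 1 (deny) while its neighbours hit entry 3 (permit), shows an address outside the three ranges falling through to the implicit deny, and shows that moving the deny after the permits lets the signup host through on entry 2. One caveat on the accepted suggestion: on the classic numbered access lists of IOS 11.3, new entries are appended at the end, so putting deny icmp any any echo at the top means removing ACL 101 with no access-list 101 and re-entering all entries in the intended order, then binding it with ip access-group 101 in on Ethernet0/0.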
 

Author Comment

by:bross073097
ID: 11982398
I'm not sure how to add that. Someone did that for us.

I'm working on the other now.
 

Author Comment

by:bross073097
ID: 11982401
It did not like 'group'; it gave the error 'invalid input detected at marker'

access-group 101 in
            ^

 
LVL 11

Expert Comment

by:billwharton
ID: 11982487
the command is 'ip access-group 101 in'

lrmoore - it seems both of us work at solving something at the same time; didn't realise you had already answered it when I clicked my 'submit' button :) Just curious, but you seem to be logged on 24 X 7. Are you trying to reach a personal goal of total points?
 

Author Comment

by:bross073097
ID: 11982621
Yes lrmoore did answer first.

Then I end with wr, correct?

Thanks
Bob Ross
 
LVL 79

Expert Comment

by:lrmoore
ID: 11982920
I got it right in my first post, just slipped up on it the second time...

Bill, I don't mind working problems with others. Sometimes I slip up and somebody mops up behind me, and sometimes I get the mop.
No personal goals. I'm only here for the challenge of helping others. I've seen more real-world issues to be solved than anyone could ever get out of books..
 
LVL 11

Expert Comment

by:billwharton
ID: 11982943
sure. Are you pursuing any certs by any chance? I'm doing a cisco one at the moment.
 
LVL 79

Expert Comment

by:lrmoore
ID: 11983833
Passed my written CCIE-Security, looking for time to study to take the practical..
May go after CISSP next..
 
LVL 11

Expert Comment

by:billwharton
ID: 11984086
lol

we are in the same boat. I've gotten my CISSP done in the past; it was an easy exam, and I am about to take the written. I'm just in two minds whether to build my own lab or rent lab time.
If you are interested in communicating on a one-to-one basis, I'm at bill_wharton AT mailhost.cjb.net