  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 380

Stop IP from surfing in Cisco 2620

Need step by step instruction to prevent an IP address from surfing past the local server.

The previous programmer was never able to get it working.

They have in our router

access-list 101 deny     ip host  65.169.223.181 any

But then after this they have

access-list 101 permit   ip 65.169.223.0  0.0.1.255 any

Shouldn't the deny be after the permit?

Can anyone help me fix this? To earn the points you must be able to instruct me to make it work.

Thanks
Bob Ross
Asked: bross073097
1 Solution
 
lrmoore Commented:
The construct is correct.
The Deny should come first, then the permit.
Access-lists are processed top-down. To deny this one host from getting out, it must come first, else the permit for the whole subnet will be processed first, and nothing will reach the deny statement.

I would have to see more of your config.
Are you using public IP addresses on the inside of your network?
How is the access-list applied? Which interface and which direction - in or out?
 
bross073097 (Author) Commented:
We have public IPs. What we have is a temporary user that can log in but not surf that will allow them to sign up for the service. We assign the user signup the IP address of 65.169.223.181

If you have another easier way to do this, I'm open to any suggestions or help to get it done.

Here is my Cisco config. I have deleted all entries of passwords to be safe.

Thanks for your help.

KingmanAZ#show conf
Using 2793 out of 29688 bytes
!
version 11.3
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname KingmanAZ
!
enable secret 5 (Deleted)
enable password 7 (Deleted)
!
memory-size iomem 20
ip subnet-zero
ip name-server 204.117.214.10
ip name-server 204.97.212.10
ip name-server 199.2.252.10
!
!
process-max-time 200
!
interface Ethernet0/0
 ip address 65.172.18.1 255.255.255.128 secondary
  ip address 65.172.18.1 255.255.255.128 secondary
 ip address 65.169.223.1 255.255.255.0
 no ip directed-broadcast
!
interface Serial0/0
 ip address 144.228.77.174 255.255.255.252
 ip access-group 104 in
 no ip redirects
 no ip directed-broadcast
 no ip route-cache
 no ip mroute-cache
 service-module t1 timeslots 1-24
!
interface Serial0/0.1
 no ip route-cache
 no ip mroute-cache
!
interface Serial0/1
 no ip address
 encapsulation ppp
 shutdown
!
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/0
ip route 0.0.0.0 0.0.0.0 Serial0/0
ip route 65.172.19.0 255.255.255.0 65.169.223.171
!
no logging console
access-list 10 permit 65.192.90.195
access-list 10 permit 64.113.39.210
access-list 10 permit 64.113.39.211
access-list 101 deny   ip host 65.169.223.181 any
access-list 101 permit ip 65.172.18.0 0.0.1.255 any
access-list 101 permit ip 65.169.223.0 0.0.0.255 any
access-list 101 permit ip 65.172.19.0 0.0.0.255 any
access-list 102 deny   ip any host 65.172.18.0
access-list 102 deny   ip any host 65.172.18.127
access-list 102 deny   ip any host 65.172.18.128
access-list 102 deny   ip any host 65.172.18.255
access-list 102 deny   ip any host 65.172.19.0
access-list 102 deny   ip any host 65.172.19.255
access-list 102 deny   ip any host 65.169.223.0
access-list 102 deny   ip any host 65.169.223.255
access-list 102 deny   tcp any any eq 137
access-list 102 deny   tcp any any eq 138
access-list 102 deny   tcp any any eq 139
access-list 102 deny   udp any any eq netbios-ns
access-list 102 deny   udp any any eq netbios-dgm
access-list 102 deny   udp any any eq netbios-dgm
access-list 102 deny   udp any any eq netbios-ss
access-list 102 deny   ip 10.0.0.0 0.255.255.255 any
access-list 102 deny   ip 172.16.0.0 0.15.255.255 any
access-list 102 deny   ip 192.168.0.0 0.0.255.255 any
access-list 102 deny   ip host 255.255.255.255 any
access-list 102 permit ip any any
access-list 103 deny   ip host 65.169.223.181 any
access-list 103 deny   tcp any any range 135 139
access-list 103 deny   udp any any range 135 netbios-ss
access-list 103 permit ip 65.172.18.0 0.0.1.255 any
access-list 103 permit ip 65.169.223.0 0.0.0.255 any
access-list 103 permit ip 65.172.19.0 0.0.0.255 any
access-list 104 deny   icmp any any echo
access-list 104 permit ip any any
access-list 104 permit tcp any any
access-list 104 permit udp any any
snmp-server community eagles RO 10
!
line con 0
 exec-timeout 0 0
line aux 0
line vty 0 4
 password 7 (Deleted)
 login
!
no scheduler allocate
end  

 
lrmoore Commented:
Access-list 102 is full of bogus entries, and it is not applied anywhere, so get rid of it:
Access-list 103 is not applied anywhere, so you can get rid of it, too.

no access-list 102
no access-list 103

Access-list 101 is your control acl, but it is not applied anywhere. You should apply it to the Ethernet interface:

interface Ethernet0/0
 ip access-group 101 in

Are you trying to prevent pings, or what is the purpose of this acl entry?
>access-list 104 deny   icmp any any echo

 
billwharton Commented:
Your access list is perfect. You just need this command

interface Ethernet0/0
ip access-group 101 in
 
billwharton Commented:
To help you understand Access lists just a bit further, there is always an implicit deny at the end of each access list. Hence, there is an imaginary last line in the access list which states 'deny ip any any'.

Just to illustrate what your access list 101 does:
access-list 101 deny   ip host 65.169.223.181 any
access-list 101 permit ip 65.172.18.0 0.0.1.255 any
access-list 101 permit ip 65.169.223.0 0.0.0.255 any
access-list 101 permit ip 65.172.19.0 0.0.0.255 any

The first line denies host 65.169.223.181 access to anything. The next 3 lines allow those particular networks access to everything. That's the end of your access list and if any other networks excepting these three try accessing resources through your router, they wouldn't get through as they would be blocked by the implicit deny at the end as I previously stated.

Let me know if you need any further information.
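As an added example (not code from the thread or from Cisco), here is a small Python simulator of the behaviour lrmoore and bill describe: top-down, first-match evaluation of an extended ACL with the implicit 'deny ip any any' at the end, run over access-list 101 exactly as posted. It only parses the 'ip <host|network wildcard|any> any' entry form used in that list, and the sample input is copied from the thread.

```python
import ipaddress
import re
# Sample input constructed from the thread: access-list 101 as posted above.
ACL_101 = """
access-list 101 deny   ip host 65.169.223.181 any
access-list 101 permit ip 65.172.18.0 0.0.1.255 any
access-list 101 permit ip 65.169.223.0 0.0.0.255 any
access-list 101 permit ip 65.172.19.0 0.0.0.255 any
"""
# Only the 'ip <host|net wildcard|any> any' form used in that list is handled.
ENTRY = re.compile(
    r"access-list\s+\d+\s+(permit|deny)\s+ip\s+"
    r"(?:host\s+(\S+)|(\S+)\s+(\S+)|(any))\s+any$"
)

def parse_acl(text):
    """Return (action, source_network, wildcard) tuples in configured order."""
    entries = []
    for line in text.strip().splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            raise ValueError("unsupported entry: " + line)
        action, host, net, wild, anysrc = m.groups()
        if host:                      # 'host X' is X with wildcard 0.0.0.0
            entries.append((action, int(ipaddress.IPv4Address(host)), 0))
        elif anysrc:                  # 'any' is 0.0.0.0 255.255.255.255
            entries.append((action, 0, 0xFFFFFFFF))
        else:
            entries.append((action, int(ipaddress.IPv4Address(net)),
                            int(ipaddress.IPv4Address(wild))))
    return entries

def matches(src, net, wildcard):
    """Cisco wildcard: 1 bits are don't-care, so compare only the 0 bits."""
    care = ~wildcard & 0xFFFFFFFF
    return src & care == net & care

def evaluate(entries, src_ip):
    """Top-down, first match wins; falling off the end is the implicit deny."""
    src = int(ipaddress.IPv4Address(src_ip))
    for index, (action, net, wildcard) in enumerate(entries, start=1):
        if matches(src, net, wildcard):
            return action, index
    return "deny", "implicit"

if __name__ == "__main__":
    acl = parse_acl(ACL_101)
    for ip in ("65.169.223.181", "65.169.223.50", "65.172.19.7", "8.8.8.8"):
        print(ip, evaluate(acl, ip))
    print("deny moved last:", evaluate(acl[1:] + acl[:1], "65.169.223.181"))
```

Moving the deny below the permits (the order the asker proposed) lets 65.169.223.181 through on the subnet permit, which is the failure lrmoore warns about. Note also that the 0.0.1.255 wildcard on the 65.172.18.0 entry already covers 65.172.19.0/24, so the last permit never matches.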
 
lrmoore Commented:
At least we agree on the solution. Thanks for the backup, bill...
 
bross073097 (Author) Commented:
I wasn't able to post for a little while. It kept asking me to join to read the rest.

Yes, we are stopping pings. All these lines were added almost 2 years ago, and the only thing that stopped working was the stopping of that IP from surfing.

When I enter in
interface Ethernet0/0
^
I get an invalid marker at '^'

Is there another way to enter this command?

Thanks
Bob Ross
 
bross073097 (Author) Commented:
Cisco verified that these are supposed to be blocking netbios, and showed a lot of deny counts under the command that shows the counts. I don't remember how to get the counts any more.

I'm not a Cisco person, but can follow commands. But as I mentioned, these were put here by someone else almost 2 years ago.

access-list 102 deny   tcp any any eq 137
access-list 102 deny   tcp any any eq 138
access-list 102 deny   tcp any any eq 139
access-list 102 deny   udp any any eq netbios-ns
access-list 102 deny   udp any any eq netbios-dgm
access-list 102 deny   udp any any eq netbios-dgm
access-list 102 deny   udp any any eq netbios-ss

 
lrmoore Commented:
router>interface Ethernet0/0

you must be in enable, config mode:

router#config t
router(config)#interface Ethernet0/0
router(config-if)#access-group 101 in

Access-list 102 does define Netbios traffic, but it is not applied anywhere. There is no reason to apply it because this traffic is blocked by default anyway (udp broadcasts), unless you have something like ip helper-address configured on an Ethernet interface... Then you just close them down, without the overhead of an acl:
no ip forward-protocol udp 137
no ip forward-protocol udp 138
<etc>

 
lrmoore Commented:
>Yes, we are stopping pings.

Sort of. You can still ping from inside the network, do traceroutes, etc. You are only blocking inbound pings from outside.. You can ping out, can't be pinged...
Works for me, but you might want to think about blocking icmp going out. This was the #1 source of problems with MSBlast and Welchia type worms...
Simply add "deny icmp any any echo" to the top of acl 101


 
bross073097 (Author) Commented:
I'm not sure how to add that. Someone did that for us.

I'm working on the other now.
 
bross073097 (Author) Commented:
It did not like 'group'; it gave the error 'invalid input detected at marker':

access-group 101 in
            ^

 
billwharton Commented:
The command is 'ip access-group 101 in'.

lrmoore - it seems both of us work at solving something at the same time; didn't realise you had already answered it when I clicked my 'submit' button :) Just curious, but you seem to be logged on 24 X 7. Are you trying to reach a personal goal of total points?
 
bross073097 (Author) Commented:
Yes lrmoore did answer first.

Then I end with wr, correct?

Thanks
Bob Ross
 
lrmoore Commented:
I got it right in my first post, just slipped up on it the second time...

Bill, I don't mind working problems with others. Sometimes I slip up and somebody mops up behind me, and sometimes I get the mop.
No personal goals. I'm only here for the challenge of helping others. I've seen more real-world issues to be solved than anyone could ever get out of books..
 
billwharton Commented:
Sure. Are you pursuing any certs by any chance? I'm doing a Cisco one at the moment.
 
lrmoore Commented:
Passed my written CCIE-Security, looking for time to study to take the practical..
May go after CISSP next..
 
billwharton Commented:
lol

We are in the same boat. I've gotten my CISSP done in the past, it was an easy exam, and I am about to take the written. I'm just in two minds whether to build my own lab or rent lab time.
If you are interested in communicating on a one-to-one basis, I'm at bill_wharton AT mailhost.cjb.net