Access-List Help

Hi
I have a Cisco 837H router which has 1 ATM and 1 Ethernet interface.

Currently the router is configured for ADSL; it has a static WAN IP of (e.g.) 1.1.1.1 and a subnet of (e.g.) 192.168.0.8/29, so that gives me host IPs of 192.168.0.9-14. Basically I want to create an access list to allow all traffic on every subnet IP except only certain ports on one of the IPs.

OK, so using the example I want to make 192.168.0.10 have ports 25, 110, 80 open and that's it, and the rest of the IPs all open. What interface does this go on (I currently have a dialer1, atm0 and e0 interface) and in what direction?

Thanks
markgrinceri Asked:
lrmoore Commented:
>traffic is passing from that server to the internet, eg cant view web site, doesn't forward email nothing,
This is exactly what the "established" command does for you. You have to be careful what you ask for. You want to block everything except certain ports, then you have to live with the result.

You can use this, making sure the established is at the top:

access-list 100 permit tcp any host 192.168.0.10 established <== allow you to browse the web
access-list 100 permit udp any eq 53 host 192.168.0.10  <== allow DNS queries to come back
access-list 100 permit udp any host 192.168.0.10 eq 53  <== allow your DNS server to be queried
access-list 100 permit tcp any host 192.168.0.10 eq 25
access-list 100 permit tcp any host 192.168.0.10 eq 110
access-list 100 permit tcp any host 192.168.0.10 eq 80
access-list 100 permit icmp any host 192.168.0.10 unreachable <== allow some icmp for email
access-list 100 permit udp any host 192.168.0.10 eq 113  <== allow ident for email
access-list 100 permit udp any eq 113 host 192.168.0.10
access-list 100 deny ip any host 192.168.0.10
access-list 100 deny ip any host 1.1.1.1  <== optional to deny traffic to your router interface
access-list 100 permit ip any any
svindler Commented:
access-list 100 permit tcp any host 192.168.0.10 eq 25
access-list 100 permit tcp any host 192.168.0.10 eq 110
access-list 100 permit tcp any host 192.168.0.10 eq 80
access-list 100 deny ip any host 192.168.0.10
access-list 100 deny ip any host 1.1.1.1
access-list 100 permit ip any any

I assume that the ip 1.1.1.1 is set on dialer1, so I would suggest you put it on dialer1 inbound. This will protect the router itself as well, as I believe no one needs to access the router itself from the outside?
lrmoore Commented:
Are you wanting to restrict outbound from your internal hosts?
Let everyone do anything, except for one IP can only do certain things? What ports do you want to block from use by that IP address?
markgrinceri (Author) Commented:
No, I'm trying to secure a server by blocking all incoming ports except the ones needed for a server.
lrmoore Commented:
Do you have static nat set up already?

Start with everything that you need to permit, keeping in mind the unseen 'deny all' at the end

access-list 100 permit tcp any any established
access-list 100 permit tcp any host 1.1.1.x eq <port> <- inbound to server x
access-list 100 permit tcp any host 1.1.1.x eq <port> <- inbound to server x
access-list 100 permit udp any eq 53 any
access-list 100 permit icmp any any

interface dialer 1
  ip access-group 100 in

markgrinceri (Author) Commented:
The servers are on a public DMZ; all IPs are public. I just used the 192 range as an example, so no NAT is needed.
lrmoore Commented:
The syntax is just like I've demonstrated. Change 1.1.1.x to your public IP, <port> to the required service port, and just don't forget about the "established" line and the udp for dns permit before you get to the end of the acl where the implicit deny all will take care of the rest.
The placement is on the dialer "in"
lrmoore Commented:
You can do this:

access-list 100 permit tcp any host 1.1.1.1 eq 80
access-list 100 permit tcp any host 1.1.1.1 eq 443
access-list 100 deny ip any host 1.1.1.1
access-list 100 permit ip any any

Placement is the same, on dialer "in"
markgrinceri (Author) Commented:
What does the established line do in the ACL, and

access-list 100 permit tcp any host 192.168.0.10 eq 53             (the ip is a public one)
access-list 100 permit udp any host 192.168.0.10 eq 53            (the ip is a public one)
access-list 100 permit tcp any host 192.168.0.10 eq 25             (the ip is a public one)
access-list 100 permit tcp any host 192.168.0.10 eq 110           (the ip is a public one)
access-list 100 permit tcp any host 192.168.0.10 eq 80             (the ip is a public one)
access-list 100 deny ip any host 192.168.0.10                          (the ip is a public one)
access-list 100 deny ip any host 1.1.1.1                                  (the ip is a public one)
access-list 100 permit ip any any

and it's on the dialer1 interface, but the problem I have is that no traffic is passing from that server to the internet, e.g. can't view web sites, doesn't forward email, nothing, but it receives emails. Do I need another access list on the out direction of the dialer1 interface for traffic to pass from the server to the internet? Basically the server is web, email and DNS and that's it. It seems to work if the ACL is not applied.
markgrinceri (Author) Commented:
access-list 100 permit udp any host 192.168.0.10 eq 53  <== allow your DNS server to be queried

It's saying that I can't put the eq 53 in that place. Do I need it? Is it the same as the next line?
markgrinceri (Author) Commented:
WE'RE GETTING CLOSE!!

I can view a web page by IP, just not by DNS. Does anyone know how to configure the access list for DNS? The current config allows everyone to query me, but I can query anyone.
lrmoore Commented:
You need both lines. One line has a remote source port of 53 so that you can receive responses from them.

access-list 100 permit udp any eq 53 host 192.168.0.10  <-- this allows you to query outside DNS
access-list 100 permit udp any host 192.168.0.10 eq 53  <-- this allows your DNS server to service requests from the internet.

Here's a true example of acl creation:

C3640(config)#access-list 100 permit udp any host 10.10.10.2 eq 53
C3640(config)#access-list 100 permit udp any eq 53 host 10.10.10.2
C3640(config)#access-list 100 permit tcp any host 10.10.10.2 established
C3640(config)#<etc>

Don't forget that you have to re-apply the acl to the interface after making changes to it!
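Added example, not from this thread or from Cisco: a small Python evaluator for the numbered extended-ACL syntax used above, showing IOS-style first-match evaluation and why the asker's list (no "established" line and no "udp any eq 53" permit) dropped the server's own web and DNS return traffic, while the list with those two lines permits it. The addresses and packets are constructed test data, and the evaluator only understands the any/host, eq and established forms seen in this thread.

```python
import re

# Constructed copy of the working list posted above; the first two lines are the
# "established" and DNS-reply permits that the asker's own list lacked.
ACL = """
access-list 100 permit tcp any host 192.168.0.10 established
access-list 100 permit udp any eq 53 host 192.168.0.10
access-list 100 permit tcp any host 192.168.0.10 eq 25
access-list 100 permit tcp any host 192.168.0.10 eq 80
access-list 100 deny ip any host 192.168.0.10
access-list 100 permit ip any any
""".strip().splitlines()

ADDR, PORT = r"(any|host \S+)", r"(?: eq (\d+))?"
RULE = re.compile(rf"access-list \d+ (permit|deny) (\w+) {ADDR}{PORT} {ADDR}{PORT}( established)?$")

def parse(lines):
    """Parse the subset of IOS extended-ACL syntax used in this thread."""
    matches = [RULE.match(line.strip()) for line in lines]
    if not all(matches):
        raise ValueError("unsupported ACL syntax")
    return [m.groups() for m in matches]  # (action, proto, src, sport, dst, dport, established)

def evaluate(rules, proto, src, sport, dst, dport, flags=frozenset()):
    """First-match evaluation as IOS does it; returns 'permit' or 'deny'."""
    for action, rproto, rsrc, rsport, rdst, rdport, est in rules:
        if rproto not in ("ip", proto):
            continue
        if rsrc not in ("any", f"host {src}") or rdst not in ("any", f"host {dst}"):
            continue
        if (rsport and int(rsport) != sport) or (rdport and int(rdport) != dport):
            continue
        # "established" matches only TCP segments with ACK or RST set, i.e. replies
        # to connections the inside host opened itself; the router keeps no state.
        if est and not ({"ACK", "RST"} & flags):
            continue
        return action
    return "deny"  # the implicit deny at the end of every IOS ACL

# Constructed packets arriving inbound on dialer1: (proto, src, sport, dst, dport, flags).
PACKETS = {
    "return_web": ("tcp", "203.0.113.5", 80, "192.168.0.10", 40000, frozenset({"SYN", "ACK"})),
    "dns_reply": ("udp", "198.51.100.53", 53, "192.168.0.10", 5353),
    "new_smtp": ("tcp", "203.0.113.7", 51000, "192.168.0.10", 25, frozenset({"SYN"})),
    "new_telnet": ("tcp", "203.0.113.7", 51001, "192.168.0.10", 23, frozenset({"SYN"})),
}

def compare():
    """Each packet against the asker's list (ACL without its first two lines) and the fix."""
    original, fixed = parse(ACL[2:]), parse(ACL)
    return {n: (evaluate(original, *p), evaluate(fixed, *p)) for n, p in PACKETS.items()}
```

compare() returns, per packet, the verdict of the asker's list and of the fixed list: the web reply and the DNS reply flip from deny to permit, new SMTP connections stay permitted and a new connection to port 23 stays denied by both.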
svindler Commented:
If your internal DNS server uses a specific DNS server on the outside, then only allow that external server to reply from port 53. Otherwise you open up for crafted packets to any UDP-based service on your own DNS server.
"access-list 100 permit udp any eq 53 host 10.10.10.2"
should be changed to
access-list 100 permit udp host a.b.c.d eq 53 host 10.10.10.2
where a.b.c.d is replaced with the DNS server of your ISP.
You can repeat the line with a number of DNS servers at your ISP, if you so wish.
markgrinceri (Author) Commented:
What does port UDP 113 do?