markgrinceri asked:
Access-List Help

Hi

I have a Cisco 837H router which has 1 ATM and 1 Ethernet interface.

Currently I have configured the router for ADSL; it has a static WAN IP of (e.g.) 1.1.1.1 and a subnet of (e.g.) 192.168.0.8/29, so that gives me host IPs of 192.168.0.9-14. Basically I want to create an access list to allow all traffic to every IP in the subnet, except for only certain ports on one of the IPs.

OK, so using the example, I want 192.168.0.10 to have ports 25, 110 and 80 open and that's it, and the rest of the IPs all open. What interface does this go on (I currently have a dialer1, atm0 and e0 interface) and in what direction?

Thanks
svindler

access-list 100 permit tcp any host 192.168.0.10 eq 25
access-list 100 permit tcp any host 192.168.0.10 eq 110
access-list 100 permit tcp any host 192.168.0.10 eq 80
access-list 100 deny ip any host 192.168.0.10
access-list 100 deny ip any host 1.1.1.1
access-list 100 permit ip any any

I assume that the ip 1.1.1.1 is set on dialer1, so I would suggest you put it on dialer1 inbound. This will protect the router itself as well, as I believe no one needs to access the router itself from the outside?
Les Moore
Are you wanting to restrict outbound from your internal hosts?
Let everyone do anything, except for one IP can only do certain things? What ports do you want to block from use by that IP address?
markgrinceri (asker)
No, I'm trying to secure a server by blocking all incoming ports except the ones needed for a server.
Do you have static NAT set up already?

Start with everything that you need to permit, keeping in mind the unseen 'deny all' at the end

access-list 100 permit tcp any any established
access-list 100 permit tcp any host 1.1.1.x eq <port> <- inbound to server x
access-list 100 permit tcp any host 1.1.1.x eq <port> <- inbound to server x
access-list 100 permit udp any eq 53 any
access-list 100 permit icmp any any

interface dialer 1
  ip access-group 100 in

The servers are on a public DMZ; all IPs are public. I just used the 192 range as an example, so no NAT is needed.
The syntax is just like I've demonstrated. Change 1.1.1.x to your public IP and <port> to the required service port, and just don't forget about the "established" line and the UDP permit for DNS before you get to the end of the ACL, where the implicit deny all will take care of the rest.
The placement is on the dialer, "in".
You can do this:

access-list 100 permit tcp any host 1.1.1.1 eq 80
access-list 100 permit tcp any host 1.1.1.1 eq 443
access-list 100 deny ip any host 1.1.1.1
access-list 100 permit ip any any

Placement is the same, on the dialer, "in".
What does the established line do in the ACL? And

access-list 100 permit tcp any host 192.168.0.10 eq 53
access-list 100 permit udp any host 192.168.0.10 eq 53
access-list 100 permit tcp any host 192.168.0.10 eq 25
access-list 100 permit tcp any host 192.168.0.10 eq 110
access-list 100 permit tcp any host 192.168.0.10 eq 80
access-list 100 deny ip any host 192.168.0.10
access-list 100 deny ip any host 1.1.1.1
access-list 100 permit ip any any

(the 192.168.0.10 address is a public one)

And it's on the dialer1 interface, but the problem I have is that no traffic is passing from that server to the internet: e.g. it can't view a web site, doesn't forward email, nothing, but it receives emails. Do I need another access list on the dialer1 "out" interface for traffic to pass from the server to the internet? Basically the server is web, email and DNS and that's it. It seems to work if the ACL is not applied.
ASKER CERTIFIED SOLUTION
Les Moore
access-list 100 permit udp any host 192.168.0.10 eq 53  <== allow your DNS server to be queried

It's saying that I can't put the eq 53 in that place. Do I need it? Is it the same as the next line?
WE'RE GETTING CLOSE!!

I can view a web page by IP, just not by DNS. Does anyone know how to configure the access list for DNS? The current config allows everyone to query me, but I can't query anyone.
You need both lines: one line has a remote source port of 53 so that you can receive responses from them.

access-list 100 permit udp any eq 53 host 192.168.0.10  <-- this allows you to query outside DNS
access-list 100 permit udp any host 192.168.0.10 eq 53  <-- this allows your DNS server to service requests from the internet

Here's a real example of ACL creation:

C3640(config)#access-list 100 permit udp any host 10.10.10.2 eq 53
C3640(config)#access-list 100 permit udp any eq 53 host 10.10.10.2
C3640(config)#access-list 100 permit tcp any host 10.10.10.2 established
C3640(config)#<etc>

Don't forget that you have to re-apply the acl to the interface after making changes to it!
If your internal DNS server uses a specific DNS server on the outside, then only allow that external server to reply from port 53. Otherwise you open up for crafted packets to any UDP-based service on your own DNS server.
"access-list 100 permit udp any eq 53 host 10.10.10.2"
should be changed to
access-list 100 permit udp host a.b.c.d eq 53 host 10.10.10.2
where a.b.c.d is replaced with the dns server of your isp.
You can repeat the line with a number of dns servers at your isp, if you so wish.
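An added example, not code from the thread or any of its posters: a small Python evaluator that applies Cisco IOS first-match ACL semantics to the asker's posted list, to Les Moore's version with the "established" and source-port-53 lines, and to svindler's tightened source-port-53 rule, against a handful of constructed inbound packets. The 192.168.0.10 server and the 1.1.1.1 router address are the thread's own; 203.0.113.53 as the ISP resolver and the 198.51.100.x remote hosts are assumptions for the demo. It shows why the posted list blocks replies to the server's own web sessions and DNS lookups, and why an unrestricted "any eq 53" permit also admits packets from source port 53 to any UDP service on the server.

```python
# Added example, not code from the thread: a first-match evaluator for Cisco IOS numbered
# extended ACLs.  It runs the asker's list, Les Moore's fix ('established' plus the
# source-port-53 line) and svindler's tighter variant against constructed inbound packets.
# 192.168.0.10 and 1.1.1.1 come from the thread; 203.0.113.53 (the "ISP resolver") and
# the 198.51.100.x remote hosts are assumed for the demo.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Packet:
    proto: str                 # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    ack: bool = False          # TCP ACK or RST set, which is what 'established' tests

@dataclass(frozen=True)
class Entry:
    action: str                # "permit" or "deny"
    proto: str                 # "ip" matches every protocol
    src: str                   # "any", "host A.B.C.D" or "A.B.C.D WILDCARD"
    dst: str
    sport: Optional[int] = None    # "eq N" after the source
    dport: Optional[int] = None    # "eq N" after the destination
    established: bool = False

def parse_entry(line: str) -> Entry:
    """Parse 'access-list N permit|deny PROTO SRC [eq P] DST [eq P] [established]'."""
    tok = line.split() + ["<end>"]         # sentinel so look-ahead never runs off the end
    if tok[0] != "access-list":
        raise ValueError(line)
    fields, pos = [], 4                    # tok[2], tok[3] are the action and protocol
    for _ in range(2):                     # source, then destination, each with optional "eq N"
        width = 1 if tok[pos] == "any" else 2
        fields.append(" ".join(tok[pos:pos + width]))
        pos += width
        if tok[pos] == "eq":
            fields.append(int(tok[pos + 1]))
            pos += 2
        else:
            fields.append(None)
    src, sport, dst, dport = fields
    return Entry(tok[2], tok[3], src, dst, sport, dport, tok[pos] == "established")

def _addr_match(spec: str, addr: str) -> bool:
    if spec == "any":
        return True
    a, b = spec.split()
    if a == "host":
        return addr == b
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(b))   # wildcard 1 bits are "don't care"
    return int(ipaddress.IPv4Address(addr)) & care == int(ipaddress.IPv4Address(a)) & care

def matches(e: Entry, p: Packet) -> bool:
    return ((e.proto == "ip" or e.proto == p.proto)
            and _addr_match(e.src, p.src) and _addr_match(e.dst, p.dst)
            and (e.sport is None or e.sport == p.sport)
            and (e.dport is None or e.dport == p.dport)
            and (not e.established or (p.proto == "tcp" and p.ack)))

def evaluate(acl: List[Entry], p: Packet) -> str:
    for e in acl:                          # first match wins
        if matches(e, p):
            return e.action
    return "deny"                          # the implicit 'deny ip any any' at the end

def load(text: str) -> List[Entry]:
    return [parse_entry(l) for l in text.splitlines() if l.strip()]

# The asker's list (with 'host' on the router line), applied 'in' on dialer1.
SERVICE_LINES = """
access-list 100 permit tcp any host 192.168.0.10 eq 53
access-list 100 permit udp any host 192.168.0.10 eq 53
access-list 100 permit tcp any host 192.168.0.10 eq 25
access-list 100 permit tcp any host 192.168.0.10 eq 110
access-list 100 permit tcp any host 192.168.0.10 eq 80
access-list 100 deny ip any host 192.168.0.10
access-list 100 deny ip any host 1.1.1.1
access-list 100 permit ip any any
"""
ASKER_ACL = load(SERVICE_LINES)
# Les Moore's fix: admit replies to the server's own TCP sessions and DNS lookups.
FIXED_ACL = load("access-list 100 permit tcp any host 192.168.0.10 established\n"
                 "access-list 100 permit udp any eq 53 host 192.168.0.10\n" + SERVICE_LINES)
# svindler's tightening: only the ISP resolver (assumed 203.0.113.53) may answer from port 53.
HARDENED_ACL = load("access-list 100 permit tcp any host 192.168.0.10 established\n"
                    "access-list 100 permit udp host 203.0.113.53 eq 53 host 192.168.0.10\n"
                    + SERVICE_LINES)
# Constructed packets, all arriving inbound on dialer1.
INBOUND = {
    "smtp_to_server":       Packet("tcp", "198.51.100.20", "192.168.0.10", 51000, 25),
    "reply_to_server_http": Packet("tcp", "198.51.100.20", "192.168.0.10", 80, 40000, ack=True),
    "isp_dns_reply":        Packet("udp", "203.0.113.53", "192.168.0.10", 53, 40002),
    "sport53_to_snmp":      Packet("udp", "198.51.100.7", "192.168.0.10", 53, 161),
    "rdp_to_other_host":    Packet("tcp", "198.51.100.20", "192.168.0.11", 51001, 3389),
    "telnet_to_router":     Packet("tcp", "198.51.100.20", "1.1.1.1", 51002, 23),
}
if __name__ == "__main__":
    for label, acl in (("asker", ASKER_ACL), ("fixed", FIXED_ACL), ("hardened", HARDENED_ACL)):
        print(label, {name: evaluate(acl, p) for name, p in INBOUND.items()})
```

Running it prints one verdict table per list: the asker's list denies the HTTP reply and the resolver's answer (both fall through to "deny ip any host 192.168.0.10"), the fixed list permits them but also permits the source-port-53 packet aimed at UDP 161, and the hardened list permits only the resolver's answer. Note that "established" checks TCP flags only, so a forged packet with ACK set still passes that line; it is a convenience for stateless ACLs, not stateful inspection.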
What does UDP port 113 do?