Solved

Access-List Help

Posted on 2004-09-23
15
801 Views
Last Modified: 2009-12-16
Hi
I Have a cisco 837H Router which has 1 ATM and 1 Ethernet

Currently I have configured the router for ADSL. It has a static WAN IP of (e.g.) 1.1.1.1 and a subnet of (e.g.) 192.168.0.8/29, OK, so that gives me host IPs of 192.168.0.9-14. Basically I want to create an access list to allow all traffic on every subnet IP except only certain ports on one of the IPs.

OK, so using the example, I want to make 192.168.0.10 have ports 25, 110, 80 open and that's it, and the rest of the IPs all open. What interface does this go on? I currently have a dialer1, atm0, e0 interface. And in what direction?

Thanks
Question by:markgrinceri
15 Comments
 
LVL 4

Expert Comment

by:svindler
ID: 12141239
access-list 100 permit tcp any host 192.168.0.10 eq 25
access-list 100 permit tcp any host 192.168.0.10 eq 110
access-list 100 permit tcp any host 192.168.0.10 eq 80
access-list 100 deny ip any host 192.168.0.10
access-list 100 deny ip any host 1.1.1.1
access-list 100 permit ip any any

I assume that the IP 1.1.1.1 is set on dialer1, so I would suggest you put it on dialer1 inbound. This will protect the router itself as well, as I believe no one needs to access the router itself from the outside?
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 12142252
Are you wanting to restrict outbound from your internal hosts?
Let everyone do anything, except for one IP can only do certain things? What ports do you want to block from use by that IP address?
0
 
LVL 2

Author Comment

by:markgrinceri
ID: 12142372
No, I'm trying to secure a server by blocking all incoming ports except the ones needed for a server.
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 12142472
Do you have static nat set up already?

Start with everything that you need to permit, keeping in mind the unseen 'deny all' at the end

access-list 100 permit tcp any any established
access-list 100 permit tcp any host 1.1.1.x eq <port> <- inbound to server x
access-list 100 permit tcp any host 1.1.1.x eq <port> <- inbound to server x
access-list 100 permit udp any eq 53 any
access-list 100 permit icmp any any

interface dialer 1
  ip access-group 100 in

0
 
LVL 2

Author Comment

by:markgrinceri
ID: 12144408
The servers are on a public DMZ, all IPs are public, I just used the 192 range as an example, so no NAT is needed.
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 12144729
The syntax is just like I've demonstrated. Change 1.1.1.x to your public IP, <port> to the required service port, and just don't forget about the "established" line and the UDP permit for DNS before you get to the end of the ACL, where the implicit deny all will take care of the rest.
The placement is on the dialer "in".
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 12144753
You can do this:

access-list 100 permit tcp any host 1.1.1.1 eq 80
access-list 100 permit tcp any host 1.1.1.1 eq 443
access-list 100 deny ip any host 1.1.1.1
access-list 100 permit ip any any

Placement is the same, on dialer "in"
0
 
LVL 2

Author Comment

by:markgrinceri
ID: 12145022
What does the established line do in the ACL, and

access-list 100 permit tcp any host 192.168.0.10 eq 53             (the ip is a public one)
access-list 100 permit udp any host 192.168.0.10 eq 53            (the ip is a public one)
access-list 100 permit tcp any host 192.168.0.10 eq 25             (the ip is a public one)
access-list 100 permit tcp any host 192.168.0.10 eq 110           (the ip is a public one)
access-list 100 permit tcp any host 192.168.0.10 eq 80             (the ip is a public one)
access-list 100 deny ip any host 192.168.0.10                          (the ip is a public one)
access-list 100 deny ip any host 1.1.1.1                                  (the ip is a public one)
access-list 100 permit ip any any

and it's on the dialer1 interface, but the problem I have is that no traffic is passing from that server to the internet, e.g. can't view web sites, doesn't forward email, nothing, but it receives emails. Do I need another access list on the out direction of the dialer1 interface for traffic to pass from the server to the internet? Basically the server is web, email and DNS and that's it. It seems to work if the ACL is not applied.
0
 
LVL 79

Accepted Solution

by:
lrmoore earned 500 total points
ID: 12145161
>traffic is passing from that server to the internet, eg cant view web site, doesn't forward email nothing,
This is exactly what the "established" command does for you. You have to be careful what you ask for. You want to block everything except certain ports, then you have to live with the result.

You can use this, making sure the established is at the top:

access-list 100 permit tcp any host 192.168.0.10 established <== allow you to browse the web
access-list 100 permit udp any eq 53 host 192.168.0.10  <== allow DNS queries to come back
access-list 100 permit udp any host 192.168.0.10 eq 53  <== allow your DNS server to be queried
access-list 100 permit tcp any host 192.168.0.10 eq 25
access-list 100 permit tcp any host 192.168.0.10 eq 110
access-list 100 permit tcp any host 192.168.0.10 eq 80
access-list 100 permit icmp any host 192.168.0.10 unreachable <== allow some icmp for email
access-list 100 permit udp any host 192.168.0.10 eq 113  <== allow ident for email
access-list 100 permit udp any eq 113 host 192.168.0.10
access-list 100 deny ip any host 192.168.0.10
access-list 100 deny ip any host 1.1.1.1  <== optional to deny traffic to your router interface
access-list 100 permit ip any any
0
 
LVL 2

Author Comment

by:markgrinceri
ID: 12145291
access-list 100 permit udp any host 192.168.0.10 eq 53  <== allow your DNS server to be queried

It's saying that I can't put the eq 53 in that place. Do I need it? Is it the same as the next line?
0
 
LVL 2

Author Comment

by:markgrinceri
ID: 12145474
WE'RE GETTING CLOSE!!

I can view a web page by IP, just not by DNS. Does anyone know how to configure an access list for DNS? The current config allows everyone to query me but I can query anyone.
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 12145576
You need both lines: one line has a remote source port of 53 so that you can receive responses from them.

access-list 100 permit udp any eq 53 host 192.168.0.10  <-- this allows you to query outside DNS
access-list 100 permit udp any host 192.168.0.10 eq 53  <-- this allows your DNS server to service requests from the internet.

Here's a true example of acl creation:

C3640(config)#access-list 100 permit udp any host 10.10.10.2 eq 53
C3640(config)#access-list 100 permit udp any eq 53 host 10.10.10.2
C3640(config)#access-list 100 permit tcp any host 10.10.10.2 established
C3640(config)#<etc>

Don't forget that you have to re-apply the acl to the interface after making changes to it!
0
 
LVL 4

Expert Comment

by:svindler
ID: 12148586
If your internal DNS server uses a specific DNS server on the outside, then only allow that external server to reply from port 53. Otherwise you open up for some crafted packets to any UDP-based service on your own DNS server.
"access-list 100 permit udp any eq 53 host 10.10.10.2"
should be changed to
access-list 100 permit udp host a.b.c.d eq 53 host 10.10.10.2
where a.b.c.d is replaced with the DNS server of your ISP.
You can repeat the line with a number of DNS servers at your ISP, if you so wish.
0
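The two points the thread turns on, lrmoore's accepted solution (why the `established` line at the top is what lets the server's own outbound web and DNS traffic come back in, and how first-match ordering ends in the implicit deny) and svindler's tightening of the source-port-53 line to the ISP's resolver, can be checked offline with a small first-match ACL evaluator. The following is an added example written for this page; it is not IOS, not Cisco code, and not anything a participant posted. It parses the exact `access-list` lines from the accepted answer, assumes the IOS meaning of `established` (TCP segment with ACK or RST set), and uses constructed addresses: 198.51.100.7 for an arbitrary outside host and 203.0.113.53 as a placeholder for the ISP resolver (svindler's `a.b.c.d`). The packets it evaluates are constructed too, all as seen inbound on dialer1.

```python
from collections import namedtuple

# A packet as seen inbound on dialer1. ack_or_rst is the TCP ACK/RST flag that 'established' tests.
Packet = namedtuple("Packet", "proto src dst sport dport ack_or_rst icmp_type",
                    defaults=(0, 0, False, ""))
# One access-list entry. None for src/dst means 'any'; None for a port means no 'eq' was given.
Ace = namedtuple("Ace", "action proto src sport dst dport established icmp_type text")


def _endpoint(t, i):
    """Parse 'any' or 'host A.B.C.D' plus an optional 'eq N'; return (addr, port, next index)."""
    if t[i] == "any":
        addr, i = None, i + 1
    elif t[i] == "host":
        addr, i = t[i + 1], i + 2
    else:
        raise ValueError(f"unsupported address form {t[i]!r} (only any/host handled here)")
    port = None
    if i < len(t) and t[i] == "eq":
        port, i = int(t[i + 1]), i + 2
    return addr, port, i


def parse_acl(text):
    """Parse 'access-list N permit|deny ...' lines; '<== note' suffixes as used in the thread are dropped."""
    aces = []
    for raw in text.splitlines():
        line = raw.split("<")[0].strip()
        if not line:
            continue
        t = line.split()
        if t[0] != "access-list" or t[2] not in ("permit", "deny"):
            raise ValueError(f"not an extended ACL entry: {line!r}")
        src, sport, i = _endpoint(t, 4)
        dst, dport, i = _endpoint(t, i)
        tail = t[i] if i < len(t) else None          # 'established' for tcp, or an ICMP type keyword
        aces.append(Ace(t[2], t[3], src, sport, dst, dport, tail == "established",
                        tail if t[3] == "icmp" else None, line))
    return aces


def _matches(a, p):
    return ((a.proto == "ip" or a.proto == p.proto)
            and (a.src is None or a.src == p.src) and (a.dst is None or a.dst == p.dst)
            and (a.sport is None or a.sport == p.sport) and (a.dport is None or a.dport == p.dport)
            and (not a.established or p.ack_or_rst)
            and (a.icmp_type is None or a.icmp_type == p.icmp_type))


def evaluate(aces, pkt):
    """First match wins; a packet that no line matches hits the implicit deny at the end."""
    for a in aces:
        if _matches(a, pkt):
            return a.action, a.text
    return "deny", "<implicit deny>"


# The accepted solution's ACL, line for line as posted (applied inbound on dialer1).
ACL_ACCEPTED = """
access-list 100 permit tcp any host 192.168.0.10 established
access-list 100 permit udp any eq 53 host 192.168.0.10
access-list 100 permit udp any host 192.168.0.10 eq 53
access-list 100 permit tcp any host 192.168.0.10 eq 25
access-list 100 permit tcp any host 192.168.0.10 eq 110
access-list 100 permit tcp any host 192.168.0.10 eq 80
access-list 100 permit icmp any host 192.168.0.10 unreachable
access-list 100 permit udp any host 192.168.0.10 eq 113
access-list 100 permit udp any eq 113 host 192.168.0.10
access-list 100 deny ip any host 192.168.0.10
access-list 100 deny ip any host 1.1.1.1
access-list 100 permit ip any any
"""
ISP_RESOLVER = "203.0.113.53"   # constructed placeholder for svindler's a.b.c.d
# svindler's change: only the ISP resolver may send from source port 53 to the server.
ACL_HARDENED = ACL_ACCEPTED.replace("permit udp any eq 53 host 192.168.0.10",
                                    f"permit udp host {ISP_RESOLVER} eq 53 host 192.168.0.10")
# The author's earlier ACL had no 'established' line; reproduce that by dropping it.
ACL_NO_ESTABLISHED = "\n".join(l for l in ACL_ACCEPTED.splitlines() if "established" not in l)

SERVER, OTHER_HOST, OUTSIDER = "192.168.0.10", "192.168.0.12", "198.51.100.7"   # constructed
SCENARIOS = {                                                  # constructed inbound packets
    "smtp_to_server":    Packet("tcp", OUTSIDER, SERVER, 40001, 25),
    "rdp_to_server":     Packet("tcp", OUTSIDER, SERVER, 40002, 3389),
    "rdp_to_other_host": Packet("tcp", OUTSIDER, OTHER_HOST, 40003, 3389),
    "web_reply":         Packet("tcp", OUTSIDER, SERVER, 80, 51234, ack_or_rst=True),
    "dns_reply_isp":     Packet("udp", ISP_RESOLVER, SERVER, 53, 33001),
    "crafted_sport53":   Packet("udp", OUTSIDER, SERVER, 53, 161),
    "icmp_echo":         Packet("icmp", OUTSIDER, SERVER, icmp_type="echo"),
}


def run_scenarios(acl_text):
    """Map each scenario name to the action the given ACL takes on that packet."""
    aces = parse_acl(acl_text)
    return {name: evaluate(aces, pkt)[0] for name, pkt in SCENARIOS.items()}
```

Running `run_scenarios` over the three ACL texts shows the thread's outcomes directly: the accepted ACL permits SMTP to the server and the web server's reply to an outbound browse, denies an inbound connection to port 3389 on the server by the `deny ip any host 192.168.0.10` line, and leaves the rest of the /29 open via the final `permit ip any any`; the variant without `established` denies the same web reply, which is the symptom the author reported; and the hardened variant still accepts the ISP resolver's DNS reply but drops a UDP packet from an arbitrary host that merely uses source port 53, which the accepted ACL would have let through to any UDP port on the server.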
 
LVL 2

Author Comment

by:markgrinceri
ID: 12148685
What does port UDP 113 do?
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 12150336
0
