Solved

Access-List Help

Posted on 2004-09-23
Last Modified: 2009-12-16
Hi
I have a Cisco 837H router which has 1 ATM and 1 Ethernet interface.

Currently I have the router configured for ADSL. It has a static WAN IP of (eg.) 1.1.1.1 and a subnet of (eg.) 192.168.0.8/29, OK so that gives me host IPs of 192.168.0.9-14. Basically I want to create an access list to allow all traffic on every subnet IP except only certain ports on one of the IPs.

OK so using the example I want to make 192.168.0.10 have ports 25, 110, 80 open and that's it, and the rest of the IPs all open. What interface does this go on? I currently have dialer1, atm0 and e0 interfaces. And in what direction?

Thanks
Question by:markgrinceri
LVL 4

Expert Comment

by:svindler
ID: 12141239
access-list 100 permit tcp any host 192.168.0.10 eq 25
access-list 100 permit tcp any host 192.168.0.10 eq 110
access-list 100 permit tcp any host 192.168.0.10 eq 80
access-list 100 deny ip any host 192.168.0.10
access-list 100 deny ip any host 1.1.1.1
access-list 100 permit ip any any

I assume that the ip 1.1.1.1 is set on dialer1, so I would suggest you put it on dialer1 inbound. This will protect the router itself as well, as I believe no one needs to access the router itself from the outside?
LVL 79

Expert Comment

by:lrmoore
ID: 12142252
Are you wanting to restrict outbound from your internal hosts?
Let everyone do anything, except for one IP can only do certain things? What ports do you want to block from use by that IP address?
LVL 2

Author Comment

by:markgrinceri
ID: 12142372
No, I'm trying to secure a server by blocking all incoming ports except the ones needed for a server.
LVL 79

Expert Comment

by:lrmoore
ID: 12142472
Do you have static nat set up already?

Start with everything that you need to permit, keeping in mind the unseen 'deny all' at the end

access-list 100 permit tcp any any established
access-list 100 permit tcp any host 1.1.1.x eq <port> <- inbound to server x
access-list 100 permit tcp any host 1.1.1.x eq <port> <- inbound to server x
access-list 100 permit udp any eq 53 any
access-list 100 permit icmp any any

interface dialer 1
  ip access-group 100 in

LVL 2

Author Comment

by:markgrinceri
ID: 12144408
The servers are on a public DMZ, all IPs are public. I just used the 192 range as an example, so no NAT is needed.
LVL 79

Expert Comment

by:lrmoore
ID: 12144729
The syntax is just like I've demonstrated. Change 1.1.1.x to your public IP and <port> to the required service port, and just don't forget about the "established" line and the UDP permit for DNS before you get to the end of the ACL, where the implicit deny all will take care of the rest.
The placement is on the dialer "in"
LVL 79

Expert Comment

by:lrmoore
ID: 12144753
You can do this:

access-list 100 permit tcp any host 1.1.1.1 eq 80
access-list 100 permit tcp any host 1.1.1.1 eq 443
access-list 100 deny ip any host 1.1.1.1
access-list 100 permit ip any any

Placement is the same, on dialer "in"
LVL 2

Author Comment

by:markgrinceri
ID: 12145022
What does the established line do in the ACL? And

access-list 100 permit tcp any host 192.168.0.10 eq 53     (the IP is a public one)
access-list 100 permit udp any host 192.168.0.10 eq 53     (the IP is a public one)
access-list 100 permit tcp any host 192.168.0.10 eq 25     (the IP is a public one)
access-list 100 permit tcp any host 192.168.0.10 eq 110    (the IP is a public one)
access-list 100 permit tcp any host 192.168.0.10 eq 80     (the IP is a public one)
access-list 100 deny ip any host 192.168.0.10              (the IP is a public one)
access-list 100 deny ip any host 1.1.1.1                   (the IP is a public one)
access-list 100 permit ip any any

and it's on the dialer1 interface, but the problem I have is that no traffic is passing from that server to the internet, e.g. can't view web sites, doesn't forward email, nothing, but it receives emails. Do I need another access list on the out dialer1 interface for traffic to pass from the server to the internet? Basically the server is web, email and DNS and that's it. It seems to work if the ACL is not applied.
LVL 79

Accepted Solution

by:
lrmoore earned 500 total points
ID: 12145161
>traffic is passing from that server to the internet, eg cant view web site, doesn't forward email nothing,
This is exactly what the "established" command does for you. You have to be careful what you ask for. You want to block everything except certain ports, then you have to live with the result.

You can use this, making sure the established is at the top:

access-list 100 permit tcp any host 192.168.0.10 established <== allow you to browse the web
access-list 100 permit udp any eq 53 host 192.168.0.10  <== allow DNS queries to come back
access-list 100 permit udp any host 192.168.0.10 eq 53  <== allow your DNS server to be queried
access-list 100 permit tcp any host 192.168.0.10 eq 25
access-list 100 permit tcp any host 192.168.0.10 eq 110
access-list 100 permit tcp any host 192.168.0.10 eq 80
access-list 100 permit icmp any host 192.168.0.10 unreachable <== allow some icmp for email
access-list 100 permit tcp any host 192.168.0.10 eq 113  <== allow ident for email (ident/auth is TCP 113, not UDP)
access-list 100 permit tcp any eq 113 host 192.168.0.10
access-list 100 deny ip any host 192.168.0.10
access-list 100 deny ip any host 1.1.1.1  <== optional to deny traffic to your router interface
access-list 100 permit ip any any
LVL 2

Author Comment

by:markgrinceri
ID: 12145291
access-list 100 permit udp any host 192.168.0.10 eq 53  <== allow your DNS server to be querried

It's saying that I can't put the eq 53 in that place. Do I need it? Is it the same as the next line?
LVL 2

Author Comment

by:markgrinceri
ID: 12145474
WE'RE GETTING CLOSE!!

I can view a web page by IP, just not by DNS. Does anyone know how to configure an access list for DNS? The current config allows everyone to query me but I can query anyone.
LVL 79

Expert Comment

by:lrmoore
ID: 12145576
You need both lines: one line has a remote source port of 53 so that you can receive responses from them.

access-list 100 permit udp any eq 53 host 192.168.0.10  <-- this allows you to query outside DNS
access-list 100 permit udp any host 192.168.0.10 eq 53  <-- this allows your DNS server to service requests from the internet.

Here's a true example of acl creation:

C3640(config)#access-list 100 permit udp any host 10.10.10.2 eq 53
C3640(config)#access-list 100 permit udp any eq 53 host 10.10.10.2
C3640(config)#access-list 100 permit tcp any host 10.10.10.2 established
C3640(config)#<etc>

Don't forget that you have to re-apply the acl to the interface after making changes to it!
LVL 4

Expert Comment

by:svindler
ID: 12148586
If your internal DNS server uses a specific DNS server on the outside, then only allow that external server to reply from port 53. Otherwise you open up to crafted packets aimed at any UDP-based service on your own DNS server.
"access-list 100 permit udp any eq 53 host 10.10.10.2"
should be changed to
access-list 100 permit udp host a.b.c.d eq 53 host 10.10.10.2
where a.b.c.d is replaced with the dns server of your isp.
You can repeat the line with a number of dns servers at your isp, if you so wish.
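The two points made above, lrmoore's explanation of why the "established" and source-port-53 lines are needed (accepted solution) and svindler's tightening of that source-port-53 line, can be checked without a router. What follows is an added example and not code from this thread or from Cisco IOS: a small Python model of extended-ACL evaluation (top-down, first match decides, implicit deny at the end) fed with the lists posted above and with constructed packets. The addresses 198.51.100.53 (standing in for the ISP resolver), 198.51.100.80 and 203.0.113.9 are made up for the example, as are the Packet and Entry types; the grammar it parses covers only the forms used in this thread.

```python
# Toy model of Cisco IOS extended-ACL evaluation, added to illustrate this thread.
# Not IOS and not the posters' own configurations: it parses access-list lines in
# the form used above and applies IOS semantics (top-down, first match wins,
# implicit "deny ip any any" at the end) to constructed sample packets.
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Packet:
    proto: str                # "tcp" or "udp"
    src: str
    dst: str
    sport: int
    dport: int
    ack_or_rst: bool = False  # TCP ACK or RST bit set: all that "established" checks

@dataclass
class Entry:
    action: str               # "permit" or "deny"
    proto: str                # "ip", "tcp" or "udp"
    src: Optional[str]        # None means "any"
    sport: Optional[int]      # None means any port
    dst: Optional[str]
    dport: Optional[int]
    established: bool = False

def parse_acl(text: str) -> List[Entry]:
    """access-list N {permit|deny} {ip|tcp|udp} SRC [eq P] DST [eq P] [established]
    with SRC/DST = any | host A.B.C.D; a trailing '<== ...' annotation is ignored."""
    def addr(t, i):
        if t[i] == "any":
            return None, i + 1
        if t[i] == "host":
            return t[i + 1], i + 2
        raise ValueError(f"only 'any' / 'host A.B.C.D' supported: {' '.join(t)}")

    def port(t, i):
        return (int(t[i + 1]), i + 2) if i < len(t) and t[i] == "eq" else (None, i)

    entries = []
    for raw in text.splitlines():
        line = raw.split("<")[0].strip()
        if not line:
            continue
        t = line.split()
        if t[0] != "access-list" or t[2] not in ("permit", "deny"):
            raise ValueError(f"not an extended access-list entry: {line}")
        src, i = addr(t, 4)
        sport, i = port(t, i)
        dst, i = addr(t, i)
        dport, i = port(t, i)
        rest = t[i:]
        if rest and not (t[3] == "tcp" and rest == ["established"]):
            raise ValueError(f"unsupported trailer in: {line}")
        entries.append(Entry(t[2], t[3], src, sport, dst, dport, bool(rest)))
    return entries

def matches(e: Entry, p: Packet) -> bool:
    return (e.proto in ("ip", p.proto)
            and e.src in (None, p.src) and e.dst in (None, p.dst)
            and e.sport in (None, p.sport) and e.dport in (None, p.dport)
            and (not e.established or p.ack_or_rst))

def evaluate(acl: List[Entry], p: Packet) -> str:
    """First matching entry decides; no match means the implicit deny."""
    for e in acl:
        if matches(e, p):
            return e.action
    return "deny"

# The author's list as posted (no "established" line, no source-port-53 line).
ACL_AUTHOR = parse_acl("""
access-list 100 permit udp any host 192.168.0.10 eq 53
access-list 100 permit tcp any host 192.168.0.10 eq 80
access-list 100 deny ip any host 192.168.0.10
access-list 100 permit ip any any
""")
# lrmoore's accepted list, then svindler's tightening of its DNS-reply line.
# 198.51.100.53 is a stand-in for the ISP resolver, not an address from the thread.
ACCEPTED_TEXT = """
access-list 100 permit tcp any host 192.168.0.10 established  <== replies to the server's own connections
access-list 100 permit udp any eq 53 host 192.168.0.10         <== DNS answers coming back
access-list 100 permit udp any host 192.168.0.10 eq 53         <== queries to the server's DNS
access-list 100 permit tcp any host 192.168.0.10 eq 80
access-list 100 deny ip any host 192.168.0.10
access-list 100 permit ip any any
"""
ACL_ACCEPTED = parse_acl(ACCEPTED_TEXT)
ACL_TIGHTENED = parse_acl(ACCEPTED_TEXT.replace(
    "permit udp any eq 53 host", "permit udp host 198.51.100.53 eq 53 host"))

# Constructed packets as seen *inbound* on dialer1, the only direction the ACL is
# applied in; the server's own outbound packets are never evaluated by it.
WEB_REPLY = Packet("tcp", "198.51.100.80", "192.168.0.10", 80, 51000, ack_or_rst=True)
DNS_REPLY = Packet("udp", "198.51.100.53", "192.168.0.10", 53, 40000)
SPOOFED_PROBE = Packet("udp", "203.0.113.9", "192.168.0.10", 53, 161)  # forged sport 53
```

Calling evaluate() with the three lists reproduces the thread: the author's list denies both the web reply and the DNS answer (which is why the server could receive mail but neither browse nor resolve), the accepted list permits both, and the spoofed probe shows svindler's point: with `permit udp any eq 53 host 192.168.0.10` any UDP datagram whose source port is forged to 53 reaches every UDP service on the server, whereas limiting the source to the resolver denies it. The same stateless weakness applies to "established": it only tests the ACK/RST bits, so a forged packet with ACK set to any port on the server is also permitted by the first line. That is the limit of a plain ACL compared with stateful inspection, which this model does not attempt.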
 
LVL 2

Author Comment

by:markgrinceri
ID: 12148685
What does UDP port 113 do?
LVL 79

Expert Comment

by:lrmoore
ID: 12150336
