Solved

Cisco router access list help

Posted on 2006-06-28
Last Modified: 2010-03-19
I have a Cisco router with 2 LAN interfaces and 1 ADSL interface.  I need the LAN interfaces to see all traffic between them, but the ADSL interface is only to allow web traffic out for the 2nd LAN port. Current config as below; any access list syntax would be much appreciated....

version 12.4
service timestamps debug datetime localtime
service timestamps log datetime localtime
service password-encryption
!
hostname ROUTER1
!
boot-start-marker
boot-end-marker
!
logging buffered 4096 errors
no logging console
!
no aaa new-model
!
resource policy
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
ip cef
!
!
no ip dhcp use vrf connected
!
!
no ip ips deny-action ips-interface
ip name-server 62.241.162.200
ip name-server 62.241.163.200
!
!
!
interface FastEthernet0/0
 description Private Lan 1
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet0/1
 description Private LAN 2
 ip address 172.16.8.1 255.255.248.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface ATM0/0/0
 description ADSL interface
 bandwidth 576
 no ip address
 no atm ilmi-keepalive
 dsl operating-mode auto
 pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !        
!
interface Dialer0
 description ADSL link
 bandwidth 576
 ip address 11.11.11.11 255.255.255.248
 ip access-group 101 out
 no ip unreachables
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap callin
 ppp chap hostname xxx
 ppp chap password yyy
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
!
no ip http server
no ip http secure-server
ip nat pool overld 22.22.22.22 22.22.22.22 prefix-length 29
ip nat inside source list 10 pool overld overload
!
access-list 10 permit 172.16.8.0 0.0.7.255
access-list 10 permit 192.168.1.0 0.255.255.255
access-list 101 permit tcp any any eq www
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
 access-class 10 in
 exec-timeout 0 0
 login local
!
end
Question by:micross

20 Comments
LVL 4

Expert Comment

by:Phreonx
ID: 17000473
Hello,
try the following:

conf t
  no access-list 101 permit tcp any any eq www
int Dialer0
  no ip access-group 101 out
  exit [Back to Global Configuration]
  access-list 101 permit tcp 172.16.8.1 0.0.7.255 any eq 80
int Dialer0
  ip access-group 101 out

What the above snippet does is to allow Web traffic [port 80] originating from 172.16.8.1 with subnet mask 255.255.248.0 to any destination. There's an implicit Deny Any at the end of every ACL so you don't have to worry about that.

Hope that helped ;)

Author Comment

by:micross
ID: 17000520
Phreonx,

I am using the host 172.16.8.100 as my test unit.  With my original config, I could get web access out (but not restricted to the 172.16.8.0 network).  I have made the changes that you suggested and now cannot access the web from that PC at all.

LVL 4

Expert Comment

by:Phreonx
ID: 17000570
Hello again,
please try this fix:

conf t
  no access-list 101 permit tcp any any eq www
int Dialer0
  no ip access-group 101 out
  exit [Back to Global Configuration]
  access-list 101 permit tcp 172.16.8.0 0.0.7.255 any eq 80
int Dialer0
  ip access-group 101 out

notice the change in access-list 101 permit tcp 172.16.8.0 0.0.7.255 any eq 80. From access-list 101 permit tcp 172.16.8.1 0.0.7.255 any eq 80 to access-list 101 permit tcp 172.16.8.0 0.0.7.255 any eq 80.

Author Comment

by:micross
ID: 17000659
Sorry, I should have picked that up myself earlier (duh!).  I have made the change again, as per your last comment and get the same results.  Access lists now look like this :

ROUTER1#sh access-list
Standard IP access list 10
    10 permit 172.16.8.0, wildcard bits 0.0.7.255 (35 matches)
    20 permit 192.168.1.0, wildcard bits 0.255.255.255 (12 matches)
Extended IP access list 101
    10 permit tcp 172.16.8.0 0.0.7.255 any eq www
LVL 4

Expert Comment

by:Phreonx
ID: 17000669
Glad it works ;)

Author Comment

by:micross
ID: 17000689
When I say that I get the same results, I mean that I still have no web access from my test unit.  The above access-lists do not seem to allow www traffic from the 172.16.8.0/21 network.
LVL 4

Expert Comment

by:Phreonx
ID: 17000858
If you can bear with me, I will get back to you later today with an answer. I have to be somewhere in 30 minutes. I'll have to read your configuration more carefully. Sorry for the inconvenience.

Author Comment

by:micross
ID: 17001149
not a problem
LVL 32

Accepted Solution

by:
rsivanandan earned 300 total points
ID: 17002809
If I understand correctly;

1. You need 172.16.x.x to be able to browse Internet.
2. You need 172.16.x.x and 192.168.1.x to be able to see each other.
3. Block 192.168.1.x from reaching Internet.

If this is the case, you don't need any access-lists at all; just follow this;

1. On the 192.168.1.x interface => Fa0/0

no ip nat inside

2. Remove this entry from the access-list 10

no access-list 10 permit 192.168.1.0 0.255.255.255

Which can be done like this;

no access-list 10
access-list 10 permit 172.16.8.0 0.0.7.255

This should work as you want.

Try out and let me know.

Cheers,
Rajesh
LVL 4

Assisted Solution

by:Phreonx
Phreonx earned 200 total points
ID: 17004787
Micross,
I should have read your configuration more carefully when I had the chance, but at that time unfortunately I was in a great hurry.
Rajesh is absolutely right. Removing access-list 10 completely should take care of your problem. A little background as to why this is the case. Cisco IOS first checks access lists bound to the "in" side of interfaces. Then it does the NAT translation, and then it considers access lists bound to the "out" side of interfaces, which, in my humble opinion, is not the way it should be done. What your configuration did before I messed it up was to create 2 access lists that permitted host IPs from 2 subnets to be translated to a public IP:

access-list 10 permit 172.16.8.0 0.0.7.255
access-list 10 permit 192.168.1.0 0.255.255.255

when all you needed was to allow only 192.168.1.0/24 to be translated. Binding an access-list to the "out" of your Dialer0 interface like I suggested:

access-list 101 permit tcp 172.16.8.0 0.0.7.255 any eq 80

will do you no good, as a private IP, e.g. 172.16.8.100, will first get translated to a public IP [NAT rules] and then it will be checked against the ACL applied on the "out" side of Dialer0. This, in conjunction with the implicit Deny ANY at the end of all ACLs, resulted in all your traffic being blocked.

Solution:
Do what Rajesh suggested and recreate your original ACL:

access-list 101 permit tcp any any eq www

This is probably the quickest way to get your problem sorted.

Hope our suggestions helped ;)

Author Comment

by:micross
ID: 17008057
Thanks guys,

I have it working for all users on the 172.16.8.x/21 network now and all is well.  As a final question, how do I restrict access to only host 172.16.8.100/21 ?
LVL 4

Expert Comment

by:Phreonx
ID: 17008114
Hello again micross,

conf t
  no access-list 101 permit tcp any any eq www
int Dialer0
  no ip access-group 101 out
  exit [Back to Global Configuration]
  access-list 101 permit tcp host 172.16.8.100 any eq www
int Dialer0
  ip access-group 101 out

The implicit Deny Any at the end should take care of the rest of your /21 subnet.

Hope that helped [for a change...] ;)

Author Comment

by:micross
ID: 17008194
Hi phreonx,

I tried the above myself earlier this morning, and it didn't work !  It seems that if I use the following:

access-list 101 permit tcp any any eq www

then all hosts on the network can browse the web.

If I use anything else then it bars web access from 172.16.8.100.

I am stumped !
LVL 4

Expert Comment

by:Phreonx
ID: 17008294
Let me remind you what I posted earlier:

access-list 101 permit tcp any any eq www IS NOT responsible for letting all your hosts from 172.16.8.0/21 network pass through to the Internet. As I told you, NAT translation takes place first and then the ACL that is bound on the "out" side of your Dialer0 is taken into consideration by the IOS. Therefore, access-list 10 permit 172.16.8.0 0.0.7.255 [as you already have] suffices to enable Web connectivity for the hosts at 172.16.8.0/21 network. That's why we suggested you remove the access-list 10 permit 192.168.1.0 0.255.255.255 from your NAT, so that it won't get translated. Now, in order to enable only a single IP from 172.16.8.0/21 to have Internet connectivity try the following:

conf t
  access-list 1 permit 172.16.8.100 0.0.0.0
interface FastEthernet0/1
  ip access-group 1 in
  exit


Author Comment

by:micross
ID: 17008356
OK - I understand what you are saying here.  If I create the new ACL and apply it to FA0/1, then I bar all traffic between 172.16.8.0 and 192.168.1.0.

I need to have a full connectivity between 192.168.1.0 and 172.16.8.0, while also allowing only 172.16.8.100 to have Internet connectivity.

Thanks
LVL 4

Expert Comment

by:Phreonx
ID: 17008463
Could you please post your running-configuration?

Author Comment

by:micross
ID: 17008493
version 12.4
service timestamps debug datetime localtime
service timestamps log datetime localtime
service password-encryption
!
hostname ROUTER1
!
boot-start-marker
boot-end-marker
!
logging buffered 4096 errors
no logging console
enable secret
!
no aaa new-model
!
resource policy
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
ip cef
!
!
no ip dhcp use vrf connected
!
!
no ip ips deny-action ips-interface
ip name-server 62.241.162.200
ip name-server 62.241.163.200
!
!
!
interface FastEthernet0/0
 description Private Lan
 ip address 192.168.1.1 255.255.255.0
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 172.16.8.1 255.255.248.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface ATM0/0/0
 description ADSL interface
 bandwidth 576
 no ip address
 no atm ilmi-keepalive
 dsl operating-mode auto
 pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
!        
interface Dialer0
 description ADSL link
 bandwidth 576
 ip address 11.11.11.11 255.255.255.248
 ip access-group 101 out
 no ip unreachables
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap callin
 ppp chap hostname xxx
 ppp chap password yyy
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
!
no ip http server
no ip http secure-server
ip nat pool overld 22.22.22.22 22.22.22.22 prefix-length 29
ip nat inside source list 10 pool overld overload
!
access-list 10 permit 172.16.8.0 0.0.7.255
access-list 20 permit 192.168.1.0
access-list 20 permit 172.16.8.0 0.0.7.255
access-list 101 permit tcp any any eq www
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
 access-class 20 in
 exec-timeout 0 0
 login local
!
end
LVL 32

Expert Comment

by:rsivanandan
ID: 17008599
Do this;

no access-list 101

access-list 101 permit ip host 172.16.8.100 any

int Dialer0
ip access-group 101 out

This will make sure only that particular host has internet access.

By the way, what is access-list '20' doing there ?

Cheers,
Rajesh

Author Comment

by:micross
ID: 17009071
Rajesh,

Thanks for the reply - before I do this, won't this ACL give all access to the host?  I just want it to have www access.

FYI - access-list 20 appears to give telnet access to both LAN ports - I thought that I needed this to have some control?

LVL 32

Expert Comment

by:rsivanandan
ID: 17009932
No, you don't need to have that access-list if you have enabled routing on that box. A simple way to find out is to do 'show ip route' and you'll be able to see the routes. In this case you don't even need to do that, since the internet is working now and was working before as well.

About the acl;

It is always good to start with the basic access-list and then tighten it as per your requirement. I have always found it efficient. If you had just done it like below:

access-list 101 permit ip host 172.16.8.100 any eq www

It wouldn't work :-) Why? Because before web browsing can occur, you need to first let the DNS resolution happen, right? But the above access-list will block it and allow only www.

Another instance is HTTPS: if you say www, all the HTTPS connections will be blocked.

So you have to be careful about everything you want when you say 'Web'.

Anyways if you want it to be specific, just do it this way;

! port qualifiers need tcp or udp, not ip; DNS is UDP 53 (IOS keyword "domain")
access-list 101 permit udp host 172.16.8.100 any eq domain
access-list 101 permit tcp host 172.16.8.100 any eq www
access-list 101 permit tcp host 172.16.8.100 any eq 443

and you should be good. But keep testing and see if you need to allow any more...

Hope I helped.

Cheers,
Rajesh
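The order-of-operations point Phreonx makes above (inbound ACL, then NAT, then the outbound ACL) and the DNS/HTTPS point in the last comment can be checked without a router. The Python below is an added example, not configuration or code from this thread or from Cisco: it parses a small subset of numbered IOS ACL syntax (permit/deny; ip, tcp or udp; any, host, or address plus wildcard; `eq` with a port number or the names www/domain) and walks constructed packets through the inside-to-outside sequence IOS documents: inbound ACL, routing, NAT, outbound ACL. The addresses, interface roles, the 22.22.22.22 pool, list 10 and the three list-101 variants are taken from the thread; the packets, the 192.0.2.9 and 198.51.100.10 addresses (documentation ranges) and access-list 102 are constructed here for the demonstration.

```python
# Added example (not from the thread): toy model of IOS inbound ACL -> route -> NAT -> out ACL ordering.
import ipaddress
from collections import namedtuple

PORT_NAMES = {"www": 80, "domain": 53}          # the named ports the thread uses
Entry = namedtuple("Entry", "action proto src src_wc dst dst_wc dport")
Packet = namedtuple("Packet", "src dst proto dport", defaults=("tcp", 80))
ANY = ("0.0.0.0", "255.255.255.255")

def wildcard_match(addr, network, wildcard):
    """IOS wildcard semantics: a 1 bit in the wildcard means 'do not care'."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return int(ipaddress.IPv4Address(addr)) & care == int(ipaddress.IPv4Address(network)) & care

def _addr(t, i):
    """Parse any | host A | A [wildcard]; IOS defaults a missing wildcard to 0.0.0.0."""
    if t[i] == "any":
        return ANY + (i + 1,)
    if t[i] == "host":
        return t[i + 1], "0.0.0.0", i + 2
    if i + 1 < len(t) and t[i + 1][0].isdigit():    # an explicit wildcard follows
        return t[i], t[i + 1], i + 2
    return t[i], "0.0.0.0", i + 1

def parse_acl(lines):
    """Parse 'access-list N permit|deny ...' lines of one numbered list (no source ports)."""
    entries = []
    for line in lines:
        t = line.split()
        if len(t) < 4 or t[0] != "access-list":
            continue                                 # '!' comments and blank lines
        if int(t[1]) < 100:                          # standard ACL: source only
            src, wc, _ = _addr(t, 3)
            entries.append(Entry(t[2], "ip", src, wc, *ANY, None))
            continue
        src, swc, i = _addr(t, 4)
        dst, dwc, i = _addr(t, i)
        dport = None
        if i < len(t) and t[i] == "eq":
            dport = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
        entries.append(Entry(t[2], t[3], src, swc, dst, dwc, dport))
    return entries

def acl_permits(entries, pkt):
    """First match wins; no match is the implicit deny at the end of every IOS ACL."""
    for e in entries:
        if (e.proto in ("ip", pkt.proto) and wildcard_match(pkt.src, e.src, e.src_wc)
                and wildcard_match(pkt.dst, e.dst, e.dst_wc)
                and (e.dport is None or e.dport == pkt.dport)):
            return e.action == "permit"
    return False

def forward(pkt, in_acl, nat_acl, out_acl, global_ip="22.22.22.22"):
    """Inbound ACL -> route (192.168.1.0/24 via Fa0/0, rest via Dialer0) -> NAT ->
    Dialer0 outbound ACL. None means no ACL is applied at that point."""
    if in_acl is not None and not acl_permits(in_acl, pkt):
        return "deny:inbound-acl"
    if wildcard_match(pkt.dst, "192.168.1.0", "0.0.0.255"):
        return "permit"                              # LAN to LAN never touches NAT
    translated = acl_permits(nat_acl, pkt)           # NAT runs before the out ACL
    if translated:
        pkt = pkt._replace(src=global_ip)
    if out_acl is not None and not acl_permits(out_acl, pkt):
        return "deny:outbound-acl"
    return "permit" if translated else "permit:untranslated"   # RFC 1918 source leaves as-is

NAT_LIST_10 = parse_acl(["access-list 10 permit 172.16.8.0 0.0.7.255"])
WEB = Packet("172.16.8.100", "198.51.100.10")       # constructed: .100 to a web server

# Constructed: inbound ACL on Fa0/1, checked before NAT; keeps LAN-to-LAN open, limits .100 to DNS/HTTP/HTTPS
FA01_IN_102 = parse_acl([
    "access-list 102 permit ip 172.16.8.0 0.0.7.255 192.168.1.0 0.0.0.255",
    "access-list 102 permit udp host 172.16.8.100 any eq domain",
    "access-list 102 permit tcp host 172.16.8.100 any eq www",
    "access-list 102 permit tcp host 172.16.8.100 any eq 443",
])

def scenarios():
    """Results keyed by what is being tested, for the ACL variants tried in the thread."""
    wide = parse_acl(["access-list 10 permit 192.168.1.0 0.255.255.255"])   # first config
    bare = parse_acl(["access-list 20 permit 192.168.1.0"])                 # second config
    by_subnet = parse_acl(["access-list 101 permit tcp 172.16.8.0 0.0.7.255 any eq www"])
    by_host = parse_acl(["access-list 101 permit ip host 172.16.8.100 any"])
    by_any = parse_acl(["access-list 101 permit tcp any any eq www"])
    lan = Packet("172.16.8.20", "192.168.1.5", "tcp", 445)
    return {
        "0.255.255.255 wildcard matches 192.0.2.9": acl_permits(wide, Packet("192.0.2.9", WEB.dst)),
        "bare 192.168.1.0 matches 192.168.1.50": acl_permits(bare, Packet("192.168.1.50", WEB.dst)),
        "Dialer0 out ACL by subnet": forward(WEB, None, NAT_LIST_10, by_subnet),
        "Dialer0 out ACL by host": forward(WEB, None, NAT_LIST_10, by_host),
        "Dialer0 out ACL any source": forward(WEB, None, NAT_LIST_10, by_any),
        "192.168.1.x left out of list 10": forward(Packet("192.168.1.20", WEB.dst), None, NAT_LIST_10, None),
        "ACL 102 in: LAN to LAN": forward(lan, FA01_IN_102, NAT_LIST_10, None),
        "ACL 102 in: .100 DNS": forward(Packet(WEB.src, "62.241.162.200", "udp", 53), FA01_IN_102, NAT_LIST_10, None),
        "ACL 102 in: .20 HTTP": forward(lan._replace(dst=WEB.dst, dport=80), FA01_IN_102, NAT_LIST_10, None),
    }

if __name__ == "__main__":
    print(*scenarios().items(), sep="\n")
```

Running it shows the two things the thread circled around. Any list-101 entry written against a 172.16.x source, whether the /21 or `host 172.16.8.100`, is denied on Dialer0 out because the source is already 22.22.22.22 by the time the outbound ACL runs, while `permit tcp any any eq www` passes; so a per-host restriction has to sit where the private address is still visible, either in the NAT source list (only hosts matched by list 10 are translated, which is what removing 192.168.1.0 from it relies on) or in an inbound ACL on Fa0/1 that first permits traffic to 192.168.1.0/24 so the two LANs keep talking, then permits UDP 53 alongside TCP 80 and 443 for the one host. The two wildcard cases are worth a look as well: `192.168.1.0 0.255.255.255` matches every 192.x.x.x address and a bare `192.168.1.0` with no wildcard matches only that single address, which matters because both lists were used as the `access-class` on the vty lines.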