micross asked:
Cisco router access list help

I have a Cisco router with 2 LAN and 1 ADSL interface.  I need the LAN interfaces to see all traffic between them, but the ADSL interface is only to allow web traffic out for the 2nd LAN port. Current config is below; any access-list syntax would be much appreciated.

version 12.4
service timestamps debug datetime localtime
service timestamps log datetime localtime
service password-encryption
!
hostname ROUTER1
!
boot-start-marker
boot-end-marker
!
logging buffered 4096 errors
no logging console
!
no aaa new-model
!
resource policy
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
ip cef
!
!
no ip dhcp use vrf connected
!
!
no ip ips deny-action ips-interface
ip name-server 62.241.162.200
ip name-server 62.241.163.200
!
!
!
interface FastEthernet0/0
 description Private Lan 1
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet0/1
 description Private LAN 2
 ip address 172.16.8.1 255.255.248.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface ATM0/0/0
 description ADSL interface
 bandwidth 576
 no ip address
 no atm ilmi-keepalive
 dsl operating-mode auto
 pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !        
!
interface Dialer0
 description ADSL link
 bandwidth 576
 ip address 11.11.11.11 255.255.255.248
 ip access-group 101 out
 no ip unreachables
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap callin
 ppp chap hostname xxx
 ppp chap password yyy
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
!
no ip http server
no ip http secure-server
ip nat pool overld 22.22.22.22 22.22.22.22 prefix-length 29
ip nat inside source list 10 pool overld overload
!
access-list 10 permit 172.16.8.0 0.0.7.255
access-list 10 permit 192.168.1.0 0.255.255.255
access-list 101 permit tcp any any eq www
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
 access-class 10 in
 exec-timeout 0 0
 login local
!
end
Phreonx:

Hello,
try the following:

conf t
  no access-list 101 permit tcp any any eq www
int Dialer0
  no ip access-group 101 out
  exit [Back to Global Configuration]
  access-list 101 permit tcp 172.16.8.1 0.0.7.255 any eq 80
int Dialer0
  ip access-group 101 out

What the above snippet does is to allow Web traffic [port 80] originating from 172.16.8.1 with subnet mask 255.255.248.0 to any destination. There's an implicit Deny Any at the end of every ACL so you don't have to worry about that.

Hope that helped ;)
micross (ASKER):
Phreonx,

I am using the host 172.16.8.100 as my test unit.  With my original config, I could get web access out (but not restricted to the 172.16.8.0 network).  I have made the changes that you suggested and now cannot access the web from that PC at all.

Phreonx:

Hello again,
please try this fix:

conf t
  no access-list 101 permit tcp any any eq www
int Dialer0
  no ip access-group 101 out
  exit [Back to Global Configuration]
  access-list 101 permit tcp 172.16.8.0 0.0.7.255 any eq 80
int Dialer0
  ip access-group 101 out

notice the change in access-list 101 permit tcp 172.16.8.0 0.0.7.255 any eq 80. From access-list 101 permit tcp 172.16.8.1 0.0.7.255 any eq 80 to access-list 101 permit tcp 172.16.8.0 0.0.7.255 any eq 80.
micross (ASKER):
Sorry, I should have picked that up myself earlier (duh!).  I have made the change again, as per your last comment and get the same results.  Access lists now look like this :

ROUTER1#sh access-list
Standard IP access list 10
    10 permit 172.16.8.0, wildcard bits 0.0.7.255 (35 matches)
    20 permit 192.168.1.0, wildcard bits 0.255.255.255 (12 matches)
Extended IP access list 101
    10 permit tcp 172.16.8.0 0.0.7.255 any eq www
Phreonx:

Glad it works ;)
micross (ASKER):
When I say that I get the same results, I mean that I still have no web access from my test unit.  The above access-lists do not seem to allow www traffic from the 172.16.8.0/21 network.

Phreonx:

If you can bear with me, I will get back to you later today with an answer. I've got to be somewhere in 30 minutes. I'll have to read your configuration more carefully. Sorry for the inconvenience.
micross (ASKER):
not a problem
ASKER CERTIFIED SOLUTION
rsivanandan

SOLUTION
micross (ASKER):
Thanks guys,

I have it working for all users on the 172.16.8.x/21 network now and all is well.  As a final question, how do I restrict access to only host 172.16.8.100/21 ?
Phreonx:

Hello again micross,

conf t
  no access-list 101 permit tcp any any eq www
int Dialer0
  no ip access-group 101 out
  exit [Back to Global Configuration]
  access-list 101 permit tcp host 172.16.8.100 any eq www
int Dialer0
  ip access-group 101 out

The implicit Deny Any at the end should take care of the rest of your /21 subnet.

Hope that helped [for a change...] ;)
micross (ASKER):
Hi phreonx,

I tried the above myself earlier this morning, and it didn't work!  It seems that if I use the following:

access-list 101 permit tcp any any eq www

then all hosts on the network can browse the web.

If I use anything else then it bars web access from 172.16.8.100.

I am stumped!

Phreonx:

Let me remind you what I posted earlier:

access-list 101 permit tcp any any eq www IS NOT responsible for letting all your hosts from 172.16.8.0/21 network pass through to the Internet. As I told you, NAT translation takes place first and then the ACL that is bound on the "out" side of your Dialer0 is taken into consideration by the IOS. Therefore, access-list 10 permit 172.16.8.0 0.0.7.255 [as you already have] suffices to enable Web connectivity for the hosts at 172.16.8.0/21 network. That's why we suggested you remove the access-list 10 permit 192.168.1.0 0.255.255.255 from your NAT, so that it won't get translated. Now, in order to enable only a single IP from 172.16.8.0/21 to have Internet connectivity try the following:

conf t
  access-list 1 permit 172.16.8.100 0.0.0.0
interface FastEthernet0/1
  ip access-group 1 in
  exit

micross (ASKER):
OK - I understand what you are saying here.  If I create the new ACL and apply it to FA0/1, then I bar all traffic between 172.16.8.0 to 192.168.1.0.

I need to have a full connectivity between 192.168.1.0 and 172.16.8.0, while also allowing only 172.16.8.100 to have Internet connectivity.

Thanks
Phreonx:

Could you please post your running-configuration?
micross (ASKER):
version 12.4
service timestamps debug datetime localtime
service timestamps log datetime localtime
service password-encryption
!
hostname ROUTER1
!
boot-start-marker
boot-end-marker
!
logging buffered 4096 errors
no logging console
enable secret
!
no aaa new-model
!
resource policy
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
ip cef
!
!
no ip dhcp use vrf connected
!
!
no ip ips deny-action ips-interface
ip name-server 62.241.162.200
ip name-server 62.241.163.200
!
!
!
interface FastEthernet0/0
 description Private Lan
 ip address 192.168.1.1 255.255.255.0
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 172.16.8.1 255.255.248.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface ATM0/0/0
 description ADSL interface
 bandwidth 576
 no ip address
 no atm ilmi-keepalive
 dsl operating-mode auto
 pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
!        
interface Dialer0
 description ADSL link
 bandwidth 576
 ip address 11.11.11.11 255.255.255.248
 ip access-group 101 out
 no ip unreachables
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap callin
 ppp chap hostname xxx
 ppp chap password yyy
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
!
no ip http server
no ip http secure-server
ip nat pool overld 22.22.22.222 22.22.22.22 prefix-length 29
ip nat inside source list 10 pool overld overload
!
access-list 10 permit 172.16.8.0 0.0.7.255
access-list 20 permit 192.168.1.0
access-list 20 permit 172.16.8.0 0.0.7.255
access-list 101 permit tcp any any eq www
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
 access-class 20 in
 exec-timeout 0 0
 login local
!
end
rsivanandan:

Do this:

no access-list 101

access-list 101 permit ip host 172.16.8.100 any

int Dialer0
ip access-group 101 out

This will make sure only that particular host has internet access.

By the way, what is access-list '20' doing there?

Cheers,
Rajesh
micross (ASKER):
Rajesh,

Thanks for the reply - before I do this, won't this ACL give all access to the host?  I just want it to have www access.

FYI - access-list 20 appears to give telnet access to both LAN ports - I thought that I needed this to have some control?

rsivanandan:

No, you don't need that access-list if you have enabled routing on that box. A simple way to find out is to do 'show ip route' and you'll be able to see the routes. In this case you don't even need to do that, since the internet is working now and was working before as well.

About the ACL:

It is always good to start with the basic access-list and then tighten it as per your requirement. I have always found it efficient. If you had just done it like below:

access-list 101 permit tcp host 172.16.8.100 any eq www

It wouldn't work :-) Why? Because before web browsing can occur, you first need to let DNS resolution happen, right? But the above access-list will block it and allow only www.

Another instance: how about https? If you say www, all the https connections will be blocked.

So you have to be careful about what you actually want when we say 'Web'.

Anyway, if you want it to be specific, just do it this way:

access-list 101 permit udp host 172.16.8.100 any eq domain
access-list 101 permit tcp host 172.16.8.100 any eq www
access-list 101 permit tcp host 172.16.8.100 any eq 443

and you should be good. But keep testing and see if you need to allow any more...

Hope I helped.

Cheers,
Rajesh
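An added example (not from this thread, and not IOS code) to check the two points argued above, Phreonx's NAT-before-outbound-ACL explanation and Rajesh's www-only warning, with a toy evaluator for Cisco-style extended ACL entries. It assumes the pool address 22.22.22.22 from the posted config, a constructed destination 203.0.113.10, and udp/53 and tcp/443 as the DNS and HTTPS ports Rajesh refers to.

```python
# Toy evaluator for Cisco-style extended ACL entries (added example, not IOS code).
import ipaddress

ANY = ("0.0.0.0", "255.255.255.255")   # "any": base 0.0.0.0, wildcard all ones
NAT_POOL = "22.22.22.22"               # NAT pool "overld" from the posted config


def host(addr):
    """Cisco 'host X' is shorthand for base X with wildcard 0.0.0.0."""
    return (addr, "0.0.0.0")


def wildcard_match(addr, base, wildcard):
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    a = int(ipaddress.IPv4Address(addr)) & care
    b = int(ipaddress.IPv4Address(base)) & care
    return a == b


def acl_permits(entries, proto, src, dst, dport):
    """First matching entry wins; no match falls through to the implicit deny."""
    for action, e_proto, (s_base, s_wc), (d_base, d_wc), port in entries:
        if e_proto not in ("ip", proto):
            continue
        if not (wildcard_match(src, s_base, s_wc) and wildcard_match(dst, d_base, d_wc)):
            continue
        if port is not None and port != dport:
            continue
        return action == "permit"
    return False


def dialer0_out_permits(entries, proto, inside_src, dst, dport):
    """Outbound on Dialer0 runs after NAT (as Phreonx says above), so the ACL sees
    the pool address, never inside_src."""
    return acl_permits(entries, proto, NAT_POOL, dst, dport)


# Phreonx's two versions of ACL 101: changing the base address is a no-op under this wildcard.
ACL_BASE1 = [("permit", "tcp", ("172.16.8.1", "0.0.7.255"), ANY, 80)]
ACL_BASE0 = [("permit", "tcp", ("172.16.8.0", "0.0.7.255"), ANY, 80)]
ACL_ANY_WWW = [("permit", "tcp", ANY, ANY, 80)]
# Rajesh's point: a www-only entry leaves DNS and HTTPS denied (ports assumed: udp/53, tcp/443).
ACL_WWW_ONLY = [("permit", "tcp", host("172.16.8.100"), ANY, 80)]
ACL_WEB_FULL = ACL_WWW_ONLY + [("permit", "udp", host("172.16.8.100"), ANY, 53),
                               ("permit", "tcp", host("172.16.8.100"), ANY, 443)]
```

Evaluating ACL_BASE0 with dialer0_out_permits returns False for every inside host, which is the "no web access" result the asker saw, while ACL_ANY_WWW returns True for all of them.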