Solved

Access list Cisco Router 2811

Posted on 2006-10-26
554 Views
Last Modified: 2013-11-29
Hi all
I am trying to establish a VPN connection.  I have mapped an internal IP address to an external IP address already on my router like this:
ip nat inside source static 10.10.11.1 64.XXX.XX.124
Please help me with the access-list commands to enable GRE and port 1723 on this external address:

The version of IOS is:
 Version 12.3(14)T7, RELEASE SOFTWARE (fc2)

To make things easier, here is my access-list example.  There is no explicit deny statement at the end; also, each line has a number, what is it, by the way?  Will it work if I simply put in the new lines?  What's the best way to edit it to allow port 1723 and GRE to one of my external IPs:

Name_2811#show access-list 101
Extended IP access list 101
    10 deny ip 10.0.0.0 0.255.255.255 any (946 matches)
    20 permit icmp any any echo (163424 matches)
    30 permit icmp any any unreachable (44506 matches)
    40 permit icmp any any traceroute
    50 permit icmp any any echo-reply
    60 permit icmp any any ttl-exceeded (3309 matches)
    70 permit icmp any any time-exceeded
    80 permit icmp any any source-quench (15 matches)
    90 permit icmp any any packet-too-big
    100 permit ip any host 64.xxx.xx.xxx (68050984 matches)
    110 permit ip any host 64.xxx.xx.xxx (164980 matches)
    120 permit tcp any host 64.xxx.xx.xxx eq www (13860 matches)
    130 permit tcp any host 64.xxx.xx.xxx eq www (269199 matches)
    140 permit tcp any host 64.xxx.xx.xxx eq www (279144 matches)
    150 permit tcp any host 64.xxx.xx.xxx eq www (517 matches)
    160 permit tcp any host 64.xxx.xx.xxx eq www (330 matches)
    170 permit tcp any host 64.xxx.xx.xxx eq 82
    180 permit tcp any host 64.xxx.xx.xxx eq 5336
    190 permit tcp any host 64.xxx.xx.xxx eq 5336
    200 permit tcp any host 64.xxx.xx.xxx eq smtp (2917953 matches)
    210 permit tcp any host 64.xxx.xx.xxx eq smtp (384706 matches)
    220 permit tcp any host 64.xxx.xx.xxx eq pop3 (29127 matches)
    230 permit tcp any host 64.xxx.xx.xxx eq pop3 (3 matches)
    240 permit tcp any host 64.xxx.xx.xxx eq 443 (107 matches)
    250 permit esp any host 64.xxx.xx.xxx
    260 permit esp any host 64.xxx.xx.xxx
    270 permit ahp any host 64.xxx.xx.xxx
    280 permit ahp any host 64.xxx.xx.xxx
    290 permit udp any host 64.xxx.xx.xxx eq isakmp
    300 permit udp any host 64.xxx.xx.xxx eq isakmp (46 matches)
    310 permit gre any host 64.xxx.xx.xxx (127905 matches)
    320 permit tcp any host 64.xxx.xx.xxx eq 1723 (2952 matches)
    330 permit tcp any host 64.xxx.xx.xxx eq 8098
    340 permit tcp any host 64.xxx.xx.xxx eq 8099
    350 permit tcp any host 64.xxx.xx.xxx eq 8080 (130588 matches)
    360 permit tcp any host 64.xxx.xx.xxx eq 8383
    370 permit tcp any host 64.xxx.xx.xxx eq 8181
    380 permit tcp any host 64.xxx.xx.xxx eq 19815
    390 permit tcp any host 64.xxx.xx.xxx eq 8093
    400 permit tcp any host 64.xxx.xx.xxx eq ftp (69 matches)
    410 permit tcp host 64.xxx.xx.xxx any eq 123
    420 permit tcp host 64.xxx.xx.xxx any eq 123
    430 permit tcp host 64.xxx.xx.xxx host 64.xxx.xx.xxx eq telnet
    440 permit tcp host 64.xxx.xx.xxx host 64.xxx.xx.xxx eq telnet
    450 permit udp host 64.xxx.xx.xxx eq domain host 64.xxx.xx.xxx
    460 permit udp host 64.xxx.xx.xxx eq domain host 64.xxx.xx.xxx

Help plz
Question by: amanzoor
5 Comments
LVL 43

Expert Comment

by: JFrederick29
ID: 17815618
It looks like you already have it or is this another host?

310 permit gre any host 64.xxx.xx.xxx (127905 matches)
320 permit tcp any host 64.xxx.xx.xxx eq 1723 (2952 matches)

If you need to add additional lines for a new host:

access-list 101 permit gre any host 64.xxx.xx.124
access-list 101 permit tcp any host 64.xxx.xx.124 eq 1723

By the way, the numbers are the sequence number so you can insert lines.  Access-lists are searched top down so if you have a deny somewhere, you can insert a permit above it.  The new lines will be added to the bottom of the list by default with a sequence number of 470 and 480 (increments by 10).
LVL 4

Author Comment

by: amanzoor
ID: 17816287
Thanks JFrederick29
Yes, that's another host.
This is what I did:
Name_2811(config)#ip a
Name_2811(config)#ip access
Name_2811(config)#ip access-list ex
Name_2811(config)#ip access-list extended 101
Name_2811(config-ext-nacl)#470 permit gre any host 64.xxx.xx.xxx
Name_2811(config-ext-nacl)#480 permit tcp any host 62.xxx.xx.xxx eq 1723

When I check sh access-list 101 it shows me these lines added at the bottom.  I just want to confirm: is that all I have to do?  My access-list has no deny at the bottom; should I worry about it?
Also please tell me how to remove lines (one line at a time) from the access list.  Help plz
LVL 4

Author Comment

by: amanzoor
ID: 17816293
Correction, please read
Name_2811(config-ext-nacl)#480 permit tcp any host 62.xxx.xx.xxx eq 1723
as
Name_2811(config-ext-nacl)#480 permit tcp any host 64.xxx.xx.xxx eq 1723

LVL 43

Accepted Solution

by: JFrederick29 (earned 500 total points)
ID: 17816330
Yes, that's all you need to add.

>>My access-list has no deny at the bottom should I worry about it?
The access-list has an implicit "hidden" deny all at the end of the list by default so no, no need to worry about it.

>>Also please tell me how to remove lines (one line at a time) from the access list.

You can do the following:

Name_2811(config)#ip access-list extended 101
Name_2811(config-ext-nacl)#no <line number>

or

Name_2811(config)#ip access-list extended 101
Name_2811(config-ext-nacl)#no <entry>

For example:

Name_2811(config)#ip access-list extended 101
Name_2811(config-ext-nacl)#no 470    <---this will remove the line "470 permit gre any host 64.xxx.xx.xxx" from the access-list.

or

Name_2811(config)#ip access-list extended 101
Name_2811(config-ext-nacl)#no permit gre any host 64.xxx.xx.xxx    <---this does the same thing and removes line 470.
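
The following is an added example, not code from the thread and not Cisco's: a small Python simulator of the IOS extended-ACL behaviour the answers above describe, so the change can be dry-run before it is typed at the (config-ext-nacl)# prompt. It models sequence numbers (an unnumbered entry is appended at the last number plus 10, a lower number inserts above an existing deny, as JFrederick29's first comment notes), top-down first-match evaluation, the hidden deny-all at the end, and removal by "no <sequence number>" or "no <entry>" from the accepted solution. It also replays the author's first attempt, including the mistyped 62.x host, which shows why that typo matters: the real host simply falls through to the implicit deny with no error message. Assumptions: the masked 64.xxx.xx.xxx addresses are replaced by constructed 203.0.113.x stand-ins, 198.51.100.7, 10.99.0.5 and 192.0.2.124 are constructed test addresses, only the entry syntax seen in this thread is parsed (no "established", ranges or object groups), and a duplicate sequence number is rejected as IOS does.

```python
# Added example, not code from the thread or from Cisco: a simulator of IOS
# extended-ACL editing (sequence numbers, top-down first match, implicit deny,
# "no <seq>" and "no <entry>") for dry-running a change like the one above.
import ipaddress
import re

# Assumptions: constructed 203.0.113.x stand-ins for the masked 64.xxx.xx.xxx
# hosts; 198.51.100.7, 10.99.0.5 and 192.0.2.124 are constructed test addresses.
EXISTING_HOST = "203.0.113.10"
NEW_HOST = "203.0.113.124"       # stands in for 64.XXX.XX.124 from the question

# Subset of the thread's "show access-list 101" output as IOS prints it
# (one hit counter kept to show the parser tolerates them).
SHOW_ACL_101 = f"""
    10 deny ip 10.0.0.0 0.255.255.255 any (946 matches)
    20 permit icmp any any echo
    310 permit gre any host {EXISTING_HOST}
    460 permit udp host {EXISTING_HOST} eq domain host {NEW_HOST}
"""
PORT_NAMES = {"www": 80, "smtp": 25, "pop3": 110, "ftp": 21, "telnet": 23,
              "domain": 53, "isakmp": 500}
ACE_RE = re.compile(
    r"^\s*(?:(?P<seq>\d+)\s+)?(?P<action>permit|deny)\s+(?P<proto>\S+)\s+"
    r"(?P<src>any|host \S+|\S+ \S+)(?:\s+eq\s+(?P<sport>\S+))?\s+"
    r"(?P<dst>any|host \S+|\S+ \S+)"
    r"(?:\s+eq\s+(?P<dport>\S+)|\s+(?P<icmptype>[a-z][a-z-]*))?"
    r"(?:\s+\(\d+ matches\))?\s*$")

def to_port(value):
    """IOS port keyword (www, smtp, ...) or number -> int; None if absent."""
    return None if value is None else PORT_NAMES.get(value) or int(value)

def parse_ace(line):
    """Parse one entry, with or without a leading sequence number."""
    m = ACE_RE.match(line)
    if not m:
        raise ValueError(f"unsupported ACE syntax: {line!r}")
    seq = int(m["seq"]) if m["seq"] else None
    return seq, {"action": m["action"], "proto": m["proto"], "src": m["src"],
                 "sport": to_port(m["sport"]), "dst": m["dst"],
                 "dport": to_port(m["dport"]), "icmptype": m["icmptype"]}

def addr_match(spec, ip):
    """IOS address spec: 'any', 'host A.B.C.D', or 'network wildcard-mask'."""
    if spec == "any":
        return True
    addr = int(ipaddress.ip_address(ip))
    if spec.startswith("host "):
        return addr == int(ipaddress.ip_address(spec.split()[1]))
    net, wild = (int(ipaddress.ip_address(x)) for x in spec.split())
    mask = 0xFFFFFFFF ^ wild     # wildcard 1-bits are "don't care"
    return addr & mask == net & mask

class ExtendedAcl:
    def __init__(self, show_output=""):
        self.entries = dict(parse_ace(l) for l in show_output.splitlines() if l.strip())

    def configure(self, command):
        """One line typed at the (config-ext-nacl)# prompt."""
        words = command.split()
        if words[0] == "no":
            if words[1].isdigit():   # no <sequence number>
                del self.entries[int(words[1])]
            else:                    # no <entry>: drop the ACE with identical fields
                _, target = parse_ace(" ".join(words[1:]))
                self.entries = {s: a for s, a in self.entries.items() if a != target}
            return
        seq, ace = parse_ace(command)
        if seq is None:              # no number given: IOS appends at last + 10
            seq = max(self.entries) + 10 if self.entries else 10
        if seq in self.entries:      # IOS refuses a duplicate sequence number
            raise ValueError(f"sequence {seq} already in use")
        self.entries[seq] = ace

    def evaluate(self, proto, src, dst, dport=None, sport=None, icmptype=None):
        """Top-down first match. Returns (action, seq); seq None = implicit deny."""
        for seq in sorted(self.entries):
            ace = self.entries[seq]
            if ace["proto"] not in ("ip", proto) or not (
                    addr_match(ace["src"], src) and addr_match(ace["dst"], dst)):
                continue
            if any(ace[k] is not None and ace[k] != v for k, v in
                   (("sport", sport), ("dport", dport), ("icmptype", icmptype))):
                continue
            return ace["action"], seq
        return "deny", None          # the hidden deny-all at the end of every ACL

def walkthrough():
    """Replay the thread's change, including its 62.x typo, and record results."""
    acl, out, client = ExtendedAcl(SHOW_ACL_101), {}, "198.51.100.7"
    out["before"] = acl.evaluate("tcp", client, NEW_HOST, dport=1723)
    acl.configure(f"470 permit gre any host {NEW_HOST}")
    acl.configure("480 permit tcp any host 192.0.2.124 eq 1723")  # the mistyped host
    out["typo"] = acl.evaluate("tcp", client, NEW_HOST, dport=1723)  # still denied
    out["gre"] = acl.evaluate("gre", client, NEW_HOST)
    acl.configure("no 480")                                        # remove by number
    acl.configure(f"480 permit tcp any host {NEW_HOST} eq 1723")
    out["fixed"] = acl.evaluate("tcp", client, NEW_HOST, dport=1723)
    out["denied_by_10"] = acl.evaluate("tcp", "10.99.0.5", NEW_HOST, dport=1723)
    acl.configure(f"5 permit tcp host 10.99.0.5 host {NEW_HOST} eq 1723")  # above the deny
    out["inserted_above_deny"] = acl.evaluate("tcp", "10.99.0.5", NEW_HOST, dport=1723)
    acl.configure(f"no permit gre any host {NEW_HOST}")             # remove by entry
    out["after_no_entry"] = sorted(acl.entries)
    acl.configure(f"permit gre any host {NEW_HOST}")                # no number: appended
    out["appended_seq"] = max(acl.entries)
    return out
```

Calling walkthrough() returns the evaluation results at each step: PPTP to the new host is denied by the implicit deny before the change and still denied while the 480 line carries the wrong host, GRE is permitted by 470 as soon as it is added, the corrected 480 permits port 1723, a sequence number of 5 takes effect above the deny at 10, "no permit gre any host ..." removes 470 exactly as "no 470" would, and an unnumbered entry lands at 490. The same fail-closed behaviour that makes a missing explicit deny harmless also makes a mistyped permit silent, which is why the hit counters in "show access-list" are worth checking after the change.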
LVL 4

Author Comment

by: amanzoor
ID: 17816640
Thanks JFrederick29:
I really appreciate it.
AM