
Access lists on cisco soho 77

I am trying to apply access lists on my Cisco SOHO 77. I wanted to apply something simple like:

access-list 101 permit tcp 63.36.9.0 0.0.0.255 any eq 80

which I can do, but I cannot apply it to any interface.
I have tried:

access-group 101 out while logged in to the Dialer1 interface, but it doesn't work.

Is NAT the problem?

The current config is:

no logging console
!
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname xxxxxxxx
!
logging rate-limit console 10 except errors
enable secret password xxxxxxxx
!
clock timezone EST 10
ip subnet-zero
no ip finger
ip name-server xxx.xxx.xxx.xxx
ip name-server xxx.xxx.xxx.xxx
!
no ip dhcp-client network-discovery
ip dhcp pool mypool
network 192.168.24.0 /24
dns-server 203.50.2.71 139.130.4.4
default-router 192.168.24.10
lease 4

!
!
interface Ethernet0
ip address 192.168.24.10 255.255.255.0
ip nat inside
no shutdown
!
interface ATM0
no shutdown
no ip address
no ip directed-broadcast
no ip mroute-cache
no atm ilmi-keepalive
pvc 8/35
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
bundle-enable
dsl operating-mode auto
!
interface Dialer1
ip address negotiated
no ip directed-broadcast
ip nat outside
encapsulation ppp
dialer pool 1
ppp chap hostname xxx@xxx.xxx
ppp chap password xxxx
ppp pap sent-username xxx@xxx.xxx password xxx
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
no ip http server
!
!
ip nat inside source list 1 interface Dialer1 overload
access-list 1 permit 192.168.24.0 0.0.0.255
!
!
line con 0
exec-timeout 120 0
transport input none
stopbits 1
line vty 0 4
login
password xxxx
access-class 1 in
exec-timeout 0 0

length 0
!
scheduler max-task-time 5000
logging console
end
Asked: nealerocks
2 Solutions
 
Jan SpringerCommented:
Under the dialer interface, the command is:

  ip access-group 101 out
rsivanandanCommented:
>>63.36.9.0

The above IP address is incorrect, since you're using private IP addresses inside your network and the ISP is assigning one IP address to you dynamically (DHCP).

So, as I understand it, your intention is to allow *only* browsing from internal machines and nothing else.

For that you need to make an access-list like this:

access-list 101 permit tcp 192.168.24.0 0.0.0.255 any eq 80

int eth0
ip access-group 101 in

Now, with this alone nothing will work. If you look at the access-list carefully, it is only allowing HTTP traffic. In the first place, for HTTP traffic to work you need to allow DNS, and some sites are also based on SSL (HTTPS). So the complete config would be:

access-list 101 permit tcp 192.168.24.0 0.0.0.255 any eq 80
access-list 101 permit tcp 192.168.24.0 0.0.0.255 any eq 443
access-list 101 permit udp 192.168.24.0 0.0.0.255 any eq 53

int eth0
ip access-group 101 in

Cheers,
Rajesh
Jan SpringerCommented:
According to Cisco's order of operations, NAT occurs prior to ACL output processing.

If he's being translated to that IP or that network block, the outbound ACL that he has should work.
rsivanandanCommented:
Jesper,

  Sorry, but you're missing two things. It has nothing to do with ACL output processing.

1. He is on a dynamic IP; if he configures based on this IP, then if the IP changes in the next lease, the ACL won't work.

2. That ACL alone, without allowing DNS and HTTPS, won't work the way he wants.

Cheers,
Rajesh
rsivanandanCommented:
Also, there is an advantage to doing it on the internal interface: performance.

1. If an ACL is applied on the outside interface, the router will have to *NAT* the traffic no matter whether it is allowed or not.

2. If an ACL is applied on the internal interface, the router can discard the traffic even before doing *NAT*.

Cheers,
Rajesh
Jan SpringerCommented:
That's why I indicated "network block".

I don't disagree that catching it on the input works or is the way to go.

I'm just saying that on the outbound side it can work.  I'm just not second guessing his preference to put it on the inside vs the outside.
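As an added illustration (not code from any of the posters), here is a small Python model of the two points argued above: how a Cisco wildcard-mask ACL is evaluated (first match wins, implicit deny at the end, so the DNS line matters) and where it sits relative to NAT for inside-to-outside traffic (inbound ACL, then NAT, then outbound ACL), which is why an outbound ACL on Dialer1 sees the translated address. The outside address 203.0.113.5 and the packets are constructed values.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional
@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    src: str
    dst: str
    dport: int

@dataclass(frozen=True)
class AclEntry:
    action: str    # "permit" or "deny"
    proto: str
    src_net: str   # source network, e.g. 192.168.24.0
    src_wild: str  # Cisco wildcard mask: 0 bits must match, 1 bits are don't-care
    dport: Optional[int] = None  # None == any port; destination is always "any" here

def wildcard_match(addr: str, net: str, wild: str) -> bool:
    """Cisco wildcard semantics: compare only the bits where the wildcard is 0."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, net, wild))
    return (a & ~w & 0xFFFFFFFF) == (n & ~w & 0xFFFFFFFF)

def acl_permits(acl: List[AclEntry], pkt: Packet) -> bool:
    """First matching entry wins; an unmatched packet hits the implicit deny."""
    for e in acl:
        if e.proto != pkt.proto or not wildcard_match(pkt.src, e.src_net, e.src_wild):
            continue
        if e.dport is not None and e.dport != pkt.dport:
            continue
        return e.action == "permit"
    return False
# The three lines proposed in the thread (web, HTTPS and the DNS the browser needs)
ACL_101 = [AclEntry("permit", "tcp", "192.168.24.0", "0.0.0.255", 80),
           AclEntry("permit", "tcp", "192.168.24.0", "0.0.0.255", 443),
           AclEntry("permit", "udp", "192.168.24.0", "0.0.0.255", 53)]

def nat_overload(pkt: Packet, outside_ip: str) -> Packet:
    """Source translation as 'ip nat inside source list 1 interface Dialer1 overload' does."""
    return Packet(pkt.proto, outside_ip, pkt.dst, pkt.dport)

def inside_to_outside(pkt: Packet, acl_eth0_in=None, acl_dialer_out=None,
                      outside_ip: str = "203.0.113.5") -> str:
    """Cisco order for inside->outside: inbound ACL, then NAT, then outbound ACL."""
    if acl_eth0_in is not None and not acl_permits(acl_eth0_in, pkt):
        return "dropped at Ethernet0 in (before NAT)"
    pkt = nat_overload(pkt, outside_ip)   # the negotiated Dialer1 address (constructed value)
    if acl_dialer_out is not None and not acl_permits(acl_dialer_out, pkt):
        return "dropped at Dialer1 out (after NAT)"
    return "forwarded"
```

Applying ACL 101 on Dialer1 out drops even the permitted web traffic, because after NAT the source is the negotiated outside address and no longer 192.168.24.0/24; on Ethernet0 in it matches before translation.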
rsivanandanCommented:
Well, we can talk about this for hours, but I typed in what I deemed to be the efficient and most preferred way of blocking traffic, along with what else he needs to allow to make this work.

Cheers,
Rajesh
nealerocksAuthor Commented:
Thank you both for your advice.
The ACL I included was an example, and I should have mentioned that I have created an access list with the correct addresses, which is:

access-list 101 permit tcp 192.168.24.0 0.0.0.255 any eq 80
access-list 101 permit tcp 192.168.24.0 0.0.0.255 any eq 443

The problem is that I can't apply it to any interfaces. I have tried "access-group 101 in" while in configuration mode on the e0 and the Dialer1 interfaces, but it won't work.

Any further advice?
Jan SpringerCommented:
The command to apply an ACL to an interface is:

ip access-group 101 in
^^
rsivanandanCommented:
nealerocks,

  I would at least expect a split of points, since in my very first post I gave where to apply the access-list:

>>int eth0
ip access-group 101 in

Cheers,
Rajesh
nealerocksAuthor Commented:
I read all 5 responses at the same time and didn't actually notice that, sorry. How do you split points?
rsivanandanCommented:
Open up a question in community support area to unlock the question. They'd do it for you.

Cheers,
Rajesh
rsivanandanCommented:
nealerocks,

  You still haven't accepted the answer.

Cheers,
Rajesh
nealerocksAuthor Commented:
Didn't realise that was how it worked. Doing it now.