Solved

Cisco Access List

Posted on 2009-04-13
Last Modified: 2012-06-21

Each time I apply the access-list listed below to my router, I lose connectivity to the internet and I'm not able to ping my ISP. When the range is less than 40000 it works OK. What can be wrong?

no access-list 109 deny   udp any any range 3072 65535 log
access-list 109 deny   tcp any any eq 445
access-list 109 deny   tcp any any eq 135
access-list 109 deny   tcp any any eq 139
access-list 109 deny   tcp any any eq smtp
access-list 109 deny   udp any any eq 25
no access-list 109 deny   udp any any range 3072 65535 log
access-list 109 permit ip any any

Question by:it_gsr

Expert Comment

by:JFrederick29
ID: 24134205
Probably because it is denying the DNS replies.

Use this list instead:

access-list 109 permit udp any eq 53 any   <--allow DNS
access-list 109 deny   tcp any any eq 445
access-list 109 deny   tcp any any eq 135
access-list 109 deny   tcp any any eq 139
access-list 109 deny   tcp any any eq smtp
access-list 109 deny   udp any any eq 25
access-list 109 deny   udp any any range 3072 65535 log
access-list 109 permit ip any any

Expert Comment

by:Deoji
ID: 24140555
You are probably doing overloaded NAT translation to get to the internet, and maybe your firewall rule is being applied after the NAT translation and is blocking the ports that it needs to do the overloaded NATing.

Maybe you need to apply your access-list to the inside interface instead of the outside one...
I may be wrong about this but it seems likely to me.

Author Comment

by:it_gsr
ID: 24143162
Hi JFrederick,
Is there any reason why the details below would not allow users to log on to their free web-based mail like MSN, Yahoo, etc.? MSN works on port 1863 and Yahoo Messenger on 80 and 5050.

With the details below applied, I still see some connections on ports within the blocked range.

access-list 109 permit udp any eq domain any
access-list 109 permit tcp any eq www any
access-list 109 permit tcp any any range ftp telnet
access-list 109 permit tcp any any range 5000 5060
access-list 109 deny   tcp any any eq 445
access-list 109 deny   tcp any any eq 135
access-list 109 deny   tcp any any eq 139
access-list 109 deny   tcp any any eq smtp
access-list 109 deny   udp any any eq 25
access-list 109 deny   udp any any range 2048 65535 log
access-list 109 deny   tcp any any range 2048 65535 log
access-list 109 permit ip any any
access-list 109 permit tcp any eq 443 any

Expert Comment

by:JFrederick29
ID: 24144071
These rules are most likely blocking it. What are you trying to accomplish with these two rules?

access-list 109 deny   udp any any range 2048 65535 log
access-list 109 deny   tcp any any range 2048 65535 log

If you are okay with allowing return traffic from the inside initiated connections, add this:

ip access-list ext 109
1 permit tcp any any established

Author Comment

by:it_gsr
ID: 24145498
I can see some funny connections on the router interface to ports as below. So the intention is to block all those ports.


Expert Comment

by:JFrederick29
ID: 24147151
Probably peer to peer software on your network.

I would use the following access-list inbound on the WAN interface:

ip access-list ext 109
permit tcp any any established
permit udp any eq 53 any
permit icmp any any echo-reply
permit icmp any any unreachable
permit icmp any any time-exceeded

int <wan interface>
ip access-group 109 in

Then apply the list inbound on the LAN interface to restrict outbound traffic:

ip access-list ext 110
permit tcp any any eq www
permit tcp any any eq https
permit udp any any eq 53
permit tcp any any range ftp telnet
permit tcp any any range 5000 5060
permit tcp any any eq 1863
....   <--add other permit statements for traffic you want to explicitly allow
deny ip any any   <--all other traffic will be denied (including p2p).

Accepted Solution

by:JFrederick29 (earned 500 total points)
ID: 24147158
Revised:

Probably peer to peer software on your network.

I would use the following access-list inbound on the WAN interface:

ip access-list ext 109
permit tcp any any established
permit udp any eq 53 any
permit icmp any any echo-reply
permit icmp any any unreachable
permit icmp any any time-exceeded
deny ip any any

int <wan interface>
ip access-group 109 in

Then apply the list inbound on the LAN interface to restrict outbound traffic:

ip access-list ext 110
permit tcp any any eq www
permit tcp any any eq https
permit udp any any eq 53
permit tcp any any range ftp telnet
permit tcp any any range 5000 5060
permit tcp any any eq 1863
....   <--add other permit statements for traffic you want to explicitly allow
deny ip any any   <--all other traffic will be denied (including p2p).

int <lan interface>
ip access-group 110 in
0
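As an added example (not code from the thread or from Cisco), the following Python models first-match extended ACL evaluation for three of the lists posted above: the asker's original list, JFrederick29's first fix that permits DNS replies ahead of the range deny, and the WAN-inbound list 109 from the accepted solution with its `established` entry. It runs them against constructed packets (a DNS reply from source port 53, a returning HTTP segment with ACK set, and an unsolicited inbound SYN); since every entry in this thread uses `any` for both addresses, only ports, the `established` keyword and the implicit deny are modelled.

```python
from collections import namedtuple
NAMED = {"domain": 53, "www": 80, "https": 443, "smtp": 25,
         "ftp": 21, "telnet": 23}          # IOS port keywords used in the thread
# ack = TCP ACK or RST bit set; that is all the "established" keyword tests
Pkt = namedtuple("Pkt", "proto sport dport ack", defaults=(0, 0, False))

def _port(tok):
    return NAMED.get(tok) or int(tok)

def _ports(t, i):
    """Optional 'eq X' / 'range A B' at token index i; default is any port."""
    if i < len(t) and t[i] == "eq":
        return (_port(t[i + 1]),) * 2, i + 2
    if i < len(t) and t[i] == "range":
        return (_port(t[i + 1]), _port(t[i + 2])), i + 3
    return (0, 65535), i

def parse_ace(line):
    t = line.split()   # action proto any [ports] any [ports] [established] [log]
    src, i = _ports(t, 3)
    dst, i = _ports(t, i + 1)
    return {"action": t[0], "proto": t[1], "src": src, "dst": dst,
            "established": "established" in t[i:]}

def acl(text):
    return [parse_ace(l) for l in text.strip().splitlines()]

def matches(ace, p):
    if ace["proto"] == "ip":                 # 'ip' matches any protocol, no port check
        return True
    if ace["proto"] != p.proto or (ace["established"] and not p.ack):
        return False
    return (ace["src"][0] <= p.sport <= ace["src"][1]
            and ace["dst"][0] <= p.dport <= ace["dst"][1])

def evaluate(entries, p):
    """First matching entry wins; IOS appends an implicit 'deny ip any any'."""
    return next((a["action"] for a in entries if matches(a, p)), "deny")

ORIGINAL = acl("deny udp any any range 3072 65535 log\npermit ip any any")
FIXED = acl("permit udp any eq 53 any\n"
            "deny udp any any range 3072 65535 log\npermit ip any any")
WAN_IN = acl("permit tcp any any established\npermit udp any eq 53 any\n"
             "deny ip any any")

# Constructed sample packets, as they would arrive inbound on the WAN interface
DNS_REPLY = Pkt("udp", sport=53, dport=50000)              # answer to an inside query
HTTP_RETURN = Pkt("tcp", sport=80, dport=54828, ack=True)  # reply to an inside client
UNSOLICITED = Pkt("tcp", sport=6969, dport=54828)          # inbound SYN, ACK not set
```

The original list denies the DNS reply because its destination is the resolver's ephemeral port inside 3072-65535, while the WAN-inbound list from the accepted solution permits only DNS replies and ACK-bearing return traffic and drops the unsolicited SYN.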
