MrPrince (Canada) asked:
Cisco Router Access List Help.

Hi,

I'm messing around with Access Lists on an 871 Router. Whenever I apply access list 199 inbound to the outside interface all traffic is stopped by the deny ip any any entry. Is this because the traffic isn't established? I can't seem to add the established property on to an extended ACL.

The whole idea is to try and tighten down what comes in to my router from the outside world.
Any ideas? Thanks.

access-list 199 remark Allow Inbound ICMP
access-list 199 permit icmp any 172.16.100.0 0.0.0.15 echo-reply log
access-list 199 permit icmp any 172.16.100.0 0.0.0.15 source-quench log
access-list 199 permit icmp any 172.16.100.0 0.0.0.15 unreachable log
access-list 199 permit icmp any 172.16.100.0 0.0.0.15 time-exceeded log
access-list 199 deny ip any any log

access-list 200 remark Allow ICMP
access-list 200 permit icmp 172.16.100.0 0.0.0.15 any echo
access-list 200 permit icmp 172.16.100.0 0.0.0.15 any traceroute
access-list 200 remark Allow DNS
! a wildcard of 255.255.255.255 matches any host; a single server is "host <ip>" (wildcard 0.0.0.0)
access-list 200 permit udp 172.16.100.0 0.0.0.15 host 64.59.114.18 eq domain
access-list 200 remark Allow Web
access-list 200 permit tcp 172.16.100.0 0.0.0.15 any eq www
access-list 200 permit tcp 172.16.100.0 0.0.0.15 any eq 443
access-list 200 deny ip any any log

! inside interface
interface Vlan10
 ip access-group 200 out

! outside interface
interface FastEthernet4
 ip access-group 199 in
atlas_shuddered replied:

199 is designed to stop all traffic except for SNMP and a few ICMP ports.  Everything else, including www, smtp, ftp, etc. is being denied as it is built right now.  You'll need to configure a few more lines if you want to allow otherwise.
MrPrince (asker) replied:

From an ASA/PIX point of view, is there any way of allowing established traffic leaving an inside interface to be allowed back in through the outside interface? My 199 ACL is really for allowing traffic originating from the outside coming in.

Thanks.
I recommend adding:

access-list 199 permit tcp any any established

This will allow TCP return traffic back in after it has been established outbound through access list 200 outbound.  Obviously this line will need to go before the deny any any.  When editing the ACL use the "show ip access-lists" command to see what line numbers have already been created.

For example:

Extended IP access list 199
    10 permit icmp any 172.16.100.0 0.0.0.15 echo-reply log
    20 permit icmp any 172.16.100.0 0.0.0.15 source-quench log
    30 deny ip any any log

Here you can see that the "Deny ip any any log" is step 30 of this access list.  Given that fact, you don't need to delete and recreate the ACL, just insert a step somewhere before 30 like this:

ip access-list extended 199
 29 permit tcp any any established

The way you have it configured now, TCP requests are going out, but the ACK is being blocked by your inbound ACL.  You are going to need to allow return traffic from your DNS servers as well.

Good luck!
ASKER CERTIFIED SOLUTION
bkepford:

(This solution is only available to members.)
Also 199 isn't actually allowing return ICMP traffic as all traffic is being blocked by the deny ip any any access entry.
Thanks guys, I'll try it out this evening. I prefer the sound of the CBAC solution but I also like the granular control of an extended ACL. I suppose I could use both?

access-list 200 remark Allow ICMP
access-list 200 permit icmp 172.16.100.0 0.0.0.15 any echo
access-list 200 permit icmp 172.16.100.0 0.0.0.15 any traceroute
access-list 200 remark Allow DNS
! a wildcard of 255.255.255.255 matches any host; a single server is "host <ip>" (wildcard 0.0.0.0)
access-list 200 permit udp 172.16.100.0 0.0.0.15 host 64.59.114.18 eq domain
access-list 200 remark Allow Web
access-list 200 permit tcp 172.16.100.0 0.0.0.15 any eq www
access-list 200 permit tcp 172.16.100.0 0.0.0.15 any eq 443
access-list 200 deny ip any any log

ip inspect name myfw icmp
ip inspect name myfw tcp
ip inspect name myfw udp

! inside interface
interface Vlan10
 ip access-group 200 out
 ip inspect myfw out
This configuration is incorrect:

! inside interface
interface Vlan10
 ip access-group 200 out
 ip inspect myfw out

The direction is always in relation to the router, so your inspect would be inspecting traffic flowing from the outside to the inside and out to the clients. In most cases you block the traffic as it comes in the router; that way no routing has to occur for traffic that is going to be blocked.  I usually do all blocking and marking of traffic as it enters the router. It is best practice.

I would suggest

! outside interface
interface FastEthernet4
 ip access-group 199 in

! inside interface
interface Vlan10
 ip inspect myfw in
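The two fixes offered in this thread behave differently against unsolicited traffic, and that is worth seeing side by side. The block below is an added illustration, not code from the thread or from Cisco IOS: a small Python model of first-match ACL evaluation that replays the asker's ACL 199 against a web reply, a DNS reply and an unsolicited TCP ACK, first with the stateless `permit tcp any any established` line from the earlier reply, then with CBAC-style inspection applied inbound on the inside interface as this reply recommends. Wildcard masks are written as CIDR (0.0.0.15 is /28), ICMP types stand in for the port field, the hosts 172.16.100.5, 203.0.113.10 and 198.51.100.7 and all packets are constructed for the example, and the session table is a simplified stand-in for what `ip inspect` maintains.

```python
# Added example (not from the thread): stateless 'established' versus
# CBAC-style stateful inspection, modelled in Python. Addresses and
# packets are constructed for illustration; 64.59.114.18 is the DNS
# server from the thread, the other hosts are documentation ranges.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, List, Optional


@dataclass(frozen=True)
class Packet:
    proto: str                            # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0                        # source port (unused for icmp)
    dport: int = 0                        # dest port, or ICMP type for icmp
    flags: FrozenSet[str] = frozenset()   # TCP flag bits, e.g. {"SYN", "ACK"}


@dataclass(frozen=True)
class Ace:
    """One access-list entry. Networks are CIDR; 'any' is 0.0.0.0/0."""
    action: str                           # "permit" or "deny"
    proto: str                            # "ip", "tcp", "udp" or "icmp"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None           # 'eq <port>', or ICMP type
    established: bool = False             # IOS 'established': ACK or RST set

    def matches(self, p: Packet) -> bool:
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if ip_address(p.src) not in ip_network(self.src):
            return False
        if ip_address(p.dst) not in ip_network(self.dst):
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        # 'established' keeps no state: it only looks at the flag bits,
        # so any TCP packet carrying ACK or RST matches, solicited or not.
        if self.established and not (p.flags & {"ACK", "RST"}):
            return False
        return True


def evaluate(acl: List[Ace], p: Packet) -> str:
    """First match wins; an ACL ends with an implicit 'deny ip any any'."""
    for ace in acl:
        if ace.matches(p):
            return ace.action
    return "deny"


INSIDE = "172.16.100.0/28"                # 172.16.100.0 0.0.0.15 in the thread

# ACL 199 as posted: echo-reply(0), source-quench(4), unreachable(3),
# time-exceeded(11) to the inside network, then deny everything.
ACL_199 = [
    Ace("permit", "icmp", dst=INSIDE, dport=0),
    Ace("permit", "icmp", dst=INSIDE, dport=4),
    Ace("permit", "icmp", dst=INSIDE, dport=3),
    Ace("permit", "icmp", dst=INSIDE, dport=11),
    Ace("deny", "ip"),
]

# The earlier reply's fix: '29 permit tcp any any established' before the deny.
ACL_199_ESTABLISHED = ACL_199[:-1] + [Ace("permit", "tcp", established=True)] + ACL_199[-1:]


class Inspector:
    """Simplified CBAC. 'ip inspect myfw in' on the inside interface sees
    LAN traffic as it enters the router and records the session; return
    traffic for a recorded session is admitted ahead of the inbound ACL."""

    def __init__(self) -> None:
        self.sessions = set()

    def outbound(self, p: Packet) -> None:
        # inspected on ingress from the LAN: remember the initiating 5-tuple
        self.sessions.add((p.proto, p.src, p.sport, p.dst, p.dport))

    def inbound(self, p: Packet, acl: List[Ace]) -> str:
        # a reply is the initiating tuple with src/dst and ports swapped
        if (p.proto, p.dst, p.dport, p.src, p.sport) in self.sessions:
            return "permit"
        return evaluate(acl, p)


CLIENT, WEB, DNS, SCANNER = "172.16.100.5", "203.0.113.10", "64.59.114.18", "198.51.100.7"
syn = Packet("tcp", CLIENT, WEB, 40000, 443, frozenset({"SYN"}))
syn_ack = Packet("tcp", WEB, CLIENT, 443, 40000, frozenset({"SYN", "ACK"}))
dns_query = Packet("udp", CLIENT, DNS, 51000, 53)
dns_reply = Packet("udp", DNS, CLIENT, 53, 51000)
ack_scan = Packet("tcp", SCANNER, CLIENT, 1234, 22, frozenset({"ACK"}))  # unsolicited


def demo() -> dict:
    insp = Inspector()
    insp.outbound(syn)                    # client opens HTTPS and sends a DNS query
    insp.outbound(dns_query)
    return {
        "reply_without_established": evaluate(ACL_199, syn_ack),
        "reply_with_established": evaluate(ACL_199_ESTABLISHED, syn_ack),
        "dns_reply_with_established": evaluate(ACL_199_ESTABLISHED, dns_reply),
        "ack_scan_with_established": evaluate(ACL_199_ESTABLISHED, ack_scan),
        "reply_with_inspect": insp.inbound(syn_ack, ACL_199),
        "dns_reply_with_inspect": insp.inbound(dns_reply, ACL_199),
        "ack_scan_with_inspect": insp.inbound(ack_scan, ACL_199),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:28s} {verdict}")
```

The model shows the trade-off behind the asker's "could I use both?": `established` restores the web session but still drops the UDP DNS reply (no flag bits to match) and admits an unsolicited ACK, which is exactly what an ACK scan sends, whereas inspection admits only replies to sessions it saw leave and falls through to ACL 199 for everything else. On the router the equivalent check is `show ip inspect sessions` for the dynamic entries and `show ip access-lists 199` for which static entry is taking the hits.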
Works a treat, thanks.