Solved

Configure ingress & egress ACL's on cisco 2811

Posted on 2009-07-09
Last Modified: 2012-05-07
Hello, I've configured a cisco 2811 for a 56k frame-relay circuit on a private network. One of the security requirements is to set up ingress & egress ACLs for inbound/outbound traffic. Can't say I've attempted this yet. I'll have to do all the configuration changes via telnet since the router is at another location. I'll post the configuration I have below (it's pretty basic). Any help would be most appreciated. Thanks!

!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname <!>
!
boot-start-marker
boot-end-marker
!
enable password <!>
!
no aaa new-model
!
!
ip cef
!
!
multilink bundle-name authenticated
!
!
!
archive
 log config
  hidekeys
!
!
!
!
!
interface FastEthernet0/0
 ip address <!> 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial0/0/0
 no ip address
 encapsulation frame-relay IETF
 no fair-queue
!
interface Serial0/0/0.777 point-to-point
 ip address 192.168.<!> 255.255.255.252
 snmp trap link-status
 frame-relay interface-dlci 777
!
no ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 192.168.<!>
!
!
ip http server
!
!
!
control-plane
!
!
line con 0
 password <!>
 login
line aux 0
line vty 0 4
 password <!>
 login
!
scheduler allocate 20000 1000
!
end
Question by:MikeG299
6 Comments

Expert Comment by: atlas_shuddered (ID: 24817740)
Have you got a TFTP server on the customer's side?

Author Comment by: MikeG299 (ID: 24818004)
No, I do not. I only need to control inbound/outbound ports from 56kwic to fe/0.

Expert Comment by: atlas_shuddered (ID: 24824899)
Okay. Before you start with the ACL I would secure your vty session with ssh and dump telnet. (Before you disable telnet, confirm that ssh is working and you can connect successfully.) Another thing that I would recommend is, before starting any changes on a remote router, be sure to issue the command:

#reload in 005

This instructs the router to perform a reload in 5 minutes, this way, if you make a change and lose connectivity to the router, the change will be dropped at reload, allowing access again.  Once you are done with your configs, issue the command:

#reload cancel

If more time is needed, follow the above with #reload in 005 again.

Finally, try to do as much as you can in notepad and then upload.  Otherwise, you will have to keep saving your work to flash and resetting the reload command if more time is needed.

After you have set up ssh, open notepad and configure your ACLs (if you have ideas of what exactly you want the ACL to filter, post that and I will try to work up an example.)  Build them from the perspective of:

Traffic coming to the LAN from your FR link should be filtered on serial 0/0/0.777 in
Traffic leaving the LAN destined for another network should be filtered on eth 0/0 in

Doing this limits the traffic that is actually processed for routing to only that traffic which is going to be allowed across the circuit to begin with.

Once your ACLs are built, copy and paste them into the router (don't apply them).
Next, apply the ACL that is limiting traffic to the WAN first and tweak it as needed.
Following this, issue the #reload in 005 command and apply the second ACL to the serial 0/0/0.777 link.

Perform a #show run.  If output is returned, breathe a sigh of relief, save to flash and start your review and tweaking.  If not, go get a coke and become scarce for the next 5 minutes.  Upon return, review the ACL for what is locking your remote access and repeat.

Author Comment by: MikeG299 (ID: 24825703)
Hi,
Thanks so much for responding.
I've never setup SSH, could you please post an example or some sort of instruction?

The router is on a private network managed by AT&T. There is no WAN or exposure to the WWW.

On the ACL: I want to allow only sessions over port 3389 in/out, PING in/out, 502 in/out.

That's a great idea on the reload 005. Look forward to your reply.

Accepted Solution by: atlas_shuddered, earned 500 total points (ID: 24828822)
To set up ssh:

http://www.cisco.com/en/US/tech/tk583/tk617/technologies_tech_note09186a00800949e2.shtml

For your ACLs (enter from the privileged exec prompt; ping is ICMP, not TCP, and each TCP service needs a matching entry for its return traffic because these ACLs are stateless):
config t
!
! Egress: filter LAN traffic as it enters FastEthernet0/0, before it is routed
ip access-list extended LAN_TO_WAN
 permit tcp any any eq 3389
 permit tcp any eq 3389 any established
 permit tcp any any eq 502
 permit tcp any eq 502 any established
 permit icmp any any echo
 permit icmp any any echo-reply
 deny ip any any log
exit
interface FastEthernet0/0
 ip access-group LAN_TO_WAN in
exit
!
! Ingress: filter WAN traffic as it enters the frame-relay subinterface
! (the telnet/ssh lines keep your remote management session alive)
ip access-list extended WAN_TO_LAN
 permit tcp (your IP/mask) (router IP/mask) eq telnet
 permit tcp (your IP/mask) (router IP/mask) eq 22
 permit tcp any any eq 3389
 permit tcp any eq 3389 any established
 permit tcp any any eq 502
 permit tcp any eq 502 any established
 permit icmp any any echo
 permit icmp any any echo-reply
 deny ip any any log
exit
interface Serial0/0/0.777
 ip access-group WAN_TO_LAN in
end
copy run start

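As an added example (not part of the thread, and not Cisco's own code), a small first-match evaluator for the subset of IOS extended-ACL syntax used in the answer above; it dry-runs the lists against a constructed RDP session and shows why entries that match only on destination port drop a session's return packets, while entries with the established keyword let them through. Port numbers and sample packets are constructed for the example.

```python
# Added example (not from the thread): first-match evaluator for a subset of
# IOS extended-ACL syntax: 'any' endpoints, 'eq <port>', ICMP type names,
# 'established' and 'log'. Sample packets and ports are constructed.
from collections import namedtuple

ICMP_TYPES = {"echo": 8, "echo-reply": 0}
# proto "tcp"/"icmp"; dport is a TCP port or ICMP type; ack is the TCP ACK bit
Pkt = namedtuple("Pkt", "proto sport dport ack", defaults=(0, 0, False))

def parse_ace(line):
    """Return (action, proto, sport, dport, established) for one ACL entry."""
    action, proto, *toks = line.split()
    ports, est = [], False
    while toks:
        tok = toks.pop(0)
        if tok == "any":
            ports.append(None)          # no port restriction on this endpoint
        elif tok == "eq":
            ports[-1] = int(toks.pop(0))
        elif tok in ICMP_TYPES:
            ports[-1] = ICMP_TYPES[tok]
        elif tok == "established":
            est = True                  # only packets with ACK set (RST not modelled)
        elif tok != "log":
            raise ValueError("unsupported token: " + tok)
    return action, proto, ports[0], ports[1], est

def evaluate(acl, pkt):
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for action, proto, sport, dport, est in map(parse_ace, acl):
        if (proto in ("ip", pkt.proto) and sport in (None, pkt.sport)
                and dport in (None, pkt.dport) and (pkt.ack or not est)):
            return action
    return "deny"

def rdp_session_allowed(lan_to_wan, wan_to_lan):
    """LAN host opens RDP to a WAN host: the SYN is checked by the list on
    FastEthernet0/0 'in', the SYN-ACK by the list on Serial0/0/0.777 'in'."""
    syn = Pkt("tcp", sport=51000, dport=3389)
    syn_ack = Pkt("tcp", sport=3389, dport=51000, ack=True)
    return (evaluate(lan_to_wan, syn) == "permit"
            and evaluate(wan_to_lan, syn_ack) == "permit")

# Entries matching on destination port only (the thread's ping rules as ICMP).
ORIGINAL = ["permit tcp any any eq 3389", "permit tcp any any eq 502",
            "permit icmp any any echo", "permit icmp any any echo-reply",
            "deny ip any any log"]
# Same list plus return-traffic entries for the two TCP services.
WITH_RETURN = ORIGINAL[:2] + ["permit tcp any eq 3389 any established",
                              "permit tcp any eq 502 any established"] + ORIGINAL[2:]
```

Running rdp_session_allowed(ORIGINAL, ORIGINAL) returns False and rdp_session_allowed(WITH_RETURN, WITH_RETURN) returns True, which is the check worth doing in notepad before the reload timer is running.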

Author Closing Comment by: MikeG299 (ID: 31601612)
Got it working. Thanks so much; very appreciated.