eranghooa
asked on
Delete Standard IP Access List 1 prevent outgoing web Access
I configured my office Cisco 877 router yesterday to block port 25 just like you said. When I do a show access-lists, I get the following:
Standard IP access list 1
10 permit 192.168.1.0 wilodcard bits 0.0.0.255 ( 7453 matches)
Extended IP access list 100
10 permit tcp host 192.168.1.2 any eq smtp (1818926 matches)
20 deny tcp any any eq smtp
30 permit ip any any ( 242699 matches)
I don't see any matches for "20 deny tcp any any eq smtp"; the result seems too good to be true. Do you think I have missed out something? (I have just got our IP delisted for spam after one of our PCs was infected with the rustRock SpamBOT. I have re-formatted the PC and then applied access-list 100 to the incoming interface from the internal network like so: ip access-group 100 in)
My question is: Why can't I delete the standard IP access-list 1? It seems to be redundant, as the extended ACL is already in place. Because when I deleted access-list 1 by using the command no ip access-list 1, our internal PCs' Internet Explorer all of a sudden can't connect to the internet web (http:).
Thanks for your help
Er Ang Hooa
eranghooa@gmail.com
ASKER
Mr Greg,
Thanks for your help. I am appending the config file below. Grateful if you highlight areas I have done incorrectly.
ErAng Hooa
Exch01#show running-config
Building configuration...
Current configuration : 3982 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Exch01
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
!
no aaa new-model
!
resource policy
!
ip subnet-zero
no ip source-route
ip cef
!
!
no ip bootp server
ip domain name keonghong.com
ip name-server 192.168.1.2
ip name-server 165.21.83.88
!
!
crypto pki trustpoint TP-self-signed-1757292515
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certifi
revocation-check none
rsakeypair TP-self-signed-1757292515
!
!
crypto pki certificate chain TP-self-signed-1757292515
certificate self-signed 01
quit
interface ATM0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0.1 point-to-point
description $ES_WAN$$FW_OUTSIDE$
ip address 203.125.87.122 255.255.255.252
ip nat outside
ip virtual-reassembly
pvc 8/35
protocol ip 203.125.87.121 broadcast
encapsulation aal5snap
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
description ip address 192.168.1.99 255.255.255.0
ip access-group 100 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
!
ip classless
ip route 0.0.0.0 0.0.0.0 ATM0.1
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 1 interface ATM0.1 overload
ip nat inside source static tcp 192.168.1.2 25 interface ATM0.1 25
ip nat inside source static tcp 192.168.1.2 443 interface ATM0.1 443
ip nat inside source static tcp 192.168.1.2 3389 interface ATM0.1 3389
ip nat inside source static tcp 192.168.1.2 987 interface ATM0.1 987
ip nat inside source static tcp 192.168.1.2 1723 interface ATM0.1 1723
!
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 100 permit tcp host 192.168.1.2 any eq smtp
access-list 100 deny tcp any any eq smtp
access-list 100 permit ip any any
no cdp run
!
control-plane
!
banner login ^CAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
login local
no modem enable
line aux 0
line vty 0 4
privilege level 15
login local
transport input telnet ssh
!
scheduler max-task-time 5000
end
ip nat inside source list 1 interface ATM0.1 overload
list 1 is using your access-list 1 permit 192.168.1.0 0.0.0.255
Greg
ASKER
Mr Greg
Thanks, I am beginning to see the logic for access list 1. Not quite sure about the term overload? My Cisco 877 router is configured to have only 2 active interfaces, i.e. 1 internal Vlan1 and 1 external ATM0.1; does overload mean access list 1 is applied to both Vlan1 in and ATM0.1 out?
Incidentally, I noticed this evening "20 deny tcp any any eq smtp" has 72 matches. See the latest show access-list:
Exch01#show access-list
Standard IP access list 1
10 permit 192.168.1.0, wildcard bits 0.0.0.255 (18650 matches)
Extended IP access list 100
10 permit tcp host 192.168.1.2 any eq smtp (3231540 matches)
20 deny tcp any any eq smtp (72 matches)
30 permit ip any any (455787 matches)
Maybe the access list 100 is working after all. But I am not quite certain. Appreciate if you can cast further light.
Thanks for enlightening me.
Er Ang Hooa
eranghooa@gmail.com
Overload means that all your users can use the WAN IP as their NAT IP. If you remove the overload statement only one user may be able to access the Internet.
your access-list 100 is probably working fine!
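As an added illustration (not code from this thread or from Cisco): a small Python model of first-match ACL evaluation for the two lists in the posted config, and of how the "ip nat inside source list 1 ... overload" statement depends on list 1, which is why deleting list 1 leaves the LAN with no translation. The destination 198.51.100.10 and the LAN host 192.168.1.50 are constructed values; the behaviour of a deleted list is modelled as an empty list.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str      # "tcp", "udp" or "icmp"
    dport: int = 0  # destination port, 0 when not applicable

ANY = IPv4Network("0.0.0.0/0")
# Each entry: (action, protocol, source net, destination net, destination port or None).
# IOS evaluates top-down, stops at the first match, and denies anything unmatched.
ACL_100 = [  # extended list 100 from the config, applied "in" on Vlan1
    ("permit", "tcp", IPv4Network("192.168.1.2/32"), ANY, 25),  # only the mail server may send SMTP
    ("deny",   "tcp", ANY, ANY, 25),                            # everyone else's SMTP is dropped
    ("permit", "ip",  ANY, ANY, None),                          # all other traffic passes
]
ACL_1 = [  # standard list 1: a source check only, referenced by the NAT statement
    ("permit", "ip", IPv4Network("192.168.1.0/24"), ANY, None),
]
WAN_IP = "203.125.87.122"  # ATM0.1 address from the posted config

def acl_lookup(acl, pkt):
    """Return (action, sequence number) of the first matching entry, or ('deny', None) for the implicit deny."""
    src, dst = IPv4Address(pkt.src), IPv4Address(pkt.dst)
    for i, (action, proto, s_net, d_net, dport) in enumerate(acl):
        if proto != "ip" and proto != pkt.proto:
            continue
        if src not in s_net or dst not in d_net:
            continue
        if dport is not None and dport != pkt.dport:
            continue
        return action, (i + 1) * 10
    return "deny", None

def nat_overload(pkt, inside_list):
    """Model 'ip nat inside source list 1 interface ATM0.1 overload': the source is rewritten
    to the WAN address only if the inside list permits it (a deleted list is passed as [])."""
    action, _ = acl_lookup(inside_list, pkt)
    return WAN_IP if action == "permit" else None

def outbound_result(pkt, inside_list=ACL_1):
    """Walk a LAN-originated packet through ACL 100 on Vlan1 and then through NAT overload."""
    action, seq = acl_lookup(ACL_100, pkt)
    if action == "deny":
        return f"dropped by ACL 100 line {seq}"
    nat_src = nat_overload(pkt, inside_list)
    return f"forwarded as {nat_src}" if nat_src else "forwarded untranslated: replies cannot return"
```

Run outbound_result with inside_list=[] to reproduce the symptom in the question: ACL 100 still permits the web traffic, but without list 1 the NAT statement matches nothing, so the private source address is never translated.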
ASKER CERTIFIED SOLUTION
ASKER
Mr Greg,
I tried show ip nat translations. The result is truly awesome. I am thoroughly convinced access list 100 is working. Thank you so much.
ER Ang Hooa
Please post your config with passwords removed.
Greg