Cisco 870 Access lists

Hi

I’m trying to create two access lists, 101 to allow ftp, www, FTP, https out and 102 to allow ports 23, 222, and https inbound. However, when I apply the access lists I lose Internet connectivity. I suspect it’s something simple! But this has me stuck; below are the relevant sections of my router config:-

interface FastEthernet0
 switchport access vlan 20
 spanning-tree portfast
!
interface FastEthernet1
 switchport access vlan 1
 spanning-tree portfast
!
interface FastEthernet2
 shutdown
!
interface FastEthernet3
 shutdown
!
interface Vlan20
 description outside interface
 ip address x.x.x.x 255.255.255.248
 ip access-group 102 in
 ip nat outside
 ip virtual-reassembly
!
interface Vlan1
 description inside interface
 ip address 192.168.1.1 255.255.255.0
 ip access-group 101 in
 ip nat inside
 ip virtual-reassembly

ip route 0.0.0.0 0.0.0.0 x.x.x.x

Current access lists:-

access-list 1 permit 192.168.1.0 0.0.0.255
access-list 101 deny   ip any any log
access-list 101 remark ** Traffic allowed to enter the router from the Management LAN **
access-list 101 permit ip any host 192.168.1.1
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
access-list 101 permit ip any host 255.255.255.255
access-list 101 permit udp any any eq domain
access-list 101 permit tcp any any eq domain
access-list 101 permit tcp any any eq 443
access-list 101 permit tcp any any eq 1723
access-list 101 permit gre any any
access-list 101 permit tcp any any eq ftp
access-list 101 permit tcp any any eq www
access-list 102 remark ** Traffic allowed to enter the router from the Internet **
access-list 102 permit tcp any any eq telnet
access-list 102 permit tcp any any eq 443
access-list 102 deny   icmp any any echo
access-list 102 deny   ip any any log
access-list 102 permit icmp any any administratively-prohibited
access-list 102 permit icmp any any echo
access-list 102 permit icmp any any echo-reply
access-list 102 permit icmp any any packet-too-big
access-list 102 permit icmp any any time-exceeded
access-list 102 permit icmp any any traceroute
access-list 102 permit icmp any any unreachable
dialer-list 1 protocol ip list 1

Many thanks!
Alex
shauncroucher commented:
Your first entry is:

access-list 101 deny   ip any any log

Will this not deny all IP traffic before any permit statements are evaluated, as it is at the top of the list?

Shaun
mediavisionds commented:
The ACLs work from top to bottom, so the first thing you want to do is move your "deny" statements to the bottom of your list. The way you have them today, the router will perform "access-list 101 deny   ip any any log" first instead of cleaning up after you have allowed the desired traffic.

Second, because ACLs are not stateful, you will need to allow the return traffic back in. So, for "access-list 101 permit tcp any any eq www" you will need an entry "access-list 102 permit tcp any eq www any established"; for "access-list 101 permit tcp any any eq ftp" you will need "access-list 102 permit tcp any eq ftp any established", and so on.
Nayyar HH (CCIE RS), Network Architect, commented:
For Internet access you also need to permit UDP 53 (DNS) outbound and inbound.
dt3itsteam (author) commented:
Hi, these are my current access lists:-

access-list 1 permit 192.168.1.0 0.0.0.255
access-list 101 remark ** Traffic allowed to enter the router from the Management LAN **
access-list 101 permit ip any host 192.168.1.1
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
access-list 101 permit ip any host 255.255.255.255
access-list 101 permit udp any any eq domain
access-list 101 permit tcp any any eq domain
access-list 101 permit tcp any any eq 443
access-list 101 permit tcp any any eq 1723
access-list 101 permit gre any any
access-list 101 permit tcp any any eq ftp
access-list 101 permit tcp any any eq www
access-list 101 deny   ip any any log

access-list 102 remark ** Traffic allowed to enter the router from the Internet **
access-list 102 permit udp any any eq domain
access-list 102 permit tcp any any eq domain
access-list 102 permit tcp any any eq telnet
access-list 102 permit tcp any eq www any established
access-list 102 permit tcp any eq 443 any established
access-list 102 permit tcp any eq 1723 any established
access-list 102 permit tcp any eq ftp any established
access-list 102 permit tcp any any eq 443
access-list 102 deny   icmp any any echo
access-list 102 deny   ip any any log

But still no joy.
dt3itsteam (author) commented:
Interface configuration:-

interface FastEthernet0
 description ***Outside Interface***
 switchport access vlan 20
 spanning-tree portfast
!
interface FastEthernet1
 description ***inside Interface***
 spanning-tree portfast
!
interface FastEthernet2
 shutdown
!
interface FastEthernet3
 shutdown
!
interface Vlan1
 description ***inside Interface***
 ip address 192.168.1.1 255.255.255.0
 ip access-group 101 in
 ip nat inside
 ip virtual-reassembly
!
interface Vlan20
 description ***outside interface***
 ip address x.x.x.x 255.255.255.248
 ip access-group 102 in
 ip nat outside
 ip virtual-reassembly
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 x.x.x.x
Nayyar HH (CCIE RS), Network Architect, commented:
Your ACLs aren't mirrored correctly for DNS at least, so you won't get DNS responses.

As you have already done for the others inbound, you need at least
access-list 102 permit udp any eq domain any
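Both fixes in this thread (moving the deny to the bottom of ACL 101, and mirroring the return traffic on ACL 102, including the DNS reply whose source port is 53) follow from how IOS evaluates an access list: top-down, first match wins, implicit deny at the end, and no connection state. The Python below is an added example, not part of the thread or of Cisco's tooling. It models just enough of the numbered extended ACL syntax used in the posted lists to replay them against constructed packets. The addresses are constructed: 198.51.100.2 stands in for the router's x.x.x.x on Vlan20, 203.0.113.10 and 203.0.113.53 for an external web server and DNS resolver. Two caveats it encodes: the inbound ACL on the outside interface is evaluated before NAT untranslates, so return packets are matched against the router's public address, and `established` only checks the TCP ACK/RST bits; it is not a state table, which is why the unsolicited inbound SYN is still denied while the reply is permitted.

```python
"""Toy first-match evaluator for Cisco IOS numbered extended ACLs (added example).

Understands only the syntax the posted lists use: protocol ip/tcp/udp/gre/icmp;
'any', 'host X' or 'X WILDCARD' addresses; optional 'eq PORT' after either
address; and the TCP 'established' keyword.  Trailing tokens such as 'log' or
ICMP type names (echo, unreachable, ...) are ignored, so ICMP lines match all ICMP.
"""
import ipaddress
from dataclasses import dataclass

PORT_NAMES = {"ftp": 21, "telnet": 23, "domain": 53, "www": 80}

# Constructed sample addresses (RFC 5737 ranges); OUTSIDE stands in for x.x.x.x
OUTSIDE = "198.51.100.2"     # router's public address on Vlan20
WEB = "203.0.113.10"         # an Internet web server
DNS = "203.0.113.53"         # an Internet DNS resolver


@dataclass
class Packet:
    proto: str                 # 'tcp', 'udp', 'icmp' or 'gre'
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    ack_or_rst: bool = False   # TCP ACK or RST set -> matches 'established'


def _port(tok):
    return int(tok) if tok.isdigit() else PORT_NAMES[tok]


def _parse_addr(tokens, i):
    """Return (matcher, next index) for 'any' | 'host X' | 'X WILDCARD'."""
    if tokens[i] == "any":
        return (lambda ip: True), i + 1
    if tokens[i] == "host":
        want = int(ipaddress.ip_address(tokens[i + 1]))
        return (lambda ip: int(ipaddress.ip_address(ip)) == want), i + 2
    base = int(ipaddress.ip_address(tokens[i]))
    # IOS wildcard: 0 bits must match, 1 bits are don't-care (inverse of a netmask)
    care = ~int(ipaddress.ip_address(tokens[i + 1])) & 0xFFFFFFFF
    return (lambda ip: (int(ipaddress.ip_address(ip)) & care) == (base & care)), i + 2


def parse_ace(line):
    """'access-list N permit|deny PROTO SRC [eq P] DST [eq P] [established] ...'"""
    t = line.split()
    if t[2] == "remark":
        return None
    action, proto, i = t[2], t[3], 4
    src, i = _parse_addr(t, i)
    sport = None
    if i < len(t) and t[i] == "eq":
        sport, i = _port(t[i + 1]), i + 2
    dst, i = _parse_addr(t, i)
    dport = None
    if i < len(t) and t[i] == "eq":
        dport, i = _port(t[i + 1]), i + 2
    return action, proto, src, sport, dst, dport, "established" in t[i:]


def evaluate(acl, pkt):
    """First matching entry wins; IOS appends an implicit 'deny ip any any'."""
    for line in acl:
        ace = parse_ace(line)
        if ace is None:
            continue
        action, proto, src, sport, dst, dport, established = ace
        if proto not in ("ip", pkt.proto):
            continue
        if not (src(pkt.src) and dst(pkt.dst)):
            continue
        if sport is not None and sport != pkt.sport:
            continue
        if dport is not None and dport != pkt.dport:
            continue
        if established and not pkt.ack_or_rst:
            continue
        return action, line
    return "deny", "<implicit deny ip any any>"


# ACL 101 (Vlan1, in) as first posted, deny on top, and with the deny moved down
ACL101_ORIGINAL = [
    "access-list 101 deny   ip any any log",
    "access-list 101 permit ip 192.168.1.0 0.0.0.255 any",
]
ACL101_FIXED = ACL101_ORIGINAL[::-1]
# ACL 102 (Vlan20, in) from the second post: DNS matched only by destination port
ACL102_REVISED = [
    "access-list 102 permit udp any any eq domain",
    "access-list 102 permit tcp any eq www any established",
    "access-list 102 deny   ip any any log",
]
# ... plus the mirror line for DNS replies (source port 53)
ACL102_MIRRORED = ["access-list 102 permit udp any eq domain any"] + ACL102_REVISED


def outbound_http(acl):      # LAN host opening a web connection, seen on Vlan1
    return evaluate(acl, Packet("tcp", "192.168.1.10", WEB, 50000, 80))[0]

def dns_reply(acl):          # resolver answering, seen on Vlan20 before NAT untranslates
    return evaluate(acl, Packet("udp", DNS, OUTSIDE, 53, 40000))[0]

def http_reply(acl):         # server's SYN/ACK or data segment, ACK bit set
    return evaluate(acl, Packet("tcp", WEB, OUTSIDE, 80, 50000, ack_or_rst=True))[0]

def unsolicited_http(acl):   # Internet host trying to open tcp/80 inbound (bare SYN)
    return evaluate(acl, Packet("tcp", WEB, OUTSIDE, 50000, 80))[0]


if __name__ == "__main__":
    print("101 original, outbound http:", outbound_http(ACL101_ORIGINAL))
    print("101 fixed,    outbound http:", outbound_http(ACL101_FIXED))
    print("102 revised,  dns reply    :", dns_reply(ACL102_REVISED))
    print("102 mirrored, dns reply    :", dns_reply(ACL102_MIRRORED))
    print("102 revised,  http reply   :", http_reply(ACL102_REVISED))
    print("102 revised,  inbound SYN  :", unsolicited_http(ACL102_REVISED))
```

Running it reproduces the thread: the outbound HTTP SYN hits the top-of-list deny in the original 101 and passes the fixed one; the DNS reply (source port 53, destination an ephemeral port) is denied by the revised 102 and permitted once the `eq domain` is on the source side; the web server's ACK-bearing reply matches the `established` line while a bare inbound SYN to tcp/80 falls through to the deny.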
dt3itsteam (author) commented:
Thanks, that worked!

How do I turn off the echo, i.e.:-

1 19:42:37.105: %SEC-6-IPACCESSLOGSP: list 101 denied igmp 0.0.0.0 -> 224.0.0.22 (34), 1 packet

Thanks in advance
Nayyar HH (CCIE RS), Network Architect, commented:
That's great! You can turn this off by removing the "log" keyword on your ACL statements or by removing the last statements as a whole.
dt3itsteam (author) commented:
Thanks!

On ACL 101, can I trim this down at all? i.e.:-

Do I need:-
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
access-list 101 permit ip any host 255.255.255.255
Nayyar HH (CCIE RS), Network Architect, commented:
I think you would be the best judge, but here's something to think about.

Removing the 1st statement would be safe if there is no local routing going on in your network.

The 2nd statement would be good to go IF you've captured all your traffic entering the interface.

Removing the 3rd statement would only prevent broadcast, which isn't routed anyway.
