dt3itsteam
Cisco 870 Access lists

Hi

I’m trying to create two access lists, 101 to allow ftp, www, FTP, https out and 102 to allow ports 23, 222 and https inbound. However, when I apply the access lists I lose Internet connectivity. I suspect it’s something simple! But this has me stuck; below are the relevant sections of my router config:-

interface FastEthernet0
 switchport access vlan 20
 spanning-tree portfast
!
interface FastEthernet1
 switchport access vlan 1
 spanning-tree portfast
!
interface FastEthernet2
 shutdown
!
interface FastEthernet3
 shutdown
!
interface Vlan20
 description outside interface
 ip address x.x.x.x 255.255.255.248
 access-group 102 in
 ip nat inside
 ip virtual-reassembly
!
interface Vlan1
 description inside interface
 ip address 192.168.1.1 255.255.255.0
 access-group 101 in
 ip nat inside
 ip virtual-reassembly

ip route 0.0.0.0 0.0.0.0 x.x.x.x

Current access lists:-

access-list 1 permit 192.168.1.0 0.0.0.255
access-list 101 deny   ip any any log
access-list 101 remark ** Traffic allowed to enter the router from the Management LAN **
access-list 101 permit ip any host 192.168.1.1
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
access-list 101 permit ip any host 255.255.255.255
access-list 101 permit udp any any eq domain
access-list 101 permit tcp any any eq domain
access-list 101 permit tcp any any eq 443
access-list 101 permit tcp any any eq 1723
access-list 101 permit gre any any
access-list 101 permit tcp any any eq ftp
access-list 101 permit tcp any any eq www
access-list 102 remark ** Traffic allowed to enter the router from the Internet **
access-list 102 permit tcp any any eq telnet
access-list 102 permit tcp any any eq 443
access-list 102 deny   icmp any any echo
access-list 102 deny   ip any any log
access-list 102 permit icmp any any administratively-prohibited
access-list 102 permit icmp any any echo
access-list 102 permit icmp any any echo-reply
access-list 102 permit icmp any any packet-too-big
access-list 102 permit icmp any any time-exceeded
access-list 102 permit icmp any any traceroute
access-list 102 permit icmp any any unreachable
dialer-list 1 protocol ip list 1

Many thanks!
Alex
shauncroucher

Your first entry is :

access-list 101 deny   ip any any log

Will this not deny all ip traffic before any permit statements are evaluated, as it is at the top of the list?

Shaun
The ACLs work from top to bottom, so the first thing you want to do is move your "deny" statements to the bottom of your list. The way you have them today, the router will perform "access-list 101 deny   ip any any log" first instead of cleaning up after you have allowed the desired traffic.

Second, because ACLs are not stateful, you will need to allow the return traffic back in. So, for "access-list 101 permit tcp any any eq www" you will need an entry "access-list 102 permit tcp any eq www any established"; for "access-list 101 permit tcp any any eq ftp" you will need "access-list 102 permit tcp any eq ftp any established", and so on.
Nayyar HH (CCIE RS)
For Internet access you also need to permit UDP 53 (DNS) outbound and inbound.
dt3itsteam

ASKER

Hi, these are my current access lists:-

access-list 1 permit 192.168.1.0 0.0.0.255
access-list 101 remark ** Traffic allowed to enter the router from the Management LAN **
access-list 101 permit ip any host 192.168.1.1
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
access-list 101 permit ip any host 255.255.255.255
access-list 101 permit udp any any eq domain
access-list 101 permit tcp any any eq domain
access-list 101 permit tcp any any eq 443
access-list 101 permit tcp any any eq 1723
access-list 101 permit gre any any
access-list 101 permit tcp any any eq ftp
access-list 101 permit tcp any any eq www
access-list 101 deny   ip any any log

access-list 102 remark ** Traffic allowed to enter the router from the Internet **
access-list 102 permit udp any any eq domain
access-list 102 permit tcp any any eq domain
access-list 102 permit tcp any any eq telnet
access-list 102 permit tcp any eq www any established
access-list 102 permit tcp any eq 443 any established
access-list 102 permit tcp any eq 1723 any established
access-list 102 permit tcp any eq ftp any established
access-list 102 permit tcp any any eq 443
access-list 102 deny   icmp any any echo
access-list 102 deny   ip any any log

But still no joy. Interface configuration:-

interface FastEthernet0
 description ***Outside Interface***
 switchport access vlan 20
 spanning-tree portfast
!
interface FastEthernet1
 description ***inside Interface***
 spanning-tree portfast
!
interface FastEthernet2
 shutdown
!
interface FastEthernet3
 shutdown
!
interface Vlan1
 description ***inside Interface***
 ip address 192.168.1.1 255.255.255.0
 ip access-group 101 in
 ip nat inside
 ip virtual-reassembly
!
interface Vlan20
 description ***outside interface***
 ip address x.x.x.x 255.255.255.248
 ip access-group 102 in
 ip nat outside
 ip virtual-reassembly
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 x.x.x.x
Your ACLs aren't mirrored correctly, for DNS at least, so you won't get DNS responses.

As you have already done for the others on inbound, you need at least
access-list 102 permit udp any eq domain any
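To make the two points in this thread checkable offline, here is an added example (not code from the thread, from Cisco, or from any of the posters): a small Python first-match evaluator for the numbered extended ACL syntax used above. It shows the earlier reply's point that IOS walks an ACL top-down and stops at the first match (so a "deny ip any any" at the top shadows every permit under it), and the return-traffic point made both there and in the DNS reply just above: ACLs are stateless, so the inbound list 102 needs explicit entries for TCP replies ("established") and for UDP DNS answers from port 53. The trimmed ACL texts, the addresses (documentation ranges standing in for x.x.x.x and the remote server) and the helper names are all constructed for this example; ICMP type keywords are parsed but not matched on.

```python
"""First-match evaluation of Cisco numbered extended ACLs (added example).
Constructed test data; not the thread's or Cisco's code."""
import ipaddress

PORT_NAMES = {"ftp": 21, "telnet": 23, "domain": 53, "www": 80}


def _port(tok):
    return int(tok) if tok.isdigit() else PORT_NAMES[tok]


def _wildcard_to_network(addr, wildcard):
    # A Cisco wildcard is an inverted netmask; non-contiguous wildcards
    # (legal on IOS, rare in practice) are not handled here.
    netmask = ipaddress.ip_address(int(ipaddress.ip_address(wildcard)) ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{addr}/{netmask}", strict=False)


def _parse_addr(toks, i):
    """Consume one address spec (any | host A | A wildcard); return (network, next i)."""
    if toks[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if toks[i] == "host":
        return ipaddress.ip_network(toks[i + 1] + "/32"), i + 2
    return _wildcard_to_network(toks[i], toks[i + 1]), i + 2


def _parse_port(toks, i):
    """Consume an optional 'eq <port>'; return (port or None, next i)."""
    if i < len(toks) and toks[i] == "eq":
        return _port(toks[i + 1]), i + 2
    return None, i


def parse_acl(text):
    """Return {acl_number: [entries]} for extended (100-199) 'access-list' lines."""
    acls = {}
    for line in text.splitlines():
        toks = line.split()
        if len(toks) < 4 or toks[0] != "access-list" or toks[2] == "remark":
            continue
        if not 100 <= int(toks[1]) <= 199:      # skip standard ACLs such as access-list 1
            continue
        src, i = _parse_addr(toks, 4)
        sport, i = _parse_port(toks, i)
        dst, i = _parse_addr(toks, i)
        dport, i = _parse_port(toks, i)
        acls.setdefault(toks[1], []).append(dict(
            action=toks[2], proto=toks[3], src=src, sport=sport, dst=dst, dport=dport,
            established="established" in toks[i:]))  # trailing keywords: established, log, ICMP types
    return acls


def evaluate(entries, proto, src, sport, dst, dport, ack=False):
    """First matching entry wins; implicit deny at the end, as on IOS.
    Returns (action, index of the matching entry, or None for the implicit deny)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for idx, e in enumerate(entries):
        if e["proto"] not in ("ip", proto):
            continue
        if src not in e["src"] or dst not in e["dst"]:
            continue
        if e["sport"] is not None and e["sport"] != sport:
            continue
        if e["dport"] is not None and e["dport"] != dport:
            continue
        if e["established"] and not ack:  # 'established' matches only segments with ACK or RST set
            continue
        return e["action"], idx
    return "deny", None


# Constructed, trimmed versions of the thread's ACLs. Inside host 192.168.1.10,
# router outside address 203.0.113.10, remote hosts 198.51.100.x (documentation ranges).
ACL101_DENY_FIRST = """
access-list 101 deny   ip any any log
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
access-list 101 permit tcp any any eq www
"""
ACL101_FIXED = """
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
access-list 101 permit tcp any any eq www
access-list 101 deny   ip any any log
"""
ACL102_NO_MIRROR = """
access-list 102 permit tcp any any eq telnet
access-list 102 permit tcp any any eq 443
access-list 102 deny   ip any any log
"""
ACL102_MIRRORED = """
access-list 102 permit udp any eq domain any
access-list 102 permit tcp any eq www any established
access-list 102 permit tcp any any eq telnet
access-list 102 permit tcp any any eq 443
access-list 102 deny   ip any any log
"""


def outbound_web(acl_text):
    """Inside host opening a web connection: ACL 101, applied 'in' on Vlan1."""
    return evaluate(parse_acl(acl_text)["101"], "tcp", "192.168.1.10", 51000, "198.51.100.20", 80)[0]


def returning_web(acl_text):
    """The server's SYN/ACK coming back to the NAT address: ACL 102, applied 'in' on Vlan20."""
    return evaluate(parse_acl(acl_text)["102"], "tcp", "198.51.100.20", 80, "203.0.113.10", 51000, ack=True)[0]


def dns_reply(acl_text):
    """A DNS answer from port 53 back to the router's outside address: ACL 102."""
    return evaluate(parse_acl(acl_text)["102"], "udp", "198.51.100.53", 53, "203.0.113.10", 40000)[0]


def unsolicited_syn_from_80(acl_text):
    """A fresh SYN (no ACK) with source port 80: the 'established' entry must not match it."""
    return evaluate(parse_acl(acl_text)["102"], "tcp", "198.51.100.20", 80, "203.0.113.10", 51000)[0]


if __name__ == "__main__":
    print("outbound web, deny first :", outbound_web(ACL101_DENY_FIRST))
    print("outbound web, reordered  :", outbound_web(ACL101_FIXED))
    print("web reply, no mirror     :", returning_web(ACL102_NO_MIRROR))
    print("web reply, mirrored      :", returning_web(ACL102_MIRRORED))
    print("DNS reply, no mirror     :", dns_reply(ACL102_NO_MIRROR))
    print("DNS reply, mirrored      :", dns_reply(ACL102_MIRRORED))
    print("SYN from port 80, mirrored:", unsolicited_syn_from_80(ACL102_MIRRORED))
```

Running it shows the deny-first list rejecting the very first outbound packet at entry 0, the reordered list permitting it, and the inbound list only passing web and DNS replies once the mirrored entries exist. The last check is the one worth keeping in mind when adding "established" entries: they match on the ACK/RST bits, so a bare SYN arriving from source port 80 still falls through to the final deny.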
Thanks that worked!

How do I turn off the echo, i.e.:-

1 19:42:37.105: %SEC-6-IPACCESSLOGSP: list 101 denied igmp 0.0.0.0 -> 224.0.0.22 (34), 1 packet

Thanks in advance
That's great! You can turn this off by removing the "log" keyword on your ACL statements or by removing the last statements as a whole.
Thanks!

On ACL 101, can I trim this down at all? i.e.:-

Do I need :-
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
access-list 101 permit ip any host 255.255.255.255
ASKER CERTIFIED SOLUTION
Nayyar HH (CCIE RS)