Solved

Cisco minimum ACL list

Posted on 2010-11-23
Last Modified: 2012-05-10
I am working on setting up an access list to block private IP ranges and other special-use addresses, but am uncertain about the access-list for the WAN side. I am also trying to get SSH to work from a remote location, but when I enable the WAN 'ip access-group 100 in' to block the private IP ranges, I cannot access the router using SSH (everything works OK with just the LAN ip access-group enabled).

1.  What is wrong with my access-lists / access-groups ?
2.  What else should I include to block for private/special IP ranges?  Is there a good list somewhere?

interface FastEthernet0/0
 description internal network
 ip address 192.168.1.2 255.255.255.0
 ip access-group 101 in
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet1/0
 description internet
 ip address 173.x.x.13 255.255.255.248
 ip access-group 100 in
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto

ip route 0.0.0.0 0.0.0.0 173.x.x.14
!
ip nat inside source list mylist interface FastEthernet1/0 overload
!
ip access-list extended mylist
 permit ip 192.168.1.0 0.0.0.255 any
access-list 100 permit tcp any 192.168.1.2 0.0.0.0 eq 22
access-list 100 deny ip 192.168.0.0 0.0.255.255 any
access-list 100 deny ip 172.16.0.0 0.15.255.255 any
access-list 100 deny ip 224.0.0.0 31.255.255.255 any
access-list 100 deny ip 169.254.0.0 0.0.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 deny ip 0.0.0.0 0.255.255.255 any

access-list 101 permit tcp 192.168.1.0 0.0.0.255 any eq www
access-list 101 permit tcp 192.168.1.0 0.0.0.255 any eq 443
access-list 101 permit icmp 192.168.1.0 0.0.0.255 any echo
access-list 101 permit icmp 192.168.1.0 0.0.0.255 any echo-reply
access-list 101 permit udp 192.168.1.0 0.0.0.255 any eq domain
access-list 101 permit tcp host 192.168.1.2 any eq 22
Question by:B1izzard
9 Comments
 

Accepted Solution

by:
wpharaon earned 300 total points
ID: 34194624
Add the line

access-list 100 permit tcp any 173.x.x.13 eq 22

and SSH to your router. Also,

access-list 100 permit ip any any

should be added at the end of your list.

Expert Comment

by:Istvan Kalmar
ID: 34194652
Did you generate an RSA key for SSH?

Expert Comment

by:wpharaon
ID: 34194662
He mentioned that it is working when he only enables the LAN ip access-group.

That's what I understood.

Assisted Solution

by:Istvan Kalmar
Istvan Kalmar earned 200 total points
ID: 34194724
But this is wrong:

access-list 100 permit tcp any 192.168.1.2 0.0.0.0 eq 22

He needs:

access-list 100 permit tcp any host 173.x.x.13 eq 22

Expert Comment

by:wpharaon
ID: 34195544
I already had this line in my comment. In addition, he only blocks, and the default action at the end of the ACL is block, so he needs to allow other IPs (internet to PATed).

Author Comment

by:B1izzard
ID: 34202467
Thanks for the ACL. It is working now. One strange thing I noticed: when I didn't have any ACLs for access-list 100 in the config, I was allowed through from the internet to SSH into the router. I thought there was supposed to be an implicit deny, so if I didn't have any entries, nothing should have made it through, which is why I put the ACL 'access-list 100 deny ip any any' at the end of the list. If I put in just one entry for 'access-list 100 permit tcp any host 173.x.x.13 eq 23', then port 22 would be blocked. It almost seemed like, since there was no ACL (the ip access-group 100 was still on the interface), it was ignoring the implicit deny which should have been at the end. Have you seen this before?

Is there anything that either of you see missing in my deny ACLs for private/special IP ranges? Thanks!

Core(config)#access-list 100 permit tcp any host 173.x.x.13 eq 22
Core(config)#access-list 100 deny icmp any host 173.x.x.13 echo
Core(config)#access-list 100 deny ip 192.168.0.0 0.0.255.255 any
Core(config)#access-list 100 deny ip 172.16.0.0 0.15.255.255 any
Core(config)#access-list 100 deny ip 224.0.0.0 31.255.255.255 any
Core(config)#access-list 100 deny ip 169.254.0.0 0.0.255.255 any
Core(config)#access-list 100 deny ip 127.0.0.0 0.255.255.255 any
Core(config)#access-list 100 deny ip 0.0.0.0 0.255.255.255 any
Core(config)#access-list 100 deny ip any any

Expert Comment

by:wpharaon
ID: 34202628
By default, when you apply an ACL to an interface it only allows what is stated as permit, so if you have one specific block in the ACL and no permits, and you apply this ACL to the interface, it will block all the traffic. Have a nice day.

Author Comment

by:B1izzard
ID: 34206256
Is there anything I should add as far as blocking special IP ranges on the WAN side, or does it look good?
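The following is an added example, not code from the thread: a small first-match evaluator for Cisco IOS extended-ACL syntax that replays ACL 100 against a few constructed packets. It ties together the accepted answer (the SSH permit has to name the WAN address, because an inbound ACL on the outside interface is evaluated before NAT and so never sees 192.168.1.2 as a destination), wpharaon's point about the implicit deny, the asker's observation that an access-group pointing at a list with no entries let everything through (IOS treats an undefined or empty list applied to an interface as permit-all), and the question about which special-use ranges are missing (10.0.0.0/8 from RFC 1918, plus the RFC 6598, RFC 2544 and RFC 5737 blocks). It also shows two things the thread did not spell out: the asker's final list ends in an explicit deny with no catch-all permit, so replies to PATed LAN hosts are dropped, and placing the SSH permit ahead of the anti-spoof denies lets a spoofed RFC 1918 source reach port 22. Addresses are assumptions: 203.0.113.13 (TEST-NET-3) stands in for the thread's 173.x.x.13, and the "remote" hosts are other TEST-NET-3 addresses.

```python
# Added example (not from the thread): first-match evaluator for Cisco IOS extended-ACL syntax.
# Models three IOS behaviours: entries are tried top to bottom and the first match wins; a
# non-empty list ends in an implicit "deny ip any any"; an applied list with no entries permits all.
from ipaddress import IPv4Address

PORT_NAMES = {"www": 80, "domain": 53, "telnet": 23, "ssh": 22}


def parse_addr(tokens):
    """Consume one address spec (any | host A | A WILDCARD) -> ((base, wildcard), remaining tokens)."""
    if tokens[0] == "any":
        return (0, 0xFFFFFFFF), tokens[1:]
    if tokens[0] == "host":
        return (int(IPv4Address(tokens[1])), 0), tokens[2:]
    return (int(IPv4Address(tokens[0])), int(IPv4Address(tokens[1]))), tokens[2:]


def addr_matches(spec, address: str) -> bool:
    base, wildcard = spec
    care = ~wildcard & 0xFFFFFFFF  # a 1 bit in the wildcard mask means "don't care"
    return int(IPv4Address(address)) & care == base & care


def parse_entry(line: str) -> dict:
    t = line.split()
    if t[0] == "access-list":  # numbered form: drop "access-list <n>"
        t = t[2:]
    e = {"action": t[0], "proto": t[1], "dport": None, "icmp_type": None, "text": line.strip()}
    e["src"], rest = parse_addr(t[2:])
    e["dst"], rest = parse_addr(rest)
    if rest and rest[0] == "eq":
        e["dport"] = PORT_NAMES.get(rest[1]) or int(rest[1])
        rest = rest[2:]
    if e["proto"] == "icmp" and rest:
        e["icmp_type"] = rest[0]  # e.g. echo, echo-reply
    return e


def pkt(proto, src, dst, dport=None, icmp_type=None):
    return {"proto": proto, "src": src, "dst": dst, "dport": dport, "icmp_type": icmp_type}


def entry_matches(e: dict, p: dict) -> bool:
    return ((e["proto"] == "ip" or e["proto"] == p["proto"])
            and addr_matches(e["src"], p["src"]) and addr_matches(e["dst"], p["dst"])
            and (e["dport"] is None or e["dport"] == p["dport"])
            and (e["icmp_type"] is None or e["icmp_type"] == p["icmp_type"]))


def evaluate(acl_lines, packet: dict):
    """Return (action, matching line). Empty ACL permits all; otherwise implicit deny at the end."""
    entries = [parse_entry(line) for line in acl_lines]
    if not entries:
        return "permit", "<empty ACL: IOS permits everything>"
    for e in entries:
        if entry_matches(e, packet):
            return e["action"], e["text"]
    return "deny", "<implicit deny ip any any>"


WAN_IP = "203.0.113.13"  # assumed stand-in for the thread's 173.x.x.13
PRIVATE_DENIES = [  # the deny lines exactly as posted in the question
    "access-list 100 deny ip 192.168.0.0 0.0.255.255 any",
    "access-list 100 deny ip 172.16.0.0 0.15.255.255 any",
    "access-list 100 deny ip 224.0.0.0 31.255.255.255 any",
    "access-list 100 deny ip 169.254.0.0 0.0.255.255 any",
    "access-list 100 deny ip 127.0.0.0 0.255.255.255 any",
    "access-list 100 deny ip 0.0.0.0 0.255.255.255 any",
]
EXTRA_DENIES = [  # special-use sources the posted list lacks (RFC 1918, 6598, 2544, 5737);
    "access-list 100 deny ip 10.0.0.0 0.255.255.255 any",    # 203.0.113.0/24 belongs here too
    "access-list 100 deny ip 100.64.0.0 0.63.255.255 any",   # and is left out only because this
    "access-list 100 deny ip 198.18.0.0 0.1.255.255 any",    # example borrows it for the WAN side
    "access-list 100 deny ip 192.0.2.0 0.0.0.255 any",
    "access-list 100 deny ip 198.51.100.0 0.0.0.255 any",
]
SSH_PERMIT = f"access-list 100 permit tcp any host {WAN_IP} eq 22"
PING_DENY = f"access-list 100 deny icmp any host {WAN_IP} echo"
# As posted: SSH permitted to the LAN address, which packets entering the WAN interface never carry
ORIGINAL_100 = ["access-list 100 permit tcp any 192.168.1.2 0.0.0.0 eq 22"] + PRIVATE_DENIES
# The asker's final list: SSH permit first, explicit deny last, no catch-all permit
ASKER_FINAL_100 = [SSH_PERMIT, PING_DENY] + PRIVATE_DENIES + ["access-list 100 deny ip any any"]
# Reordered: spoofed sources denied before the SSH permit, then wpharaon's catch-all permit
HARDENED_100 = PRIVATE_DENIES + EXTRA_DENIES + [SSH_PERMIT, PING_DENY, "access-list 100 permit ip any any"]


def decisions():
    ssh = pkt("tcp", "203.0.113.77", WAN_IP, 22)          # admin's remote SSH session (constructed)
    reply = pkt("tcp", "203.0.113.200", WAN_IP, 51234)    # web server answering a PATed LAN host
    spoofed_1918 = pkt("tcp", "192.168.5.5", WAN_IP, 22)  # RFC 1918 source arriving from the internet
    spoofed_10 = pkt("tcp", "10.9.8.7", WAN_IP, 22)       # 10/8 source, absent from the posted denies
    return {
        "empty_acl_ssh": evaluate([], ssh)[0],
        "original_ssh": evaluate(ORIGINAL_100, ssh)[0],
        "asker_final_ssh": evaluate(ASKER_FINAL_100, ssh)[0],
        "asker_final_reply": evaluate(ASKER_FINAL_100, reply)[0],
        "asker_final_spoofed_ssh": evaluate(ASKER_FINAL_100, spoofed_1918)[0],
        "hardened_ssh": evaluate(HARDENED_100, ssh)[0],
        "hardened_reply": evaluate(HARDENED_100, reply)[0],
        "hardened_spoofed_ssh": evaluate(HARDENED_100, spoofed_1918)[0],
        "hardened_spoofed_10": evaluate(HARDENED_100, spoofed_10)[0],
    }
```

Running `decisions()` gives permit for the empty list, deny for the posted list (the SSH packet falls through to the implicit deny), and for the asker's final list permit for SSH but deny for the web reply and permit for the spoofed 192.168.5.5 source, because the SSH permit is matched before the deny lines ever get a look. The reordered list with the catch-all permit fixes both. Two caveats for the WAN side: `permit ip any any` is the stateless way to let PAT return traffic in, and on IOS the tighter choice is stateful inspection (`ip inspect` or a zone-based firewall) or at least `permit tcp any host <wan> established`; and the posted `deny ip 224.0.0.0 31.255.255.255 any` already covers 224.0.0.0/3, so 240.0.0.0/4 and the broadcast address need no separate line. A deny for your own WAN block as a source is also usual, but the thread's 173.x.x.x prefix is not given, so it is not shown here.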

Author Closing Comment

by:B1izzard
ID: 34401682
Thanks!