Solved

Cisco minimum acl list

Posted on 2010-11-23
Last Modified: 2012-05-10
I am working on setting up an access list to block private IP ranges and other special-use addresses, but am uncertain about the access-list for the WAN side. I am also trying to get ssh to work from a remote location, but when I enable the WAN 'ip access-group 100 in' to block the private IP ranges, I cannot access the router using ssh (everything is working OK with just the LAN ip access-group enabled).

1.  What is wrong with my access-lists / access-groups ?
2.  What else should I include to block for private/special IP ranges?  Is there a good list somewhere?

interface FastEthernet0/0
 description internal network
 ip address 192.168.1.2 255.255.255.0
 ip access-group 101 in
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet1/0
 description internet
 ip address 173.x.x.13 255.255.255.248
 ip access-group 100 in
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto

ip route 0.0.0.0 0.0.0.0 173.x.x.14
!
ip nat inside source list mylist interface FastEthernet1/0 overload
!
ip access-list extended mylist
 permit ip 192.168.1.0 0.0.0.255 any
access-list 100 permit tcp any 192.168.1.2 0.0.0.0 eq 22
access-list 100 deny ip 192.168.0.0 0.0.255.255 any
access-list 100 deny ip 172.16.0.0 0.15.255.255 any
access-list 100 deny ip 224.0.0.0 31.255.255.255 any
access-list 100 deny ip 169.254.0.0 0.0.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 deny ip 0.0.0.0 0.255.255.255 any

access-list 101 permit tcp 192.168.1.0 0.0.0.255 any eq www
access-list 101 permit tcp 192.168.1.0 0.0.0.255 any eq 443
access-list 101 permit icmp 192.168.1.0 0.0.0.255 any echo
access-list 101 permit icmp 192.168.1.0 0.0.0.255 any echo-reply
access-list 101 permit udp 192.168.1.0 0.0.0.255 any eq domain
access-list 101 permit tcp host 192.168.1.2 any eq 22
Question by:B1izzard
 
Accepted Solution by: wpharaon (earned 300 total points)

Add the line

access-list 100 permit tcp any host 173.x.x.13 eq 22

and ssh to your router. Also,

access-list 100 permit ip any any

should be added at the end of your list.

Expert Comment by: Istvan Kalmar

Did you generate an RSA key for SSH?

Expert Comment by: wpharaon

He mentioned that it is working when he only enables the LAN ip access-group.

That's what I understood.

Assisted Solution by: Istvan Kalmar (earned 200 total points)

But it is wrong:

access-list 100 permit tcp any 192.168.1.2 0.0.0.0 eq 22

He needs:

access-list 100 permit tcp any host 173.x.x.13 eq 22

Expert Comment by: wpharaon

I already had this line in my comment. In addition, the default action at the end of the ACL is block, so he needs to allow the other IPs (Internet to PATed).

Author Comment by: B1izzard

Thanks for the ACL. It is working now. One strange thing I noticed: when I didn't have any ACLs for access-list 100 in the config, I was allowed through from the internet to ssh into the router. I thought there was supposed to be an implicit deny, so if I didn't have any entries, nothing should have made it through, which is why I put the ACL 'access-list 100 deny ip any any' at the end of the list. If I put in just one entry, 'access-list 100 permit tcp any host 173.x.x.13 eq 23', then port 22 would be blocked. It almost seemed like, since there was no ACL (the ip access-group 100 was still on the interface), it was ignoring the implicit deny which should have been at the end. Have you seen this before?

Is there anything that either of you see missing in my deny ACLs for private/special IP ranges? Thanks!

Core(config)#access-list 100 permit tcp any host 173.x.x.13 eq 22
Core(config)#access-list 100 deny icmp any host 173.x.x.13 echo
Core(config)#access-list 100 deny ip 192.168.0.0 0.0.255.255 any
Core(config)#access-list 100 deny ip 172.16.0.0 0.15.255.255 any
Core(config)#access-list 100 deny ip 224.0.0.0 31.255.255.255 any
Core(config)#access-list 100 deny ip 169.254.0.0 0.0.255.255 any
Core(config)#access-list 100 deny ip 127.0.0.0 0.255.255.255 any
Core(config)#access-list 100 deny ip 0.0.0.0 0.255.255.255 any
Core(config)#access-list 100 deny ip any any

Expert Comment by: wpharaon

By default, when you apply an ACL to an interface it only allows what is stated as permit, so if you have one specific block in the ACL and no permits, and then apply this ACL to the interface, it will block all the traffic. Have a nice day.
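As an added example that is not part of the thread: a small Python evaluator for the ACL syntax used above. It shows why the original access-list 100 blocked SSH from the Internet, why the corrected line permits it, the empty-ACL behaviour the asker noticed, and why the bogon denies belong above the SSH permit. It assumes contiguous wildcard masks and numeric destination-side `eq` ports only, and uses 203.0.113.13 as a constructed stand-in for the redacted 173.x.x.13.

```python
import ipaddress
# Added example, not from the thread. Assumes contiguous wildcard masks and numeric
# destination-side "eq" only; 203.0.113.13 stands in for the redacted 173.x.x.13.
WAN_IP = "203.0.113.13"

def _addr(tok):
    """Consume one address spec (any / host A / A WILDCARD); return (net, rest)."""
    if tok[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tok[1:]
    if tok[0] == "host":
        return ipaddress.ip_network(tok[1] + "/32"), tok[2:]
    mask = ~int(ipaddress.ip_address(tok[1])) & 0xFFFFFFFF  # wildcard -> netmask
    base = ipaddress.ip_address(int(ipaddress.ip_address(tok[0])) & mask)
    return ipaddress.ip_network(f"{base}/{bin(mask).count('1')}"), tok[2:]

def parse(line):
    """'access-list N <permit|deny> <proto> <src> <dst> [eq <port>]' -> tuple."""
    tok = line.split()
    src, rest = _addr(tok[4:])
    dst, rest = _addr(rest)
    port = int(rest[1]) if rest[:1] == ["eq"] else None
    return tok[2], tok[3], src, dst, port

def evaluate(acl, proto, src, dst, dport=None):
    """First-match evaluation as IOS applies it to one inbound packet. No entries
    at all: IOS permits everything (the asker's observation); otherwise the
    unwritten last line is 'deny ip any any'."""
    entries = [parse(line) for line in acl]
    if not entries:
        return "permit"
    s_ip, d_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, p, s, d, port in entries:
        if p in ("ip", proto) and s_ip in s and d_ip in d and port in (None, dport):
            return action
    return "deny"

BOGON_DENIES = [  # the thread's list plus 10.0.0.0/8 (RFC 1918), which it omits
    "access-list 100 deny ip 10.0.0.0 0.255.255.255 any",
    "access-list 100 deny ip 192.168.0.0 0.0.255.255 any",
    "access-list 100 deny ip 172.16.0.0 0.15.255.255 any",
    "access-list 100 deny ip 224.0.0.0 31.255.255.255 any",
    "access-list 100 deny ip 169.254.0.0 0.0.255.255 any",
    "access-list 100 deny ip 127.0.0.0 0.255.255.255 any",
    "access-list 100 deny ip 0.0.0.0 0.255.255.255 any",
]
# Asker's original (SSH permit names the LAN address) vs. the accepted fix with the
# denies placed first, so a spoofed private source never reaches the permit.
ORIGINAL = ["access-list 100 permit tcp any 192.168.1.2 0.0.0.0 eq 22"] + BOGON_DENIES
FIXED = BOGON_DENIES + [f"access-list 100 permit tcp any host {WAN_IP} eq 22",
                        "access-list 100 permit ip any any"]
```

Calling `evaluate(ORIGINAL, "tcp", "198.51.100.7", WAN_IP, 22)` returns "deny" (the permit never matches, so the implicit deny fires), while the same packet against `FIXED` returns "permit" and an empty list returns "permit".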
 

Author Comment by: B1izzard

Is there anything I should add as far as blocking special ip ranges on the WAN side, or does it look good?

Author Closing Comment by: B1izzard

Thanks!