• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 310

Cisco minimum acl list

I am working on setting up an access list to block private IP ranges and other special-use addresses, but am uncertain about the access-list for the WAN side. I am also trying to get SSH to work from a remote location, but when I enable the WAN 'ip access-group 100 in' to block the private IP ranges, I cannot access the router using SSH (everything is working OK with just the LAN ip access-group enabled).

1. What is wrong with my access-lists / access-groups?
2. What else should I include to block for private/special IP ranges? Is there a good list somewhere?

interface FastEthernet0/0
 description internal network
 ip address 192.168.1.2 255.255.255.0
 ip access-group 101 in
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet1/0
 description internet
 ip address 173.x.x.13 255.255.255.248
 ip access-group 100 in
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto

ip route 0.0.0.0 0.0.0.0 173.x.x.14
!
ip nat inside source list mylist interface FastEthernet1/0 overload
!
ip access-list extended mylist
 permit ip 192.168.1.0 0.0.0.255 any
access-list 100 permit tcp any 192.168.1.2 0.0.0.0 eq 22
access-list 100 deny ip 192.168.0.0 0.0.255.255 any
access-list 100 deny ip 172.16.0.0 0.15.255.255 any
access-list 100 deny ip 224.0.0.0 31.255.255.255 any
access-list 100 deny ip 169.254.0.0 0.0.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 deny ip 0.0.0.0 0.255.255.255 any

access-list 101 permit tcp 192.168.1.0 0.0.0.255 any eq www
access-list 101 permit tcp 192.168.1.0 0.0.0.255 any eq 443
access-list 101 permit icmp 192.168.1.0 0.0.0.255 any echo
access-list 101 permit icmp 192.168.1.0 0.0.0.255 any echo-reply
access-list 101 permit udp 192.168.1.0 0.0.0.255 any eq domain
access-list 101 permit tcp host 192.168.1.2 any eq 22
Asked by B1izzard

2 Solutions
Wissam (Senior Network Engineer) commented:
Add the line
access-list 100 permit tcp any 173.x.x.13 eq 22
and SSH to your router. Also,
access-list 100 permit ip any any
should be added at the end of your list.
Istvan Kalmar (Head of IT Security Division) commented:
Did you generate an RSA key for SSH?
Wissam (Senior Network Engineer) commented:
He mentioned that it is working when he only enables the LAN ip access-group.

That's what I understood.
Istvan Kalmar (Head of IT Security Division) commented:
But this is wrong:

access-list 100 permit tcp any 192.168.1.2 0.0.0.0 eq 22

He needs:

access-list 100 permit tcp any host 173.x.x.13 eq 22
Wissam (Senior Network Engineer) commented:
I already had this line in my comment. In addition, he only blocks, and the default action at the end of the ACL is block; he needs to allow other IPs (internet to the PATed hosts).
B1izzard (Author) commented:
Thanks for the ACL. It is working now. One strange thing I noticed: when I didn't have any ACLs for access-list 100 in the config, I was allowed through from the internet to SSH into the router. I thought there was supposed to be an implicit deny, so if I didn't have any entries, nothing should have made it through, which is why I put the ACL 'access-list 100 deny ip any any' at the end of the list. If I put in just one entry, 'access-list 100 permit tcp any host 173.x.x.13 eq 23', then port 22 would be blocked. It almost seemed like, since there was no ACL (the ip access-group 100 was still on the interface), it was ignoring the implicit deny which should have been at the end. Have you seen this before?

Is there anything that either of you see missing in my deny ACLs for private/special IP ranges? Thanks!

Core(config)#access-list 100 permit tcp any host 173.x.x.13 eq 22
Core(config)#access-list 100 deny icmp any host 173.x.x.13 echo
Core(config)#access-list 100 deny ip 192.168.0.0 0.0.255.255 any
Core(config)#access-list 100 deny ip 172.16.0.0 0.15.255.255 any
Core(config)#access-list 100 deny ip 224.0.0.0 31.255.255.255 any
Core(config)#access-list 100 deny ip 169.254.0.0 0.0.255.255 any
Core(config)#access-list 100 deny ip 127.0.0.0 0.255.255.255 any
Core(config)#access-list 100 deny ip 0.0.0.0 0.255.255.255 any
Core(config)#access-list 100 deny ip any any
Wissam (Senior Network Engineer) commented:
By default, when you apply an ACL to an interface, it only allows what is stated as permit. So if you have one specific block in the ACL and no permits, and then apply this ACL to the interface, it will block all the traffic. Have a nice day.
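An added example, not code from the original thread or from Cisco: a small Python model of how IOS evaluates the numbered extended ACLs posted above, so the two behaviours discussed in this thread can be checked offline. It implements first-match evaluation with the implicit deny that ends every non-empty list (which is why the first ACL 100, whose SSH permit named the LAN address 192.168.1.2, never matched an SSH packet arriving on the WAN interface for 173.x.x.13) and the IOS rule that an access-group pointing at a list with no entries permits all traffic, which is what the asker observed. The WAN address is redacted on the page, so 203.0.113.13 (RFC 5737 documentation space) and 198.51.100.7 as the remote SSH client are assumed stand-ins, and the packets are constructed.

```python
"""Model of a Cisco IOS numbered extended ACL applied with
'ip access-group <n> in': entries are checked top to bottom, the first
match decides, and a non-empty list ends in an implicit 'deny ip any any'.
An access-group that names a list with no entries permits all traffic.
Added example for this thread; the addresses below are assumed stand-ins
for the redacted 173.x.x.13 and the packets are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple, Union

WAN_IP = "203.0.113.13"         # assumed stand-in for the redacted 173.x.x.13
REMOTE_CLIENT = "198.51.100.7"  # assumed Internet host running the SSH client

PORT_NAMES = {"www": 80, "domain": 53, "telnet": 23}


@dataclass(frozen=True)
class Packet:
    proto: str                          # "tcp", "udp" or "icmp"
    src: str
    dst: str
    qual: Union[int, str, None] = None  # destination port or ICMP type keyword


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF
    return (a & care) == (b & care)


def _take_addr(tokens: List[str]) -> Tuple[str, str]:
    """Consume 'any', 'host X' or 'X WILDCARD' from the front of tokens."""
    t = tokens.pop(0)
    if t == "any":
        return "0.0.0.0", "255.255.255.255"
    if t == "host":
        return tokens.pop(0), "0.0.0.0"
    return t, tokens.pop(0)


def parse_ace(line: str):
    """Parse 'access-list N permit|deny PROTO SRC DST [eq PORT | ICMPTYPE]'."""
    tokens = line.split()
    if tokens[0] != "access-list":
        raise ValueError("not an access-list entry: " + line)
    action, proto = tokens[2], tokens[3]
    rest = tokens[4:]
    src = _take_addr(rest)
    dst = _take_addr(rest)
    qual: Union[int, str, None] = None
    if rest and rest[0] == "eq":
        qual = PORT_NAMES.get(rest[1]) or int(rest[1])
    elif rest:
        qual = rest[0]                  # e.g. 'echo' on an icmp entry
    return action, proto, src, dst, qual


def evaluate(acl_lines: List[str], pkt: Packet) -> str:
    """Return 'permit' or 'deny' for pkt arriving inbound on the interface."""
    aces = [parse_ace(line) for line in acl_lines]
    if not aces:
        return "permit"   # IOS: an access-group naming an empty list permits all
    for action, proto, src, dst, qual in aces:
        if proto != "ip" and proto != pkt.proto:
            continue
        if not (wildcard_match(pkt.src, *src) and wildcard_match(pkt.dst, *dst)):
            continue
        if qual is not None and qual != pkt.qual:
            continue
        return action     # first match wins
    return "deny"         # implicit deny at the end of a non-empty list


# ACL 100 as first posted: the SSH permit names the LAN address, which no
# packet arriving from the Internet for the WAN address can match.
ORIGINAL_ACL_100 = [
    "access-list 100 permit tcp any 192.168.1.2 0.0.0.0 eq 22",
    "access-list 100 deny ip 192.168.0.0 0.0.255.255 any",
    "access-list 100 deny ip 172.16.0.0 0.15.255.255 any",
    "access-list 100 deny ip 224.0.0.0 31.255.255.255 any",
    "access-list 100 deny ip 169.254.0.0 0.0.255.255 any",
    "access-list 100 deny ip 127.0.0.0 0.255.255.255 any",
    "access-list 100 deny ip 0.0.0.0 0.255.255.255 any",
]

# ACL 100 from the asker's final comment, WAN address substituted.
FINAL_ACL_100 = [
    f"access-list 100 permit tcp any host {WAN_IP} eq 22",
    f"access-list 100 deny icmp any host {WAN_IP} echo",
] + ORIGINAL_ACL_100[1:] + ["access-list 100 deny ip any any"]

# Same entries with the special-range denies moved above the SSH permit.
REORDERED_ACL_100 = (ORIGINAL_ACL_100[1:] + FINAL_ACL_100[:2]
                     + ["access-list 100 deny ip any any"])

SSH_FROM_INTERNET = Packet("tcp", REMOTE_CLIENT, WAN_IP, 22)
SSH_SPOOFED_PRIVATE = Packet("tcp", "192.168.5.5", WAN_IP, 22)  # constructed
PING_WAN = Packet("icmp", REMOTE_CLIENT, WAN_IP, "echo")


def outcomes(acl_lines: List[str]) -> dict:
    """Evaluate the three sample packets against one list."""
    return {
        "ssh": evaluate(acl_lines, SSH_FROM_INTERNET),
        "spoofed_ssh": evaluate(acl_lines, SSH_SPOOFED_PRIVATE),
        "ping": evaluate(acl_lines, PING_WAN),
    }


if __name__ == "__main__":
    for name, acl in [("original", ORIGINAL_ACL_100), ("final", FINAL_ACL_100),
                      ("reordered", REORDERED_ACL_100), ("empty", [])]:
        print(f"{name:>9}: {outcomes(acl)}")
```

Running it against the final list from the asker's comment also shows one consequence of entry order that a practitioner would want to know: because the SSH permit is the first entry, the private-range deny entries below it are never consulted for TCP/22 traffic, so a packet with a spoofed 192.168.x.x source addressed to the router's port 22 is still permitted. Moving the deny lines above the permit (the REORDERED_ACL_100 list) closes that, and if that ordering is used the list also needs an entry for 10.0.0.0/8, the RFC 1918 block the posted list does not cover.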
B1izzard (Author) commented:
Is there anything I should add as far as blocking special IP ranges on the WAN side, or does it look good?
B1izzard (Author) commented:
Thanks!
Question has a verified solution.