Solved

Cisco minimum acl list

Posted on 2010-11-23
9
302 Views
Last Modified: 2012-05-10
I am working on setting up an access list to block private IP ranges and other special-use addresses but am uncertain about the access-list for the WAN side.  I am also trying to get ssh to work from a remote location, but when I enable the WAN 'ip access-group 100 in' to block the private IP ranges, I cannot access the router using ssh (everything is working ok with just the LAN ip access-group enabled).

1.  What is wrong with my access-lists / access-groups ?
2.  What else should I include to block for private/special IP ranges?  Is there a good list somewhere?

interface FastEthernet0/0
 description internal network
 ip address 192.168.1.2 255.255.255.0
 ip access-group 101 in
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet1/0
 description internet
 ip address 173.x.x.13 255.255.255.248
 ip access-group 100 in
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto

ip route 0.0.0.0 0.0.0.0 173.x.x.14
!
ip nat inside source list mylist interface FastEthernet1/0 overload
!
ip access-list extended mylist
 permit ip 192.168.1.0 0.0.0.255 any
access-list 100 permit tcp any 192.168.1.2 0.0.0.0 eq 22
access-list 100 deny ip 192.168.0.0 0.0.255.255 any
access-list 100 deny ip 172.16.0.0 0.15.255.255 any
access-list 100 deny ip 224.0.0.0 31.255.255.255 any
access-list 100 deny ip 169.254.0.0 0.0.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 deny ip 0.0.0.0 0.255.255.255 any

access-list 101 permit tcp 192.168.1.0 0.0.0.255 any eq www
access-list 101 permit tcp 192.168.1.0 0.0.0.255 any eq 443
access-list 101 permit icmp 192.168.1.0 0.0.0.255 any echo
access-list 101 permit icmp 192.168.1.0 0.0.0.255 any echo-reply
access-list 101 permit udp 192.168.1.0 0.0.0.255 any eq domain
access-list 101 permit tcp host 192.168.1.2 any eq 22
0
Question by:B1izzard
9 Comments
 
LVL 6

Accepted Solution

by:
wpharaon earned 300 total points
ID: 34194624
add line
access-list 100 permit tcp any 173.x.x.13 eq 22
and ssh to your router
also
access-list 100 permit ip any any
should be added on the end of your list
0
 
LVL 34

Expert Comment

by:Istvan Kalmar
ID: 34194652
did you generate an RSA key for ssh?
0
 
LVL 6

Expert Comment

by:wpharaon
ID: 34194662
He mentioned that it is working when he only enables the LAN ip access-group.

That's what I understood.
0
 
LVL 34

Assisted Solution

by:Istvan Kalmar
Istvan Kalmar earned 200 total points
ID: 34194724
but it is wrong:

access-list 100 permit tcp any 192.168.1.2 0.0.0.0 eq 22

he needs:

access-list 100 permit tcp any host 173.x.x.13 eq 22
0
 
LVL 6

Expert Comment

by:wpharaon
ID: 34195544
I already had this line in my comment. In addition, he only blocks, and the default action at the end of the ACL is block, so he needs to allow the other IPs (internet to PATted).
0
 

Author Comment

by:B1izzard
ID: 34202467
Thanks for the ACL.  It is working now.  One strange thing I noticed.  When I didn't have any ACLs for access-list 100 in the config, I was allowed through from the internet to ssh into the router.  I thought there was supposed to be an implicit deny, so if I didn't have any entries, nothing should have made it through, which is why I put the ACL 'access-list 100 deny ip any any' at the end of the list.  If I did put in just one entry for 'access-list 100 permit tcp any host 173.x.x.13 eq 23', then port 22 would be blocked.  It almost seemed like since there was no ACL (the ip access-group 100 was still on the interface) it was ignoring the implicit deny which should have been at the end.  Have you seen this before?

Is there anything that either of you see missing in my deny ACLs for private/special IP ranges?  Thanks!

Core(config)#access-list 100 permit tcp any host 173.x.x.13 eq 22
Core(config)#access-list 100 deny icmp any host 173.x.x.13 echo
Core(config)#access-list 100 deny ip 192.168.0.0 0.0.255.255 any
Core(config)#access-list 100 deny ip 172.16.0.0 0.15.255.255 any
Core(config)#access-list 100 deny ip 224.0.0.0 31.255.255.255 any
Core(config)#access-list 100 deny ip 169.254.0.0 0.0.255.255 any
Core(config)#access-list 100 deny ip 127.0.0.0 0.255.255.255 any
Core(config)#access-list 100 deny ip 0.0.0.0 0.255.255.255 any
Core(config)#access-list 100 deny ip any any
0
 
LVL 6

Expert Comment

by:wpharaon
ID: 34202628
By default, when you apply an ACL to an interface it only allows what is stated as permit, so if you have one specific block in the ACL and no permits, and then you apply this ACL to the interface, it will block all the traffic. Have a nice day.
0
 

Author Comment

by:B1izzard
ID: 34206256
Is there anything I should add as far as blocking special ip ranges on the WAN side, or does it look good?
0
 

Author Closing Comment

by:B1izzard
ID: 34401682
Thanks!
0
