Cisco minimum acl list

I am working on setting up an access list to block private IP ranges and other special-use addresses, but am uncertain about the access-list for the WAN side. I am also trying to get SSH to work from a remote location, but when I enable the WAN 'ip access-group 100 in' to block the private IP ranges, I cannot access the router using SSH (everything is working OK with just the LAN ip access-group enabled).

1.  What is wrong with my access-lists / access-groups ?
2.  What else should I include to block for private/special IP ranges?  Is there a good list somewhere?

interface FastEthernet0/0
 description internal network
 ip address 192.168.1.2 255.255.255.0
 ip access-group 101 in
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet1/0
 description internet
 ip address 173.x.x.13 255.255.255.248
 ip access-group 100 in
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto

ip route 0.0.0.0 0.0.0.0 173.x.x.14
!
ip nat inside source list mylist interface FastEthernet1/0 overload
!
ip access-list extended mylist
 permit ip 192.168.1.0 0.0.0.255 any
access-list 100 permit tcp any 192.168.1.2 0.0.0.0 eq 22
access-list 100 deny ip 192.168.0.0 0.0.255.255 any
access-list 100 deny ip 172.16.0.0 0.15.255.255 any
access-list 100 deny ip 224.0.0.0 31.255.255.255 any
access-list 100 deny ip 169.254.0.0 0.0.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 deny ip 0.0.0.0 0.255.255.255 any

access-list 101 permit tcp 192.168.1.0 0.0.0.255 any eq www
access-list 101 permit tcp 192.168.1.0 0.0.0.255 any eq 443
access-list 101 permit icmp 192.168.1.0 0.0.0.255 any echo
access-list 101 permit icmp 192.168.1.0 0.0.0.255 any echo-reply
access-list 101 permit udp 192.168.1.0 0.0.0.255 any eq domain
access-list 101 permit tcp host 192.168.1.2 any eq 22
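The behaviour of ACL 100 as posted, simulated in Python so the two questions can be checked mechanically (an added example for this thread, not code from the original post). It models IOS first-match semantics, wildcard masks and the implicit deny that ends every numbered ACL. The thread redacts the WAN address as 173.x.x.13, so the constructed documentation address 203.0.113.13 stands in for it, and the 198.51.100.x sources are likewise constructed sample traffic.

```python
"""Simulate IOS numbered extended ACLs: first match wins, implicit deny last.
Added example, not code from the thread; 203.0.113.13 is a constructed
stand-in for the thread's redacted WAN address 173.x.x.13."""
import ipaddress
from collections import namedtuple

WAN = "203.0.113.13"       # placeholder for the thread's 173.x.x.13
LAN_GW = "192.168.1.2"     # the router's LAN address from the posted config
PORT_NAMES = {"www": 80, "domain": 53, "ssh": 22, "telnet": 23}
ICMP_TYPES = {"echo", "echo-reply"}

# A packet as seen on the inbound interface; dport for tcp/udp, icmp_type for icmp.
Packet = namedtuple("Packet", "proto src dst dport icmp_type", defaults=(None, None))
# One parsed access-list entry; proto "ip" matches every protocol.
Entry = namedtuple("Entry", "action proto src src_wc dst dst_wc dport icmp_type")


def wildcard_match(addr, base, wildcard):
    """Cisco wildcard mask: 1 bits are 'don't care', 0 bits must match."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return a & care == b & care


def _read_addr(tok, i):
    """Consume one address spec: 'any', 'host A', or 'A WILDCARD'."""
    if tok[i] == "any":
        return "0.0.0.0", "255.255.255.255", i + 1
    if tok[i] == "host":
        return tok[i + 1], "0.0.0.0", i + 2
    return tok[i], tok[i + 1], i + 2


def parse_acl(lines):
    """Parse 'access-list N permit|deny PROTO SRC DST [eq PORT | ICMP-TYPE]'."""
    entries = []
    for line in lines:
        tok = line.split()
        if len(tok) < 4 or tok[0] != "access-list":
            continue                      # blank or unrelated line
        src, src_wc, i = _read_addr(tok, 4)
        dst, dst_wc, i = _read_addr(tok, i)
        dport = icmp_type = None
        if i < len(tok) and tok[i] == "eq":
            p = tok[i + 1]
            dport = int(p) if p.isdigit() else PORT_NAMES[p]
        elif i < len(tok) and tok[i] in ICMP_TYPES:
            icmp_type = tok[i]
        entries.append(Entry(tok[2], tok[3], src, src_wc, dst, dst_wc, dport, icmp_type))
    return entries


def evaluate(entries, pkt):
    """First matching entry decides; no match falls to the implicit 'deny ip any any'."""
    for e in entries:
        if e.proto != "ip" and e.proto != pkt.proto:
            continue
        if not (wildcard_match(pkt.src, e.src, e.src_wc)
                and wildcard_match(pkt.dst, e.dst, e.dst_wc)):
            continue
        if e.dport is not None and pkt.dport != e.dport:
            continue
        if e.icmp_type is not None and pkt.icmp_type != e.icmp_type:
            continue
        return e.action
    return "deny"


# ACL 100 exactly as posted in the question, applied inbound on the WAN side.
ORIGINAL_ACL_100 = f"""
access-list 100 permit tcp any {LAN_GW} 0.0.0.0 eq 22
access-list 100 deny ip 192.168.0.0 0.0.255.255 any
access-list 100 deny ip 172.16.0.0 0.15.255.255 any
access-list 100 deny ip 224.0.0.0 31.255.255.255 any
access-list 100 deny ip 169.254.0.0 0.0.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 deny ip 0.0.0.0 0.255.255.255 any
""".splitlines()

# ACL 100 with the fix from the answers: permit SSH to the WAN address itself
# and finish with 'permit ip any any' so NAT return traffic is admitted.
FIXED_ACL_100 = [
    f"access-list 100 permit tcp any host {WAN} eq 22",
    f"access-list 100 deny icmp any host {WAN} echo",
    *ORIGINAL_ACL_100[2:],                # the same six deny lines as before
    "access-list 100 permit ip any any",
]

# Constructed sample packets as they arrive on the WAN interface.
SAMPLES = {
    "ssh_from_internet": Packet("tcp", "198.51.100.7", WAN, dport=22),
    "https_reply_to_pat": Packet("tcp", "198.51.100.80", WAN, dport=50123),
    "ssh_with_private_src": Packet("tcp", "192.168.77.9", WAN, dport=22),
}


def audit(acl_lines):
    """Map each sample packet name to the action the ACL takes on it."""
    entries = parse_acl(acl_lines)
    return {name: evaluate(entries, p) for name, p in SAMPLES.items()}
```

Running `audit(ORIGINAL_ACL_100)` shows every sample denied: the permit line names the LAN address 192.168.1.2, but SSH from the Internet is addressed to the WAN address, so nothing matches it before the implicit deny, and the reply half of a LAN web session is dropped for the same reason. `audit(FIXED_ACL_100)` permits both. It also permits the SSH packet with a 192.168.x.x source, because the SSH permit sits above the private-range denies and first match wins; placing the anti-spoofing denies before any permit is what lets them apply to every protocol. The trailing `permit ip any any` is not stateful, so it admits any unsolicited inbound packet to the WAN address, which is the trade-off to weigh against reflexive or inspection-based filtering.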
Wissam (Senior Network Engineer) commented:
Add the line
access-list 100 permit tcp any 173.x.x.13 eq 22
and SSH to your router.
Also,
access-list 100 permit ip any any
should be added at the end of your list.
Istvan Kalmar (Senior Network Engineer) commented:
Did you generate an RSA key for SSH?
Wissam (Senior Network Engineer) commented:
He mentioned that it is working when he only enables the LAN ip access-group.

That's what I understood.
Istvan Kalmar (Senior Network Engineer) commented:
But it is wrong:

access-list 100 permit tcp any 192.168.1.2 0.0.0.0 eq 22

He needs:

access-list 100 permit tcp any host 173.x.x.13  eq 22
Wissam (Senior Network Engineer) commented:
I already had this line in my comment. In addition, he blocks, and the default action at the end of the ACL is block, so he needs to allow other IPs (Internet to PATed).
B1izzard (Author) commented:
Thanks for the ACL. It is working now. One strange thing I noticed. When I didn't have any ACLs for the access-list 100 in the config, I was allowed through from the Internet to SSH into the router. I thought there was supposed to be an implicit deny, so if I didn't have any entries, nothing should have made it through, which is why I put the ACL 'access-list 100 deny ip any any' at the end of the list. If I did put in just one entry for 'access-list 100 permit tcp any host 173.x.x.13 eq 23', then port 22 would be blocked. It almost seemed like since there was no ACL (the ip access-group 100 was still on the interface) it was ignoring the implicit deny which should have been at the end. Have you seen this before?

Is there anything that either of you see missing in my deny ACLs for private/special IP ranges? Thanks!

Core(config)#access-list 100 permit tcp any host 173.x.x.13 eq 22
Core(config)#access-list 100 deny icmp any host 173.x.x.13 echo
Core(config)#access-list 100 deny ip 192.168.0.0 0.0.255.255 any
Core(config)#access-list 100 deny ip 172.16.0.0 0.15.255.255 any
Core(config)#access-list 100 deny ip 224.0.0.0 31.255.255.255 any
Core(config)#access-list 100 deny ip 169.254.0.0 0.0.255.255 any
Core(config)#access-list 100 deny ip 127.0.0.0 0.255.255.255 any
Core(config)#access-list 100 deny ip 0.0.0.0 0.255.255.255 any
Core(config)#access-list 100 deny ip any any
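A way to answer the "is anything missing" question without eyeballing wildcard masks: generate the deny lines from CIDR prefixes and diff them against the ACL just posted. This is an added example for the thread, not code from the original post. The prefix list is the special-use IPv4 set from RFC 1918, RFC 5737, RFC 6598 and the RFC 6890 registry, which is a defensible starting point for source filtering on an Internet-facing interface; the posted ACL is embedded with the `Core(config)#` prompt stripped and the redacted 173.x.x.13 left as-is, since only the `deny ip SRC any` lines are parsed. Run against that ACL it reports 10.0.0.0/8, the third RFC 1918 block, among the ranges not yet covered.

```python
"""Turn special-use IPv4 prefixes into IOS wildcard-mask deny lines and report
which of them the posted ACL does not yet cover. Added example, not code from
the thread; the prefix list follows RFC 1918, RFC 5737, RFC 6598 and RFC 6890."""
import ipaddress

# Source prefixes that should never arrive from the Internet.
SPECIAL_USE = {
    "0.0.0.0/8": "'this' network (RFC 1122)",
    "10.0.0.0/8": "private (RFC 1918)",
    "100.64.0.0/10": "shared address space for CGN (RFC 6598)",
    "127.0.0.0/8": "loopback (RFC 1122)",
    "169.254.0.0/16": "link-local (RFC 3927)",
    "172.16.0.0/12": "private (RFC 1918)",
    "192.0.0.0/24": "IETF protocol assignments (RFC 6890)",
    "192.0.2.0/24": "TEST-NET-1 (RFC 5737)",
    "192.168.0.0/16": "private (RFC 1918)",
    "198.18.0.0/15": "benchmarking (RFC 2544)",
    "198.51.100.0/24": "TEST-NET-2 (RFC 5737)",
    "203.0.113.0/24": "TEST-NET-3 (RFC 5737)",
    "224.0.0.0/4": "multicast (RFC 5771)",
    "240.0.0.0/4": "reserved, incl. limited broadcast (RFC 1112)",
}


def wildcard(prefix):
    """IOS wildcard mask for a CIDR prefix: the inverse of the subnet mask."""
    return str(ipaddress.ip_network(prefix).hostmask)


def deny_line(acl, prefix):
    """Render one 'access-list N deny ip NET WILDCARD any' line."""
    net = ipaddress.ip_network(prefix)
    return f"access-list {acl} deny ip {net.network_address} {net.hostmask} any"


def parse_deny_source(line):
    """Source range of a 'deny ip SRC any' line as an IPv4Network, else None."""
    tok = line.split()
    if len(tok) < 6 or tok[:1] != ["access-list"] or tok[2:4] != ["deny", "ip"]:
        return None
    if tok[4] == "host" and tok[6:7] == ["any"]:
        return ipaddress.ip_network(f"{tok[5]}/32")
    if tok[4] == "any" or tok[6:7] != ["any"]:
        return None                       # 'deny ip any any' or a dst-specific line
    base, wc = tok[4], tok[5]
    w = int(ipaddress.IPv4Address(wc))
    if w & (w + 1):                       # wildcard bits must be contiguous
        raise ValueError(f"cannot express wildcard {wc} as a single prefix")
    return ipaddress.ip_network(f"{base}/{32 - w.bit_length()}", strict=False)


def missing_ranges(acl_lines):
    """Special-use prefixes that no deny-source line in the ACL covers."""
    covered = [n for n in map(parse_deny_source, acl_lines) if n is not None]
    return sorted(p for p in SPECIAL_USE
                  if not any(ipaddress.ip_network(p).subnet_of(c) for c in covered))


def suggested_additions(acl, acl_lines):
    """Deny lines to add so every special-use prefix is covered."""
    return [deny_line(acl, p) for p in missing_ranges(acl_lines)]


# The final ACL 100 from the thread, prompt removed; 173.x.x.13 is the thread's
# own redaction and is never parsed because only 'deny ip SRC any' lines matter.
POSTED_ACL_100 = """
access-list 100 permit tcp any host 173.x.x.13 eq 22
access-list 100 deny icmp any host 173.x.x.13 echo
access-list 100 deny ip 192.168.0.0 0.0.255.255 any
access-list 100 deny ip 172.16.0.0 0.15.255.255 any
access-list 100 deny ip 224.0.0.0 31.255.255.255 any
access-list 100 deny ip 169.254.0.0 0.0.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 deny ip 0.0.0.0 0.255.255.255 any
access-list 100 deny ip any any
""".splitlines()

if __name__ == "__main__":
    for line in suggested_additions(100, POSTED_ACL_100):
        print(line)
```

The posted `deny ip 224.0.0.0 31.255.255.255 any` is a /3, so it already covers both multicast (224/4) and the reserved 240/4 block, which the checker recognises through `subnet_of`. Whatever list is chosen, it belongs ahead of the SSH permit, and the same deny lines serve no purpose on the LAN-side ACL 101 where the source is already restricted to 192.168.1.0/24.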
Wissam (Senior Network Engineer) commented:
By default, when you apply an ACL to an interface it only allows what is stated as permit, so if you have one specific block in the ACL and no permits, and then you apply this ACL to the interface, it will block all the traffic. Have a nice day.
B1izzard (Author) commented:
Is there anything I should add as far as blocking special IP ranges on the WAN side, or does it look good?
B1izzard (Author) commented:
Thanks!