Solved

Cisco access-list help

Posted on 2011-03-01
Last Modified: 2012-06-27
Hi !


I'm trying to block all traffic except http & DNS. This should be applied to the VLAN2 interface.

I created the following access-list:

1811W#show ip access-list 109
Extended IP access list 109
    10 permit tcp any any eq www (119 matches)
    20 permit tcp any any eq 443
    30 permit udp any any eq 443
    40 permit udp any host 208.67.222.222 eq domain
    50 permit udp any host 208.67.220.220 eq domain
    60 deny tcp any any


And applied it to the VLAN:

interface Vlan2
 description PUBLIC
 no ip address
 ip access-group 109 out
 bridge-group 2

interface BVI2
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly


For a reason that I can't pinpoint, this is not working. I also tried to apply the access-list on the BVI interface, which is working, but I get no traffic at all in that situation; everything is blocked. I would appreciate a little help please.

Thank you !

-M
Question by:Rubicon2009

Expert Comment

by:GuruChiu
Normally we control traffic with an incoming ACL, e.g.

ip access-list extended PubIn
 permit tcp any any established
 permit tcp any eq www any
 permit tcp any eq 443 any
 permit udp any host 208.67.222.222 eq domain
 permit udp any host 208.67.222.220 eq domain
 deny ip any any
interface BVI2
 ip access-group PubIn in

Expert Comment

by:WalkaboutTigger
What is it you're trying to accomplish?
The ANY ANY rules are excessive. I presume you want inbound HTTP and HTTPS traffic to hit an internal web server.
What type of device is it you're configuring?  ASA, router, WAP?
Do you have NATs in place?  If so, what do those look like?

Expert Comment

by:GuruChiu
I read your posting again and there is a problem with your configuration. Which one is your external interface (the one connected to the internet)? Is it BVI2? It doesn't make sense, as BVI2 has ip nat inside.

Author Comment

by:Rubicon2009
This router is a 1811W; there are 2 SSIDs configured on the router.

One SSID is named "PRIVATE", which is on interface VLAN1 using BVI1; the other is named "PUBLIC", which is on interface VLAN2 using BVI2.

The internet is on FA0.

What I'm trying to do here is to apply an access list on the PUBLIC network so people can use this connection only to browse the web (no MSN, no torrent, no SMTP, nothing except www & DNS).


Accepted Solution

by:GuruChiu
GuruChiu earned 350 total points
In that case, the only changes you need to make are:

interface Vlan2
 no ip access-group 109 out

interface BVI2
 ip access-group 109 in

Author Comment

by:Rubicon2009
@GuruChiu: Your solution is working perfectly!
But can you explain why it's "IN" instead of "OUT"? Because I designed the access-list thinking it would originally be OUT???

Assisted Solution

by:GuruChiu
GuruChiu earned 350 total points
The commands are from the router's perspective. The router is looking at packets coming IN.

Assisted Solution

by:wpharaon
wpharaon earned 50 total points
The ACL should be applied to the interface with the Layer 3 configuration.
Since you are allowing specific traffic from your network to go to the internet (HTTP & DNS),
apply the ACL to the interface that is configured with your internal LAN IP address along with ip nat inside.

Expert Comment

by:shubhanshu_jaiswal
The access list will work in the OUT direction if you make it reflexive.

Expert Comment

by:wpharaon
From the lines below you can verify the direction the questioner refers to:

40 permit udp any host 208.67.222.222 eq domain
50 permit udp any host 208.67.220.220 eq domain

He is talking about any host on his LAN towards the real IP (internet host IP) 208.67.220.220;
thus I would apply this on the inside interface in the "in" direction.


Assisted Solution

by:kevinhsieh
kevinhsieh earned 100 total points
You should drop line 30 permit udp any any eq 443. SSL only runs over TCP 443, never UDP. Add line 55 deny ip any any and drop line 60.

Now, with this access list in place, ICMP ping will be broken, and where is DHCP being handled? This ACL will block DHCP requests from hitting the router.
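To make the two points above concrete (GuruChiu's "the router is looking at packets coming IN" and kevinhsieh's cleanup of ACL 109), here is an added example that is not part of the thread and not Cisco code: a small Python evaluator for the subset of IOS extended-ACL syntax used in the question (permit/deny, tcp/udp/ip, any/host, a destination `eq` port, first match wins, implicit deny at the end). It parses ACL 109 as posted and a cleaned-up copy with the udp/443 entry dropped and an explicit `deny ip any any`, then runs constructed packets through them. The sample flows (client 192.168.1.50, web server 203.0.113.10, which is a documentation address, ephemeral ports 51000/40000) are assumptions for the demonstration. The example models only ACL direction on BVI2, not the bridge-group/BVI detail of where Layer 3 processing happens. It shows why the list applied "out" on the LAN side blocks everything: the return packets carry source port 80 or 53, so none of the destination-port entries match them and they fall through to the deny. It also shows that the cleaned-up list, applied "in", drops DHCP and ICMP to the router, which is kevinhsieh's caveat.

```python
from dataclasses import dataclass
from typing import Optional

# ACL 109 as shown in the question (sequence numbers and counters dropped).
ACL_109 = """
permit tcp any any eq www
permit tcp any any eq 443
permit udp any any eq 443
permit udp any host 208.67.222.222 eq domain
permit udp any host 208.67.220.220 eq domain
deny tcp any any
"""

# The same list with the udp/443 entry dropped and an explicit final deny.
ACL_109_FIXED = """
permit tcp any any eq www
permit tcp any any eq 443
permit udp any host 208.67.222.222 eq domain
permit udp any host 208.67.220.220 eq domain
deny ip any any
"""

PORT_NAMES = {"www": 80, "domain": 53, "bootps": 67, "bootpc": 68}


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0


@dataclass(frozen=True)
class Ace:
    action: str
    proto: str          # "ip" matches every protocol
    src: str            # "any" or a host address
    dst: str
    dport: Optional[int]


def _addr(toks, i):
    """Parse 'any' or 'host A.B.C.D'; return (address, next index)."""
    if toks[i] == "any":
        return "any", i + 1
    if toks[i] == "host":
        return toks[i + 1], i + 2
    raise ValueError(f"unsupported address form: {toks[i]}")


def parse_acl(text):
    """Parse the subset of extended-ACL syntax used in the thread."""
    aces = []
    for line in text.strip().splitlines():
        toks = line.split()
        src, i = _addr(toks, 2)
        dst, i = _addr(toks, i)
        dport = None
        if i < len(toks) and toks[i] == "eq":
            dport = PORT_NAMES.get(toks[i + 1]) or int(toks[i + 1])
        aces.append(Ace(toks[0], toks[1], src, dst, dport))
    return aces


def evaluate(aces, pkt):
    """First matching entry wins; no match is the implicit deny (None)."""
    for n, a in enumerate(aces, 1):
        if a.proto != "ip" and a.proto != pkt.proto:
            continue
        if a.src != "any" and a.src != pkt.src:
            continue
        if a.dst != "any" and a.dst != pkt.dst:
            continue
        if a.dport is not None and a.dport != pkt.dport:
            continue
        return a.action, n
    return "deny", None


def verdict(acl_text, request, reply, direction):
    """Verdict on the LAN-facing interface (BVI2). Direction is the
    router's view: "in" sees the client's request entering the router,
    "out" sees only the reply leaving the router toward the client."""
    pkt = request if direction == "in" else reply
    return evaluate(parse_acl(acl_text), pkt)[0]


# Constructed sample flows; 203.0.113.10 is a documentation address.
CLIENT = "192.168.1.50"
WEB_REQ = Packet("tcp", CLIENT, "203.0.113.10", 51000, 80)
WEB_REP = Packet("tcp", "203.0.113.10", CLIENT, 80, 51000)
DNS_REQ = Packet("udp", CLIENT, "208.67.222.222", 40000, 53)
DNS_REP = Packet("udp", "208.67.222.222", CLIENT, 53, 40000)
SMTP_REQ = Packet("tcp", CLIENT, "203.0.113.10", 51001, 25)
DHCP_REQ = Packet("udp", "0.0.0.0", "255.255.255.255", 68, 67)
PING_REQ = Packet("icmp", CLIENT, "192.168.1.1")

if __name__ == "__main__":
    for d in ("in", "out"):
        print(d, "web:", verdict(ACL_109, WEB_REQ, WEB_REP, d),
              "dns:", verdict(ACL_109, DNS_REQ, DNS_REP, d))
    print("dhcp in:", verdict(ACL_109_FIXED, DHCP_REQ, DHCP_REQ, "in"))
```

Run it and the "in" column permits the web and DNS requests while the "out" column denies both replies, which is the "everything is blocked" symptom from the question. Note that with the original list a UDP packet to an arbitrary port is dropped by the implicit deny rather than by `deny tcp any any`; the explicit `deny ip any any` makes that intent visible and gives the final entry a hit counter in `show ip access-list`.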

Author Comment

by:Rubicon2009
Thanks everyone for helping me with this issue!

Now if I want to apply a crypto map to my private LAN, should I place it on the VLAN, on the BVI, or "a crypto map can only be applied on the WAN interface"???