Solved

Cisco access-list help

Posted on 2011-03-01
Last Modified: 2012-06-27
Hi!

I'm trying to block all traffic except HTTP & DNS. This should be applied to the VLAN2 interface.

I created the following access-list:

1811W#show ip access-list 109
Extended IP access list 109
    10 permit tcp any any eq www (119 matches)
    20 permit tcp any any eq 443
    30 permit udp any any eq 443
    40 permit udp any host 208.67.222.222 eq domain
    50 permit udp any host 208.67.220.220 eq domain
    60 deny tcp any any


And applied it to the VLAN:

interface Vlan2
 description PUBLIC
 no ip address
 ip access-group 109 out
 bridge-group 2

interface BVI2
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly


For a reason that I can't pinpoint, this is not working. I also tried to apply the access-list on the BVI interface, which is working, but I get no traffic at all in that situation; everything is blocked. I would appreciate a little help please.

Thank you!

-M
Question by: Rubicon2009

12 Comments

Expert Comment

by: GuruChiu
ID: 35013412
Normally we control traffic by incoming ACL, e.g.

ip access-list extended PubIn
 permit tcp any any established
 permit tcp any eq www any
 permit tcp any eq 443 any
 permit udp any host 208.67.222.222 eq domain
 permit udp any host 208.67.220.220 eq domain
 deny ip any any
interface BVI2
 ip access-group PubIn in

Expert Comment

by: WalkaboutTigger
ID: 35013417
What is it you're trying to accomplish?
The ANY ANY rules are excessive. I presume you want inbound HTTP and HTTPS traffic to hit an internal web server.
What type of device is it you're configuring? ASA, router, WAP?
Do you have NATs in place? If so, what do those look like?

Expert Comment

by: GuruChiu
ID: 35013463
I read your posting again and there is some problem with your configuration. Which one is your external interface (the one connected to the internet)? Is it BVI2? It doesn't make sense, as BVI2 has ip nat inside.

Author Comment

by: Rubicon2009
ID: 35014116
This router is a 1811w; there are 2 SSIDs configured on the router.

One SSID is named "PRIVATE", which is on interface VLAN1 using BVI1; the other is named "PUBLIC", which is on interface VLAN2 using BVI2.

The internet is on FA0.

What I'm trying to do here is to apply an access list on the PUBLIC network so people can use this connection to only browse the web (no MSN, no torrent, no SMTP, no nothing except www & DNS).


Accepted Solution

by: GuruChiu (earned 1400 total points)
ID: 35014218
In that case, the only changes you need to make:

interface Vlan2
 no ip access-group 109 out

interface BVI2
 ip access-group 109 in

Author Comment

by: Rubicon2009
ID: 35014361
@GuruChiu: Your solution is working perfectly!
But can you explain why it's "IN" instead of "OUT"? I designed the access-list thinking it would originally be OUT.

Assisted Solution

by: GuruChiu (earned 1400 total points)
ID: 35014402
The commands are from the router's perspective. The router is looking at packets coming IN.

Assisted Solution

by: wpharaon (earned 200 total points)
ID: 35014452
The ACL should be applied to the interface with the Layer 3 configuration.
Since you are allowing specific traffic from your network to go to the internet (HTTP & DNS),
apply the ACL to the interface where you see it configured with your internal LAN IP address along with ip nat inside.

Expert Comment

by: shubhanshu_jaiswal
ID: 35016358
The Access list will work in OUT direction if you make it reflexive.

Expert Comment

by: wpharaon
ID: 35016424
From the lines below you can verify the direction the questioner refers to:

40 permit udp any host 208.67.222.222 eq domain
50 permit udp any host 208.67.220.220 eq domain

He is talking about any host on his LAN towards the real IP (internet host IP) 208.67.220.220,
thus I would apply this on the inside interface in the "in" direction.


Assisted Solution

by: kevinhsieh (earned 400 total points)
ID: 35018439
You should drop line 30 permit udp any any eq 443. SSL only runs over TCP 443, never UDP. Add line 55 deny ip any any and drop line 60.

Now, with this access list in place icmp ping will be broken, and where is DHCP being handled? This ACL will block DHCP requests from hitting the router.
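As an added illustration that is not part of the thread, here is a small Python evaluator for the Cisco-style extended ACEs quoted above, loaded with ACL 109 as amended in the thread (the UDP 443 line dropped, an explicit deny ip any any at the end). It shows the direction point made in the accepted solution and the ICMP/DHCP consequence noted just above: a client's request carries the service port as destination and matches the permit lines when seen inbound on BVI2, while the server's reply carries the service port as source, so the same lines never match it. The addresses 192.168.1.50 and 203.0.113.10 and port 51234 are constructed sample values.

```python
import ipaddress

PORT_NAMES = {"www": 80, "domain": 53}

# ACL 109 from the question, amended per the thread (no "udp ... eq 443", explicit final deny).
ACL_109 = [
    "permit tcp any any eq www",
    "permit tcp any any eq 443",
    "permit udp any host 208.67.222.222 eq domain",
    "permit udp any host 208.67.220.220 eq domain",
    "deny ip any any",
]

def _addr(tok, i):
    """Parse 'any' or 'host A.B.C.D' at token i; return (network, next index)."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    raise ValueError("only 'any' and 'host' addresses are modelled here")

def parse_ace(line):
    """'permit|deny proto src dst [eq port]' -> dict, with port names resolved."""
    tok = line.split()
    src, i = _addr(tok, 2)
    dst, i = _addr(tok, i)
    dport = None
    if i < len(tok) and tok[i] == "eq":
        dport = PORT_NAMES.get(tok[i + 1]) or int(tok[i + 1])
    return {"action": tok[0], "proto": tok[1], "src": src, "dst": dst, "dport": dport}

def evaluate(acl, proto, src, dst, dport):
    """First match wins: (action, line). Unmatched -> ('deny', None), the implicit deny."""
    for n, line in enumerate(acl, 1):
        ace = parse_ace(line)
        if ace["proto"] not in ("ip", proto):
            continue
        if (ipaddress.ip_address(src) not in ace["src"]
                or ipaddress.ip_address(dst) not in ace["dst"]):
            continue
        if ace["dport"] is not None and ace["dport"] != dport:
            continue
        return ace["action"], n
    return "deny", None

def request_and_reply(proto, client, server, sport, dport):
    """Request = what BVI2 sees 'in' (dst = service port); reply = what an 'out'
    ACL on the LAN side sees instead (dst = the client's ephemeral port)."""
    return {"request": evaluate(ACL_109, proto, client, server, dport),
            "reply": evaluate(ACL_109, proto, server, client, sport)}
```

Running `request_and_reply("tcp", "192.168.1.50", "203.0.113.10", 51234, 80)` permits the request on line 1 and denies the reply on line 5; a DHCP discover (UDP to 255.255.255.255 port 67) and an ICMP echo both fall to the final deny, which is the breakage kevinhsieh describes.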

Author Comment

by: Rubicon2009
ID: 35024277
Thanks everyone for helping me with this issue!

Now if I want to apply a crypto map to my private LAN, should I place it on the VLAN, on the BVI, or can "a crypto map only be applied on the WAN interface"?