Solved

Cisco access-list help

Posted on 2011-03-01
Last Modified: 2012-06-27
Hi!


I'm trying to block all traffic except http & DNS. This should be applied to the VLAN2 interface.

I created the following access-list:

1811W#show ip access-list 109
Extended IP access list 109
    10 permit tcp any any eq www (119 matches)
    20 permit tcp any any eq 443
    30 permit udp any any eq 443
    40 permit udp any host 208.67.222.222 eq domain
    50 permit udp any host 208.67.220.220 eq domain
    60 deny tcp any any


And applied it to the VLAN:

interface Vlan2
 description PUBLIC
 no ip address
 ip access-group 109 out
 bridge-group 2

interface BVI2
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly


For a reason that I can't pinpoint, this is not working. I also tried to apply the access-list on the BVI interface, which is working, but I get no traffic at all in that situation; everything is blocked. I would appreciate a little help please.

Thank you!

-M
Question by:Rubicon2009
12 Comments
LVL 13

Expert Comment

by:GuruChiu
ID: 35013412
Normally we control traffic by incoming ACL, e.g.

ip access-list extended PubIn
 permit tcp any any established
 permit tcp any eq www any
 permit tcp any eq 443 any
 permit udp any host 208.67.222.222 eq domain
 permit udp any host 208.67.220.220 eq domain
 deny ip any any
interface BVI2
 ip access-group PubIn in
LVL 15

Expert Comment

by:WalkaboutTigger
ID: 35013417
What is it you're trying to accomplish?
The ANY ANY rules are excessive. I presume you want inbound HTTP and HTTPS traffic to hit an internal web server.
What type of device is it you're configuring?  ASA, router, WAP?
Do you have NATs in place?  If so, what do those look like?
LVL 13

Expert Comment

by:GuruChiu
ID: 35013463
I read your posting again and there are some problems with your configuration. Which one is your external interface (the one connected to the internet)? Is it BVI2? It doesn't make sense, as BVI2 has ip nat inside.

Author Comment

by:Rubicon2009
ID: 35014116
This router is a 1811W; there are 2 SSIDs configured on the router.

One SSID is named "PRIVATE", which is on interface VLAN1 using BVI1; the other is named "PUBLIC", which is on interface VLAN2 using BVI2.

The internet is on FA0.

What I'm trying to do here is to apply an access list on the PUBLIC network so people can use this connection only to browse the web (no MSN, no torrent, no SMTP, no nothing except www & DNS).

LVL 13

Accepted Solution

by:GuruChiu
GuruChiu earned 350 total points
ID: 35014218
In that case, the only changes you need to make:

interface Vlan2
 no ip access-group 109 out

interface BVI2
 ip access-group 109 in

Author Comment

by:Rubicon2009
ID: 35014361
@GuruChiu: Your solution is working perfectly!
But can you explain why it's "IN" instead of "OUT"? Because I designed the access-list thinking it would be originally OUT ???
LVL 13

Assisted Solution

by:GuruChiu
GuruChiu earned 350 total points
ID: 35014402
The commands are in the router's perspective. The router is looking at packets coming IN.
LVL 6

Assisted Solution

by:wpharaon
wpharaon earned 50 total points
ID: 35014452
The ACL should be applied to the interface with the Layer 3 configuration.
Since you are allowing specific traffic from your network to go to the internet (http & DNS),
apply the ACL to the interface where you see it is configured with your internal LAN IP address along with the ip nat inside.
LVL 5

Expert Comment

by:shubhanshu_jaiswal
ID: 35016358
The access list will work in the OUT direction if you make it reflexive.
LVL 6

Expert Comment

by:wpharaon
ID: 35016424
From the below you can verify the direction the questioner refers to:

40 permit udp any host 208.67.222.222 eq domain
50 permit udp any host 208.67.220.220 eq domain

He is talking about "any" on his LAN towards the real IP (internet host IP) 208.67.220.220,
thus I would apply this on the inside interface in the IN direction.

LVL 42

Assisted Solution

by:kevinhsieh
kevinhsieh earned 100 total points
ID: 35018439
You should drop line 30 permit udp any any eq 443. SSL only runs over TCP 443, never UDP. Add line 55 deny ip any any and drop line 60.

Now, with this access list in place icmp ping will be broken, and where is DHCP being handled? This ACL will block DHCP requests from hitting the router.
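To see what ACL 109 actually lets through once it sits inbound on BVI2, here is an added Python example (not from the thread or from Cisco) that evaluates the six entries with IOS first-match semantics and the trailing implicit deny against constructed sample flows from a PUBLIC client; 192.168.1.50 and the 203.0.113.x addresses are made up. It handles only the forms ACL 109 uses (any/host addresses, a destination eq port), so GuruChiu's PubIn list with source ports and established is out of scope.

```python
from collections import namedtuple

PORT_NAMES = {"www": 80, "domain": 53, "bootps": 67}  # IOS port keywords used below
Packet = namedtuple("Packet", "proto src dst dport", defaults=(None,))  # dport None for icmp

def _addr(tok):
    """'any' -> no constraint; otherwise 'host A.B.C.D' -> that address (the only forms ACL 109 uses)."""
    return (None, tok[1:]) if tok[0] == "any" else (tok[1], tok[2:])

def parse_ace(line):
    """Parse '[seq] permit|deny <proto> <src> <dst> [eq <port>]' into its fields."""
    tok = line.split()
    if tok[0].isdigit():  # sequence number printed by 'show ip access-list'
        tok = tok[1:]
    action, proto = tok[0], tok[1]
    src, tok = _addr(tok[2:])
    dst, tok = _addr(tok)
    port = None
    if tok[:1] == ["eq"]:
        port = PORT_NAMES[tok[1]] if tok[1] in PORT_NAMES else int(tok[1])
    return action, proto, src, dst, port

def evaluate(acl, pkt):
    """First matching entry decides; no match falls through to the implicit deny."""
    for ace in acl:
        action, proto, src, dst, port = parse_ace(ace)
        if (proto in ("ip", pkt.proto) and src in (None, pkt.src)
                and dst in (None, pkt.dst) and port in (None, pkt.dport)):
            return action
    return "deny (implicit)"

ACL_109 = [  # the list from the question, as printed by 'show ip access-list 109'
    "10 permit tcp any any eq www", "20 permit tcp any any eq 443",
    "30 permit udp any any eq 443", "40 permit udp any host 208.67.222.222 eq domain",
    "50 permit udp any host 208.67.220.220 eq domain", "60 deny tcp any any",
]

def check_public_lan(acl=ACL_109):
    """Constructed sample flows from a PUBLIC-SSID client, as the router sees them inbound on BVI2."""
    c = "192.168.1.50"  # constructed client address inside the BVI2 subnet
    cases = {
        "http": Packet("tcp", c, "203.0.113.10", 80),
        "dns to OpenDNS": Packet("udp", c, "208.67.222.222", 53),
        "dns to other server": Packet("udp", c, "203.0.113.53", 53),
        "smtp": Packet("tcp", c, "203.0.113.25", 25),
        "ping": Packet("icmp", c, "203.0.113.10"),
        "dhcp discover": Packet("udp", "0.0.0.0", "255.255.255.255", 67),
    }
    return {name: evaluate(acl, p) for name, p in cases.items()}
```

Only the http and OpenDNS flows come back as permit; the rest hit line 60 or the implicit deny, which is the ping and DHCP breakage kevinhsieh points out.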

Author Comment

by:Rubicon2009
ID: 35024277
Thanks everyone for helping me with this issue!

Now if I want to apply a crypto map to my private LAN, should I place it on the VLAN, on the BVI, or "A crypto map can only be applied on the WAN interface" ???