Help Understanding Cisco ACLs for 861 Router
So, what I want to do is have this on the edge... it'll be plugged right into the internet. I'm guessing this probably isn't the most solid idea, but realistically if it's rejecting every inbound connection, how dangerous can it be?
I have a satellite building, which is directly connected via a site-to-site wireless link. This link, however, is very slow (50mbit on a very good day).
We purchased an ADSL connection, and I would like to have the router route all traffic not destined for my internal network (192.168.10.0/24 and 10.0.0.0/8) out to the internet through this ADSL connection. This should dramatically improve quality of service.
What I obviously do NOT want, however, is the internet to get its traffic routed into my network. That might be bad.
My router is plugged into the network on interface FA1, and plugged into the ADSL on FA4. For safety reasons, at this point, fa4 is shutdown, however when testing I no shutdown it to bring it back up.
interface FastEthernet1
description Uplink to Network
switchport mode trunk
end
interface FastEthernet4
description Uplink to ISP
ip address xxx.xxx.xxx.xxx 255.255.255.248
ip access-group 105 in
shutdown
duplex auto
speed auto
end
Extended IP access list 105
10 deny ip any any (2200 matches)
And now for the problem.
With no access-list on FA4, I am correctly able to ping a public IP address (4.2.2.2 for my testing purposes) from my SSH session on the router... and the internet can reach my router.
With the access-list in place, I am no longer able to ping the public IP address, but the internet is also not able to reach my router.
I'm obviously missing something.
I tried applying the access-group out, as well as prepending the following lines to the top of the ACL:
access-list 105 permit ip 10.0.0.0 0.255.255.255 any
access-list 105 permit ip 192.168.0.0 0.0.255.255 any
Anyone able to help me understand?
I have a satellite building, which is directly connected via a site-to-site wireless link. This link, however, is very slow (50mbit on a very good day).
We purchased an ADSL connection, and I would like to have the router route all traffic not destined for my internal network (192.168.10.0/24 and 10.0.0.0/8) out to the internet through this ADSL connection. This should dramatically improve quality of service.
What I obviously do NOT want, however, is the internet to get its traffic routed into my network. That might be bad.
My router is plugged into the network on interface FA1, and plugged into the ADSL on FA4. For safety reasons, at this point, fa4 is shutdown, however when testing I no shutdown it to bring it back up.
interface FastEthernet1
description Uplink to Network
switchport mode trunk
end
interface FastEthernet4
description Uplink to ISP
ip address xxx.xxx.xxx.xxx 255.255.255.248
ip access-group 105 in
shutdown
duplex auto
speed auto
end
Extended IP access list 105
10 deny ip any any (2200 matches)
And now for the problem.
With no access-list on FA4, I am correctly able to ping a public IP address (4.2.2.2 for my testing purposes) from my SSH session on the router... and the internet can reach my router.
With the access-list in place, I am no longer able to ping the public IP address, but the internet is also not able to reach my router.
I'm obviously missing something.
I tried applying the access-group out, as well as prepending the following lines to the top of the ACL:
access-list 105 permit ip 10.0.0.0 0.255.255.255 any
access-list 105 permit ip 192.168.0.0 0.0.255.255 any
Anyone able to help me understand?
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
! ETHERNET
interface ethernet0
no shut
ip address <ip address> <subnet mask>
ip nat inside
no ip directed-broadcast
! ADSL - 1
interface atm0
no shut
no ip address
no ip directed-broadcast
no ip mroute-cache
pvc <vpi/vci>
encapsulation aal5mux ppp dialer
dialer pool-member 1
!---
interface dialer1
ip address negotiated
no ip directed-broadcast
!--- For NAT:
ip nat outside
encapsulation ppp
dialer pool 1
! username/password for adsl
ppp chap hostname <username>
ppp chap password <password>
ppp pap sent-username <username> password <password>
!
!--- For NAT: this permit all computer con access list 1 to connect to the internet
ip nat inside source list 1 interface dialer1 overload
!--- here you define your LAN subnet for the NAT
access-list 1 permit <ip network address of ethernet0> <wildcard mask>
!--- example access-list 1 permit 192.168.0.0 0.0.0.255
ip classless
!--- default packets goes online :)
ip route 0.0.0.0 0.0.0.0 dialer1
interface ethernet0
no shut
ip address <ip address> <subnet mask>
ip nat inside
no ip directed-broadcast
! ADSL - 1
interface atm0
no shut
no ip address
no ip directed-broadcast
no ip mroute-cache
pvc <vpi/vci>
encapsulation aal5mux ppp dialer
dialer pool-member 1
!---
interface dialer1
ip address negotiated
no ip directed-broadcast
!--- For NAT:
ip nat outside
encapsulation ppp
dialer pool 1
! username/password for adsl
ppp chap hostname <username>
ppp chap password <password>
ppp pap sent-username <username> password <password>
!
!--- For NAT: this permit all computer con access list 1 to connect to the internet
ip nat inside source list 1 interface dialer1 overload
!--- here you define your LAN subnet for the NAT
access-list 1 permit <ip network address of ethernet0> <wildcard mask>
!--- example access-list 1 permit 192.168.0.0 0.0.0.255
ip classless
!--- default packets goes online :)
ip route 0.0.0.0 0.0.0.0 dialer1
ASKER
No luck... I read through that config off the Cisco link you provided already, and I was having trouble adapting it to my network/hardware.
There is an ISP-owned router on the other side of my FA4 interface, already configured with the ppp stuff... no need to have any of that info in. It's a black box, I cannot access it (at least, not legally).
This is what I have:
The result of this is completely unfettered access through the router, in both directions.
There is an ISP-owned router on the other side of my FA4 interface, already configured with the ppp stuff... no need to have any of that info in. It's a black box, I cannot access it (at least, not legally).
This is what I have:
!
interface Vlan752
ip address 10.2.7.xxx 255.255.255.0
ip helper-address 192.168.0.x
ip nat inside
ip virtual-reassembly
end
!
interface FastEthernet1
description Uplink to LAN
switchport mode trunk
end
!
interface FastEthernet4
description Uplink to ISP
ip address xxx.xxx.xxx.xxx 255.255.255.248
ip nat outside
ip virtual-reassembly
shutdown
duplex auto
speed auto
end
!
Standard IP access list 1
10 permit 10.0.0.0, wildcard bits 0.255.255.255
20 permit 192.168.0.0, wildcard bits 0.0.255.255
!
ip nat inside source list 1 interface FastEthernet4 overload
ip route 0.0.0.0 0.0.0.0 FastEthernet4
ip route 10.0.0.0 255.0.0.0 Vlan752
ip route 192.168.0.0 255.255.0.0 Vlan752
!The result of this is completely unfettered access through the router, in both directions.
Let's do some test:
from the router try to ping the isp router, this will check the connectivity on FE4
from the router try to ping on the inside to be sure that VLAN is working
from the inside try to ping the isp router to be sure routing is working fine
if this last step is not working then change
ip route 0.0.0.0 0.0.0.0 FastEthernet4
to
ip route 0.0.0.0 0.0.0.0 IP_OF_ISP_ROUTER
NB: remember to use the no shutdown command on fe4
from the router try to ping the isp router, this will check the connectivity on FE4
from the router try to ping on the inside to be sure that VLAN is working
from the inside try to ping the isp router to be sure routing is working fine
if this last step is not working then change
ip route 0.0.0.0 0.0.0.0 FastEthernet4
to
ip route 0.0.0.0 0.0.0.0 IP_OF_ISP_ROUTER
NB: remember to use the no shutdown command on fe4
ASKER
No need to test, I can tell you that connectivity is definitely there, and traffic is most certainly flowing.
From my PC, I'm able to run an nmap scan on the router through its public IP, and even access the HTTPS Device Manager via the public IP address.
I'm currently SSHed into the router via its internal IP address.
From my PC, I'm able to run an nmap scan on the router through its public IP, and even access the HTTPS Device Manager via the public IP address.
I'm currently SSHed into the router via its internal IP address.
can you ping the isp router ?
can you ping an ip on the internet from your router ?
can you ping an ip on the internet from your router ?
ASKER
Yes to both.
FYI: every port on a router will answer for every ip used by the router. A ping on IP_OF_FE4 is probably answered by the vlan interface..
I assume you know all the vlan and trunk and helper-address (quite rare to see one of those) is right for your setup
looks good to me :(
I assume you know all the vlan and trunk and helper-address (quite rare to see one of those) is right for your setup
looks good to me :(
ASKER
The vlan, trunk, and helper-addres stuff is all working as best I can tell. I had FE0 set up as a switchport access vlan 752, and I was able to plug a PC right into it. It got an IP address, traceroute confirmed that it was leaving the 752 subnet through the router, and it was able to reach everything that it was supposed to reach.
Since the NATing doesn't seem to be working, is there any way to define in the router that the ACL should only apply to new connections, rather than already-established connections?
You had mentioned that with my initial ACL attempt, the information was being sent, but the response was being blocked. A stateless connection, if you would.
Is it possible that the problem exists within the handling of stateful (or stateless) connections?
Since the NATing doesn't seem to be working, is there any way to define in the router that the ACL should only apply to new connections, rather than already-established connections?
You had mentioned that with my initial ACL attempt, the information was being sent, but the response was being blocked. A stateless connection, if you would.
Is it possible that the problem exists within the handling of stateful (or stateless) connections?
That's what nat is for
troubleshoot nat
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080094c32.shtml
Nat order
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080133ddd.shtml
troubleshoot nat
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080094c32.shtml
Nat order
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080133ddd.shtml
ASKER
Sorry for the delay in getting back to this... I was out of town for some training.
I have the following status update:
1) NAT is working. If I connect a PC to the VLAN that the router is on, and connect back to my firewall on a blocked port, I am able to generate alerts that confirm the traffic is coming from the public address assigned to FA4
2) Traffic is flowing both directions. When FA4 is up, I am able to reach the internet, and the internet is able to reach the router.
nmap indicates the TCP ports 22,23,80, and 443 are all accessible from the public address.
Perhaps now all I need to do is disable access to those services from all but specific addresses?
I have the following status update:
1) NAT is working. If I connect a PC to the VLAN that the router is on, and connect back to my firewall on a blocked port, I am able to generate alerts that confirm the traffic is coming from the public address assigned to FA4
2) Traffic is flowing both directions. When FA4 is up, I am able to reach the internet, and the internet is able to reach the router.
nmap indicates the TCP ports 22,23,80, and 443 are all accessible from the public address.
Perhaps now all I need to do is disable access to those services from all but specific addresses?
ASKER
Yes indeed, the only remaining thing was to restrict access to the management ports.
Unfortunately, all I had to do was look at the terminal lines... lines 0-4 were controlled by access-class 23.
access-list 23, unfortunately, did not exist.
So, I made it. Permit from 10.0.0.0/8 and 192.168.0.0/16, deny from everywhere else.
Now nmap shows a whole lot of white space where before the router was extremely inviting to all sorts of connections.
Problem solved.
Unfortunately, all I had to do was look at the terminal lines... lines 0-4 were controlled by access-class 23.
access-list 23, unfortunately, did not exist.
So, I made it. Permit from 10.0.0.0/8 and 192.168.0.0/16, deny from everywhere else.
Now nmap shows a whole lot of white space where before the router was extremely inviting to all sorts of connections.
Problem solved.
ASKER
On my firewall I have set up some nating, but the syntax here is slightly different.
As I understand it, and please do correct me where I'm wrong, if my public IP was 1.2.3.4, I would want to nat all of my outbound traffic (from my LAN) through that IP address.
I would then want to NAT the internet to my LAN, but have an empty table so that essentially nothing gets translated and thus not routed.
Right?
If that's the case, I haven't a clue where to begin.