Solved

Help Understanding Cisco ACLs for 861 Router

Posted on 2011-03-09
646 Views
Last Modified: 2012-05-11
So, what I want to do is have this on the edge... it'll be plugged right into the internet.  I'm guessing this probably isn't the most solid idea, but realistically if it's rejecting every inbound connection, how dangerous can it be?

I have a satellite building, which is directly connected via a site-to-site wireless link.  This link, however, is very slow (50mbit on a very good day).

We purchased an ADSL connection, and I would like to have the router route all traffic not destined for my internal network (192.168.10.0/24 and 10.0.0.0/8) out to the internet through this ADSL connection.  This should dramatically improve quality of service.

What I obviously do NOT want, however, is the internet to get its traffic routed into my network.  That might be bad.

My router is plugged into the network on interface FA1, and plugged into the ADSL on FA4.  For safety reasons, at this point, fa4 is shutdown, however when testing I no shutdown it to bring it back up.

interface FastEthernet1
 description Uplink to Network
 switchport mode trunk
end

interface FastEthernet4
 description Uplink to ISP
 ip address xxx.xxx.xxx.xxx 255.255.255.248
 ip access-group 105 in
 shutdown
 duplex auto
 speed auto
end

Extended IP access list 105
    10 deny ip any any (2200 matches)



And now for the problem.

With no access-list on FA4, I am correctly able to ping a public IP address (4.2.2.2 for my testing purposes) from my SSH session on the router... and the internet can reach my router.

With the access-list in place, I am no longer able to ping the public IP address, but the internet is also not able to reach my router.

I'm obviously missing something.

I tried applying the access-group out, as well as prepending the following lines to the top of the ACL:
access-list 105 permit ip 10.0.0.0 0.255.255.255 any
access-list 105 permit ip 192.168.0.0 0.0.255.255 any

Anyone able to help me understand?
Question by:lunanat
13 Comments
LVL 9

Accepted Solution

by:
fcontrepois earned 500 total points
ID: 35088171
Short answer: ask your provider to give you a Cisco config to connect to their ADSL with NAT so you don't need to set up an ACL at all.

Long answer

Use NAT :-) and remove your ACL

With your setup, you can send to the internet but any answer is blocked by your ACL.

Find a configuration that suits your needs following this URL:
http://www.cisco.com/en/US/tech/tk175/tk15/tech_configuration_examples_list.html

This one would work in my case but the right config depends on your provider setting: http://www.cisco.com/en/US/tech/tk175/tk15/technologies_configuration_example09186a008071a60e.shtml
 
LVL 1

Author Comment

by:lunanat
ID: 35088776
I've reviewed the linked config, and you're right that NATing will definitely work... however my experience with this is quite limited and I'm afraid I don't quite understand the config.

On my firewall I have set up some NATing, but the syntax here is slightly different.

As I understand it, and please do correct me where I'm wrong, if my public IP was 1.2.3.4, I would want to nat all of my outbound traffic (from my LAN) through that IP address.

I would then want to NAT the internet to my LAN, but have an empty table so that essentially nothing gets translated and thus not routed.

Right?

If that's the case, I haven't a clue where to begin.
 
LVL 9

Expert Comment

by:fcontrepois
ID: 35092425
! ETHERNET
interface ethernet0
 no shut
 ip address <ip address> <subnet mask>
 ip nat inside
 no ip directed-broadcast

! ADSL - 1
interface atm0
 no shut
 no ip address
 no ip directed-broadcast
 no ip mroute-cache
 pvc <vpi/vci>
  encapsulation aal5mux ppp dialer
  dialer pool-member 1

!---
interface dialer1
 ip address negotiated
 no ip directed-broadcast

!--- For NAT:
 ip nat outside
 encapsulation ppp
 dialer pool 1
! username/password for adsl
 ppp chap hostname <username>
 ppp chap password <password>
 ppp pap sent-username <username> password <password>
!
!--- For NAT: this permits all computers matched by access-list 1 to connect to the internet
ip nat inside source list 1 interface dialer1 overload
!--- here you define your LAN subnet for the NAT
access-list 1 permit <ip network address of ethernet0> <wildcard mask>
!--- example access-list 1 permit 192.168.0.0 0.0.0.255

ip classless
!--- default route: packets go online :)
ip route 0.0.0.0 0.0.0.0 dialer1
 
LVL 1

Author Comment

by:lunanat
ID: 35095938
No luck... I read through that config off the Cisco link you provided already, and I was having trouble adapting it to my network/hardware.

There is an ISP-owned router on the other side of my FA4 interface, already configured with the ppp stuff... no need to have any of that info in.  It's a black box, I cannot access it (at least, not legally).

This is what I have:
!
interface Vlan752
 ip address 10.2.7.xxx 255.255.255.0
 ip helper-address 192.168.0.x
 ip nat inside
 ip virtual-reassembly
end
!
interface FastEthernet1
 description Uplink to LAN
 switchport mode trunk
end
!
interface FastEthernet4
 description Uplink to ISP
 ip address xxx.xxx.xxx.xxx 255.255.255.248
 ip nat outside
 ip virtual-reassembly
 shutdown
 duplex auto
 speed auto
end
!
Standard IP access list 1
    10 permit 10.0.0.0, wildcard bits 0.255.255.255
    20 permit 192.168.0.0, wildcard bits 0.0.255.255

!
ip nat inside source list 1 interface FastEthernet4 overload
ip route 0.0.0.0 0.0.0.0 FastEthernet4
ip route 10.0.0.0 255.0.0.0 Vlan752
ip route 192.168.0.0 255.255.0.0 Vlan752
!



The result of this is completely unfettered access through the router, in both directions.
 
LVL 9

Expert Comment

by:fcontrepois
ID: 35096049
Let's do some tests:
from the router try to ping the isp router, this will check the connectivity on FE4
from the router try to ping on the inside to be sure that VLAN is working
from the inside try to ping the isp router to be sure routing is working fine

if this last step is not working then change
ip route 0.0.0.0 0.0.0.0 FastEthernet4
to
ip route 0.0.0.0 0.0.0.0 IP_OF_ISP_ROUTER

NB: remember to use the no shutdown command on FE4.
 
LVL 1

Author Comment

by:lunanat
ID: 35096100
No need to test, I can tell you that connectivity is definitely there, and traffic is most certainly flowing.

From my PC, I'm able to run an nmap scan on the router through its public IP, and even access the HTTPS Device Manager via the public IP address.

I'm currently SSHed into the router via its internal IP address.
 
LVL 9

Expert Comment

by:fcontrepois
ID: 35096128
Can you ping the ISP router?
Can you ping an IP on the internet from your router?
 
LVL 1

Author Comment

by:lunanat
ID: 35096156
Yes to both.
 
LVL 9

Expert Comment

by:fcontrepois
ID: 35096912
FYI: every port on a router will answer for every IP used by the router. A ping on IP_OF_FE4 is probably answered by the VLAN interface.

I assume you know the VLAN, trunk and helper-address (quite rare to see one of those) settings are right for your setup.

Looks good to me :(
 
LVL 1

Author Comment

by:lunanat
ID: 35097089
The VLAN, trunk, and helper-address stuff is all working as best I can tell.  I had FE0 set up as a switchport access vlan 752, and I was able to plug a PC right into it.  It got an IP address, traceroute confirmed that it was leaving the 752 subnet through the router, and it was able to reach everything that it was supposed to reach.

Since the NATing doesn't seem to be working, is there any way to define in the router that the ACL should only apply to new connections, rather than already-established connections?

You had mentioned that with my initial ACL attempt, the information was being sent, but the response was being blocked.  A stateless connection, if you would.

Is it possible that the problem exists within the handling of stateful (or stateless) connections?
 
LVL 9

Expert Comment

by:fcontrepois
ID: 35107659
 
LVL 1

Author Comment

by:lunanat
ID: 35202280
Sorry for the delay in getting back to this... I was out of town for some training.

I have the following status update:

1) NAT is working.  If I connect a PC to the VLAN that the router is on, and connect back to my firewall on a blocked port, I am able to generate alerts that confirm the traffic is coming from the public address assigned to FA4.

2) Traffic is flowing both directions.  When FA4 is up, I am able to reach the internet, and the internet is able to reach the router.

nmap indicates the TCP ports 22,23,80, and 443 are all accessible from the public address.

Perhaps now all I need to do is disable access to those services from all but specific addresses?
 
LVL 1

Author Comment

by:lunanat
ID: 35202324
Yes indeed, the only remaining thing was to restrict access to the management ports.

Unfortunately, all I had to do was look at the terminal lines... lines 0-4 were controlled by access-class 23.

access-list 23, unfortunately, did not exist.

So, I made it.  Permit from 10.0.0.0/8 and 192.168.0.0/16, deny from everywhere else.

Now nmap shows a whole lot of white space where before the router was extremely inviting to all sorts of connections.

Problem solved.
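The two problems in this thread, an inbound "deny ip any any" that also drops the replies to LAN-initiated sessions, and management lines bound to an access-class whose list was never defined, are shown resolved together below. This is an added example, not the poster's running config or the expert's link: interface names, list number 23 and the two LAN ranges come from the thread, while xxx.xxx.xxx.xxx is a placeholder for the public address on FastEthernet4 and must be replaced.

```cisco
! Added example, not the configuration posted in the thread.
! xxx.xxx.xxx.xxx = public address on FastEthernet4 (placeholder).
!
! Part 1: inbound filter on the ISP side. "established" matches only TCP
! segments with ACK or RST set, i.e. replies to sessions opened from the
! LAN, so unsolicited SYNs to 22/23/80/443 are dropped before they reach
! NAT or the router's own services, while outbound browsing still works.
ip access-list extended FROM-ISP
 remark replies to TCP sessions opened from the LAN (ACK or RST set)
 permit tcp any host xxx.xxx.xxx.xxx established
 remark DNS answers from the resolvers the LAN queried (source port 53)
 permit udp any eq domain host xxx.xxx.xxx.xxx
 remark ping replies and traceroute / path-MTU messages
 permit icmp any host xxx.xxx.xxx.xxx echo-reply
 permit icmp any host xxx.xxx.xxx.xxx time-exceeded
 permit icmp any host xxx.xxx.xxx.xxx unreachable
 remark everything else is dropped and logged for review
 deny ip any any log
!
interface FastEthernet4
 ip access-group FROM-ISP in
!
! Part 2: the fix the poster finally applied. The vty lines referenced
! access-class 23, but list 23 did not exist, and the scan in the thread
! shows that behaved as no restriction at all. Define the list explicitly
! and bind it to the lines; ssh-only transport closes the telnet port too.
access-list 23 remark management from internal ranges only
access-list 23 permit 10.0.0.0 0.255.255.255
access-list 23 permit 192.168.0.0 0.0.255.255
access-list 23 deny any log
!
line vty 0 4
 access-class 23 in
 transport input ssh
!
! Check: "show access-lists" should show hits on the permit lines during
! normal browsing and on the deny lines only for unsolicited traffic;
! "show ip nat translations" should list only LAN-initiated sessions.
```

A UDP-based application other than DNS that the LAN uses would need its own reply line in FROM-ISP, since the "established" keyword applies to TCP only.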