Cisco 1841 Bridge Mode ACLs

Posted on 2013-12-16
Last Modified: 2013-12-19
Hello Experts - I am attempting to use a Cisco 1841 router in bridged mode. I'd like to use its ACL features to limit access to a set of predefined IP address ranges. I have a 50 Mb FIOS line plugged into the FE0/0 port and a D-Link 605L home router plugged into the 1841's FE0/1 port; pass-through is working fine. I then set up a series of extended access control lists with the ranges of the hosts I want people to be able to access:

access-list 110 permit ip x.x.x.x any

Unfortunately this doesn't seem to be working, as I still have access to things like VPN which should be blocked. I'm setting this up after entering config t, but I am not under a particular interface and am wondering if (and how) the ACL needs to be applied to the bridge group I created. My assumption is that the router would block requests to anything other than the hosts I defined in the ACLs, but I don't know if that is correct. I'd appreciate any general advice on things I could be doing wrong or on whether the concept of what I'm trying to do is sound. Thanks!
Question by: First Last

Expert Comment

by: Ramakrishna Prabhu
ID: 39721989
Can you post your current config please?

Author Comment

by: First Last
ID: 39721996
Sure, here we go:

Current configuration : 4858 bytes
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
hostname HOSTNAME
boot system flash:c1841-entbase-mz.124-8d.bin
security authentication failure rate 10 log
security passwords min-length 6
logging buffered 40096 debugging
enable password 7 XXXXXXXXXXXXXX
aaa new-model
aaa authentication login local_auth local
aaa session-id common
clock timezone EST -5
clock summer-time EST recurring
no ip source-route
no ip gratuitous-arps
ip cef
no ip bootp server
no ip domain lookup
ip domain name XXXX
login block-for 32767 attempts 5 within 60
crypto pki trustpoint TP-self-signed-1127056236
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1127056236
 revocation-check none
 rsakeypair TP-self-signed-1127056236
crypto pki certificate chain TP-self-signed-1127056236
 certificate self-signed 01
ip tcp intercept list autosec_tcp_intercept_list
ip tcp intercept connection-timeout 3600
ip tcp intercept watch-timeout 15
ip tcp intercept max-incomplete low 450
ip tcp intercept max-incomplete high 550
ip tcp intercept drop-mode random
bridge irb
interface FastEthernet0/0
 description FIOS in
 no ip address
 no ip proxy-arp
 speed auto
 no mop enabled
 bridge-group 1
interface FastEthernet0/1
 description Wireless in
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 duplex auto
 speed auto
 no mop enabled
 bridge-group 1
interface Serial0/0/0
 description XXXXXXX
 no ip address
 ip verify unicast source reachable-via rx allow-default 100
 no ip redirects
 no ip unreachables
 no ip proxy-arp
interface BVI1
 ip address
no ip forward-protocol nd
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
no logging trap
access-list 110 remark Allow Google
access-list 110 permit ip any
access-list 110 permit ip any
access-list 130 permit ip any
access-list 140 permit ip any
access-list 150 permit ip any
access-list 160 permit ip any
access-list 170 permit ip any
access-list 180 permit ip any
snmp-server location XXXXXXXX
snmp-server host xxx.xxx.xxx.xxx XXXXXXXXX
no cdp run
bridge 1 protocol ieee
bridge 1 route ip
banner login ^C
This is a private Network.
Access beyond this point is for authorized personnel only.
Unauthorized access will be prosecuted to the full extent of the law.
We thank you for respecting our privacy.^C
line con 0
 exec-timeout 5 0
 login authentication local_auth
 transport output telnet
line aux 0
 exec-timeout 15 0
 login authentication local_auth
 transport output telnet
line vty 0 4
 access-class 23 in
 privilege level 15
 login authentication local_auth
 transport input ssh
scheduler allocate 20000 1000
ntp clock-period 17178226
ntp update-calendar
ntp server XXX.XXX.XXX.XXX source Serial0/0/0 prefer

Accepted Solution

Craig Beck earned 2000 total points
ID: 39722697
You need to attach the ACL to an interface; however, you're bridging here, so it may not work on the 1841.

Basically you're trying to apply a layer-3 ACL to a layer-2 bridge.  Traditionally this would only work with MAC-based ACLs so you probably can't do what you want to do.
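As an added illustration (not part of any post in this thread): a small audit that reads an IOS running-config and reports access lists that are defined but never applied anywhere, plus lists that are referenced but never defined. The sample config is constructed to mirror the shape of the one posted above, with 192.0.2.0/24 and 198.51.100.0/24 standing in for the redacted addresses; on IOS a list that is referenced but does not exist applies no filtering, so both findings are worth a second look.

```python
import re

# Constructed running-config excerpt modelled on the one posted in this thread.
# Documentation ranges (192.0.2.0/24, 198.51.100.0/24) replace the redacted hosts.
SAMPLE_CONFIG = """\
ip tcp intercept list autosec_tcp_intercept_list
bridge irb
interface FastEthernet0/0
 no ip address
 bridge-group 1
interface Serial0/0/0
 ip verify unicast source reachable-via rx allow-default 100
interface BVI1
 ip address 192.0.2.1 255.255.255.0
ip http access-class 23
access-list 110 remark Allow Google
access-list 110 permit ip 192.0.2.0 0.0.0.255 any
access-list 130 permit ip 198.51.100.0 0.0.0.255 any
line vty 0 4
 access-class 23 in
bridge 1 route ip
"""

# Ways an IOS config applies a list: interface ACLs, line and HTTP access
# classes, uRPF, and TCP intercept. Each pattern captures the list number/name.
REFERENCE_PATTERNS = [
    re.compile(r"^\s*ip access-group (\S+)"),
    re.compile(r"^\s*access-class (\S+)"),
    re.compile(r"^\s*ip http access-class (\S+)"),
    re.compile(r"^\s*ip verify unicast source reachable-via \S+(?: allow-default)? (\d+)"),
    re.compile(r"^\s*ip tcp intercept list (\S+)"),
]
# Numbered lists ("access-list N ...") and named lists ("ip access-list extended NAME").
DEFINITION_PATTERN = re.compile(r"^(?:access-list (\S+)|ip access-list (?:standard|extended) (\S+))")


def audit_acls(config: str) -> dict:
    """Return lists defined but never applied, and lists applied but never defined."""
    defined, referenced = set(), set()
    for line in config.splitlines():
        m = DEFINITION_PATTERN.match(line)
        if m:
            defined.add(m.group(1) or m.group(2))
            continue
        for pat in REFERENCE_PATTERNS:
            m = pat.match(line)
            if m:
                referenced.add(m.group(1))
    return {"unapplied": sorted(defined - referenced),
            "undefined": sorted(referenced - defined)}


if __name__ == "__main__":
    print(audit_acls(SAMPLE_CONFIG))
```

Run against the sample, lists 110 and 130 come back as unapplied, which is exactly the situation in the question: the lists exist but nothing on the bridged interfaces invokes them.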

Author Comment

by: First Last
ID: 39723808
Ouch, didn't realize the 1841 can't do that, but it explains why I couldn't find commands to bind the ACLs to the bridge group. I can't do MAC-based ACLs because the general public will be connecting and I won't have their addresses ahead of time. Thanks for the info!
