Link to home
Start Free TrialLog in
Avatar of First Last
First LastFlag for United States of America

asked on

Cisco 1841 Bridge Mode ACLs

Hello Experts - I am attempting to use a Cisco 1841 router in bridged mode.  I'd like to use its ACL features to limit access to a set of predefined IP address ranges.  I have a 50mb FIOS line plugged into the FE0/0 port and a D-Link 605L home router plugged into the 1841's FE0/1 port, pass through is working fine.  I then setup a series of extended access control lists with the ranges of the hosts I want people to be able to access:  

access-list 110 permit ip x.x.x.x any

Unfortunately this doesn't seem to be working as I still have access to things like VPN which should be blocked.  I'm setting this up after entering confg t but I am not under a particular interface and am wondering if (and how) the ACL needs to be applied to the bridge group I created.  My assumption is that the router would block requests to anything other than the hosts I defined in the ACLs but I don't know if that is correct.  I'd appreciate any general advice on things I could be doing wrong or if the concept of what I'm trying to do is sound, thanks!
Avatar of Ramakrishna Prabhu
Ramakrishna Prabhu
Flag of Malaysia image

Can you post your current config please?
Avatar of First Last

ASKER

Sure, here we go:

Current configuration : 4858 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname HOSTNAME
!
boot-start-marker
boot system flash:c1841-entbase-mz.124-8d.bin
boot-end-marker
!
security authentication failure rate 10 log
security passwords min-length 6
logging buffered 40096 debugging
enable secret 5 XXXXXXXXXXXXXXXXXXXXXXXXXXXXX
enable password 7 XXXXXXXXXXXXXX
!
aaa new-model
!
!
aaa authentication login local_auth local
!
aaa session-id common
clock timezone EST -5
clock summer-time EST recurring
no ip source-route
no ip gratuitous-arps
ip cef
!
!
!
!
no ip bootp server
no ip domain lookup
ip domain name XXXX
login block-for 32767 attempts 5 within 60
!
crypto pki trustpoint TP-self-signed-1127056236
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1127056236
 revocation-check none
 rsakeypair TP-self-signed-1127056236
!
!
crypto pki certificate chain TP-self-signed-1127056236
 certificate self-signed 01
  30820247 308201B0 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 31313237 30353632 3336301E 170D3133 31323136 31343136
  32315A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 31323730
  35363233 3630819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  8100B230 116ADDF5 F18C1420 83CF7310 3DD16713 3D40927F 1DCA788A DA91AA27
  E5ABCD2A 55FEAEF1 CAEEF264 490BC6A0 2FEB0F94 7D0C80E9 E0E13163 5491E2F2
  49E9925B 1D9CAE9F 448C5EB0 D03AB094 365F1286 87F1C9C6 2D0B1373 3E82C42D
  69EC5650 AF657256 6C36C8A0 AC870464 7DFCE66A E356635B 14550551 1A4BDD15
  FFA30203 010001A3 6F306D30 0F060355 1D130101 FF040530 030101FF 301A0603
  551D1104 13301182 0F457769 6E675F41 5050532E 41505053 301F0603 551D2304
  18301680 149D66E5 2C5420A9 D930D8DD BCCF3D3D 4B2E61F3 BD301D06 03551D0E
  04160414 9D66E52C 5420A9D9 30D8DDBC CF3D3D4B 2E61F3BD 300D0609 2A864886
  F70D0101 04050003 81810080 86AB9D46 386A77EC BEE819F9 741D3DB4 B18B4931
  E39B20BC 2810D090 8F27628C 5157C0E3 E5CF160B 823C0D46 81016932 157EF6D3
  13372624 27047BCC 93EA38BF 2C0F60B0 977CB8A6 F1EBE7F8 B65904D2 4A90BCD6
  83A83E4B 85837CBA 60792A1E 24767B0F 3302CB57 6E79D519 97238BF8 C1CFE9C5
  0698CD33 CED4F041 B25966
  quit
username XXXXXXX privilege 15 password 7 XXXXXXXXXXXXXXXXXXXXXXXXXXXX
!
!
ip tcp intercept list autosec_tcp_intercept_list
ip tcp intercept connection-timeout 3600
ip tcp intercept watch-timeout 15
ip tcp intercept max-incomplete low 450
ip tcp intercept max-incomplete high 550
ip tcp intercept drop-mode random
bridge irb
!
!
interface FastEthernet0/0
 description FIOS in
 no ip address
 no ip proxy-arp
 speed auto
 full-duplex
 no mop enabled
 bridge-group 1
!
interface FastEthernet0/1
 description Wireless in
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 duplex auto
 speed auto
 no mop enabled
 bridge-group 1
!
interface Serial0/0/0
 description XXXXXXX
 no ip address
 ip verify unicast source reachable-via rx allow-default 100
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 shutdown
!
interface BVI1
 ip address 192.168.0.200 255.255.255.0
!
no ip forward-protocol nd
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
no logging trap
access-list 110 remark Allow Google
access-list 110 permit ip 17.0.0.0 0.0.0.255 any
access-list 110 permit ip 17.0.0.0 0.255.255.255 any
access-list 130 permit ip 23.0.0.0 0.15.255.255 any
access-list 140 permit ip 23.0.0.0 0.127.255.255 any
access-list 150 permit ip 23.64.0.0 0.31.255.255 any
access-list 160 permit ip 208.0.0.0 0.63.255.255 any
access-list 170 permit ip 173.194.0.0 0.0.255.255 any
access-list 180 permit ip 74.125.0.0 0.0.255.255 any
snmp-server location XXXXXXXX
snmp-server host xxx.xxx.xxx.xxx XXXXXXXXX
no cdp run
!
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
banner login ^C
This is a private Network.
Access beyond this point is for authorized personnel only.
Unauthorized access will be prosecuted to the full extent of the law.
We thank you for respecting our privacy.^C
!
line con 0
 exec-timeout 5 0
 login authentication local_auth
 transport output telnet
line aux 0
 exec-timeout 15 0
 login authentication local_auth
 transport output telnet
line vty 0 4
 access-class 23 in
 privilege level 15
 password 7 XXXXXXXXXXXXXXXXXXXXXX
 login authentication local_auth
 transport input ssh
!
scheduler allocate 20000 1000
ntp clock-period 17178226
ntp update-calendar
ntp server XXX.XXX.XXX.XXX source Serial0/0/0 prefer
end
ASKER CERTIFIED SOLUTION
Avatar of Craig Beck
Craig Beck
Flag of United Kingdom of Great Britain and Northern Ireland image

Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
Ouch, didn't realize the 1841 can't do that but it explains why I couldn't find commands to bind the ACLs to the bridge group.  I can't do MAC based ACLs because the general public will be connecting and I won't have them ahead of time.  Thanks for the info!