ACL on 7200 Router

Unanswered Question
Mar 19th, 2007

Hi,

I have a 7200 Router, and I am implementing an ACL that would block uncertain traffic going in to my network. So I created an extended access list and applied it to my LAN interface, but the ACL seems not to be working even though I explicitly put a deny any any command, yet other networks still successfully got in. The second thing I did was apply it to the WAN interface; though the ACL is working, the problem now is I can't access the internet. I tried to upgrade its IOS to 12.4 but uploading it gave me a hard time too, e.g., my tftp server gives me the error "file does not exists". When I issue the command "dir" the IOS is located on disk0:. Should I do "copy tftp disk0"? Any suggestions? Specifically on the ACL..

Show Version:

Cisco Internetwork Operating System Software
IOS (tm) 7200 Software (C7200-IS-M), Version 12.2(28a), RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2005 by cisco Systems, Inc.
Compiled Mon 28-Mar-05 18:21 by kellmill
Image text-base: 0x60008940, data-base: 0x61316000

ROM: System Bootstrap, Version 11.1(13)CA, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)
BOOTLDR: 7200 Software (C7200-BOOT-M), Version 12.0(28a), RELEASE SOFTWARE (fc1)

TelwiseXOEther uptime is 1 day, 3 hours, 7 minutes
System returned to ROM by power-on
Running default software

cisco 7206 (NPE200) processor (revision B) with 114688K/16384K bytes of memory.
Processor board ID 3796562
R5000 CPU at 200Mhz, Implementation 35, Rev 2.1, 512KB L2 Cache
6 slot midplane, Version 1.3
Last reset from power-on
Bridging software.
X.25 software, Version 3.0.0.
Number of Fast PAs = 3
Number of Fast+Medium PAs = 3
Total number of PA bandwidth points consumed = 490
Please refer to the following document "Cisco 7200 Series Port
Adaptor Hardware Configuration Guidelines" on CCO <www.cisco.com>,
for c7200 bandwidth points oversubscription/usage guidelines.
2 FastEthernet/IEEE 802.3 interface(s)
1 ATM network interface(s)
125K bytes of non-volatile configuration memory.

4096K bytes of packet SRAM memory.
62976K bytes of ATA PCMCIA card at slot 0 (Sector size 512 bytes).
4096K bytes of Flash internal SIMM (Sector size 256K).
Configuration register is 0x2102

LAN Interface

int fa 4/0

WAN Interface

int fa 3/0

Extended IP access list Filter_Inbound_Traffic
permit ip 196.128.112.64 0.0.0.63 10.10.10.0 0.0.1.255
permit ip 192.168.250.48 0.0.0.15 10.10.10.0 0.0.1.255
permit ip 192.168.250.224 0.0.0.31 10.10.10.0 0.0.1.255
permit ip 192.168.33.32 0.0.0.31 10.10.10.0 0.0.1.255
permit ip 172.192.63.0 0.0.0.63 10.10.10.0 0.0.1.255
deny tcp any eq telnet 10.10.10.0 0.0.1.255 eq telnet
deny udp any range 5004 5005 10.10.10.0 0.0.1.255 range 5004 5005
deny tcp any eq 22 10.10.10.0 0.0.1.255 eq 22
deny udp any eq 22 10.10.10.0 0.0.1.255 eq 22
deny tcp any eq 5800 10.10.10.0 0.0.1.255 eq 58
deny tcp any eq 5801 10.10.10.0 0.0.1.255 eq 580
deny tcp any eq 5900 10.10.10.0 0.0.1.255 eq 5900
deny tcp any eq 5901 10.10.10.0 0.0.1.255 eq 5901
deny tcp any eq 3389 10.10.10.0 0.0.1.255 eq 3389
deny tcp any eq 1433 10.10.10.0 0.0.1.255 eq 1433
deny tcp any eq 1434 10.10.10.0 0.0.1.255 eq 1434
deny udp any eq 1433 10.10.10.0 0.0.1.255 eq 1433
deny udp any eq 1434 10.10.10.0 0.0.1.255 eq 1434
deny udp any eq 80 10.10.10.0 0.0.1.255 eq 80

spremkumar Mon, 03/19/2007 - 23:50

hi

Did you try checking the available file systems on your router ?

do try show disk0: and check whether the current IOS file is available out there..

Once you are through with that check the tftp server config and the directory mapping on the server side.

Also do make sure whether you have the new ios code file on the directory mapped with the tftp services..

regds

Richard Burts Tue, 03/20/2007 - 13:18

Rick

It would help us answer your question better if you had told us what your address space is. But without knowing that helpful detail here are some observations about your access list:

- all of the statements reflect a destination of 10.10.10.0 0.0.1.255. Would we understand from this that 10.10.10.x and 10.10.11.x are your address space?

- the statements in the later part of the access list specify protocol and port values and specify the same port value as source and as destination. This generally does not work. Very few protocols use the same source port and destination port. So for example the first one of these is:

deny tcp any eq telnet 10.10.10.0 0.0.1.255 eq telnet

If you want to deny with telnet as source or telnet as destination then you probably need 2 statements in the access list. As it is written it will never match a telnet packet because in the telnet packet the source OR the destination will be telnet but not both.

- you describe using this access list on LAN then on the WAN. You did not specify whether you changed the access list around when you moved it. But the relationship of source address and destination address probably needs to swap when you move between interfaces.

HTH

Rick
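The following is an added example, not code from this thread or from Cisco: a small Python model of how an IOS extended ACL is evaluated (first matching line wins, implicit deny at the end), used to check the two points in the reply above. It assumes contiguous wildcard masks, a minimal port-name table (telnet, ssh, www), and constructed sample packets using the 203.0.113.0/24 documentation range; the `swap_direction` helper and the two-line telnet rewrite are assumptions made for illustration, not the original poster's config.

```python
"""Tiny evaluator for Cisco-style extended ACL lines, to show first-match behaviour.
Added example; assumes contiguous wildcard masks and only the port names below."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

PORT_NAMES = {"telnet": 23, "ssh": 22, "www": 80}   # assumption: only these names are needed
PortRange = Optional[Tuple[int, int]]                # None means "any port"


@dataclass(frozen=True)
class Ace:
    action: str                   # "permit" or "deny"
    proto: str                    # "ip", "tcp" or "udp"
    src: ipaddress.IPv4Network
    sport: PortRange
    dst: ipaddress.IPv4Network
    dport: PortRange


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """Convert 'addr wildcard' (IOS inverse mask) to a network; rejects non-contiguous masks."""
    wild = int(ipaddress.IPv4Address(wildcard))
    if wild & (wild + 1):
        raise ValueError(f"non-contiguous wildcard {wildcard} not supported in this model")
    return ipaddress.ip_network(f"{addr}/{32 - wild.bit_length()}", strict=False)


def _port(tok: str) -> int:
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)


def _parse_addr(t: List[str], i: int):
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.ip_network(f"{t[i + 1]}/32"), i + 2
    return wildcard_to_network(t[i], t[i + 1]), i + 2


def _parse_port(t: List[str], i: int):
    if i < len(t) and t[i] == "eq":
        p = _port(t[i + 1])
        return (p, p), i + 2
    if i < len(t) and t[i] == "range":
        return (_port(t[i + 1]), _port(t[i + 2])), i + 3
    return None, i


def parse_ace(line: str) -> Ace:
    """Parse one line such as 'deny tcp any eq telnet 10.10.10.0 0.0.1.255 eq telnet'."""
    t = line.split()
    src, i = _parse_addr(t, 2)
    sport, i = _parse_port(t, i)
    dst, i = _parse_addr(t, i)
    dport, i = _parse_port(t, i)
    return Ace(t[0], t[1], src, sport, dst, dport)


def parse_acl(lines: List[str]) -> List[Ace]:
    return [parse_ace(l) for l in lines]


def swap_direction(ace: Ace) -> Ace:
    """Mirror an entry for the opposite direction (what moving an ACL between interfaces needs)."""
    return Ace(ace.action, ace.proto, ace.dst, ace.dport, ace.src, ace.sport)


def matches(ace: Ace, pkt: Packet) -> bool:
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if ipaddress.IPv4Address(pkt.src) not in ace.src or ipaddress.IPv4Address(pkt.dst) not in ace.dst:
        return False
    if ace.sport and not ace.sport[0] <= pkt.sport <= ace.sport[1]:
        return False
    if ace.dport and not ace.dport[0] <= pkt.dport <= ace.dport[1]:
        return False
    return True


def evaluate(acl: List[Ace], pkt: Packet) -> Tuple[str, Optional[int]]:
    """First match wins; (action, line index). ('deny', None) is the implicit deny any any."""
    for idx, ace in enumerate(acl):
        if matches(ace, pkt):
            return ace.action, idx
    return "deny", None


# Constructed samples. A real telnet session has an ephemeral source port; only dst is 23.
TELNET_IN = Packet("tcp", "203.0.113.5", 51234, "10.10.10.20", 23)
AS_POSTED = ["deny tcp any eq telnet 10.10.10.0 0.0.1.255 eq telnet"]
TWO_LINES = ["deny tcp any 10.10.10.0 0.0.1.255 eq telnet",      # telnet as destination
             "deny tcp any eq telnet 10.10.10.0 0.0.1.255"]      # telnet as source
PERMIT = ["permit ip 192.168.33.32 0.0.0.31 10.10.10.0 0.0.1.255"]
LAN_BOUND = Packet("tcp", "192.168.33.40", 51234, "10.10.11.7", 23)
REPLY = Packet("tcp", "10.10.11.7", 23, "192.168.33.40", 51234)

if __name__ == "__main__":
    print(evaluate(parse_acl(AS_POSTED), TELNET_IN))   # ('deny', None): line never matched
    print(evaluate(parse_acl(TWO_LINES), TELNET_IN))   # ('deny', 0): matched explicitly
    print(evaluate(parse_acl(PERMIT), REPLY))          # ('deny', None): wrong direction
```

The first call shows why the posted line is dead: the implicit deny, not the written line, is what blocks the telnet packet, which is also why a permit placed earlier would let it through. The last call shows the direction problem: the same permit line evaluated against the reply traffic does not match until it is mirrored with `swap_direction`.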
