08-29-2007 12:46 PM - edited 03-11-2019 04:03 AM
Hi,
I'm new and trying to work out an access-list for my home Internet connection. I've replaced my Linksys with a 2514 router and want to implement access lists to keep my home PCs safe. I've read similar posts and am using the statements that I've seen; however, I'm unable to connect to any web sites when I apply the list. Any help would be appreciated. Thanks.
version 12.3
service timestamps debug uptime
service timestamps log uptime
service password-encryption
service udp-small-servers
service tcp-small-servers
!
hostname 2514B
!
boot-start-marker
boot-end-marker
!
enable secret 5 xxxxxxxxxxxxxxxx
enable password 7 xxxxxxxxxxxxxxxx
!
no aaa new-model
ip subnet-zero
ip dhcp excluded-address 192.168.126.1
ip dhcp excluded-address 192.168.126.2
!
ip dhcp pool DHCPPool
import all
network 192.168.126.0 255.255.255.240
default-router 192.168.126.1
!
!
!
!
interface Ethernet0
description Outside interface
ip address dhcp
ip access-group Incoming in
ip access-group Outgoing out
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
no ip route-cache
no ip mroute-cache
ntp disable
no cdp enable
hold-queue 32 in
hold-queue 100 out
!
interface Ethernet1
description Inside interface
ip address 192.168.126.1 255.255.255.240
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
no ip route-cache
no ip mroute-cache
!
interface Serial0
no ip address
no ip route-cache
no ip mroute-cache
!
interface Serial1
no ip address
no ip route-cache
no ip mroute-cache
shutdown
!
ip nat inside source list 1 interface Ethernet0 overload
no ip http server
ip classless
!
!
!
ip access-list extended Incoming
remark Deny NetBIOS Name, Datagram and Session service
deny udp any range netbios-ns netbios-ss any
deny tcp any range 137 139 any
remark Only allow ACKed tcp packets to our network
permit tcp any 192.168.126.0 0.0.0.255 gt 1023 established
remark Allow DHCP replies to reach the e0 interface
permit udp any any eq bootpc
remark Allow DNS queries
permit tcp any eq domain any
permit udp any eq domain any
remark Only allow specific ICMP message type & code
permit icmp any 192.168.126.0 0.0.0.255 net-unreachable
permit icmp any 192.168.126.0 0.0.0.255 host-unreachable
permit icmp any 192.168.126.0 0.0.0.255 port-unreachable
permit icmp any 192.168.126.0 0.0.0.255 packet-too-big
permit icmp any 192.168.126.0 0.0.0.255 administratively-prohibited
permit icmp any 192.168.126.0 0.0.0.255 source-quench
permit icmp any 192.168.126.0 0.0.0.255 ttl-exceeded
ip access-list extended Outgoing
remark Don't allow internal hosts to send icmp
deny icmp any any
remark Only allow packets from the internal network
permit ip 192.168.126.0 0.0.0.255 any
access-list 1 permit 192.168.126.0 0.0.0.255
!
!
line con 0
exec-timeout 20 0
password 7 xxxxxxxxxxxxxxxx
logging synchronous
login
line aux 0
password 7 xxxxxxxxxxxxxxxx
login
transport input all
line vty 0 4
access-class 1 in
exec-timeout 20 0
password 7 xxxxxxxxxxxxxxxx
login
!
end
08-29-2007 03:15 PM
Hi .. remember that you are using NAT and so any reference to 192.168.126.0 network on the Incoming access-list needs to be replaced by the IP address allocated to your e0 interface as 192.168.126.0 is not reachable from the internet.
The same thing with the outgoing access list, you might want to try replacing the last entry by permit ip host
I hope it helps .. please rate it if it does !!!
08-30-2007 07:31 AM
Thanks, I replaced the references to the 192.168.126.0 network with the address of my external interface and it now works.
I didn't want to have to update my ACL every time the DHCP address of my cablemodem changes, so I thought I could specify the network and a wildcard mask; however, I must not be calculating it correctly, because I tried that and I couldn't get out again.
Here is what I tried:
The address on the outside interface provided by my cablemodem is 24.46.171.29/20.
So, I calculated that the subnet mask is 255.255.240.0 and the network address is 24.46.160.0. Next I figured the wildcard mask should be the network number plus all the addresses on that network which I calculated as 24.46.160.0 0.0.94.255.
My inbound ACL on my outside interface is as follows:
ip access-list extended Incoming
remark Deny NetBIOS Name, Datagram and Session service
deny udp any range netbios-ns netbios-ss any
deny tcp any range 137 139 any
remark Only allow ACKed tcp packets to our network
permit tcp any 24.46.160.0 0.0.94.255 gt 1023 established
remark Allow DHCP replies to reach the e0 interface
permit udp any any eq bootpc
remark Allow DNS queries
permit tcp any eq domain any
permit udp any eq domain any
remark Only allow specific ICMP message type & code
permit icmp any 24.46.160.0 0.0.94.255 net-unreachable
permit icmp any 24.46.160.0 0.0.94.255 host-unreachable
permit icmp any 24.46.160.0 0.0.94.255 port-unreachable
permit icmp any 24.46.160.0 0.0.94.255 packet-too-big
permit icmp any 24.46.160.0 0.0.94.255 administratively-prohibited
permit icmp any 24.46.160.0 0.0.94.255 source-quench
permit icmp any 24.46.160.0 0.0.94.255 ttl-exceeded
08-30-2007 08:02 AM
0.0.94.255 is not a valid wildcard mask. The only valid numbers are 0, 1, 3, 7, 15, 31, 63, 127, and 255.
To turn a netmask into a wildcard mask, simply subtract each octet from 255.
255.255.240.0 becomes 0.0.15.255
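A worked version of the wildcard arithmetic discussed in this thread, added here as an example and not code posted by anyone in it; it assumes only Python's standard library. It inverts the /20 netmask into a wildcard, derives the network address of the outside interface, checks whether a wildcard is contiguous (the form jeremyault's list of valid octets describes), and tests whether a return packet addressed to the public interface address would match the original 192.168.126.0 entry, the 0.0.94.255 entry, and the corrected 0.0.15.255 entry.

```python
import ipaddress

# Constructed sample values taken from the thread: outside interface and the ACL entries tried.
OUTSIDE_IF = "24.46.171.29/20"
OUTSIDE_IP = "24.46.171.29"


def netmask_to_wildcard(netmask: str) -> str:
    """Cisco wildcard mask = 255 minus each octet of the subnet mask."""
    return ".".join(str(255 - int(o)) for o in netmask.split("."))


def prefix_to_wildcard(prefix_len: int) -> str:
    """Wildcard mask for a /N prefix, e.g. /20 -> 0.0.15.255."""
    netmask = ipaddress.IPv4Network(f"0.0.0.0/{prefix_len}").netmask
    return netmask_to_wildcard(str(netmask))


def is_contiguous_wildcard(wildcard: str) -> bool:
    """True when the wildcard is 0...01...1 in binary, i.e. it inverts to a
    real subnet mask. (w + 1) is then a power of two, so (w + 1) & w == 0."""
    w = int(ipaddress.IPv4Address(wildcard))
    return (w + 1) & w == 0


def network_of(addr_with_prefix: str) -> str:
    """Network address for an interface address such as 24.46.171.29/20."""
    return str(ipaddress.IPv4Interface(addr_with_prefix).network.network_address)


def acl_matches(acl_addr: str, wildcard: str, packet_addr: str) -> bool:
    """ACL match rule: every bit where the wildcard is 0 must equal the ACL address."""
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))  # bits that must match
    a = int(ipaddress.IPv4Address(acl_addr))
    p = int(ipaddress.IPv4Address(packet_addr))
    return (a & care) == (p & care)


if __name__ == "__main__":
    print("network:", network_of(OUTSIDE_IF))                 # 24.46.160.0
    print("wildcard:", prefix_to_wildcard(20))                 # 0.0.15.255
    for acl_addr, wc in [("192.168.126.0", "0.0.0.255"),
                         ("24.46.160.0", "0.0.94.255"),
                         ("24.46.160.0", "0.0.15.255")]:
        print(acl_addr, wc, "contiguous:", is_contiguous_wildcard(wc),
              "matches outside IP:", acl_matches(acl_addr, wc, OUTSIDE_IP))
```

Note that the 0.0.94.255 entry is both non-contiguous and a non-match for 24.46.171.29, which is why the established-TCP permit never fired and the connection "couldn't get out" until the mask was corrected.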
08-30-2007 06:48 PM
Thank you jeremyault and fernando_meza.
I updated my ACL with the network and wildcard mask of my outside interface and so far everything's working fine. With the subnet and wildcard mask I won't have to change my ACL whenever I get a new DHCP address from my cablemodem. If I do, I'll just add that network as well. Thanks again to both of you for your help.