Access list problem

rileymartin
Level 1

Hi,

I'm new and trying to work out an access-list for my home Internet connection. I've replaced my Linksys with a 2514 router and want to implement access lists to keep my home PCs safe. I've read similar posts and am using the statements that I've seen; however, I'm unable to connect to any web sites when I apply the list. Any help would be appreciated. Thanks.

version 12.3
service timestamps debug uptime
service timestamps log uptime
service password-encryption
service udp-small-servers
service tcp-small-servers
!
hostname 2514B
!
boot-start-marker
boot-end-marker
!
enable secret 5 xxxxxxxxxxxxxxxx
enable password 7 xxxxxxxxxxxxxxxx
!
no aaa new-model
ip subnet-zero
ip dhcp excluded-address 192.168.126.1
ip dhcp excluded-address 192.168.126.2
!
ip dhcp pool DHCPPool
 import all
 network 192.168.126.0 255.255.255.240
 default-router 192.168.126.1
!
interface Ethernet0
 description Outside interface
 ip address dhcp
 ip access-group Incoming in
 ip access-group Outgoing out
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 no ip route-cache
 no ip mroute-cache
 ntp disable
 no cdp enable
 hold-queue 32 in
 hold-queue 100 out
!
interface Ethernet1
 description Inside interface
 ip address 192.168.126.1 255.255.255.240
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 no ip route-cache
 no ip mroute-cache
!
interface Serial0
 no ip address
 no ip route-cache
 no ip mroute-cache
!
interface Serial1
 no ip address
 no ip route-cache
 no ip mroute-cache
 shutdown
!
ip nat inside source list 1 interface Ethernet0 overload
no ip http server
ip classless
!
ip access-list extended Incoming
 remark Deny NetBIOS Name, Datagram and Session service
 deny udp any range netbios-ns netbios-ss any
 deny tcp any range 137 139 any
 remark Only allow ACKed tcp packets to our network
 permit tcp any 192.168.126.0 0.0.0.255 gt 1023 established
 remark Allow DHCP replies to reach the e0 interface
 permit udp any any eq bootpc
 remark Allow DNS queries
 permit tcp any eq domain any
 permit udp any eq domain any
 remark Only allow specific ICMP message type & code
 permit icmp any 192.168.126.0 0.0.0.255 net-unreachable
 permit icmp any 192.168.126.0 0.0.0.255 host-unreachable
 permit icmp any 192.168.126.0 0.0.0.255 port-unreachable
 permit icmp any 192.168.126.0 0.0.0.255 packet-too-big
 permit icmp any 192.168.126.0 0.0.0.255 administratively-prohibited
 permit icmp any 192.168.126.0 0.0.0.255 source-quench
 permit icmp any 192.168.126.0 0.0.0.255 ttl-exceeded
ip access-list extended Outgoing
 remark Don't allow internal hosts to send icmp
 deny icmp any any
 remark Only allow packets from the internal network
 permit ip 192.168.126.0 0.0.0.255 any
access-list 1 permit 192.168.126.0 0.0.0.255
!
line con 0
 exec-timeout 20 0
 password 7 xxxxxxxxxxxxxxxx
 logging synchronous
 login
line aux 0
 password 7 xxxxxxxxxxxxxxxx
 login
 transport input all
line vty 0 4
 access-class 1 in
 exec-timeout 20 0
 password 7 xxxxxxxxxxxxxxxx
 login
!
end

1 Accepted Solution

Accepted Solutions

Fernando_Meza
Level 7

Hi .. remember that you are using NAT, and so any reference to the 192.168.126.0 network in the Incoming access-list needs to be replaced by the IP address allocated to your e0 interface, as 192.168.126.0 is not reachable from the Internet.

The same thing with the outgoing access list: you might want to try replacing the last entry by permit ip host any

I hope it helps .. please rate it if it does !!!

4 Replies

Thanks, I replaced the references to the 192.168.126.0 network with the address of my external interface and it now works.

I didn't want to have to update my ACL every time the DHCP address of my cablemodem changes, so I thought I could specify the network and a wildcard mask; however, I must not be calculating it correctly, because I tried that and I couldn't get out again.

Here is what I tried:

The address on the outside interface provided by my cablemodem is 24.46.171.29/20.

So, I calculated that the subnet mask is 255.255.240.0 and the network address is 24.46.160.0. Next I figured the wildcard mask should be the network number plus all the addresses on that network, which I calculated as 24.46.160.0 0.0.94.255.

My inbound ACL on my outside interface is as follows:

ip access-list extended Incoming
 remark Deny NetBIOS Name, Datagram and Session service
 deny udp any range netbios-ns netbios-ss any
 deny tcp any range 137 139 any
 remark Only allow ACKed tcp packets to our network
 permit tcp any 24.46.160.0 0.0.94.255 gt 1023 established
 remark Allow DHCP replies to reach the e0 interface
 permit udp any any eq bootpc
 remark Allow DNS queries
 permit tcp any eq domain any
 permit udp any eq domain any
 remark Only allow specific ICMP message type & code
 permit icmp any 24.46.160.0 0.0.94.255 net-unreachable
 permit icmp any 24.46.160.0 0.0.94.255 host-unreachable
 permit icmp any 24.46.160.0 0.0.94.255 port-unreachable
 permit icmp any 24.46.160.0 0.0.94.255 packet-too-big
 permit icmp any 24.46.160.0 0.0.94.255 administratively-prohibited
 permit icmp any 24.46.160.0 0.0.94.255 source-quench
 permit icmp any 24.46.160.0 0.0.94.255 ttl-exceeded

0.0.94.255 is not a valid wildcard mask. The only valid numbers are 0, 1, 3, 7, 15, 31, 63, 127, and 255.

To turn a netmask into a wildcard mask, simply subtract each octet from 255.

255.255.240.0 becomes 0.0.15.255
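The following Python script is an added example, not part of the thread or of any Cisco tool. It models the two points the replies make: Fernando_Meza's point that return traffic on e0 is addressed to the outside address (24.46.171.29), not to 192.168.126.0/28, so the original `established` line can never match; and the wildcard-mask rule above (/20 gives 255.255.240.0, which inverts to 0.0.15.255, while 0.0.94.255 is not a contiguous mask). It uses Cisco ACL matching semantics (a packet matches when the address bits under the wildcard's 0 bits equal the network's bits) and a constructed return packet; the helper names and the TCP-flag model are the example's own.

```python
"""Wildcard-mask and ACL-match helpers (added example, not from the thread)."""
import ipaddress

# Addresses quoted in the thread.
OUTSIDE_ADDR = "24.46.171.29"   # DHCP address on e0 (a /20 from the cable provider)
INSIDE_NET = "192.168.126.0"    # private LAN behind NAT


def wildcard_from_prefix(prefix_len: int) -> str:
    """Prefix length -> IOS wildcard mask, e.g. 20 -> '0.0.15.255', 28 -> '0.0.0.15'."""
    if not 0 <= prefix_len <= 32:
        raise ValueError("prefix length must be 0..32")
    netmask = (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(netmask ^ 0xFFFFFFFF))


def wildcard_from_netmask(netmask: str) -> str:
    """Dotted subnet mask -> wildcard: subtract each octet from 255 (255.255.240.0 -> 0.0.15.255)."""
    return ".".join(str(255 - int(octet)) for octet in netmask.split("."))


def is_contiguous_wildcard(wildcard: str) -> bool:
    """True when the wildcard is a proper inverse mask: all 0 bits followed by all 1 bits.

    IOS will accept a discontiguous wildcard such as 0.0.94.255, but for an ACL
    meant to cover one subnet it is almost always a calculation error, because it
    both misses hosts inside the subnet and admits hosts outside it.
    A 0...01...1 pattern is exactly one whose value plus one is a power of two.
    """
    w = int(ipaddress.IPv4Address(wildcard))
    return (w & (w + 1)) == 0


def acl_matches(addr: str, network: str, wildcard: str) -> bool:
    """Cisco ACL address match: bits where the wildcard is 0 must equal the network."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (n & care)


def established_line_matches(dst_addr: str, dst_net: str, dst_wc: str,
                             dst_port: int, tcp_flags: set) -> bool:
    """Model of 'permit tcp any <dst_net> <dst_wc> gt 1023 established'.

    'established' matches TCP segments with ACK or RST set; 'gt 1023' here
    follows the destination, so it applies to the destination port.
    """
    return (acl_matches(dst_addr, dst_net, dst_wc)
            and dst_port > 1023
            and bool(tcp_flags & {"ACK", "RST"}))


# Constructed packet: a web server's reply to the NATed session. After NAT the
# destination is the router's outside address, not the inside host.
RETURN_PACKET = {"dst": OUTSIDE_ADDR, "dport": 50123, "flags": {"ACK", "PSH"}}


def evaluate_variants() -> dict:
    """Run the thread's three versions of the 'established' line against the reply."""
    variants = {
        "original  (192.168.126.0 0.0.0.255)": (INSIDE_NET, "0.0.0.255"),
        "attempted (24.46.160.0 0.0.94.255)": ("24.46.160.0", "0.0.94.255"),
        "corrected (24.46.160.0 0.0.15.255)": ("24.46.160.0", wildcard_from_prefix(20)),
    }
    return {label: established_line_matches(RETURN_PACKET["dst"], net, wc,
                                            RETURN_PACKET["dport"], RETURN_PACKET["flags"])
            for label, (net, wc) in variants.items()}


if __name__ == "__main__":
    print("wildcard for /20:", wildcard_from_prefix(20))
    print("0.0.94.255 contiguous?", is_contiguous_wildcard("0.0.94.255"))
    for label, ok in evaluate_variants().items():
        print(f"{label}: {'permit' if ok else 'no match (implicit deny)'}")
```

The "attempted" variant fails for the reason the OP saw: 171 is 10101011 in binary and 94 is 01011110, so the wildcard still requires the third-octet bits 10100001 to equal those of 160 (10100000), and 24.46.171.29 does not match. Only the contiguous 0.0.15.255 covers the whole /20 the provider hands out, which is what makes the ACL survive a DHCP renewal.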

Thank you jeremyault and fernando_meza.

I updated my ACL with the network and wildcard mask of my outside interface, and so far everything's working fine. With the subnet and wildcard mask I won't have to change my ACL whenever I get a new DHCP address from my cablemodem. If I do, I'll just add that network as well. Thanks again to both of you for your help.
