help with cisco 1841

Unanswered Question
Feb 27th, 2008

Hi all. I have a Cisco 1841 which I use to segregate 2 private LANs.

The commands below show one of my Fast Ethernet interfaces, which I place an ACL on.

interface FastEthernet0/1
 description $ETH-LAN$
 ip address 192.168.4.253 255.255.255.0
 ip access-group 100 out
 duplex auto
 speed auto

access-list 100 permit icmp any any
access-list 100 permit tcp 192.168.4.0 0.0.0.255 host 192.168.1.204 eq www
access-list 100 permit tcp host 192.168.1.204 192.168.4.0 0.0.0.255 established

My objective is to allow the 192.168.4.0/24 subnet to be able to access 192.168.1.204/24 on port 80 only. However, with my ACL implemented as shown I could access 192.168.1.204/24 even through RDP. But the ACLs manage to prevent access to other workstations on 192.168.1.0/24. Can anyone advise me what is wrong with my ACL?

Another query is the command "access-list 100 permit tcp host 192.168.1.204 192.168.4.0 0.0.0.255 established". I believe this command is to allow incoming packets only after any station on the 192.168.4.0/24 subnet has initiated the connection. Hence I feel this ACL should be placed on fa0/1 incoming traffic instead of outgoing traffic. Hence it should be "access-list 110 permit tcp host 192.168.1.204 192.168.4.0 0.0.0.255 established" with "ip access-group 110 in". However, when I try to place that ACL on incoming traffic, no traffic could pass through. Please advise.

Richard Burts Wed, 02/27/2008 - 09:58

wenbin

You are correct that the permit tcp established is used in an inbound access list (at least usually it is). The reason that traffic fails when you apply access list 110 inbound is that you are applying the access list on the wrong interface. Access list 110 should be applied inbound on the interface which leads to network 192.168.1.

It may help to remember that access list in and out are relative to the router interface. So if you place an access list inbound on interface fastethernet0/1 then it will be filtering traffic coming from the LAN on fastethernet0/1 into the router. Since host 192.168.1.204 is not on that LAN, if you put access list 110 inbound on interface fastethernet0/1 then no traffic will be permitted.

Remembering how in and out work on the interface also explains the difficulty with your access list 100.

access-list 100 permit tcp 192.168.4.0 0.0.0.255 host 192.168.1.204 eq www
access-list 100 permit tcp host 192.168.1.204 192.168.4.0 0.0.0.255 established

You applied it outbound, so it will be filtering traffic going from the router out onto fastethernet0/1. So no packet will ever match the first permit tcp (which is the restriction to www), and any TCP packet from host 192.168.1.204 will be permitted by the next statement.

HTH

Rick

donnie Wed, 02/27/2008 - 17:19

Hi Rick,

Thanks for your reply. My command "access-list 100 permit tcp 192.168.4.0 0.0.0.255 host 192.168.1.204 eq www" is meant to allow only outgoing traffic from 192.168.4.0/24 into port 80 of 192.168.1.204. Hence, by using "ip access-group 100 out" on fa0/1, why wouldn't it work, since "out" refers to outgoing packets? I believe your previous explanation is right, as it is exactly the scenario that I face, but I still do not understand why that access list of mine, when applied to fa0/1 "out", wouldn't work. Thanks in advance.

donnie Wed, 02/27/2008 - 20:15

Hi Rick,

After looking at your post, I think I understand what you mean. Hence am I right that I should implement the following on my 1841 to resolve the problem?

interface FastEthernet0/1
 description $ETH-LAN$
 ip address 192.168.4.253 255.255.255.0
 ip access-group 100 in
 ip access-group 110 out
 duplex auto
 speed auto

access-list 100 permit icmp any any
access-list 100 permit tcp 192.168.4.0 0.0.0.255 host 192.168.1.204 eq www
access-list 110 permit tcp host 192.168.1.204 192.168.4.0 0.0.0.255 established

Do I need to state "access-list 110 permit tcp host 192.168.1.204 192.168.4.0 0.0.0.255 established" since the 1841 is stateful?

Richard Burts Wed, 02/27/2008 - 20:31

wenbin

This is better. If you implement 100 in and 110 out it will provide the restriction on HTTP that you want.

There is a small issue to consider. The access list 100 in permits ICMP, so end stations on the LAN of Fastethernet0/1 can send any ICMP. But if access-list 110 out does not permit any ICMP then the ICMP responses will never get back to the host that generated the ICMP. Why permit it to be generated if you are not going to permit the response to get through?

HTH

Rick

donnie Wed, 02/27/2008 - 23:30

Hi Rick,

Thank you very much for the advice. But do I need "access-list 110 permit tcp host 192.168.1.204 192.168.4.0 0.0.0.255 established" as shown below, since the Cisco 1841 is stateful? Without adding this line, would 192.168.1.204 be able to respond after a connection is initialised by 192.168.4.0/24?

interface FastEthernet0/1
 description $ETH-LAN$
 ip address 192.168.4.253 255.255.255.0
 ip access-group 100 in
 ip access-group 110 out
 duplex auto
 speed auto

access-list 100 permit icmp any any
access-list 100 permit tcp 192.168.4.0 0.0.0.255 host 192.168.1.204 eq www
access-list 110 permit icmp any any
access-list 110 permit tcp host 192.168.1.204 192.168.4.0 0.0.0.255 established

Richard Burts Thu, 02/28/2008 - 05:37

wenbin

This is the second time that you have referred to the 1841 as stateful. I am not clear what you mean by that. Can you clarify?

Whether you need access list 110 out depends on what you want to accomplish. If you do not have the access list the responses from 192.168.1.204 will certainly be sent out the interface to end stations in the subnet connected to the interface. So you do not need it to enable the delivery of response. I think that perhaps you are not entirely clear what that access list does. And the important thing that it does is not related to the tcp traffic from 192.168.1.204 but is related to other traffic. With no access list then any traffic intended for end stations in the subnet will be forwarded. With access list 110 applied out no other traffic will be forwarded to those end stations. So what are you trying to accomplish? Do you want to restrict those end stations to only ICMP and HTTP to that server - then use the access list. If you do not want to restrict the end stations then do not use the access list.

An important thing to remember about access lists is that with the implied deny any at the bottom of the access list, anything that is not specifically permitted will be denied. So if access list 110 only permits ICMP and HTTP to that server then that is the only traffic that will be sent out the interface.

HTH

Rick

donnie Thu, 02/28/2008 - 21:43

Hi Rick,

Thank you for your reply.

My objective is to restrict traffic from 192.168.4.0 to only ICMP and HTTP to 192.168.1.204, and only ICMP and response traffic from 192.168.1.204 port 80 can access the 192.168.4.0 subnet. Hence, can the config below work the way I want? Thanks in advance.

interface FastEthernet0/1
 description $ETH-LAN$
 ip address 192.168.4.253 255.255.255.0
 ip access-group 100 in
 ip access-group 110 out
 duplex auto
 speed auto

access-list 100 permit icmp any any
access-list 100 permit tcp 192.168.4.0 0.0.0.255 host 192.168.1.204 eq www
access-list 110 permit icmp any any
access-list 110 permit tcp host 192.168.1.204 eq 80 192.168.4.0 0.0.0.255 established

Richard Burts Fri, 02/29/2008 - 13:24

wenbin

If that is your objective then these access lists should do what you want.

HTH

Rick
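The direction rule Rick describes, worked through as an added example that is not part of this thread: a small model of Cisco extended-ACL evaluation (first match wins, implicit deny at the end, "established" matching only packets with the ACK or RST bit set) applied to the original "100 out" config and to the final "100 in / 110 out" config. The ICMP lines are left out, the client address 192.168.4.10 and ports are constructed sample values, and the model assumes the outbound ACL only sees router-to-LAN packets.

```python
# Added example, not from the thread: a small model of Cisco extended-ACL
# evaluation showing why "access-group 100 out" on Fa0/1 still let RDP through
# and why the final "100 in / 110 out" split gives the intended restriction.
from ipaddress import ip_address, ip_network
LAN4 = ip_network("192.168.4.0/24")     # wildcard 0.0.0.255 == /24
SRV = ip_network("192.168.1.204/32")    # "host 192.168.1.204"

def entry(src, dst, sport=None, dport=None, established=False):
    """One 'permit tcp' line; None means any port."""
    return dict(src=src, dst=dst, sport=sport, dport=dport, est=established)

def tcp(src, dst, sport, dport, ack):
    """A TCP packet as the ACL sees it (constructed sample traffic)."""
    return dict(src=ip_address(src), dst=ip_address(dst), sport=sport, dport=dport, ack=ack)

def matches(e, p):
    return (p["src"] in e["src"] and p["dst"] in e["dst"]
            and e["sport"] in (None, p["sport"]) and e["dport"] in (None, p["dport"])
            and (not e["est"] or p["ack"]))    # 'established' = ACK (or RST) bit set

def permits(acl, p):
    """First match wins; an implicit 'deny any' sits at the end of every ACL."""
    return any(matches(e, p) for e in acl)

# Original post: both TCP lines in ACL 100, applied "out" on Fa0/1 (router -> LAN 4.x)
ACL100_ORIG = [entry(LAN4, SRV, dport=80), entry(SRV, LAN4, established=True)]
# Final post: ACL 100 "in" (LAN 4.x -> router) and ACL 110 "out" (router -> LAN 4.x)
ACL100_IN = [entry(LAN4, SRV, dport=80)]
ACL110_OUT = [entry(SRV, LAN4, sport=80, established=True)]

# Constructed sample flows from client 192.168.4.10 using ephemeral port 50000
RDP_SYN = tcp("192.168.4.10", "192.168.1.204", 50000, 3389, ack=False)
RDP_SYNACK = tcp("192.168.1.204", "192.168.4.10", 3389, 50000, ack=True)
HTTP_SYN = tcp("192.168.4.10", "192.168.1.204", 50000, 80, ack=False)
HTTP_SYNACK = tcp("192.168.1.204", "192.168.4.10", 80, 50000, ack=True)

def rdp_allowed_original():
    # The outbound ACL never sees the client's SYN (it enters the router on Fa0/1
    # unfiltered); only the SYN/ACK from .204 is checked, and 'established' matches it.
    return permits(ACL100_ORIG, RDP_SYNACK)

def rdp_allowed_fixed():
    return permits(ACL100_IN, RDP_SYN) and permits(ACL110_OUT, RDP_SYNACK)

def http_allowed_fixed():
    return permits(ACL100_IN, HTTP_SYN) and permits(ACL110_OUT, HTTP_SYNACK)

def server_initiated_syn_allowed_fixed():
    # A fresh SYN from .204 toward the LAN has no ACK bit, so 'established' fails.
    return permits(ACL110_OUT, tcp("192.168.1.204", "192.168.4.10", 80, 50000, ack=False))
```

The last function also shows the limit of "established": it is a flag check, not connection tracking, so it only filters packets that lack the ACK/RST bits rather than verifying that the LAN side really opened the session.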
