Access List help

whiteford · ‎07-19-2008

Hi,

I'm just looking at an config on a Cisco 877 DSL router we have which provides a VPN from a small office to our HQ where it connects to a Cisco ASA.

Correct me if I'm wrong but the access list seems too big and can be simplified.

Our Cisco ASA at our HQ it is our firewall and VPN device, our internet also runs off the ASA, so the VPN's and ASA's global IP is 80.171.150.66. So we PAT out as that IP and to connect to routers and server the internet and our VPN's use this as their peer address.

So when you look at the config can:

permit tcp 80.171.150.64 0.0.0.31 any eq telnet

permit tcp 80.171.150.64 0.0.0.31 any eq 22

permit tcp 80.171.150.64 0.0.0.31 any eq ftp-data

permit tcp 80.171.150.64 0.0.0.31 any eq ftp

permit tcp 80.171.150.64 0.0.0.31 any eq www

permit tcp 80.171.150.64 0.0.0.31 any eq 443

be (don't need to ftp to router):

permit tcp 80.171.150.66 0.0.0.0 any eq telnet

permit tcp 80.171.150.66 0.0.0.0 any eq 22

permit tcp 80.171.150.66 0.0.0.0 any eq www

permit tcp 80.171.150.66 0.0.0.0 any eq 443

Plus why do I need all the HQ's subnets:

permit ip 192.168.20.0 0.0.0.255 172.19.2.0 0.0.0.255

permit ip 192.168.21.0 0.0.0.255 172.19.2.0 0.0.0.255

permit ip 192.168.30.0 0.0.0.255 172.19.2.0 0.0.0.255

permit ip 192.168.40.0 0.0.0.255 172.19.2.0 0.0.0.255

permit ip 192.168.50.0 0.0.0.255 172.19.2.0 0.0.0.255

permit ip 192.168.60.0 0.0.0.255 172.19.2.0 0.0.0.255

permit ip 192.168.70.0 0.0.0.255 172.19.2.0 0.0.0.255

permit ip 192.168.80.0 0.0.0.255 172.19.2.0 0.0.0.255

permit ip 192.168.90.0 0.0.0.255 172.19.2.0 0.0.0.255

when I have a access-list 101 permit ip 172.19.2.0 0.0.0.255 any? Surely this means 172.19.2.0/24 can contact any of those subnets and visa versa? So why are the subnets in that list?

Hope this makes sense as I really want to tidy this up.

Marwan ALshawi · ‎07-19-2008

first of all

there is two kind of ACLs

standard which match based on the source address only

extended mtach source and destination IP and port too

so with ur ACL 101

it match any ip traffic from 172.19.2.0 with prefex 24 or as u have it above 0.0.0.255 which is a wild card the reverse of the subnet mask

u need the mask to match exactly the number of IPs withing ur network

so with subnet 255.255.255.252 u will match only 2 IPs and so on

in addition to the above informations

ACLs used inconjunction with other services such as route maps and policies to match traffic

for example when u match traffic u use the permit statement

whe u want to igonre traffic (not block it ) u use the deny statment

this is in general

Rate if helpful

whiteford · ‎07-19-2008

Thanks I undersand that, but is it resonable to make the changes I suggest?

Marwan ALshawi · ‎07-19-2008

u removed ftp traffic from 80.171.150.64 0.0.0.31

is that what u want ?

Rate if helpful

whiteford · ‎07-19-2008

If you look at the config that's attached and what I want to change.

My current ACL is (minus a few parts):

permit tcp 80.171.150.64 0.0.0.31 any eq telnet

permit tcp 80.171.150.64 0.0.0.31 any eq 22

permit tcp 80.171.150.64 0.0.0.31 any eq ftp-data

permit tcp 80.171.150.64 0.0.0.31 any eq ftp

permit tcp 80.171.150.64 0.0.0.31 any eq www

permit tcp 80.171.150.64 0.0.0.31 any eq 443

permit ip 192.168.20.0 0.0.0.255 172.19.2.0 0.0.0.255

permit ip 192.168.21.0 0.0.0.255 172.19.2.0 0.0.0.255

permit ip 192.168.30.0 0.0.0.255 172.19.2.0 0.0.0.255

permit ip 192.168.40.0 0.0.0.255 172.19.2.0 0.0.0.255

permit ip 192.168.50.0 0.0.0.255 172.19.2.0 0.0.0.255

permit ip 192.168.60.0 0.0.0.255 172.19.2.0 0.0.0.255

permit ip 192.168.70.0 0.0.0.255 172.19.2.0 0.0.0.255

permit ip 192.168.80.0 0.0.0.255 172.19.2.0 0.0.0.255

permit ip 192.168.90.0 0.0.0.255 172.19.2.0 0.0.0.255

permit ip 192.168.100.0 0.0.0.255 172.19.2.0 0.0.0.255

Surely I don't need the subnets 192.168.30.x-192.168.100.x as they are covered by "access-list 101 permit ip 172.19.2.0 0.0.0.255 any"

Marwan ALshawi · ‎07-19-2008

sorry, but i got confused!!

can u tell me what u want exactly and with bit more detail

Edison Ortiz · ‎07-19-2008

The first group of ACLs are security ACLs (protecting the router and subnets in your network).

The second group of ACLs (the one listing the HQ's subnets) are for the VPN.

When creating a site-to-site VPN, you need to create an ACL to include the 'interesting' traffic that must traverse the IPSec.

All ACLs listed are valid, IMHO.

HTH,

__

Edison.

Please rate helpful posts

whiteford · ‎07-19-2008

Thing is I removed the HQ subnets and I'm on 192.168.7.x and can access the remote sites PC's on the 172.19.2.x range shoudl I be able to do this?

Edison Ortiz · ‎07-19-2008

I just took a look at your attached document and what I said previously was incorrect.

match address 101 is your VPN traffic

which is access-list 101 permit ip 172.19.2.0 0.0.0.255 any

If you don't include the HQ subnets in the inbound ACL, they will be blocked with the implied deny any any

If you don't want all those commands listed, simply duplicate the ACL 101 under the ip access-list extended inbound_acl ACL.

__

Edison.

whiteford · ‎07-19-2008

Thing is I removed the HQ subnets and I'm on 192.168.7.x and can access the remote sites PC's on the 172.19.2.x range shoudl I be able to do this?

All I have is this and my 192.168.7.10 IP can access the c drive of 172.19.2.9.