07-19-2008 03:40 AM - edited 03-03-2019 10:48 PM
Hi,
I'm just looking at a config on a Cisco 877 DSL router we have which provides a VPN from a small office to our HQ where it connects to a Cisco ASA.
Correct me if I'm wrong but the access list seems too big and can be simplified.
Our Cisco ASA at our HQ is our firewall and VPN device, our internet also runs off the ASA, so the VPN's and ASA's global IP is 80.171.150.66. So we PAT out as that IP, and to connect to routers and servers on the internet, our VPNs use this as their peer address.
So when you look at the config, can:
permit tcp 80.171.150.64 0.0.0.31 any eq telnet
permit tcp 80.171.150.64 0.0.0.31 any eq 22
permit tcp 80.171.150.64 0.0.0.31 any eq ftp-data
permit tcp 80.171.150.64 0.0.0.31 any eq ftp
permit tcp 80.171.150.64 0.0.0.31 any eq www
permit tcp 80.171.150.64 0.0.0.31 any eq 443
be (don't need to ftp to router):
permit tcp 80.171.150.66 0.0.0.0 any eq telnet
permit tcp 80.171.150.66 0.0.0.0 any eq 22
permit tcp 80.171.150.66 0.0.0.0 any eq www
permit tcp 80.171.150.66 0.0.0.0 any eq 443
Plus why do I need all the HQ's subnets:
permit ip 192.168.20.0 0.0.0.255 172.19.2.0 0.0.0.255
permit ip 192.168.21.0 0.0.0.255 172.19.2.0 0.0.0.255
permit ip 192.168.30.0 0.0.0.255 172.19.2.0 0.0.0.255
permit ip 192.168.40.0 0.0.0.255 172.19.2.0 0.0.0.255
permit ip 192.168.50.0 0.0.0.255 172.19.2.0 0.0.0.255
permit ip 192.168.60.0 0.0.0.255 172.19.2.0 0.0.0.255
permit ip 192.168.70.0 0.0.0.255 172.19.2.0 0.0.0.255
permit ip 192.168.80.0 0.0.0.255 172.19.2.0 0.0.0.255
permit ip 192.168.90.0 0.0.0.255 172.19.2.0 0.0.0.255
when I have an access-list 101 permit ip 172.19.2.0 0.0.0.255 any? Surely this means 172.19.2.0/24 can contact any of those subnets and vice versa? So why are the subnets in that list?
Hope this makes sense as I really want to tidy this up.
07-19-2008 04:10 AM
first of all
there are two kinds of ACLs
standard which match based on the source address only
extended match source and destination IP and port too
so with ur ACL 101
it match any ip traffic from 172.19.2.0 with prefix 24 or as u have it above 0.0.0.255 which is a wild card the reverse of the subnet mask
u need the mask to match exactly the number of IPs within ur network
so with subnet 255.255.255.252 u will match only 2 IPs and so on
in addition to the above information
ACLs used in conjunction with other services such as route maps and policies to match traffic
for example when u match traffic u use the permit statement
when u want to ignore traffic (not block it ) u use the deny statement
this is in general
Rate if helpful
07-19-2008 04:17 AM
Thanks I understand that, but is it reasonable to make the changes I suggest?
07-19-2008 04:23 AM
u removed ftp traffic from 80.171.150.64 0.0.0.31
is that what u want ?
Rate if helpful
07-19-2008 04:40 AM
If you look at the config that's attached and what I want to change.
My current ACL is (minus a few parts):
permit tcp 80.171.150.64 0.0.0.31 any eq telnet
permit tcp 80.171.150.64 0.0.0.31 any eq 22
permit tcp 80.171.150.64 0.0.0.31 any eq ftp-data
permit tcp 80.171.150.64 0.0.0.31 any eq ftp
permit tcp 80.171.150.64 0.0.0.31 any eq www
permit tcp 80.171.150.64 0.0.0.31 any eq 443
permit ip 192.168.20.0 0.0.0.255 172.19.2.0 0.0.0.255
permit ip 192.168.21.0 0.0.0.255 172.19.2.0 0.0.0.255
permit ip 192.168.30.0 0.0.0.255 172.19.2.0 0.0.0.255
permit ip 192.168.40.0 0.0.0.255 172.19.2.0 0.0.0.255
permit ip 192.168.50.0 0.0.0.255 172.19.2.0 0.0.0.255
permit ip 192.168.60.0 0.0.0.255 172.19.2.0 0.0.0.255
permit ip 192.168.70.0 0.0.0.255 172.19.2.0 0.0.0.255
permit ip 192.168.80.0 0.0.0.255 172.19.2.0 0.0.0.255
permit ip 192.168.90.0 0.0.0.255 172.19.2.0 0.0.0.255
permit ip 192.168.100.0 0.0.0.255 172.19.2.0 0.0.0.255
Surely I don't need the subnets 192.168.30.x-192.168.100.x as they are covered by "access-list 101 permit ip 172.19.2.0 0.0.0.255 any"
07-19-2008 04:45 AM
sorry, but i got confused!!
can u tell me what u want exactly and with bit more detail
07-19-2008 07:06 AM
The first group of ACLs are security ACLs (protecting the router and subnets in your network).
The second group of ACLs (the one listing the HQ's subnets) are for the VPN.
When creating a site-to-site VPN, you need to create an ACL to include the 'interesting' traffic that must traverse the IPSec.
All ACLs listed are valid, IMHO.
HTH,
__
Edison.
Please rate helpful posts
07-19-2008 08:04 AM
Thing is I removed the HQ subnets and I'm on 192.168.7.x and can access the remote site's PCs on the 172.19.2.x range. Should I be able to do this?
07-19-2008 08:21 AM
I just took a look at your attached document and what I said previously was incorrect.
match address 101 is your VPN traffic
which is access-list 101 permit ip 172.19.2.0 0.0.0.255 any
If you don't include the HQ subnets in the inbound ACL, they will be blocked with the implied deny any any
If you don't want all those commands listed, simply duplicate the ACL 101 under the ip access-list extended inbound_acl ACL.
__
Edison.
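The first-match and implicit-deny behaviour Edison describes, and the narrowing of the 80.171.150.64 0.0.0.31 management entries asked about in the opening post, as an added Python model (constructed here, not code from the thread or from IOS). It assumes Cisco wildcard-mask semantics (a 1 bit means "don't care"), that every ACL ends in an unwritten deny, and a small name-to-port table for the service names used in the ACL.

```python
import ipaddress

# Named ports used in the thread's ACL (assumed IOS keyword-to-port mapping).
PORTS = {"telnet": 23, "ftp-data": 20, "ftp": 21, "www": 80}

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)

def _addr(tokens):
    """Consume one address spec: 'any', 'host X', or 'X WILDCARD'."""
    t = tokens.pop(0)
    if t == "any":
        return ("0.0.0.0", "255.255.255.255")
    if t == "host":
        return (tokens.pop(0), "0.0.0.0")
    return (t, tokens.pop(0))

def parse_ace(line):
    """Parse one extended ACE such as 'permit tcp 1.2.3.0 0.0.0.255 any eq 22'."""
    tokens = line.split()
    action, proto = tokens.pop(0), tokens.pop(0)
    src, dst = _addr(tokens), _addr(tokens)
    port = None
    if tokens and tokens[0] == "eq":
        port = PORTS.get(tokens[1]) or int(tokens[1])
    return {"action": action, "proto": proto, "src": src, "dst": dst, "port": port}

def ace_matches(ace, proto, src, dst, dport):
    if ace["proto"] != "ip" and ace["proto"] != proto:
        return False
    if not wildcard_match(src, *ace["src"]) or not wildcard_match(dst, *ace["dst"]):
        return False
    return ace["port"] is None or ace["port"] == dport

def evaluate(acl, proto, src, dst, dport=None):
    """First matching entry wins; the unwritten 'deny ip any any' ends every ACL."""
    for line in acl:
        if ace_matches(parse_ace(line), proto, src, dst, dport):
            return parse_ace(line)["action"]
    return "deny"

# Management entry before and after narrowing to the ASA's single address.
MGMT_WIDE = ["permit tcp 80.171.150.64 0.0.0.31 any eq 22"]
MGMT_HOST = ["permit tcp 80.171.150.66 0.0.0.0 any eq 22"]
# Inbound ACL with only the crypto ACL's entry, then with one HQ subnet added back.
INBOUND_TRIMMED = ["permit ip 172.19.2.0 0.0.0.255 any"]
INBOUND_FULL = INBOUND_TRIMMED + ["permit ip 192.168.30.0 0.0.0.255 172.19.2.0 0.0.0.255"]

if __name__ == "__main__":
    print(evaluate(MGMT_WIDE, "tcp", "80.171.150.90", "172.19.2.1", 22))  # permit: whole /27
    print(evaluate(MGMT_HOST, "tcp", "80.171.150.90", "172.19.2.1", 22))  # deny: only .66
    print(evaluate(INBOUND_TRIMMED, "ip", "192.168.30.5", "172.19.2.9"))  # deny: implicit deny
    print(evaluate(INBOUND_FULL, "ip", "192.168.30.5", "172.19.2.9"))     # permit
```

The trimmed inbound ACL denies the HQ-to-branch direction because its only entry matches on source 172.19.2.0/24, which is why the HQ subnet lines (or a copy of ACL 101 with source and destination swapped appropriately) have to stay.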
07-19-2008 08:25 AM
Thing is I removed the HQ subnets and I'm on 192.168.7.x and can access the remote site's PCs on the 172.19.2.x range. Should I be able to do this?
All I have is this and my 192.168.7.10 IP can access the c drive of 172.19.2.9.