Allow Access Through Router

Answered Question
Jan 19th, 2009

Hello -

I want to allow access to two systems behind a router and have achieved part of that, but for some reason the additional IP scopes added don't have access using access-list 101. Can someone please look at my config and let me know what I may be missing? Thanks

Jon Marshall Mon, 01/19/2009 - 11:16

Christopher


Your access-list -

access-list 101 permit tcp any host 195.85.24.4 eq telnet
access-list 101 permit tcp 195.85.24.0 0.0.0.255 host 10.13.2.3 eq 3389
access-list 101 permit tcp 195.85.24.0 0.0.0.255 host 10.13.10.5 eq 3389
access-list 101 deny ip 195.85.0.0 0.0.255.255 10.0.0.0 0.255.255.255
access-list 101 permit ip any any
access-list 101 permit tcp 195.85.119.0 0.0.0.255 host 10.13.2.3 eq 3389
access-list 101 permit tcp 195.85.120.0 0.0.0.255 host 10.13.2.3 eq 3389
access-list 101 permit tcp 195.85.121.0 0.0.0.255 host 10.13.2.3 eq 3389
access-list 101 permit tcp 195.85.122.0 0.0.0.255 host 10.13.2.3 eq 3389
access-list 101 permit tcp 195.85.123.0 0.0.0.255 host 10.13.2.3 eq 3389
access-list 101 permit tcp 195.85.124.0 0.0.0.255 host 10.13.2.3 eq 3389
access-list 101 permit tcp 195.85.119.0 0.0.0.255 host 10.13.10.5 eq 3389
access-list 101 permit tcp 195.85.120.0 0.0.0.255 host 10.13.10.5 eq 3389
access-list 101 permit tcp 195.85.121.0 0.0.0.255 host 10.13.10.5 eq 3389
access-list 101 permit tcp 195.85.122.0 0.0.0.255 host 10.13.10.5 eq 3389
access-list 101 permit tcp 195.85.123.0 0.0.0.255 host 10.13.10.5 eq 3389


The 4th line says -

access-list 101 deny ip 195.85.0.0 0.0.255.255 10.0.0.0 0.255.255.255

so the permits for the 195.85.x subnets after this line will never be hit, because the deny line is hit first. You need to reorder your access-list to


access-list 101 permit tcp any host 195.85.24.4 eq telnet
access-list 101 permit tcp 195.85.24.0 0.0.0.255 host 10.13.2.3 eq 3389
access-list 101 permit tcp 195.85.24.0 0.0.0.255 host 10.13.10.5 eq 3389
access-list 101 deny ip 195.85.0.0 0.0.255.255 10.0.0.0 0.255.255.255
access-list 101 permit tcp 195.85.119.0 0.0.0.255 host 10.13.2.3 eq 3389
access-list 101 permit tcp 195.85.120.0 0.0.0.255 host 10.13.2.3 eq 3389
access-list 101 permit tcp 195.85.121.0 0.0.0.255 host 10.13.2.3 eq 3389
access-list 101 permit tcp 195.85.122.0 0.0.0.255 host 10.13.2.3 eq 3389
access-list 101 permit tcp 195.85.123.0 0.0.0.255 host 10.13.2.3 eq 3389
access-list 101 permit tcp 195.85.124.0 0.0.0.255 host 10.13.2.3 eq 3389
access-list 101 permit tcp 195.85.119.0 0.0.0.255 host 10.13.10.5 eq 3389
access-list 101 permit tcp 195.85.120.0 0.0.0.255 host 10.13.10.5 eq 3389
access-list 101 permit tcp 195.85.121.0 0.0.0.255 host 10.13.10.5 eq 3389
access-list 101 permit tcp 195.85.122.0 0.0.0.255 host 10.13.10.5 eq 3389
access-list 101 permit tcp 195.85.123.0 0.0.0.255 host 10.13.10.5 eq 3389
access-list 101 permit tcp 195.85.124.0 0.0.0.255 host 10.13.10.5 eq 3389
access-list 101 deny ip 195.85.0.0 0.0.255.255 10.0.0.0 0.255.255.255
access-list 101 permit ip any any


Jon
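Jon's point is that IOS walks an extended ACL from the top and stops at the first entry that matches, so a permit placed after a broader deny can never fire. As an added example (not part of the thread and not Cisco code), here is a small Python evaluator that parses the thread's access-list 101 lines, matches source and destination with wildcard masks the way IOS does, and reports which line decided each flow under the original order and the reordered list. The ACL texts are trimmed to a single 195.85.119.0 permit for brevity, the test flows are constructed, and all function names are my own.

```python
import ipaddress

# Constructed sample ACLs (hypothetical names): the order the thread started
# with, where the deny precedes the extra permits, and the order Jon posted
# in reply. The entries are the thread's own lines, trimmed to one of the
# 195.85.119.0 permits.
ORIGINAL_ORDER = """
access-list 101 permit tcp any host 195.85.24.4 eq telnet
access-list 101 permit tcp 195.85.24.0 0.0.0.255 host 10.13.2.3 eq 3389
access-list 101 permit tcp 195.85.24.0 0.0.0.255 host 10.13.10.5 eq 3389
access-list 101 deny ip 195.85.0.0 0.0.255.255 10.0.0.0 0.255.255.255
access-list 101 permit ip any any
access-list 101 permit tcp 195.85.119.0 0.0.0.255 host 10.13.2.3 eq 3389
"""

CORRECTED_ORDER = """
access-list 101 permit tcp any host 195.85.24.4 eq telnet
access-list 101 permit tcp 195.85.24.0 0.0.0.255 host 10.13.2.3 eq 3389
access-list 101 permit tcp 195.85.24.0 0.0.0.255 host 10.13.10.5 eq 3389
access-list 101 permit tcp 195.85.119.0 0.0.0.255 host 10.13.2.3 eq 3389
access-list 101 deny ip 195.85.0.0 0.0.255.255 10.0.0.0 0.255.255.255
access-list 101 permit ip any any
"""

PORT_NAMES = {"telnet": 23}  # the only port keyword the thread uses


def _ip(s):
    return int(ipaddress.IPv4Address(s))


def _parse_spec(tokens, i):
    """Parse one address spec: 'any' | 'host A' | 'A WILDCARD'. Returns (base, wildcard, next index)."""
    if tokens[i] == "any":
        return 0, 0xFFFFFFFF, i + 1
    if tokens[i] == "host":
        return _ip(tokens[i + 1]), 0, i + 2
    return _ip(tokens[i]), _ip(tokens[i + 1]), i + 2


def _parse_port(tokens, i):
    """Parse an optional 'eq PORT' qualifier. Returns (port or None, next index)."""
    if i < len(tokens) and tokens[i] == "eq":
        name = tokens[i + 1]
        return (int(name) if name.isdigit() else PORT_NAMES[name]), i + 2
    return None, i


def parse_acl(text):
    """Turn 'access-list N ...' lines into entry dicts, preserving their order."""
    entries = []
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 5 or t[0] != "access-list":
            continue
        src, swild, i = _parse_spec(t, 4)
        sport, i = _parse_port(t, i)
        dst, dwild, i = _parse_spec(t, i)
        dport, i = _parse_port(t, i)
        entries.append({"action": t[2], "proto": t[3], "src": (src, swild), "sport": sport,
                        "dst": (dst, dwild), "dport": dport, "text": line.strip()})
    return entries


def _match(addr, spec):
    """Cisco wildcard match: a 1 bit in the wildcard means 'don't care'."""
    base, wild = spec
    return ((addr ^ base) & ~wild & 0xFFFFFFFF) == 0


def evaluate(entries, proto, src, dst, dport=None, sport=None):
    """First-match evaluation, as IOS does it. Returns (action, 1-based line number, entry text);
    the implicit deny at the end of every IOS ACL reports line None."""
    s, d = _ip(src), _ip(dst)
    for n, e in enumerate(entries, 1):
        if e["proto"] not in ("ip", proto):
            continue
        if not (_match(s, e["src"]) and _match(d, e["dst"])):
            continue
        if e["sport"] is not None and e["sport"] != sport:
            continue
        if e["dport"] is not None and e["dport"] != dport:
            continue
        return e["action"], n, e["text"]
    return "deny", None, "implicit deny at end of list"


# Constructed test flows; the 195.85.119.x terminal-services session is the one the thread is about.
FLOWS = [
    ("tcp", "195.85.119.10", "10.13.2.3", 3389),
    ("tcp", "195.85.24.9", "10.13.10.5", 3389),
    ("tcp", "195.85.50.1", "10.13.10.5", 3389),
    ("tcp", "192.0.2.5", "195.85.24.4", 23),
    ("tcp", "192.0.2.5", "10.13.2.3", 3389),
]

if __name__ == "__main__":
    for label, text in (("original order", ORIGINAL_ORDER), ("reordered", CORRECTED_ORDER)):
        acl = parse_acl(text)
        print(f"--- {label}")
        for proto, src, dst, port in FLOWS:
            action, n, line = evaluate(acl, proto, src, dst, port)
            print(f"{src:>14} -> {dst}:{port}  {action:6} (line {n}: {line})")
```

Under the original order the 195.85.119.10 flow is dropped by line 4 and never reaches the permit on line 6; after the reorder the same flow is accepted by line 4. The 192.0.2.5 flow to 10.13.2.3 shows the other half of Jon's later explanation: sources outside 195.85.0.0/16 fall through the deny and are accepted by the permit ip any any.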

cacmk5 Mon, 01/19/2009 - 11:23

Hello Jon -


I have added that order, but when I add it to the config it still shows the same order as I have above?


ip access-list extended CRFementerNAT
deny ip 10.13.0.0 0.0.255.255 any
permit ip 10.0.0.0 0.255.255.255 any
remark allow new Genencor / Danisco IP range
permit ip 195.85.0.0 0.0.255.255 any
access-list 101 permit tcp any host 195.85.24.4 eq telnet
access-list 101 permit tcp 195.85.24.0 0.0.0.255 host 10.13.2.3 eq 3389
access-list 101 permit tcp 195.85.24.0 0.0.0.255 host 10.13.10.5 eq 3389
access-list 101 deny ip 195.85.0.0 0.0.255.255 10.0.0.0 0.255.255.255
access-list 101 permit ip any any
access-list 101 permit tcp 195.85.119.0 0.0.0.255 host 10.13.2.3 eq 3389
access-list 101 permit tcp 195.85.120.0 0.0.0.255 host 10.13.2.3 eq 3389
access-list 101 permit tcp 195.85.121.0 0.0.0.255 host 10.13.2.3 eq 3389
access-list 101 permit tcp 195.85.122.0 0.0.0.255 host 10.13.2.3 eq 3389
access-list 101 permit tcp 195.85.123.0 0.0.0.255 host 10.13.2.3 eq 3389
access-list 101 permit tcp 195.85.124.0 0.0.0.255 host 10.13.2.3 eq 3389
access-list 101 permit tcp 195.85.119.0 0.0.0.255 host 10.13.10.5 eq 3389
access-list 101 permit tcp 195.85.120.0 0.0.0.255 host 10.13.10.5 eq 3389
access-list 101 permit tcp 195.85.121.0 0.0.0.255 host 10.13.10.5 eq 3389
access-list 101 permit tcp 195.85.122.0 0.0.0.255 host 10.13.10.5 eq 3389
access-list 101 permit tcp 195.85.123.0 0.0.0.255 host 10.13.10.5 eq 3389
access-list 101 permit tcp 195.85.124.0 0.0.0.255 host 10.13.10.5 eq 3389
no cdp run

Jon Marshall Mon, 01/19/2009 - 11:24

Did you remove the access-list, i.e.

no access-list 101

and then cut and paste the new one back in?


Jon

cacmk5 Mon, 01/19/2009 - 11:25

Jon -

I am remote from the router and using telnet, if I do this I lose connection to the router.

Jon Marshall Mon, 01/19/2009 - 11:32

Okay, remove the ACL from the interface, i.e.

int s0/0
no ip access-group 101 in

then do as previously suggested and reapply. Just make sure you get the line right that allows you remote access.


Jon

cacmk5 Mon, 01/19/2009 - 11:30

Jon -

Disregard last post. I did do that. I will test and let you know if this resolves the issue. Thanks

Jon Marshall Mon, 01/19/2009 - 11:41

No problem. Please note there is a typo in my previous post -


access-list 101 permit tcp any host 195.85.24.4 eq telnet
access-list 101 permit tcp 195.85.24.0 0.0.0.255 host 10.13.2.3 eq 3389
access-list 101 permit tcp 195.85.24.0 0.0.0.255 host 10.13.10.5 eq 3389
access-list 101 deny ip 195.85.0.0 0.0.255.255 10.0.0.0 0.255.255.255
access-list 101 permit tcp 195.85.119.0 0.0.0.255 host 10.13.2.3 eq 3389
access-list 101 permit tcp 195.85.120.0 0.0.0.255 host 10.13.2.3 eq 3389
access-list 101 permit tcp 195.85.121.0 0.0.0.255 host 10.13.2.3 eq 3389
access-list 101 permit tcp 195.85.122.0 0.0.0.255 host 10.13.2.3 eq 3389
access-list 101 permit tcp 195.85.123.0 0.0.0.255 host 10.13.2.3 eq 3389
access-list 101 permit tcp 195.85.124.0 0.0.0.255 host 10.13.2.3 eq 3389
access-list 101 permit tcp 195.85.119.0 0.0.0.255 host 10.13.10.5 eq 3389
access-list 101 permit tcp 195.85.120.0 0.0.0.255 host 10.13.10.5 eq 3389
access-list 101 permit tcp 195.85.121.0 0.0.0.255 host 10.13.10.5 eq 3389
access-list 101 permit tcp 195.85.122.0 0.0.0.255 host 10.13.10.5 eq 3389
access-list 101 permit tcp 195.85.123.0 0.0.0.255 host 10.13.10.5 eq 3389
access-list 101 permit tcp 195.85.124.0 0.0.0.255 host 10.13.10.5 eq 3389
access-list 101 deny ip 195.85.0.0 0.0.255.255 10.0.0.0 0.255.255.255
access-list 101 permit ip any any


should read


access-list 101 permit tcp any host 195.85.24.4 eq telnet
access-list 101 permit tcp 195.85.24.0 0.0.0.255 host 10.13.2.3 eq 3389
access-list 101 permit tcp 195.85.24.0 0.0.0.255 host 10.13.10.5 eq 3389
access-list 101 permit tcp 195.85.119.0 0.0.0.255 host 10.13.2.3 eq 3389
access-list 101 permit tcp 195.85.120.0 0.0.0.255 host 10.13.2.3 eq 3389
access-list 101 permit tcp 195.85.121.0 0.0.0.255 host 10.13.2.3 eq 3389
access-list 101 permit tcp 195.85.122.0 0.0.0.255 host 10.13.2.3 eq 3389
access-list 101 permit tcp 195.85.123.0 0.0.0.255 host 10.13.2.3 eq 3389
access-list 101 permit tcp 195.85.124.0 0.0.0.255 host 10.13.2.3 eq 3389
access-list 101 permit tcp 195.85.119.0 0.0.0.255 host 10.13.10.5 eq 3389
access-list 101 permit tcp 195.85.120.0 0.0.0.255 host 10.13.10.5 eq 3389
access-list 101 permit tcp 195.85.121.0 0.0.0.255 host 10.13.10.5 eq 3389
access-list 101 permit tcp 195.85.122.0 0.0.0.255 host 10.13.10.5 eq 3389
access-list 101 permit tcp 195.85.123.0 0.0.0.255 host 10.13.10.5 eq 3389
access-list 101 permit tcp 195.85.124.0 0.0.0.255 host 10.13.10.5 eq 3389
access-list 101 deny ip 195.85.0.0 0.0.255.255 10.0.0.0 0.255.255.255
access-list 101 permit ip any any


i.e. the "access-list 101 deny ip 195.85.0.0 0.0.255.255 10.0.0.0 0.255.255.255" line should only appear as the second line from the end, and not as the 4th line as well.


Apologies for that.


Jon

lamav Mon, 01/19/2009 - 11:30

What kind of cockamamie access list is that? You deny all traffic coming from the entire class B network of 195.85.0.0 and heading to the entire class A network of 10.0.0.0, but then you try to allow traffic with the same source and destination right after that. And what's with the "permit ip any any" statement in the middle of the access list?


[Excuse the cross post, Jon.]



cacmk5 Mon, 01/19/2009 - 11:39

Please help me understand how I can allow what I have listed in the ACL and deny everything else? Thanks

Jon Marshall Mon, 01/19/2009 - 11:45

Hi Victor


"[Excuse the cross post, Jon.]"


No problem. I think the idea of the acl is to permit certain traffic between 195.85.x.x and 10.13.x.x and then deny all other traffic between 195.85.x.x and 10.13.x.x but then also allow any other traffic from different source addresses and potentially different destination addresses.


You know I wasn't going to write this, but knowing what a good sense of humour you have -

apologies if the above was too excruciating in its detail :-)


Jon

cacmk5 Mon, 01/19/2009 - 12:30

OK, I have modified my ACL to make it a little easier to manage. Please let me know if this will work for what I want to accomplish? Thanks


access-list 101 permit tcp any host 195.85.24.4 eq telnet
access-list 101 permit tcp 195.85.24.0 0.0.0.255 host 10.13.2.3 eq 3389
access-list 101 permit tcp 195.85.24.0 0.0.0.255 host 10.13.10.5 eq 3389
access-list 101 permit tcp 195.85.119.0 0.0.3.255 host 10.13.2.3 eq 3389
access-list 101 permit tcp 195.85.123.0 0.0.1.255 host 10.13.2.3 eq 3389
access-list 101 permit tcp 195.85.119.0 0.0.3.255 host 10.13.10.5 eq 3389
access-list 101 permit tcp 195.85.123.0 0.0.1.255 host 10.13.10.5 eq 3389
access-list 101 deny ip any any

Jon Marshall Mon, 01/19/2009 - 13:35

Christopher


You haven't actually told us what you want to accomplish :-). But what this access-list does is to


1) allow any IP address to access 195.84.24.4 using telnet


2) then allow terminal services (3389) from a number of 195.85.x.x subnets to particular hosts in the 10.13.x.x range


3) deny all other access


Jon
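Whether the two summarised source entries in the ACL above (195.85.119.0 0.0.3.255 and 195.85.123.0 0.0.1.255) cover the six /24s the earlier per-subnet list spelled out, 195.85.119.0 through 195.85.124.0, depends on how IOS applies a wildcard mask: it is a bitwise don't-care mask, not a "start here and count up" range, so a base address that is not aligned to the mask is effectively snapped down to the aligned block. The following is an added Python example, not from the thread or from Cisco, that computes the address range each network/wildcard pair matches and checks a list of pairs against an intended set of /24s; the function names, the INTENDED set and the EXACT_SUMMARY alternative are my own constructions.

```python
import ipaddress


def _ip(s):
    return int(ipaddress.IPv4Address(s))


def wildcard_bounds(network, wildcard):
    """Lowest and highest address (as ints) matched by a Cisco network/wildcard pair.
    Wildcard bits set to 1 are 'don't care', so the base address is first cleared in
    those bit positions: a base whose low bits are already 1 (119 = 0b01110111 under
    wildcard 3) does not move the range upward, the range snaps down to 116 instead."""
    base, wild = _ip(network), _ip(wildcard)
    first = base & ~wild & 0xFFFFFFFF
    return first, first | wild


def wildcard_range(network, wildcard):
    """Same as wildcard_bounds, but as dotted strings for printing."""
    first, last = wildcard_bounds(network, wildcard)
    return str(ipaddress.IPv4Address(first)), str(ipaddress.IPv4Address(last))


def covered_third_octets(pairs):
    """Third-octet values (the X in 195.85.X.0/24) covered by a list of pairs.
    Assumes every pair sits inside one /16 and covers whole /24s, as the thread's do."""
    covered = set()
    for network, wildcard in pairs:
        first, last = wildcard_bounds(network, wildcard)
        covered.update(range((first >> 8) & 0xFF, ((last >> 8) & 0xFF) + 1))
    return covered


def compare_coverage(pairs, intended):
    """Report the /24s the pairs miss and the /24s they admit beyond the intended set."""
    covered = covered_third_octets(pairs)
    return {"missing": sorted(intended - covered), "extra": sorted(covered - intended)}


# The six /24s the earlier per-subnet ACL listed one by one: 195.85.119.0 .. 195.85.124.0.
INTENDED = set(range(119, 125))

# The two summarised source entries from the ACL posted in the thread.
SUMMARISED = [("195.85.119.0", "0.0.3.255"), ("195.85.123.0", "0.0.1.255")]

# Constructed alternative (hypothetical, not from the thread) that covers exactly 119-124:
# 119 on its own, the mask-aligned block 120-123, then 124 on its own.
EXACT_SUMMARY = [("195.85.119.0", "0.0.0.255"),
                 ("195.85.120.0", "0.0.3.255"),
                 ("195.85.124.0", "0.0.0.255")]

if __name__ == "__main__":
    for net, wild in SUMMARISED:
        print(f"{net} {wild} matches {' - '.join(wildcard_range(net, wild))}")
    print("summarised:", compare_coverage(SUMMARISED, INTENDED))
    print("exact     :", compare_coverage(EXACT_SUMMARY, INTENDED))
```

Run as written, the summarised pair reports 120, 121 and 124 as missing and 116, 117 and 118 as admitted beyond the intended set, which is the kind of silent over- and under-match that a coverage check like this catches before the list goes on an interface. The final working ACL further down the thread shows the aligned form (195.85.116.0 0.0.3.255 and 195.85.122.0 0.0.1.255) together with explicit /24 lines.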

cacmk5 Mon, 01/19/2009 - 14:50

Jon -

This is what I want to accomplish with the ACL.

Allow any IP to telnet to int F0/0 (195.85.24.4)

Allow TS from the 195.85.x.x subnet specified in the ACL access to the two systems 10.13.3.2 and 10.13.10.5

deny all other access


With the ACL will this work?

lamav Mon, 01/19/2009 - 14:33

You're a regular riot, Alice. :-)



cacmk5 Mon, 01/19/2009 - 14:52

what is your deal? I am asking for help here.

lamav Mon, 01/19/2009 - 16:14

Relax, Chris, my comment was directed at Jon. We tease each other. Jon and I go back a long way and have a lot in common. In fact, his father and my father were fathers. :-)


As for your ACL dilemma, Cisco has a ton of literature and tutorials on writing ACLs, you may want to check them out.


http://www.ciscosystems.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00800a5b9a.shtml

cacmk5 Mon, 01/19/2009 - 16:29

Sorry about that. I missed that it wasn't directed at me. No worries. I will check the URL and see what I can find. Unless you have a solution that may help me out? :-)


Correct Answer
Jon Marshall Tue, 01/20/2009 - 01:23

Christopher


Sorry about the confusion. As Victor says we are just messing around but i can see how it might have been taken out of context. No offence intended from either of us.


"Allow any IP to telnet to int F0/0 (195.85.24.4)

Allow TS from the 195.85.x.x subnet specified in the ACL access to the two systems 10.13.3.2 and 10.13.10.5

deny all other access"


Yes, your ACL will do this, although I'm assuming 10.13.3.2 is a typo as your ACL references 10.13.2.3?


Jon

cacmk5 Tue, 01/20/2009 - 04:42

Jon -

Don't worry about it. No offense taken. I was just caught in trying to locate an answer to my question. I will be trying this today and will let you know if this worked. Thanks

cacmk5 Tue, 01/20/2009 - 07:33

Hello Jon -


I went ahead and re-created the ACL. This worked. Thanks for your help.


access-list 101 permit tcp any host 195.85.24.4 eq telnet
access-list 101 permit tcp 195.85.24.0 0.0.0.255 host 10.13.2.3 eq 3389
access-list 101 permit tcp 195.85.24.0 0.0.0.255 host 10.13.10.5 eq 3389
access-list 101 permit tcp 195.85.116.0 0.0.3.255 host 10.13.2.3 eq 3389
access-list 101 permit tcp 195.85.122.0 0.0.1.255 host 10.13.2.3 eq 3389
access-list 101 permit tcp 195.85.116.0 0.0.3.255 host 10.13.10.5 eq 3389
access-list 101 permit tcp 195.85.122.0 0.0.1.255 host 10.13.10.5 eq 3389
access-list 101 permit tcp 195.85.119.0 0.0.0.255 host 10.13.10.5 eq 3389
access-list 101 permit tcp 195.85.119.0 0.0.0.255 host 10.13.3.2 eq 3389
access-list 101 permit tcp 195.85.120.0 0.0.0.255 host 10.13.10.5 eq 3389
access-list 101 permit tcp 195.85.120.0 0.0.0.255 host 10.13.3.2 eq 3389
access-list 101 permit tcp 195.85.121.0 0.0.0.255 host 10.13.10.5 eq 3389
access-list 101 permit tcp 195.85.121.0 0.0.0.255 host 10.13.3.2 eq 3389
access-list 101 permit tcp 195.85.122.0 0.0.0.255 host 10.13.10.5 eq 3389
access-list 101 permit tcp 195.85.122.0 0.0.0.255 host 10.13.3.2 eq 3389
access-list 101 permit tcp 195.85.123.0 0.0.0.255 host 10.13.10.5 eq 3389
access-list 101 permit tcp 195.85.123.0 0.0.0.255 host 10.13.3.2 eq 3389
access-list 101 permit tcp 195.85.124.0 0.0.0.255 host 10.13.10.5 eq 3389
access-list 101 permit tcp 195.85.124.0 0.0.0.255 host 10.13.3.2 eq 3389
