ACL question - blocked ports when initiating connection

Unanswered Question
Jun 7th, 2010

I have a (dumb) question which I'm sure is elementary to the seasoned veterans here. I am trying to telnet from RTRA (12.139.63.107) to RTRB (12.139.63.105) but the packets from RTRB are getting blocked:

RTRA#telnet 12.139.63.105

Trying 12.139.63.105 ...

Jun  7 19:08:49.146: %SEC-6-IPACCESSLOGP: list PERIMETER denied tcp 12.139.63.105(23) -> 12.139.63.107(61124), 1 packet

% Connection timed out; remote host not responding

What do I need to do so that I can initiate connections (HTTP, FTP, telnet, etc) and not have them blocked?
Here's the config of RTRA:
Current configuration : 3235 bytes
!
! Last configuration change at 19:02:44 EDT Mon Jun 7 2010 by admin
! NVRAM config last updated at 19:04:52 EDT Mon Jun 7 2010 by admin
!
version 12.4
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
service password-encryption
!
hostname RTRA
!
boot-start-marker
boot-end-marker
!
card type t1 0 0
logging buffered 4096
!
no aaa new-model
clock timezone EST -5
clock summer-time EDT recurring
ip cef
!
!
!
!
no ip domain lookup
ip domain name yourdomain.com
multilink bundle-name authenticated
!
!
archive
log config
  hidekeys
!
!
controller T1 0/0/0
framing esf
linecode b8zs
cablelength long 0db
channel-group 1 timeslots 1-24
!
!
!
!
interface FastEthernet0/0
description INTERNAL_LAN
ip address 192.168.1.254 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/1
description CONNECTED_TO_ISP
ip address 12.139.63.107 255.255.255.248
ip access-group PERIMETER in
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface Serial0/0/0:1
description POINT-TO-POINT_T1
ip address 172.31.2.1 255.255.255.252
ip nat inside
ip virtual-reassembly
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 12.139.63.105
ip route 192.168.0.0 255.255.255.0 172.31.2.2
!
!
ip http server
ip http authentication local
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 1 interface FastEthernet0/1 overload
ip nat inside source static tcp 192.168.1.3 25 12.139.63.107 25 extendable
ip nat inside source static tcp 192.168.1.3 80 12.139.63.107 80 extendable
ip nat inside source static tcp 192.168.1.7 1723 12.139.63.107 1723 extendable
ip nat inside source static tcp 192.168.1.7 3389 12.139.63.107 3389 extendable
ip nat inside source static 192.168.1.2 12.139.63.108
ip nat inside source static 192.168.1.20 12.139.63.109
!
ip access-list extended PERIMETER
permit tcp any host 12.139.63.107 eq 1723
permit tcp any host 12.139.63.107 eq www
permit tcp any host 12.139.63.107 eq smtp
permit tcp any host 12.139.63.107 eq telnet
permit icmp any any
permit tcp any host 12.139.63.108 eq www
permit tcp any host 12.139.63.109 eq www
permit tcp any host 12.139.63.107 eq 3389
deny   ip any any log
!
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 1 permit 192.168.1.0 0.0.0.255
!
!
control-plane
!
disable-eadi
alias exec sr show run
alias exec s show ip int br
alias exec srt show ip route
alias exec sri show run | i
alias exec srb show run | b
!
line con 0
logging synchronous
login local
line aux 0
line vty 0 4
exec-timeout 30 0
logging synchronous
login local
transport input telnet
line vty 5 15
login local
transport input telnet
!
scheduler allocate 20000 1000
end
Thanks,
-mike
William Bell Mon, 06/07/2010 - 19:20

mmurraycisco wrote:

I have a (dumb) question which I'm sure is elementary to the seasoned veterans here. I am trying to telnet from RTRA (12.139.63.107) to RTRB (12.139.63.105) but the packets from RTRB are getting blocked:

RTRA#telnet 12.139.63.105

Trying 12.139.63.105 ...

Jun  7 19:08:49.146: %SEC-6-IPACCESSLOGP: list PERIMETER denied tcp 12.139.63.105(23) -> 12.139.63.107(61124), 1 packet

% Connection timed out; remote host not responding

What do I need to do so that I can initiate connections (HTTP, FTP, telnet, etc) and not have them blocked?
Here's the config of RTRA:
!
interface FastEthernet0/1
description CONNECTED_TO_ISP
ip address 12.139.63.107 255.255.255.248
ip access-group PERIMETER in
ip nat outside
ip virtual-reassembly
duplex auto
speed auto

ip access-list extended PERIMETER
permit tcp any host 12.139.63.107 eq 1723
permit tcp any host 12.139.63.107 eq www
permit tcp any host 12.139.63.107 eq smtp
permit tcp any host 12.139.63.107 eq telnet
permit icmp any any
permit tcp any host 12.139.63.108 eq www
permit tcp any host 12.139.63.109 eq www
permit tcp any host 12.139.63.107 eq 3389
deny   ip any any log
!

Since your PERIMETER is assigned as an ingress ACL, you could add something similar to the following to allow telnet (for example):

permit tcp any eq telnet host 12.139.63.107

Place this before the "deny ip any any" statement. So, the point is your ACL is covering WWW, SMTP, telnet, RDP, etc. from EXTERNAL hosts connecting to your NATted address. If you want to allow connections from your NATted address to external services, you need to allow the "well-known" ports back in (as source ports). WWW is the same as telnet:

permit tcp any eq www host 12.139.63.107

I am assuming you'll take care to apply any security policies that fit your organizational needs/requirements.

HTH.

Regards,
Bill

Michael Murray Wed, 06/16/2010 - 16:53

Bill,

Thanks for your response. That takes care of telnet but not the rest of the services I need (www, dns, tcp). For reference, here's what I came up with that works for most common Internet traffic. The deny statements up front are just for defense against well-known attacks:

interface FastEthernet0/1
description CONNECTED_TO_ISP
ip address 12.139.63.107 255.255.255.248
ip access-group INBOUND in
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
ip access-list extended INBOUND
deny   ip 127.0.0.0 0.255.255.255 any
deny   ip 192.0.2.0 0.0.0.255 any
deny   ip 224.0.0.0 31.255.255.255 any
deny   ip 12.139.63.104 0.0.0.7 any
deny   ip host 255.255.255.255 any
deny   ip 10.0.0.0 0.255.255.255 any
deny   ip 172.16.0.0 0.15.255.255 any
deny   ip 192.168.0.0 0.0.255.255 any
permit icmp any any echo-reply
permit icmp any any unreachable
permit icmp any any time-exceeded
deny   icmp any any
permit udp any eq domain host 12.139.63.107 gt 1023
permit udp any eq domain host 12.139.63.107 eq domain
permit tcp any 12.139.63.104 0.0.0.7 established
permit udp any range 1 1023 12.139.63.104 0.0.0.7 gt 1023
permit tcp any eq ftp-data 12.139.63.104 0.0.0.7 gt 1023
permit udp any gt 1023 12.139.63.104 0.0.0.7 gt 1023
permit tcp any host 12.139.63.107 eq 1723
permit tcp any host 12.139.63.107 eq www
permit tcp any host 12.139.63.107 eq smtp
permit tcp any host 12.139.63.108 eq www
permit tcp any host 12.139.63.109 eq www
permit tcp any host 12.139.63.107 eq telnet
deny   ip any any log

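Added example, not from any post in this thread: a small Python model of IOS first-match ACL evaluation, fed the PERIMETER list as posted, PERIMETER with Bill's `permit tcp any eq telnet host 12.139.63.107` entry in front of the final deny, and the TCP-relevant entries of Michael's INBOUND list in their original order. It replays the SYN/ACK from the logged denial (12.139.63.105:23 -> 12.139.63.107:61124) plus two constructed packets: a web-server reply from 198.51.100.10 and a bare SYN from 203.0.113.9 sent from source port 23 at port 445 (both addresses are documentation ranges picked here, and the packet helper, port table and evaluator are this example's own, not IOS). It shows what the two answers state but do not demonstrate: the original list has no entry for return traffic, so the reply falls through to `deny ip any any log`; a source-port permit of the kind Bill suggests lets any outside host reach any TCP port on 12.139.63.107 simply by sending from source port 23, because nothing in that entry ties the packet to a connection the router opened; and the `established` entry in INBOUND rejects the bare SYN while still passing a genuine reply, since it requires the ACK or RST bit. The model also surfaces an ordering issue in INBOUND as posted: the anti-spoofing entry `deny ip 12.139.63.104 0.0.0.7 any` covers the ISP gateway 12.139.63.105, which sits inside the same /29, so the thread's original telnet test would be dropped by that entry before the `established` line is ever reached.

```python
"""Added example, not code from the thread: a first-match evaluator for the subset of Cisco IOS
extended-ACL syntax used on this page (ip/tcp/udp/icmp; any | host A | A WILDCARD; eq/gt port
operators; 'established'; ICMP type keywords; 'log' ignored). It models IOS, it is not IOS."""
import ipaddress

PORT_NAMES = {"telnet": 23, "www": 80, "smtp": 25, "domain": 53, "ftp": 21, "ftp-data": 20}

def _ip(s): return int(ipaddress.ip_address(s))
def _port(tok): return PORT_NAMES.get(tok) or int(tok)

def _parse_addr(toks, i):
    """Consume 'any' | 'host A' | 'A WILDCARD' at toks[i]; return (matcher, next index)."""
    if toks[i] == "any":
        return (lambda ip: True), i + 1
    if toks[i] == "host":
        want = _ip(toks[i + 1])
        return (lambda ip: _ip(ip) == want), i + 2
    base, mask = _ip(toks[i]), 0xFFFFFFFF ^ _ip(toks[i + 1])  # wildcard bits are don't-care
    return (lambda ip: _ip(ip) & mask == base & mask), i + 2

def _parse_port(toks, i):
    """Consume an optional 'eq N' / 'gt N'; absent means any port."""
    if i < len(toks) and toks[i] in ("eq", "gt"):
        n, is_eq = _port(toks[i + 1]), toks[i] == "eq"
        return (lambda p: p == n if is_eq else p > n), i + 2
    return (lambda p: True), i

def parse_ace(line):
    toks = line.split()
    src, i = _parse_addr(toks, 2)
    sport, i = _parse_port(toks, i)
    dst, i = _parse_addr(toks, i)
    dport, i = _parse_port(toks, i)
    extra = set(toks[i:]) - {"log"}
    icmp_type = next(iter(extra - {"established"}), None)  # e.g. echo-reply
    return toks[0], toks[1], src, sport, dst, dport, "established" in extra, icmp_type

def evaluate(acl_text, pkt):
    """Return (action, matching entry); an unmatched packet hits the implicit deny."""
    for line in filter(None, map(str.strip, acl_text.splitlines())):
        action, proto, src, sport, dst, dport, established, icmp_type = parse_ace(line)
        if proto not in ("ip", pkt["proto"]) or not (src(pkt["src"]) and dst(pkt["dst"])):
            continue
        if proto in ("tcp", "udp") and not (sport(pkt["sport"]) and dport(pkt["dport"])):
            continue
        if established and not pkt.get("tcp_flags", set()) & {"ACK", "RST"}:
            continue  # IOS 'established' matches only segments with ACK or RST set
        if proto == "icmp" and icmp_type and pkt.get("icmp_type") != icmp_type:
            continue
        return action, line
    return "deny", "(implicit deny)"

# PERIMETER as posted. INBOUND is trimmed to the entries a TCP packet in the checks below can
# match (UDP, ICMP, the .108/.109 entries and unrelated bogon denies dropped); order is kept.
PERIMETER = """
permit tcp any host 12.139.63.107 eq 1723
permit tcp any host 12.139.63.107 eq www
permit tcp any host 12.139.63.107 eq smtp
permit tcp any host 12.139.63.107 eq telnet
permit icmp any any
permit tcp any host 12.139.63.108 eq www
permit tcp any host 12.139.63.109 eq www
permit tcp any host 12.139.63.107 eq 3389
deny   ip any any log
"""
BILL_LINE = "permit tcp any eq telnet host 12.139.63.107"  # Bill's suggested return-traffic entry
PERIMETER_BILL = PERIMETER.replace("deny   ip any any log", BILL_LINE + "\ndeny   ip any any log")
INBOUND = """
deny   ip 12.139.63.104 0.0.0.7 any
deny   ip 10.0.0.0 0.255.255.255 any
deny   ip 192.168.0.0 0.0.255.255 any
permit tcp any 12.139.63.104 0.0.0.7 established
permit tcp any eq ftp-data 12.139.63.104 0.0.0.7 gt 1023
permit tcp any host 12.139.63.107 eq telnet
deny   ip any any log
"""

def tcp(src, sport, dst, dport, *flags):
    return {"proto": "tcp", "src": src, "sport": sport, "dst": dst, "dport": dport, "tcp_flags": set(flags)}

# The SYN/ACK RTRB sent in the logged denial, a constructed web-server reply to a NATted
# client, and a constructed probe: a bare SYN from source port 23 at a port nobody published.
TELNET_REPLY = tcp("12.139.63.105", 23, "12.139.63.107", 61124, "SYN", "ACK")
WEB_REPLY = tcp("198.51.100.10", 80, "12.139.63.107", 50000, "SYN", "ACK")
FORGED_SPORT = tcp("203.0.113.9", 23, "12.139.63.107", 445, "SYN")

def run_checks():
    """(action, matching entry) for each ACL/packet pair the thread's answers raise."""
    return {
        "perimeter/telnet_reply": evaluate(PERIMETER, TELNET_REPLY),   # deny, no return entry
        "bill/telnet_reply": evaluate(PERIMETER_BILL, TELNET_REPLY),   # permit
        "bill/forged_sport": evaluate(PERIMETER_BILL, FORGED_SPORT),   # permit: source-port hole
        "inbound/web_reply": evaluate(INBOUND, WEB_REPLY),             # permit via established
        "inbound/forged_sport": evaluate(INBOUND, FORGED_SPORT),       # deny, no ACK/RST
        "inbound/telnet_reply": evaluate(INBOUND, TELNET_REPLY),       # deny by the /29 entry
    }

if __name__ == "__main__":
    for case, (action, entry) in run_checks().items():
        print(f"{case:24s} {action:6s} <- {entry}")
```

Running the file prints the matching entry for each case. `established` is still a stateless check: it only inspects the ACK/RST bits, so a forged ACK-only probe from the outside passes it and reaches the host, and it does nothing for UDP. Tying return traffic to connections the inside actually opened takes a stateful mechanism on the router (IOS reflexive ACLs or its stateful firewall inspection), which is the caveat to keep in mind with any of the three lists above. If the /29 anti-spoofing entry is kept, the gateway needs its own permit placed above it, for example a host-specific entry for 12.139.63.105 to 12.139.63.107 with `established`; that entry is a suggestion here, not something the thread proposes.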
chriszibell Mon, 06/07/2010 - 19:17
Sorry, my posting will not work. I missed that it was an inbound ACL, not outbound.
