Cisco 831 Access List problem

Answered Question
Aug 22nd, 2010

I am trying to configure an access list on my LAN segment e0 as a preliminary step to secure the network, which will include a DMZ webserver.

The PC at 40.5 loses internet connectivity when I add the access list. I'd eventually like to be able to permit only established sessions. Any clues? I'm sure it's elementary. Thanks

network diagram c.JPG


Current configuration : 1704 bytes
!
version 12.3
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname Cisco831
!
boot-start-marker
boot-end-marker
!
memory-size iomem 5
!
username PICOMETER
no aaa new-model
ip subnet-zero
!
!!
no ip domain lookup
ip ids po max-events 100
no ftp-server write-enable
password encryption aes
!!
!
interface Ethernet0
description inside LAN segment
ip address 192.168.40.10 255.255.255.0
ip access-group 150 in
ip access-group 160 out
no cdp enable
!
interface Ethernet1
description internet WAN segment
ip address 172.16.2.10 255.255.255.0
ip access-group 151 in
ip access-group 161 out
duplex auto
no cdp enable
!
interface Ethernet2
description DMZ LAN segment
ip address 192.168.30.1 255.255.255.0
ip access-group 152 in
ip access-group 162 out
no cdp enable
!
interface FastEthernet1
no ip address
duplex auto
speed auto
!
interface FastEthernet2
no ip address
shutdown
duplex auto
speed auto
!
interface FastEthernet3
no ip address
shutdown
duplex auto
speed auto
!
interface FastEthernet4
no ip address
duplex auto
speed auto
!
ip classless
ip route 0.0.0.0 0.0.0.0 172.16.2.1
!
ip http server
no ip http secure-server
!
!
access-list 151 deny   ip any host 192.168.40.5 fragments
access-list 151 permit tcp any host 192.168.40.5 eq www
access-list 151 deny   ip any any
!
no cdp run
!
!
control-plane
!
!
line con 0
exec-timeout 120 0
no modem enable
transport preferred all
transport output all
stopbits 1
line aux 0
transport preferred all
transport output all
line vty 0 4
exec-timeout 120 0
password 7 11031008161606050A
login
transport preferred all
transport input all
transport output all
!
scheduler max-task-time 5000
end

Nagaraja Thanthry Sun, 08/22/2010 - 12:01

Hello,

I see on Ethernet0 interface, you have configured access-group 150/160 but I do not see those access-lists defined.

interface Ethernet0
description inside LAN segment
ip address 192.168.40.10 255.255.255.0
ip access-group 150 in
ip access-group 160 out
no cdp enable

Can you please define the access-lists and see if that helps. A sample would be as follows:

access-list 150 permit tcp host 192.168.40.5 any eq www
access-list 150 deny ip any any
access-list 160 permit tcp any eq www host 192.168.40.5 established
access-list 160 permit tcp any eq www host 192.168.40.5 ack
access-list 160 permit tcp any eq www host 192.168.40.5 psh
access-list 160 deny ip any any

The above access-list will allow host 192.168.40.5 to access external websites and external websites to reply back.

Hope this helps.

Regards,

NT

picotable Sun, 08/22/2010 - 12:41

With those lists defined and without any list on the e1 interface, the PC 40.5 can ping itself but not the segment gateway e0 at 40.1. The router itself cannot ping the e0 interface at 40.1 but can ping e1 and e2 and everything beyond.

Nagaraja Thanthry Sun, 08/22/2010 - 12:49

Hello,

If you want to enable icmp, you need to add that rule.

access-list 150 permit icmp any any
access-list 150 permit tcp host 192.168.40.5 any eq www
access-list 150 deny ip any any
access-list 160 permit icmp any any
access-list 160 permit tcp any eq www host 192.168.40.5 established
access-list 160 permit tcp any eq www host 192.168.40.5 ack
access-list 160 permit tcp any eq www host 192.168.40.5 psh
access-list 160 deny ip any any

Hope this helps.

Regards,

NT

picotable Sun, 08/22/2010 - 13:54

I used the following list as you suggest, which lets the router ping the PC, but there is still no internet connectivity. I cannot ping the e0 interface from the PC or the router itself. Is it a loopback issue?

access-list 160 permit icmp any any
access-list 160 permit tcp any eq www host 192.168.40.5 established
access-list 160 permit tcp any eq www host 192.168.40.5 ack
access-list 160 permit tcp any eq www host 192.168.40.5 psh
access-list 160 deny ip any any

Correct Answer
Nagaraja Thanthry Sun, 08/22/2010 - 14:05

Hello,

While reviewing your configurations, I did not find any NAT rules. Could you please configure the NAT rules and see if that helps? Also, I see that you have configured access-groups on the outside interface (Ethernet1). Can you append the access-list entries for that access-group as well?

access-list 151 permit icmp any any
access-list 151 permit tcp any eq www any established
access-list 151 permit tcp any eq www any psh
access-list 151 permit tcp any eq www any ack
access-list 151 deny ip any any
access-list 161 permit icmp any any
access-list 161 permit tcp any any eq www
access-list 161 deny ip any any

Regards,

NT

Correct Answer
Paolo Bevilacqua Sun, 08/22/2010 - 12:38

It is never necessary to configure both in and out access-group.

Use one or the other.

picotable Sun, 08/22/2010 - 12:47

I used only the 160 list. The e0 interface pinged from the PC is "destination host unreachable". The router cannot ping its own e0 interface.

Correct Answer
Richard Burts Sun, 08/22/2010 - 14:18

If the PC is not able to ping the router one of the tests that I would suggest is to determine whether there is an ARP entry in the PC for the address of the router. Since the ARP table in Windows is cleared pretty quickly I would suggest that you attempt ping from PC to router and immediately do arp -a on the PC to see what is in the ARP table.

If the router is not able to ping the e0 interface it makes me wonder what is going on with the router. Would you post the output of show ip interface brief from the router?

Beyond the question of pinging the router interface there is a larger issue that needs to be addressed. Your approach to the access list is overly restrictive. I understand that you want to limit access but you need to think about things like DNS. Your access list does not permit any traffic for DNS. So the PC DNS request for an Internet web site will never resolve. This causes the result of no Internet connectivity. So you need to permit DNS traffic. You should also think about whether there are other types of service traffic that the PC might need that you should permit.

HTH

Rick

picotable Sun, 08/22/2010 - 14:38

The PC arp table showed the error.  The e0 interface is assigned 40.10 not 40.1.  It pings just fine from the router and the PC. Sorry for the confusion.  I now have to think about the DNS issue and any and all other services.

picotable Sun, 08/22/2010 - 18:30

Success

Thanks again to the Community:

I've got connectivity with the list:

access-list 160 permit ip host any
access-list 160 permit tcp any any established
access-list 160 permit ip host any
access-list 160 permit tcp any eq www host 192.168.40.5 ack

I have questions about the ordering, and also if the DNS lines can be further restricted. I notice gmail chat is restricted, which is apparently dependent on either POP or IMAP or both. It's not a necessary feature and if either of these avenues are vulnerable, I'd rather do without them. So far I don't notice any other trouble. How does NAT play into this?

I suppose the DMZ webserver won't need the DNS lines but will need ftp.  Please correct me if I'm wrong.  Any suggestions?

Thanks again to everyone, thanks Rick.

Jim

Richard Burts Sun, 08/22/2010 - 20:56

Jim

You are quite welcome. Thank you for the rating.

As far as order of access list is concerned it will work ok with these 4 statements in any order. In trying to optimize operation of access lists one suggestion is to place statements early in the ACL that will get the most hits. So I would suggest putting the permit tcp established as the first statement. Other than that I do not think that order of the access list matters much.

I do wonder about the ACL statement permit tcp any eq www host 192.168.40.5 ack. In my understanding permit tcp ack is one part of permit tcp established. So I am not sure that this line is really needed. It would be an interesting test to leave that statement in the list for a while, make sure that the permit tcp established is before the permit tcp ack, and to use show access list to see if that line ever gets any hits.

If you wanted to tighten up the access list it should be possible that instead of permit ip host you could change it to permit udp and tcp port numbers (port 53). Note that most DNS requests use udp port 53 but some DNS communication does use tcp. So I would advise permitting both udp and tcp port 53.

HTH

Rick

[edit] In rereading the thread I remember that you asked how Network Address Translation plays into this. With private addressing being used (192.168.x.x) there is certainly need to NAT (or PAT). I believe that with the topology that you show in the original post that it makes sense to do the address translation on R1 rather than on the 831.
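Added example, not code from the thread or from Cisco: a small Python first-match evaluator for the numbered extended ACLs posted above. It shows why list 160 as posted lets web replies back to the PC but drops DNS answers (Rick's point), and what the udp/tcp port 53 entries he suggests change. It assumes only the keywords used in the thread (host, any, eq, www/domain, established, ack, psh); the sample packets and the 203.0.113.x addresses are constructed for the demonstration.

```python
PORT_NAMES = {"www": 80, "domain": 53}   # IOS port keywords used in the thread

def parse_ace(line):  # 'access-list N permit|deny proto src [eq p] dst [eq p] [flag]'
    tok = line.split()
    action, proto, rest = tok[2], tok[3], tok[4:]
    def take_addr(r):  # 'host A' or 'any', optionally followed by 'eq PORT'
        addr, r = (r[1], r[2:]) if r[0] == "host" else (r[0], r[1:])
        port = int(PORT_NAMES.get(r[1], r[1])) if r[:1] == ["eq"] else None
        return addr, port, (r[2:] if port is not None else r)
    src, sport, rest = take_addr(rest)
    dst, dport, rest = take_addr(rest)
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dst": dst, "dport": dport, "opt": rest[0] if rest else None}

def ace_matches(ace, pkt):  # pkt: dict with proto, src, sport, dst, dport, flags (set)
    if ace["proto"] != "ip" and ace["proto"] != pkt["proto"]:
        return False
    for side in ("src", "dst"):
        if ace[side] != "any" and ace[side] != pkt[side]:
            return False
    if ace["sport"] not in (None, pkt["sport"]) or ace["dport"] not in (None, pkt["dport"]):
        return False
    if ace["opt"] == "established":        # IOS: matches when ACK or RST is set
        return bool(pkt["flags"] & {"ack", "rst"})
    if ace["opt"] in ("ack", "psh"):       # single-flag variants Nagaraja added
        return ace["opt"] in pkt["flags"]
    return True

def evaluate(acl_lines, pkt):  # first match wins; unmatched packets hit the implicit deny
    for line in acl_lines:
        ace = parse_ace(line)
        if ace_matches(ace, pkt):
            return ace["action"]
    return "deny"

# ACL 160 exactly as posted in the thread (applied outbound on e0 toward the PC)
ACL160 = [
    "access-list 160 permit icmp any any",
    "access-list 160 permit tcp any eq www host 192.168.40.5 established",
    "access-list 160 permit tcp any eq www host 192.168.40.5 ack",
    "access-list 160 permit tcp any eq www host 192.168.40.5 psh",
    "access-list 160 deny ip any any",
]
# Rick's tightening: DNS answers on udp and tcp port 53 in place of 'permit ip host ...'
ACL160_DNS = ACL160[:1] + ["access-list 160 permit udp any eq domain host 192.168.40.5",
                           "access-list 160 permit tcp any eq domain host 192.168.40.5 established"] + ACL160[1:]
# Constructed sample packets (203.0.113.0/24 is documentation address space)
WEB_REPLY = dict(proto="tcp", src="203.0.113.10", sport=80, dst="192.168.40.5", dport=51000, flags={"ack", "psh"})
DNS_REPLY = dict(proto="udp", src="203.0.113.53", sport=53, dst="192.168.40.5", dport=50000, flags=set())
```

Because evaluation stops at the first match, the established entry placed first (as Rick suggests) absorbs every ACK-bearing web reply before the ack and psh entries are ever consulted.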
