Continuing Internet connection access list trouble...=(

rshullaw · ‎01-17-2003

Based on advice from a previous post, I applied the recommended standard access-list to the serial interface of my router connected to the Internet, but it immediately causes Internet access to fail. Any thoughts on what might be wrong with this list, or why it might prohibit Internet traffic?

Thoughts are greatly appreciated!

access-list 110 deny ip host 0.0.0.0 any log

access-list 110 deny ip any 255.255.255.128 0.0.0.127 log

access-list 110 deny ip 0.0.0.0 0.255.255.255 255.0.0.0 0.255.255.255 log

access-list 110 deny ip 10.0.0.0 0.255.255.255 log

access-list 110 deny ip 127.0.0.0 0.255.255.255 any log

access-list 110 deny ip 172.16.0.0 0.15.255.255 log

access-list 110 deny ip 192.168.0.0 0.0.255.255 log

access-list 110 deny ip 223.255.255.0 0.0.0.255 255.255.255.0 0.0.0.255 log

access-list 110 deny ip 224.0.0.0 31.255.255.255 224.0.0.0 31.255.255.255 log

access-list 110 deny ip x.x.x.64 0.0.0.31 any log (my network's IP)

access-list 110 permit tcp any host x.x.x.69 eq 443

access-list 110 permit tcp any host x.x.x.74 eq smtp

access-list 110 permit tcp any eq ftp-data host x.x.x.74

access-list 110 deny ip any any log

Thanks!

b-pelphrey · ‎01-17-2003

This acl is on the serial interface inbound?? Do you have any other acls on this router? Make sure that the acls don't negate your network to the Internet. Once you start appling permits and denies, you need to make sure you have your network Internet traffic included. For example this acl here is on the serial interface that only allows ssl, mail, and ftp to your internal systems and denying many services and networks. But my question is, what is on your Ethernet interface from where your internal people are trying to get to the Internet?

Maybe if you could provide some more of your scrubbed config? Then we can get this solved!

rshullaw · ‎01-17-2003

Yes, it's on the Serial interface inbound. Here's the rest of the config. With the "ip access-group 105 in" applied to the itnerface, no Internet. When I remove that single statement, it works fine. Obviously you can see that we are doing other things with ACLs, but it they seem to allow for Internet browsing when the 105 is not applied.

Thanks for your thoughts...

Current configuration : 4478 bytes

!

version 12.2

service timestamps debug datetime msec

service timestamps log datetime msec

service password-encryption

!

hostname XXXX-XXXX

!

enable secret 5 $1$uc3j$3h.aq3I/d0COwVxQt5A7./

enable password 7 021605481811003348

!

memory-size iomem 25

ip subnet-zero

no ip source-route

ip name-server xxx.xxx.xxx.xxx

!

ip inspect name STOP tcp

ip inspect name STOP ftp

ip inspect name STOP smtp

ip inspect name STOP h323

ip inspect name STOP rcmd

ip audit notify log

ip audit po max-events 100

!

interface FastEthernet0/0

description InterVLAN routing Interface

no ip address

speed auto

full-duplex

!

interface FastEthernet0/0.1

description Org 1 Network Segment

encapsulation dot1Q 1 native

ip address 10.1.1.1 255.255.255.0

ip access-group 1 out

ip nat inside

!

interface FastEthernet0/0.2

description Org 2 Network Segment

encapsulation dot1Q 2

ip address 10.1.2.1 255.255.255.0

ip access-group 1 out

ip nat inside

!

interface FastEthernet0/0.3

description Org 3 Network Segment

encapsulation dot1Q 3

ip address 10.1.3.1 255.255.255.0

ip access-group 1 out

ip nat inside

!

interface FastEthernet0/0.4

description Org 4 Network Segment

encapsulation dot1Q 4

ip address 10.1.4.1 255.255.255.0

ip access-group 1 out

ip nat inside

!

interface FastEthernet0/0.5

description Org 5 Network Segment

encapsulation dot1Q 5

ip address 10.1.5.1 255.255.255.0

ip access-group 1 out

ip nat inside

!

interface FastEthernet0/0.6

description Org 6 Network Segment

encapsulation dot1Q 6

ip address 10.1.6.1 255.255.255.0

ip access-group 1 out

ip nat inside

!

interface FastEthernet0/0.7

description Org 7 Network Segment

encapsulation dot1Q 7

ip address 10.1.7.1 255.255.255.0

ip access-group 1 out

ip nat inside

!

interface FastEthernet0/0.8

description Org 8 Network Segment

encapsulation dot1Q 8

ip address 10.1.8.1 255.255.255.0

ip access-group 1 out

ip nat inside

!

interface FastEthernet0/0.9

description Org 9 Network Segment

encapsulation dot1Q 9

ip address 10.1.9.1 255.255.255.0

ip access-group 1 out

ip nat inside

!

interface FastEthernet0/0.10

description Org 10 Network Segment

encapsulation dot1Q 10

ip address 10.1.10.1 255.255.255.0

ip access-group 1 out

ip nat inside

!

interface FastEthernet0/0.11

description Org 11 Network Segment

encapsulation dot1Q 11

ip address 10.1.11.1 255.255.255.0

ip access-group 1 out

ip nat inside

!

interface FastEthernet0/0.12

description Org 12 Network Segment

encapsulation dot1Q 12

ip address 10.1.12.1 255.255.255.0

ip access-group 1 out

ip nat inside

!

interface FastEthernet0/0.13

description Org 13 Network Segment

encapsulation dot1Q 13

ip address 10.1.13.1 255.255.255.0

ip access-group 1 out

ip nat inside

!

interface FastEthernet0/0.14

description Org 14 Network Segment

encapsulation dot1Q 14

ip address 10.1.14.1 255.255.255.0

ip access-group 1 out

ip nat inside

!

interface FastEthernet0/0.15

description Shared Network Segment

encapsulation dot1Q 15

ip address 10.1.32.1 255.255.255.0

ip nat inside

!

interface Serial0/0

no ip address

encapsulation frame-relay IETF

no ip route-cache

service-module t1 timeslots 1-24

frame-relay lmi-type ansi

!

interface Serial0/0.1 point-to-point

ip address xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx

ip nat outside

ip inspect STOP out

no ip route-cache

ip access-group 105 in

no arp frame-relay

frame-relay interface-dlci XXX

!

ip nat pool dynamic XXX.XXX.XXX.XXX XXX.XXX.XXX.XXX prefix-length XX

ip nat inside source list 7 pool dynamic

ip classless

ip route 0.0.0.0 0.0.0.0 XXX.XXX.XXX.XXX

no ip http server

!

access-list 1 deny 10.1.0.0 0.0.31.255

access-list 1 permit any

access-list 7 permit 10.1.0.0 0.0.255.255

access-list 105 deny ip host 0.0.0.0 any log

access-list 105 deny ip any 255.255.255.128 0.0.0.127 log

access-list 105 deny ip 0.0.0.0 0.255.255.255 255.0.0.0 0.255.255.255 log

access-list 105 deny ip 10.0.0.0 0.255.255.255 log

access-list 105 deny ip 127.0.0.0 0.255.255.255 any log

access-list 105 deny ip 172.16.0.0 0.15.255.255 log

access-list 105 deny ip 192.168.0.0 0.0.255.255 log

access-list 105 deny ip 223.255.255.0 0.0.0.255 255.255.255.0 0.0.0.255 log

access-list 105 deny ip 224.0.0.0 31.255.255.255 224.0.0.0 31.255.255.255 log

access-list 105 deny ip 10.1.0.0 0.0.255.255 any log (my network's IP)

access-list 105 deny ip any any log

dialer-list 1 protocol ip permit

dialer-list 1 protocol ipx permit

banner motd ^C

XXXXXXXXXXXXXXXXXXXXXXXX

WARNING: Unauthorized access to this computer system

is prohibited. Violators are subject to

criminal and civil penalties.^C

!

line con 0

line aux 0

line vty 0 4

password 7 13151601181B54382F

login

!

end

kevin-reynolds · ‎01-17-2003

You are blocking all return web traffic with the following statement:

access-list 110 deny ip any any log

If you just want web traffic try this at the end:

access-list 110 permit udp y.y.y.y eq 53 x.x.x.x 0.0.0.32

access-list 110 permit tcp any eq 80 x.x.x.x 0.0.0.31

access-list 110 deny ip any any log

This will permit any source address ( the internet) with a source port of 80 (web traffic) access to your network (where x.x.x.x 0.0.0.31 is your internal net). It also allows name requests to come back to you. y.y.y.y represnets a DNS server. You would have to do the same thing for any service you want to permit. ( 443, SMTP, telnet, ssh, whatever).

Kevin

rshullaw · ‎01-17-2003

Thanks, Kevin! I'll give that a try!

b-pelphrey · ‎01-17-2003

.