01-17-2003 09:56 AM - edited 02-20-2020 09:20 PM
Based on advice from a previous post, I applied the recommended standard access-list to the serial interface of my router connected to the Internet, but it immediately causes Internet access to fail. Any thoughts on what might be wrong with this list, or why it might prohibit Internet traffic?
Thoughts are greatly appreciated!
access-list 110 deny ip host 0.0.0.0 any log
access-list 110 deny ip any 255.255.255.128 0.0.0.127 log
access-list 110 deny ip 0.0.0.0 0.255.255.255 255.0.0.0 0.255.255.255 log
access-list 110 deny ip 10.0.0.0 0.255.255.255 log
access-list 110 deny ip 127.0.0.0 0.255.255.255 any log
access-list 110 deny ip 172.16.0.0 0.15.255.255 log
access-list 110 deny ip 192.168.0.0 0.0.255.255 log
access-list 110 deny ip 223.255.255.0 0.0.0.255 255.255.255.0 0.0.0.255 log
access-list 110 deny ip 224.0.0.0 31.255.255.255 224.0.0.0 31.255.255.255 log
access-list 110 deny ip x.x.x.64 0.0.0.31 any log (my network's IP)
access-list 110 permit tcp any host x.x.x.69 eq 443
access-list 110 permit tcp any host x.x.x.74 eq smtp
access-list 110 permit tcp any eq ftp-data host x.x.x.74
access-list 110 deny ip any any log
Thanks!
01-17-2003 10:13 AM
This acl is on the serial interface inbound?? Do you have any other acls on this router? Make sure that the acls don't negate your network to the Internet. Once you start applying permits and denies, you need to make sure you have your network's Internet traffic included. For example, this acl here is on the serial interface and only allows ssl, mail, and ftp to your internal systems while denying many services and networks. But my question is, what is on your Ethernet interface from where your internal people are trying to get to the Internet?
Maybe if you could provide some more of your scrubbed config? Then we can get this solved!
01-17-2003 10:30 AM
Yes, it's on the Serial interface inbound. Here's the rest of the config. With the "ip access-group 105 in" applied to the interface, no Internet. When I remove that single statement, it works fine. Obviously you can see that we are doing other things with ACLs, but they seem to allow for Internet browsing when the 105 is not applied.
Thanks for your thoughts...
Current configuration : 4478 bytes
!
version 12.2
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname XXXX-XXXX
!
enable secret 5 $1$uc3j$3h.aq3I/d0COwVxQt5A7./
enable password 7 021605481811003348
!
memory-size iomem 25
ip subnet-zero
no ip source-route
ip name-server xxx.xxx.xxx.xxx
ip name-server xxx.xxx.xxx.xxx
!
ip inspect name STOP tcp
ip inspect name STOP ftp
ip inspect name STOP smtp
ip inspect name STOP h323
ip inspect name STOP rcmd
ip audit notify log
ip audit po max-events 100
!
!
!
!
interface FastEthernet0/0
description InterVLAN routing Interface
no ip address
speed auto
full-duplex
!
interface FastEthernet0/0.1
description Org 1 Network Segment
encapsulation dot1Q 1 native
ip address 10.1.1.1 255.255.255.0
ip access-group 1 out
ip nat inside
!
interface FastEthernet0/0.2
description Org 2 Network Segment
encapsulation dot1Q 2
ip address 10.1.2.1 255.255.255.0
ip access-group 1 out
ip nat inside
!
interface FastEthernet0/0.3
description Org 3 Network Segment
encapsulation dot1Q 3
ip address 10.1.3.1 255.255.255.0
ip access-group 1 out
ip nat inside
!
interface FastEthernet0/0.4
description Org 4 Network Segment
encapsulation dot1Q 4
ip address 10.1.4.1 255.255.255.0
ip access-group 1 out
ip nat inside
!
interface FastEthernet0/0.5
description Org 5 Network Segment
encapsulation dot1Q 5
ip address 10.1.5.1 255.255.255.0
ip access-group 1 out
ip nat inside
!
interface FastEthernet0/0.6
description Org 6 Network Segment
encapsulation dot1Q 6
ip address 10.1.6.1 255.255.255.0
ip access-group 1 out
ip nat inside
!
interface FastEthernet0/0.7
description Org 7 Network Segment
encapsulation dot1Q 7
ip address 10.1.7.1 255.255.255.0
ip access-group 1 out
ip nat inside
!
interface FastEthernet0/0.8
description Org 8 Network Segment
encapsulation dot1Q 8
ip address 10.1.8.1 255.255.255.0
ip access-group 1 out
ip nat inside
!
interface FastEthernet0/0.9
description Org 9 Network Segment
encapsulation dot1Q 9
ip address 10.1.9.1 255.255.255.0
ip access-group 1 out
ip nat inside
!
interface FastEthernet0/0.10
description Org 10 Network Segment
encapsulation dot1Q 10
ip address 10.1.10.1 255.255.255.0
ip access-group 1 out
ip nat inside
!
interface FastEthernet0/0.11
description Org 11 Network Segment
encapsulation dot1Q 11
ip address 10.1.11.1 255.255.255.0
ip access-group 1 out
ip nat inside
!
interface FastEthernet0/0.12
description Org 12 Network Segment
encapsulation dot1Q 12
ip address 10.1.12.1 255.255.255.0
ip access-group 1 out
ip nat inside
!
interface FastEthernet0/0.13
description Org 13 Network Segment
encapsulation dot1Q 13
ip address 10.1.13.1 255.255.255.0
ip access-group 1 out
ip nat inside
!
interface FastEthernet0/0.14
description Org 14 Network Segment
encapsulation dot1Q 14
ip address 10.1.14.1 255.255.255.0
ip access-group 1 out
ip nat inside
!
interface FastEthernet0/0.15
description Shared Network Segment
encapsulation dot1Q 15
ip address 10.1.32.1 255.255.255.0
ip nat inside
!
interface Serial0/0
no ip address
encapsulation frame-relay IETF
no ip route-cache
service-module t1 timeslots 1-24
frame-relay lmi-type ansi
!
interface Serial0/0.1 point-to-point
ip address xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx
ip nat outside
ip inspect STOP out
no ip route-cache
ip access-group 105 in
no arp frame-relay
frame-relay interface-dlci XXX
!
ip nat pool dynamic XXX.XXX.XXX.XXX XXX.XXX.XXX.XXX prefix-length XX
ip nat inside source list 7 pool dynamic
ip classless
ip route 0.0.0.0 0.0.0.0 XXX.XXX.XXX.XXX
no ip http server
!
!
access-list 1 deny 10.1.0.0 0.0.31.255
access-list 1 permit any
access-list 7 permit 10.1.0.0 0.0.255.255
access-list 105 deny ip host 0.0.0.0 any log
access-list 105 deny ip any 255.255.255.128 0.0.0.127 log
access-list 105 deny ip 0.0.0.0 0.255.255.255 255.0.0.0 0.255.255.255 log
access-list 105 deny ip 10.0.0.0 0.255.255.255 log
access-list 105 deny ip 127.0.0.0 0.255.255.255 any log
access-list 105 deny ip 172.16.0.0 0.15.255.255 log
access-list 105 deny ip 192.168.0.0 0.0.255.255 log
access-list 105 deny ip 223.255.255.0 0.0.0.255 255.255.255.0 0.0.0.255 log
access-list 105 deny ip 224.0.0.0 31.255.255.255 224.0.0.0 31.255.255.255 log
access-list 105 deny ip 10.1.0.0 0.0.255.255 any log (my network's IP)
access-list 105 deny ip any any log
dialer-list 1 protocol ip permit
dialer-list 1 protocol ipx permit
banner motd ^C
XXXXXXXXXXXXXXXXXXXXXXXX
WARNING: Unauthorized access to this computer system
is prohibited. Violators are subject to
criminal and civil penalties.^C
!
line con 0
line aux 0
line vty 0 4
password 7 13151601181B54382F
login
!
end
01-17-2003 11:07 AM
You are blocking all return web traffic with the following statement:
access-list 110 deny ip any any log
If you just want web traffic try this at the end:
access-list 110 permit udp host y.y.y.y eq 53 x.x.x.x 0.0.0.31
access-list 110 permit tcp any eq 80 x.x.x.x 0.0.0.31
access-list 110 deny ip any any log
This will permit any source address (the internet) with a source port of 80 (web traffic) access to your network (where x.x.x.x 0.0.0.31 is your internal net). It also allows name requests to come back to you. y.y.y.y represents a DNS server. You would have to do the same thing for any service you want to permit (443, SMTP, telnet, ssh, whatever).
Kevin
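The first-match behaviour Kevin describes, worked through as an added Python simulation (not code from the thread): it parses the subset of IOS extended-ACL syntax used here, applies wildcard masks, and shows the original list denying an HTTP reply that the amended list permits. The documentation addresses 203.0.113.64/27 and 198.51.100.53 are constructed stand-ins for the thread's scrubbed x.x.x.x and y.y.y.y.

```python
import ipaddress

# Constructed stand-ins for the thread's scrubbed addresses: 203.0.113.64/27 is
# the inside block (x.x.x.64 0.0.0.31), 198.51.100.53 the DNS server (y.y.y.y).
PORTS = {"www": 80, "smtp": 25, "ftp-data": 20, "domain": 53}

def _addr(tokens):
    """Consume 'any' | 'host A' | 'A WILDCARD', then an optional 'eq PORT'."""
    tok = tokens.pop(0)
    if tok == "any":
        spec = ("0.0.0.0", "255.255.255.255")
    elif tok == "host":
        spec = (tokens.pop(0), "0.0.0.0")
    else:
        spec = (tok, tokens.pop(0))
    port = None
    if tokens and tokens[0] == "eq":
        port = PORTS.get(tokens[1]) or int(tokens[1])
        del tokens[:2]
    return spec, port

def parse_ace(line):
    # 'access-list N permit|deny PROTO SRC [eq P] DST [eq P] [log]'
    tokens = line.split()
    action, proto, rest = tokens[2], tokens[3], tokens[4:]
    src, sport = _addr(rest)
    dst, dport = _addr(rest)
    return action, proto, src, sport, dst, dport

def wildcard_match(addr, spec):
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, *spec))
    return (a | w) == (b | w)  # wildcard 1-bits are "don't care", 0-bits must match

def evaluate(acl, proto, src, sport, dst, dport):
    """IOS semantics: the first matching entry wins; an unmatched packet is denied."""
    for action, p, s, sp, d, dp in map(parse_ace, acl):
        if (p in ("ip", proto) and wildcard_match(src, s) and wildcard_match(dst, d)
                and sp in (None, sport) and dp in (None, dport)):
            return action
    return "deny"

ORIGINAL = [
    "access-list 110 permit tcp any host 203.0.113.69 eq 443",
    "access-list 110 permit tcp any host 203.0.113.74 eq smtp",
    "access-list 110 deny ip any any log",
]
# Kevin's fix: admit replies by *source* port, placed before the final deny.
FIXED = ORIGINAL[:-1] + [
    "access-list 110 permit udp host 198.51.100.53 eq 53 203.0.113.64 0.0.0.31",
    "access-list 110 permit tcp any eq 80 203.0.113.64 0.0.0.31",
] + ORIGINAL[-1:]
```

Evaluating a web server's reply (source port 80 towards an inside host) against ORIGINAL falls through to the final deny, while FIXED returns permit; a reply aimed outside the /27 still hits the deny.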
01-17-2003 11:17 AM
Thanks, Kevin! I'll give that a try!
01-17-2003 11:31 AM