Access list help....please!!!

tonysanta (Level 1)

Hello,

Here is my situation. I have an internal network of 10.81.0.X. I have an external location of 10.12.1.X. I want to only allow access into my 10.81 network for 10.12.1.X, but still allow Web traffic from my internal network to pass. I'm not a pro with ACL. I tried a few things but didn't have any luck. Any help would be greatly appreciated.

Tony

27 Replies

The problem is I need to allow telnet from the 10.12 network to the 10.81 network, and vice versa. That is what's not working. The ACL for the internet worked fine. I didn't try the ACL you mentioned yet. I will let you know. Thanks

I applied this ACL. Here is where it's at. Internet works from the 10.81 side. Telnet does not work from the 10.81 side. Also the app that is run on the 10.12 side still doesn't work. I looked into the client application. It looks like it uses telnet and rlogin.

It may be something with the rlogin. Have you tried testing telnet without that client to see if it works? What client application is it? It may use another protocol besides IP (like GRE) that has to be opened also. An example of this would be an access list for Windows VPN. Not only do you need to open up the port for the VPN connection, you have to allow the GRE protocol by adding "access-list permit gre any any" to the access list. It could be a situation like that causing the problem, because the ACL you are using should allow all IP traffic between those networks.

This may assist you with determining which traffic is being denied that you want to let through.

In an earlier post a.manosca mentioned using an explicit deny statement. I have used this in the past to determine what was actually the problem.

access-list 100 deny ip any any log

Add this statement to the end of your access list. Make sure you have logging buffered turned on. Check your log for your denies. Determine what ports and addresses need to be added. Add those to the appropriate location in the access list. Be aware, if the rule logs a tremendous number of entries, it could impact performance of the router. You can also offload the log file to a syslog server with the proper configuration.

HTH

Once you have successfully connected all applications, remove the log part of the entry or the whole explicit deny statement.

I tried what you suggested. Turned on logging and had the user from the 10.12 network try and access the server on my end (10.81). Nothing shows in the log from the 10.12 side. However, I do have access denied udp and tcp from my side trying to access the internet. One question I have is: where should I be applying the access-list? Do I apply it on the Ethernet port (10.81), or on the Serial interface where 10.12 comes in? When I can I will post a portion of the log...

I also noticed that I get a lot of denials from our DNS at 10.0.0.1. Does this need to be in the ACL also?

A couple points to clarify,

The serial port that the 10.12.1.0 network is out of, are there any other networks out that interface?

I assume your Internet connection is out some other serial port/router?

Do the clients on the 10.12.1.0 network require name resolution to access the applications/hosts on the 10.81.0.0 network?

If DNS is required, and on a different network, you need to allow that access.

If there are no other networks out the serial port for 10.12.1.0, you may consider an ACL that only controls destination traffic for the serial interface.

Create that ACL and apply only to the Serial port.

By putting the access list on the serial port, you control the ingress into your network. You may still require ACLs on other interfaces, but it can be simpler and easier to support if your ACL has a main function associated with a specific source network rather than a very large do-everything ACL. ACLs tend to grow very quickly over time and very rarely get cleaned up like they should. (enough soap box)

interface serial 1/0 (not sure if this is your exact port)

ip access-group 100 in

access-list 100 permit ip 10.12.1.0 0.0.0.255 10.81.0.0 0.0.0.255

*** allows all traffic with source address 10.12.1.x to 10.81.0.x ***

access-list 100 permit tcp 10.12.1.0 0.0.0.255 10.0.0.1 0.0.0.0 eq 53

*** allows clients/hosts on 10.12.1.0 access to the DNS server ***

access-list 100 deny ip any any log

*** explicitly denies all other traffic and logs the denial ***

By installing the access list on the incoming serial port, you do not impact your 10.81.0.0 local traffic from accessing any services. If you need to control what 10.81.0.0 access, apply a different ACL to the local LAN interface.

HTH

1.) The internet connection for 10.81 is out the same serial that the 10.12 network comes in on.

2.) No. The clients from 10.12 do not require name resolution to access the 10.81 side.

3.) The DNS is located at 10.0.0.1 which is located at the 10.12 location.

Hope this helps. Thanks everyone for all this help.

Tony

Tony,

is the 10.81.0.0 network the only network address on your internal net?

The reason I ask is that it helps to determine where you would apply your access list. If you have other networks, placing the ACL on the serial link will require entries for each network due to the implicit deny, if you require outside inbound communications with these networks.

Applying the ACL on the ethernet interface allows 10.12.1.0 access to all other routes on the router since the ACL is not enforced until the traffic hits the LAN interface. So if you had multiple LAN interfaces, having the ACL on one LAN only impacts traffic to or from that interface.

With these considerations, you have other networks that 10.81.0.0 must communicate with, ie 10.0.0.1(DNS server) is being blocked by your current configuration.

A complete map of resources would help to document where your traffic must flow. It will assist you in building the simplest ACLs possible while making your network as secure as you would like it to be, short of installing a firewall.

One more note: when you see items that you are not sure about, maybe the 'rlogin' denial, don't jump to open traffic up for the denial. I was amazed at how much snooping, probing and downright hacking was taking place on the first network where I installed ACLs. Investigate the denied access and only open as needed.

I know a lot of my reply is very generic, but without the complete map of your network, I feel I can only point you in the right direction(hopefully) to solving your problem.

I really appreciate the help. I know without a map things are fuzzy.

Here is the ACL that I applied to s0.

access-list 100 permit ip 10.12.1.0 0.0.0.255 10.81.0.0 0.0.0.255

access-list 100 permit tcp 10.81.0.0 0.0.255.255 host 10.0.0.1 eq domain

access-list 100 deny ip any any log

NOTE:

The ACL- access-list 100 permit tcp 10.81.0.0 0.0.255.255 host 10.0.0.1 eq domain.

I had changed what you told me because the 10.81 side needs to get to this DNS. I hope I was right there. Also, applying this ACL didn't allow anything from 10.81 and didn't allow anyone from 10.12 in.

Below is a piece of the log file:

Log Buffer (4096 bytes):

2) -> 10.81.0.2(513), 1 packet

1w1d: %SEC-6-IPACCESSLOGP: list 100 denied tcp 10.0.0.1(828) -> 10.81.0.2(513), 1 packet

1w1d: %SEC-6-IPACCESSLOGP: list 100 denied tcp 10.0.0.1(821) -> 10.81.0.2(513), 9 packets

1w1d: %SEC-6-IPACCESSLOGP: list 100 denied tcp 10.0.0.1(863) -> 10.81.0.2(513), 1 packet

1w1d: %SEC-6-IPACCESSLOGP: list 100 denied tcp 10.0.0.1(829) -> 10.81.0.2(513), 1 packet

1w1d: %SEC-6-IPACCESSLOGP: list 100 denied udp 10.0.0.1(53) -> 10.81.2.66(1030), 1 packet

1w1d: %SEC-6-IPACCESSLOGRL: access-list logging rate-limited or missed 8 packets

1w1d: %SEC-6-IPACCESSLOGP: list 100 denied tcp 10.0.0.1(823) -> 10.81.0.2(513), 8 packets

1w1d: %SEC-6-IPACCESSLOGP: list 100 denied udp 172.16.51.2(520) -> 224.0.0.9(520), 11 packets

1w1d: %SEC-6-IPACCESSLOGP: list 100 denied tcp 10.0.0.1(822) -> 10.81.0.2(513), 9 packets

1w1d: %SEC-6-IPACCESSLOGP: list 100 denied udp 10.0.0.1(53) -> 10.81.2.66(1031), 1 packet

1w1d: %SEC-6-IPACCESSLOGP: list 100 denied tcp 10.0.0.1(830) -> 10.81.0.2(513), 1 packet

1w1d: %SEC-6-IPACCESSLOGP: list 100 denied tcp 10.0.0.1(865) -> 10.81.0.2(513), 1 packet

Tony,

Here is what I see, assuming that this ACL is applied to the serial interface inbound traffic

interface s0

ip access-group 100 in

access-list 100 permit ip 10.12.1.0 0.0.0.255 10.81.0.0 0.0.0.255

*** allows source network 10.12.1.0/24 access to the destination network 10.81.0.0/24 with no port restrictions; this should be working fine ***

access-list 100 permit tcp 10.81.0.0 0.0.255.255 host 10.0.0.1 eq domain

*** allows source network 10.81.0.0/24 inbound access to the 10.0.0.1 host for the DNS only, you should remove this, because it is applied in the wrong direction. ***

access-list 100 permit tcp 10.0.0.1 0.0.0.0 10.81.0.0 0.0.0.255

*** this one will allow the source 10.0.0.1 host access to the destination 10.81.0.0/24 network if this host is trusted; you may or may not want to limit it to DNS only ***

access-list 100 deny ip any any log

*** just for logging and debugging purposes ***

Since you do not have any ACL applied to the outbound traffic, 10.81.0.0 can go anywhere they want. The thing you will have to watch is that you may require the following if you have troubles with established connections with other networks out your serial interface. I believe it would be at the top of the ACL.

access-list 100 permit tcp any 10.81.0.0 0.0.0.255 established

*** This would allow already established TCP connections between remote hosts and a host on the 10.81.0.0/24 network ***

With the above configuration, you will only allow 10.12.1.0/24 and 10.0.0.1/32 to initiate a connection from outside your network to 10.81.0.0/24. For any other remote site, you will need to add an entry in the ACL for that specific network or host. If you need more granularity, you can start to add entries that define which ports/protocols are allowed.

HTH
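To see why the posted list behaves the way the reply above describes once it is applied inbound on s0, here is an added simulator of Cisco extended-ACL evaluation (top-down first match, wildcard masks, `eq` ports, the TCP `established` keyword and the implicit deny). It is example code written for this thread, not any poster's configuration and not IOS itself. The flows are built from the log Tony posted; the client address 10.12.1.5 and the web server 198.51.100.10 are made up, and the "revised" list at the bottom is an assumption for illustration: it permits the DNS replies as UDP because that is how the log shows them.

```python
# Added example for this thread (not a poster's code, not IOS): a minimal model
# of Cisco extended-ACL evaluation for dry-running ACL 100 before applying it.
from dataclasses import dataclass
from typing import List, Optional
import ipaddress

PORT_NAMES = {"domain": 53, "telnet": 23}

@dataclass
class Entry:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip", "tcp" or "udp"
    src: str
    src_wc: str
    dst: str
    dst_wc: str
    sport: Optional[int] = None  # 'eq <port>' after the source spec
    dport: Optional[int] = None  # 'eq <port>' after the destination spec
    established: bool = False    # TCP 'established': ACK or RST bit set

@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    ack: bool = False            # True for the reply half of a TCP session

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard mask: a 1 bit means 'do not care'. 0.0.0.255 covers a /24,
    0.0.255.255 a /16, 0.0.0.0 one host and 255.255.255.255 is 'any'."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(base)) & care)

def _addr_spec(tok, i):
    """Consume 'any' | 'host A' | 'A WILDCARD' starting at tok[i]."""
    if tok[i] == "any":
        return "0.0.0.0", "255.255.255.255", i + 1
    if tok[i] == "host":
        return tok[i + 1], "0.0.0.0", i + 2
    return tok[i], tok[i + 1], i + 2

def _port_spec(tok, i):
    """Consume an optional 'eq <number|name>'."""
    if i < len(tok) and tok[i] == "eq":
        return PORT_NAMES.get(tok[i + 1]) or int(tok[i + 1]), i + 2
    return None, i

def parse_entry(line: str) -> Entry:
    """'access-list N permit|deny PROTO SRC [eq P] DST [eq P] [established] [log]';
    a numbered extended ACL (100-199) always carries the protocol keyword."""
    tok = line.split()
    src, src_wc, i = _addr_spec(tok, 4)
    sport, i = _port_spec(tok, i)
    dst, dst_wc, i = _addr_spec(tok, i)
    dport, i = _port_spec(tok, i)
    return Entry(tok[2], tok[3], src, src_wc, dst, dst_wc, sport, dport,
                 "established" in tok[i:])

def matches(e: Entry, p: Packet) -> bool:
    return ((e.proto == "ip" or e.proto == p.proto)
            and wildcard_match(p.src, e.src, e.src_wc)
            and wildcard_match(p.dst, e.dst, e.dst_wc)
            and (e.sport is None or p.sport == e.sport)
            and (e.dport is None or p.dport == e.dport)
            and (not e.established or (p.proto == "tcp" and p.ack)))

def evaluate(acl: List[Entry], p: Packet) -> str:
    """First matching entry wins; an unmatched packet hits the implicit deny."""
    for e in acl:
        if matches(e, p):
            return e.action
    return "deny"

# ACL 100 exactly as posted, applied inbound on s0.
ACL_AS_POSTED = [parse_entry(l) for l in (
    "access-list 100 permit ip 10.12.1.0 0.0.0.255 10.81.0.0 0.0.0.255",
    "access-list 100 permit tcp 10.81.0.0 0.0.255.255 host 10.0.0.1 eq domain",
    "access-list 100 deny ip any any log",
)]

# Assumed revision (illustrative only): 'established' for return TCP traffic,
# then the UDP DNS replies the log shows being dropped (to all of 10.81.0.0/16,
# since 10.81.2.x hosts appear in the log too), then the logging deny.
ACL_REVISED = [parse_entry(l) for l in (
    "access-list 100 permit tcp any 10.81.0.0 0.0.255.255 established",
    "access-list 100 permit ip 10.12.1.0 0.0.0.255 10.81.0.0 0.0.0.255",
    "access-list 100 permit udp host 10.0.0.1 eq domain 10.81.0.0 0.0.255.255",
    "access-list 100 deny ip any any log",
)]

# Flows taken from the posted log; 10.12.1.5 and 198.51.100.10 are made up.
# An inbound ACL on s0 only sees packets arriving from outside, so the posted
# 'permit tcp 10.81.0.0 ... eq domain' entry never matches anything there.
FLOWS = {
    "telnet_from_10.12": Packet("tcp", "10.12.1.5", "10.81.0.2", 1025, 23),
    "dns_reply_to_2.66": Packet("udp", "10.0.0.1", "10.81.2.66", 53, 1031),
    "rlogin_from_10.0": Packet("tcp", "10.0.0.1", "10.81.0.2", 828, 513),
    "web_reply": Packet("tcp", "198.51.100.10", "10.81.0.2", 80, 1040, ack=True),
    "rip_multicast": Packet("udp", "172.16.51.2", "224.0.0.9", 520, 520),
}

def run(acl: List[Entry]) -> dict:
    # Verdict per named flow, e.g. run(ACL_AS_POSTED)["dns_reply_to_2.66"]
    return {name: evaluate(acl, p) for name, p in FLOWS.items()}
```

Running `run(ACL_AS_POSTED)` shows only the 10.12.1.x telnet permitted: the DNS reply and the web reply fall through to the logging deny, which is exactly the "denied udp ... (53)" entries in the log and the lost internet access from 10.81. With `run(ACL_REVISED)` the web reply passes on `established` and the DNS reply on the UDP entry, while the rlogin connections from 10.0.0.1 are still denied because they are new TCP sessions (no ACK bit), not return traffic.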

Tried this with no luck. So I dug deeper and asked the other network admin some questions. This is what I have put together.

There is a router at the 10.0 side. The Serial ip that points to the internet is 204.60.231.42. The ether ip is 204.60.106.1 which routes traffic to the firewall. The firewall then routes it out 10.0.0.1, which then goes to another router 10.0.0.20. This router sends it to the 10.81 network.

The 10.12.1 network is connected by fiber to another port on the firewall which sends it out 10.0.0.1 then also to the 10.81 network.

I hope this can help me solve this.

Tony

Tony,

by looking at the log that you posted, it appears that you have other networks connected or downstream of your local router that you are applying the ACLs to.

Log Buffer (4096 bytes):

2) -> 10.81.0.2(513), 1 packet

1w1d: %SEC-6-IPACCESSLOGP: list 100 denied tcp 10.0.0.1(828) -> 10.81.0.2(513), 1 packet

1w1d: %SEC-6-IPACCESSLOGP: list 100 denied tcp 10.0.0.1(821) -> 10.81.0.2(513), 9 packets

1w1d: %SEC-6-IPACCESSLOGP: list 100 denied tcp 10.0.0.1(863) -> 10.81.0.2(513), 1 packet

1w1d: %SEC-6-IPACCESSLOGP: list 100 denied tcp 10.0.0.1(829) -> 10.81.0.2(513), 1 packet

1w1d: %SEC-6-IPACCESSLOGP: list 100 denied udp 10.0.0.1(53) -> 10.81.2.66(1030), 1 packet

*** The above entry shows that a 10.81.2.x network has a route originating from this side of the filter. If this access is required, you need to add that network also. ***

1w1d: %SEC-6-IPACCESSLOGRL: access-list logging rate-limited or missed 8 packets

1w1d: %SEC-6-IPACCESSLOGP: list 100 denied tcp 10.0.0.1(823) -> 10.81.0.2(513), 8 packets

1w1d: %SEC-6-IPACCESSLOGP: list 100 denied udp 172.16.51.2(520) -> 224.0.0.9(520), 11 packets

*** This looks like a RIP V2 multicast, do you require that from the 172.16.51.2 host/router? ***

1w1d: %SEC-6-IPACCESSLOGP: list 100 denied tcp 10.0.0.1(822) -> 10.81.0.2(513), 9 packets

1w1d: %SEC-6-IPACCESSLOGP: list 100 denied udp 10.0.0.1(53) -> 10.81.2.66(1031), 1 packet

*** Again, another denied packet with destination for a network that is not in your filter. ***

1w1d: %SEC-6-IPACCESSLOGP: list 100 denied tcp 10.0.0.1(830) -> 10.81.0.2(513), 1 packet

1w1d: %SEC-6-IPACCESSLOGP: list 100 denied tcp 10.0.0.1(865) -> 10.81.0.2(513), 1 packet

There is another track you can take, if your only concern is the 10.12.1.0 network access. Restrict the 10.12.1.0 and allow everything else.

Since you have a firewall, do you need to worry about other networks?

interface serial0

ip access-group 100 in

access-list 100 permit ip 10.12.1.0 0.0.0.255 10.81.0.0 0.0.0.255

*** will allow 10.12.1.0/24 access to all of the 10.81.0.0/24 network ***

access-list 100 deny ip 10.12.1.0 0.0.0.255 any

*** Will deny 10.12.1.0/24 access to any other network behind this router ***

access-list 100 permit ip any any

*** will allow all other traffic into this network ***

HTH
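The reading of the log above (which entries are a network missing from the filter, which are routing-protocol multicast, which are a source that simply has no permit entry) can be automated so the same triage runs over a whole buffer instead of line by line. The following is an added example written for this thread, not a poster's script: it parses the `%SEC-6-IPACCESSLOGP` lines that `deny ip any any log` writes, collapses them into flows, and annotates each flow. `SAMPLE_LOG` is the buffer posted earlier in the thread, truncated first line included; `SERVICES` and the 10.81.0.0/24 "permitted destination" are assumptions that mirror the first line of the posted ACL 100.

```python
# Added example (not from the thread): parse the %SEC-6-IPACCESSLOGP lines that
# 'deny ip any any log' writes, aggregate them into flows and annotate each one
# the way the reply above did by hand. SAMPLE_LOG is the buffer posted earlier.
import ipaddress
import re
from collections import Counter
from typing import List, Tuple

SAMPLE_LOG = """\
Log Buffer (4096 bytes):
2) -> 10.81.0.2(513), 1 packet
1w1d: %SEC-6-IPACCESSLOGP: list 100 denied tcp 10.0.0.1(828) -> 10.81.0.2(513), 1 packet
1w1d: %SEC-6-IPACCESSLOGP: list 100 denied tcp 10.0.0.1(821) -> 10.81.0.2(513), 9 packets
1w1d: %SEC-6-IPACCESSLOGP: list 100 denied tcp 10.0.0.1(863) -> 10.81.0.2(513), 1 packet
1w1d: %SEC-6-IPACCESSLOGP: list 100 denied tcp 10.0.0.1(829) -> 10.81.0.2(513), 1 packet
1w1d: %SEC-6-IPACCESSLOGP: list 100 denied udp 10.0.0.1(53) -> 10.81.2.66(1030), 1 packet
1w1d: %SEC-6-IPACCESSLOGRL: access-list logging rate-limited or missed 8 packets
1w1d: %SEC-6-IPACCESSLOGP: list 100 denied tcp 10.0.0.1(823) -> 10.81.0.2(513), 8 packets
1w1d: %SEC-6-IPACCESSLOGP: list 100 denied udp 172.16.51.2(520) -> 224.0.0.9(520), 11 packets
1w1d: %SEC-6-IPACCESSLOGP: list 100 denied tcp 10.0.0.1(822) -> 10.81.0.2(513), 9 packets
1w1d: %SEC-6-IPACCESSLOGP: list 100 denied udp 10.0.0.1(53) -> 10.81.2.66(1031), 1 packet
1w1d: %SEC-6-IPACCESSLOGP: list 100 denied tcp 10.0.0.1(830) -> 10.81.0.2(513), 1 packet
1w1d: %SEC-6-IPACCESSLOGP: list 100 denied tcp 10.0.0.1(865) -> 10.81.0.2(513), 1 packet
"""

DENY_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\d+) denied (?P<proto>\w+) "
    r"(?P<src>[\d.]+)\((?P<sport>\d+)\) -> (?P<dst>[\d.]+)\((?P<dport>\d+)\), "
    r"(?P<count>\d+) packets?")
MISSED_RE = re.compile(r"%SEC-6-IPACCESSLOGRL: .* missed (?P<n>\d+) packets")

# Ports we name (assumed list); any other port is treated as a client-side
# ephemeral port and collapsed to "*", so eight rlogin attempts from different
# client ports become one flow. rlogin clients use reserved ports below 1024,
# which is why a plain "< 1024 means service" rule would not collapse them.
SERVICES = {23: "telnet", 53: "domain", 80: "www", 513: "login", 520: "rip"}
PERMITTED_DST = ipaddress.ip_network("10.81.0.0/24")  # the only destination ACL 100 permits

Flow = Tuple[str, str, str, str, str]  # proto, src, sport, dst, dport

def parse_log(text: str) -> Tuple[Counter, int]:
    """Packet count per denied flow, plus the packets the rate-limiter reported
    as missed (those never show up as flows, so the counts are a lower bound).
    Lines that match neither pattern (header, truncated wrap-around) are skipped."""
    flows: Counter = Counter()
    missed = 0
    for line in text.splitlines():
        r = MISSED_RE.search(line)
        if r:
            missed += int(r["n"])
            continue
        m = DENY_RE.search(line)
        if m:
            key = (m["proto"], m["src"], SERVICES.get(int(m["sport"]), "*"),
                   m["dst"], SERVICES.get(int(m["dport"]), "*"))
            flows[key] += int(m["count"])
    return flows, missed

def triage(flows: Counter) -> List[Tuple[Flow, int, str]]:
    """Annotate each flow, busiest first: multicast is usually routing-protocol
    noise, a destination outside the filtered /24 cannot be fixed by adding a
    source, and the rest need a deliberate permit or should stay blocked."""
    out = []
    for flow, n in flows.most_common():
        dst = ipaddress.ip_address(flow[3])
        if dst.is_multicast:
            note = "multicast, probably a routing protocol; leave blocked unless needed"
        elif dst not in PERMITTED_DST:
            note = f"destination outside {PERMITTED_DST}; add that network or leave blocked"
        else:
            note = "destination covered but this source/protocol has no permit entry"
        out.append((flow, n, note))
    return out

if __name__ == "__main__":
    flows, missed = parse_log(SAMPLE_LOG)
    for (proto, src, sp, dst, dp), n, note in triage(flows):
        print(f"{proto} {src}:{sp} -> {dst}:{dp} {n:3d} pkts  {note}")
    print(f"{missed} packets missed by the logging rate-limiter")
```

On the posted buffer this yields three flows: 31 rlogin packets from 10.0.0.1 to 10.81.0.2 (the client application's rlogin, which the first ACL entry does not cover because the source is not 10.12.1.x), 11 RIP v2 multicast packets from 172.16.51.2, and 2 DNS replies to 10.81.2.66, a host outside the 10.81.0.0/24 the list filters for, plus 8 packets the rate-limiter never logged.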
