Community Member

Access list help....please!!!

Hello,

Here is my situation. I have an internal network of 10.81.0.X. I have an external location of 10.12.1.X. I want to only allow access into my 10.81 network for 10.12.1.X, but still allow Web traffic from my internal network to pass. I'm not a pro with ACLs. I tried a few things but didn't have any luck. Any help would be greatly appreciated.

Tony

27 REPLIES
Community Member

Re: Access list help....please!!!

Tony,

What are you implementing acls on? 6500? 7200?

I would probably start with

ip access-list extended wwwblok
 permit tcp any any established
 permit ip 10.81.0.x (i-mask) 10.12.1.x (i-mask)
 permit ip 10.12.1.x (i-mask) 10.81.0.x (i-mask)
 permit tcp 10.81.0.x (i-mask) any eq 80

i-mask = inverted mask

subnet mask = class c (255.255.255.0)

i-mask = 0.0.0.255

lemme know how this turns out

-Bo

Community Member

Re: Access list help....please!!!

Sorry for the delay. I'm trying to use ACLs on a 1721. I didn't get a chance to try what you suggest. Thanks for the help.

Tony

Community Member

Re: Access list help....please!!!

What do you have now? The access list is one way through the interface, so it should not affect both incoming and outgoing traffic. The following will allow the traffic between the two sites.

access-list 100 permit ip 10.12.1.0 0.0.0.255 10.81.0.0 0.0.0.255

The following command needs to be added to the outside interface.

ip access-group 100 in

Community Member

Re: Access list help....please!!!

I tried what you suggest. And I'm pretty sure that's what I tried before. But still no luck. I am still blocked from using the internet from the 10.81 network. That's the location that I'm at. When you say "outside interface", you're referring to the Serial interface...correct?

Tony

Bronze

Re: Access list help....please!!!

Assuming you have /24 for your networks:

access-list 100 permit ip 10.81.0.0 0.0.0.255 10.12.1.0 0.0.0.255

access-list 100 permit tcp 10.81.0.0 0.0.0.255 any eq www

access-list 100 deny ip any any ---> OPTIONAL (for viewing)

(Remember that there's an implicit DENY at the end of the ACL)

You can apply the ACL on the router's interface where your 10.81.0.0 network is located. For example:

interface Ethernet0

ip access-group 100 in

The ACL above allows ONLY the following:

- Any traffic from 10.81.0.0/24 (Source) to 10.12.1.0/24 (Destination)

- Web traffic from 10.81.0.0/24 (Source) to any destination

(With the assumption that Web traffic will be provided by a different network)

Hope this info helps.
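The semantics this ACL relies on (wildcard masks, top-down first match, the implicit deny at the end) can be checked offline before touching the router. The Python script below is an added example, not code from the thread or from Cisco; it parses the two-line ACL 100 from this reply and evaluates constructed packets against it, showing which traffic from 10.81.0.0/24 gets through and what silently hits the implicit deny. The names Packet, parse_ace and evaluate, and the documentation address 198.51.100.7 used as a stand-in Internet host, are this example's own.

```python
"""Toy evaluator for Cisco IOS numbered extended ACLs.

Added example, not code from the thread. It models what the reply above
relies on: wildcard (inverted) masks, top-down first match and the implicit
deny at the end. Packet, parse_ace and evaluate are this example's own names,
not IOS commands; the packets in demo() are constructed.
"""
import ipaddress
from dataclasses import dataclass

PORT_NAMES = {"www": 80, "telnet": 23, "domain": 53, "rlogin": 513}
ANY = ("0.0.0.0", "255.255.255.255")   # 'any' == network 0.0.0.0, wildcard all ones


@dataclass(frozen=True)
class Packet:
    proto: str                 # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: int = 0
    established: bool = False  # TCP segment with ACK or RST set


def wildcard_match(addr, network, wildcard):
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    a, n = int(ipaddress.IPv4Address(addr)), int(ipaddress.IPv4Address(network))
    return (a & care) == (n & care)


def _parse_addr(t, i):
    """Address spec at t[i]: 'any', 'host A' or 'A WILDCARD'; returns ((net, wc), next i)."""
    if t[i] == "any":
        return ANY, i + 1
    if t[i] == "host":
        return (t[i + 1], "0.0.0.0"), i + 2
    return (t[i], t[i + 1]), i + 2


def parse_ace(line):
    """Parse 'access-list N permit|deny PROTO SRC DST [eq PORT] [established] [log]' into a dict."""
    t = line.split()
    if len(t) < 6 or t[0] != "access-list":
        raise ValueError(f"not an extended access-list entry: {line!r}")
    src, i = _parse_addr(t, 4)
    dst, i = _parse_addr(t, i)
    dport = None
    if i < len(t) and t[i] == "eq":            # port by name (PORT_NAMES) or number
        dport = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
        i += 2
    flags = set(t[i:])
    return {"action": t[2], "proto": t[3], "src": src, "dst": dst, "dport": dport,
            "established": "established" in flags, "log": "log" in flags, "text": line}


def ace_matches(ace, pkt):
    if ace["proto"] != "ip" and ace["proto"] != pkt.proto:
        return False
    if not (wildcard_match(pkt.src, *ace["src"]) and wildcard_match(pkt.dst, *ace["dst"])):
        return False
    if ace["dport"] is not None and ace["dport"] != pkt.dport:
        return False
    return pkt.established or not ace["established"]


def evaluate(acl, pkt):
    """Top-down, first match wins; a packet matching no entry hits the implicit deny."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace["action"], ace["text"]
    return "deny", "implicit deny at end of ACL"


# ACL 100 from the reply above, applied 'in' on the LAN interface, so every
# packet it sees is sourced from 10.81.0.0/24.
ACL_100 = [parse_ace(ln) for ln in """
access-list 100 permit ip 10.81.0.0 0.0.0.255 10.12.1.0 0.0.0.255
access-list 100 permit tcp 10.81.0.0 0.0.0.255 any eq www
""".splitlines() if ln.strip()]


def demo(acl=ACL_100):
    """Constructed packets; 198.51.100.7 is a documentation address standing in for an Internet host."""
    cases = {
        "telnet to remote site": Packet("tcp", "10.81.0.5", "10.12.1.9", dport=23),
        "web to internet": Packet("tcp", "10.81.0.5", "198.51.100.7", dport=80),
        "https to internet": Packet("tcp", "10.81.0.5", "198.51.100.7", dport=443),
        "dns to 10.0.0.1": Packet("udp", "10.81.0.5", "10.0.0.1", dport=53),
    }
    return {name: evaluate(acl, p)[0] for name, p in cases.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:24s} -> {verdict}")
```

The last two cases are the point: HTTPS and DNS to 10.0.0.1 never match a permit entry, so they fall through to the implicit deny even though nothing in the ACL mentions them. Adding a `deny ip any any log` entry at the end makes those drops visible in the log instead of silent.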

Community Member

Re: Access list help....please!!!

I'm getting closer.... This helped. But here is what I'm getting now. On the 10.12 network users use client software that uses telnet (to a unix server). This was still not working. Also telnet wasn't working from the 10.81 side. WWW traffic was working fine. Thanks for all the help...

Tony

Community Member

Re: Access list help....please!!!

Can you paste a copy of your access list. The Access-list permit IP statement between those two networks should allow all IP traffic including telnet.

Bronze

Re: Access list help....please!!!

So the problem you now have is the telnet access.

For isolation purposes, you could verify if it is working without the ACLs, then re-apply the ACL to make sure that it is causing the problem. (It would be better to remove all ACLs first, if possible.)

You mentioned that telnet isn't working from the 10.81.0.0 side. Are there any other devices between the 10.81.0.0 and the 10.12.1.0 networks? If there are, you can check if there are existing policies or filters.

Community Member

Re: Access list help....please!!!

Just to let you know, everything is working fine without the ACLs in the config. Telnet is not working from the 10.12 network. There is a firewall between the 2 networks that is working fine without any ACLs in there. The config I used was exactly the one that you gave me. The other user mentioned that the Access-list permit IP statement between those two networks should allow all IP traffic including telnet.

Community Member

Re: Access list help....please!!!

That is true for the one access-list with the permit ip statement. Are there any other devices that may be filtering the traffic besides the PIX? Also, is there a line blocking telnet traffic higher up in the access-list? When a PIX processes the access list, if it makes a match it drops the packet without processing the rest of the access-list. Placement of the access-list lines is very important.

Community Member

Re: Access list help....please!!!

Just to clear things up. There is no PIX involved here. They have a firewall at their end. I believe it's Raptor. I don't think there is any other access list involved. Without any ACL at my end (10.81), things work fine from the 10.12 network.

Community Member

Re: Access list help....please!!!

Can you paste a copy of the access-list? If removing the access-list resolves the problem, there should be something in the access-list that is causing the telnet to fail.

Community Member

Re: Access list help....please!!!

interface FastEthernet0

ip access-group 100 in

access-list 100 permit ip 10.81.0.0 0.0.0.255 10.12.1.0 0.0.0.255

access-list 100 permit tcp 10.81.0.0 0.0.0.255 any eq www

Community Member

Re: Access list help....please!!!

That should allow telnet from 10.81.0.0 to 10.12.1.0. If this is the only access-list, then telnet should work, but try this access list, just to see what happens.

access-list 100 permit ip 10.81.0.0 0.0.0.255 10.12.1.0 0.0.0.255

access-list 100 permit ip 10.12.1.0 0.0.0.255 10.81.0.0 0.0.0.255

access-list 100 permit tcp 10.81.0.0 0.0.0.255 any eq www

It should have to have both directions in the access-list, but I want to see if it changes anything.

Community Member

Re: Access list help....please!!!

The problem is I need to allow telnet from the 10.12 network to the 10.81 network, and vice versa. That is what's not working. The ACL for the internet worked fine. I didn't try the ACL you mentioned yet. I will let you know. Thanks

Community Member

Re: Access list help....please!!!

I applied this ACL. Here is where it's at. Internet works from the 10.81 side. Telnet does not work from the 10.81 side. Also the app that is run on the 10.12 side still doesn't work. I looked into the client application. It looks like it uses telnet and rlogin.

Community Member

Re: Access list help....please!!!

It may be something with the rlogin. Have you tried testing telnet without that client to see if it works? What client application is it? It may use another protocol besides IP (like GRE) that has to be opened also. An example of this would be an access list for Windows VPN. Not only do you need to open up the port for the VPN connection, you have to allow the GRE protocol by adding "access-list permit gre any any" to the access list. It could be a situation like that causing the problem, because the ACL you are using should allow all IP traffic between those networks.

Community Member

Re: Access list help....please!!!

This may assist you with determining which traffic is being denied that you want to let through.

In an early post a.manosca mentioned using an explicit deny statement. I have used this in the past to determine what was actually the problem

access-list 100 deny ip any any log

Add this statement to the end of your access list. Make sure you have logging buffered turned on. Check your log for your denies. Determine what port and addresses need to be added. Add those to the appropriate location in the access list. Be aware, if the rule logs a tremendous number of entries, it could impact performance of the router. You can also offload the log file to a syslog server with the proper configuration.

HTH

Once you have successfully connected all applications, remove the log part of the entry or the whole explicit deny statement.

Community Member

Re: Access list help....please!!!

I tried what you suggested. Turned on logging and had the user from the 10.12 network try and access the server on my end (10.81). Nothing shows in the log from the 10.12 side. However, I do have access denied udp and tcp from my side trying to access the internet. One question I have is: where should I be applying the access-list? Do I apply it on the Ethernet port (10.81), or on the Serial interface where 10.12 comes in? When I can I will post a portion of the log...

Community Member

Re: Access list help....please!!!

I also noticed that I get a lot of denials from our DNS at 10.0.0.1. Does this need to be in the ACL also?

Community Member

Re: Access list help....please!!!

A couple points to clarify,

The serial port that the 10.12.1.0 network is out of, are there any other networks out that interface?

I assume your Internet connection is out some other serial port/router?

Do the clients on the 10.12.1.0 network require name resolution to access the applications/hosts on the 10.81.0.0 network?

If DNS is required, and on a different network, you need to allow that access.

If there are no other networks out the serial port for 10.12.1.0, you may consider an ACL that only controls destination traffic for the serial interface.

Create that ACL and apply only to the Serial port.

By putting the access list on the serial port, you control the ingress into your network. You may still require ACLs on other interfaces, but it can be simpler and easier to support if your ACL has a main function associated with a specific source network rather than a very large do-everything ACL. ACLs tend to grow very quickly over time and very rarely get cleaned up like they should. (enough soap box)

interface serial 1/0 (not sure if this is your exact port)

ip access-group 100 in

access-list 100 permit ip 10.12.1.0 0.0.0.255 10.81.0.0 0.0.0.255

*** allows all traffic with source address 10.12.1.x to 10.81.0.x ***

access-list 100 permit tcp 10.12.1.0 0.0.0.255 10.0.0.1 0.0.0.0 eq 53

*** allows clients/hosts on 10.12.1.0 access to the DNS server ***

access-list 100 deny ip any any log

*** explicitly denies all other traffic and logs the denial ***

By installing the access list on the incoming serial port, you do not impact your 10.81.0.0 local traffic from accessing any services. If you need to control what 10.81.0.0 access, apply a different ACL to the local LAN interface.

HTH

Community Member

Re: Access list help....please!!!

1.) The internet connection for 10.81 is out the same serial that the 10.12 network comes in on.

2.) No. The clients from 10.12 do not require name resolution to access the 10.81 side.

3.) The DNS is located at 10.0.0.1 which is located at the 10.12 location.

Hope this helps. Thanks everyone for all this help.

Tony

Community Member

Re: Access list help....please!!!

Tony,

is the 10.81.0.0 network the only network address on your internal net?

The reason I ask is that it helps to determine where you would apply your access list. If you have other networks, placing the ACL on the serial link will require entries for each network, due to the implicit deny, if you require outside inbound communications with these networks.

Applying the ACL on the ethernet interface allows 10.12.1.0 access to all other routes on the router since the ACL is not enforced until the traffic hits the LAN interface. So if you had multiple LAN interfaces, having the ACL on one LAN only impacts traffic to or from that interface.

With these considerations, you have other networks that 10.81.0.0 must communicate with, ie 10.0.0.1(DNS server) is being blocked by your current configuration.

A complete map of resources would help to document where your traffic must flow. It will assist you in building the simplest ACLs possible while making your network as secure as you would like it to be, short of installing a firewall.

One more note: when you see items that you are not sure about, maybe the 'rlogin' denial, don't jump to open traffic up for the denial. I was amazed at how much snooping, probing and downright hacking was taking place on the first network where I installed ACLs. Investigate the denied access and only open as needed.

I know a lot of my reply is very generic, but without the complete map of your network, I feel I can only point you in the right direction(hopefully) to solving your problem.

Community Member

Re: Access list help....please!!!

I really appreciate the help. I know without a map things are fuzzy.

Here is the ACL that I applied to s0.

access-list 100 permit ip 10.12.1.0 0.0.0.255 10.81.0.0 0.0.0.255

access-list 100 permit tcp 10.81.0.0 0.0.255.255 host 10.0.0.1 eq domain

access-list 100 deny ip any any log

NOTE:

The ACL entry: access-list 100 permit tcp 10.81.0.0 0.0.255.255 host 10.0.0.1 eq domain

I had changed what you told me because the 10.81 side needs to get to this DNS. I hope I was right there. Also, applying this ACL didn't allow anything from 10.81 and didn't allow anyone from 10.12 in.

Below is a piece of the log file:

Log Buffer (4096 bytes):

2) -> 10.81.0.2(513), 1 packet

1w1d: %SEC-6-IPACCESSLOGP: list 100 denied tcp 10.0.0.1(828) -> 10.81.0.2(513), 1 packet

1w1d: %SEC-6-IPACCESSLOGP: list 100 denied tcp 10.0.0.1(821) -> 10.81.0.2(513), 9 packets

1w1d: %SEC-6-IPACCESSLOGP: list 100 denied tcp 10.0.0.1(863) -> 10.81.0.2(513), 1 packet

1w1d: %SEC-6-IPACCESSLOGP: list 100 denied tcp 10.0.0.1(829) -> 10.81.0.2(513), 1 packet

1w1d: %SEC-6-IPACCESSLOGP: list 100 denied udp 10.0.0.1(53) -> 10.81.2.66(1030), 1 packet

1w1d: %SEC-6-IPACCESSLOGRL: access-list logging rate-limited or missed 8 packets

1w1d: %SEC-6-IPACCESSLOGP: list 100 denied tcp 10.0.0.1(823) -> 10.81.0.2(513), 8 packets

1w1d: %SEC-6-IPACCESSLOGP: list 100 denied udp 172.16.51.2(520) -> 224.0.0.9(520), 11 packets

1w1d: %SEC-6-IPACCESSLOGP: list 100 denied tcp 10.0.0.1(822) -> 10.81.0.2(513), 9 packets

1w1d: %SEC-6-IPACCESSLOGP: list 100 denied udp 10.0.0.1(53) -> 10.81.2.66(1031), 1 packet

1w1d: %SEC-6-IPACCESSLOGP: list 100 denied tcp 10.0.0.1(830) -> 10.81.0.2(513), 1 packet

1w1d: %SEC-6-IPACCESSLOGP: list 100 denied tcp 10.0.0.1(865) -> 10.81.0.2(513), 1 packet

Community Member

Re: Access list help....please!!!

Tony,

Here is what I see, assuming that this ACL is applied to the serial interface inbound traffic

interface s0

ip access-group 100 in

access-list 100 permit ip 10.12.1.0 0.0.0.255 10.81.0.0 0.0.0.255

*** allows source network 10.12.1.0/24 access to the destination network 10.81.0.0/24 with no port restrictions, this should be working fine ***

access-list 100 permit tcp 10.81.0.0 0.0.255.255 host 10.0.0.1 eq domain

*** allows source network 10.81.0.0/24 inbound access to the 10.0.0.1 host for the DNS only, you should remove this, because it is applied in the wrong direction. ***

access-list 100 permit tcp 10.0.0.1 0.0.0.0 10.81.0.0 0.0.0.255

*** this one will allow the source 10.0.0.1 host to access the destination 10.81.0.0/24 network; if this host is trusted, you may or may not want to limit it to DNS only ***

access-list 100 deny ip any any log

*** just for logging and debugging purposes ***

Since you do not have any ACL applied to the outbound traffic, 10.81.0.0 can go anywhere they want. The thing you will have to watch is that you may require the following if you have trouble with established connections with other networks out your serial interface. I believe it would be at the top of the ACL.

access-list 100 permit tcp any 10.81.0.0 0.0.0.255 established

*** This would allow already established TCP connections between remote hosts and a host on the 10.81.0.0/24 network ***

With the above configuration, you will only allow 10.12.1.0/24 and 10.0.0.1/32 to initiate a connection from outside your network to 10.81.0.0/24. For any other remote site, you will need to add an entry in the ACL for that specific network or host. If you need more granularity, you can start to add entries that define which ports/protocols are allowed.

HTH

Community Member

Re: Access list help....please!!!

tried this with no luck. So I dug deeper and asked the other network and admin some questions. This is what I have put together.

There is a router at the 10.0 side. The Serial ip that points to the internet is 204.60.231.42. The ether ip is 204.60.106.1 which routes traffic to the firewall. The firewall then routes it out 10.0.0.1, which then goes to another router 10.0.0.20. This router sends it to the 10.81 network.

The 10.12.1 network is connected by fiber to another port on the firewall which sends it out 10.0.0.1 then also to the 10.81 network.

I hope this can help me solve this.

Tony

Community Member

Re: Access list help....please!!!

Tony,

by looking at the log that you posted, it appears that you have other networks connected or downstream of your local router that you are applying the ACL's to.

Log Buffer (4096 bytes):

2) -> 10.81.0.2(513), 1 packet

1w1d: %SEC-6-IPACCESSLOGP: list 100 denied tcp 10.0.0.1(828) -> 10.81.0.2(513), 1 packet

1w1d: %SEC-6-IPACCESSLOGP: list 100 denied tcp 10.0.0.1(821) -> 10.81.0.2(513), 9 packets

1w1d: %SEC-6-IPACCESSLOGP: list 100 denied tcp 10.0.0.1(863) -> 10.81.0.2(513), 1 packet

1w1d: %SEC-6-IPACCESSLOGP: list 100 denied tcp 10.0.0.1(829) -> 10.81.0.2(513), 1 packet

1w1d: %SEC-6-IPACCESSLOGP: list 100 denied udp 10.0.0.1(53) -> 10.81.2.66(1030), 1 packet

*** The above entry shows that a 10.81.2.x network has a route originating from this side of the filter. If this access is required, you need to add that network also. ***

1w1d: %SEC-6-IPACCESSLOGRL: access-list logging rate-limited or missed 8 packets

1w1d: %SEC-6-IPACCESSLOGP: list 100 denied tcp 10.0.0.1(823) -> 10.81.0.2(513), 8 packets

1w1d: %SEC-6-IPACCESSLOGP: list 100 denied udp 172.16.51.2(520) -> 224.0.0.9(520), 11 packets

*** This looks like a RIP V2 multicast, do you require that from the 172.16.51.2 host/router? ***

1w1d: %SEC-6-IPACCESSLOGP: list 100 denied tcp 10.0.0.1(822) -> 10.81.0.2(513), 9 packets

1w1d: %SEC-6-IPACCESSLOGP: list 100 denied udp 10.0.0.1(53) -> 10.81.2.66(1031), 1 packet

*** Again, another denied packet with destination for a network that is not in your filter. ***

1w1d: %SEC-6-IPACCESSLOGP: list 100 denied tcp 10.0.0.1(830) -> 10.81.0.2(513), 1 packet

1w1d: %SEC-6-IPACCESSLOGP: list 100 denied tcp 10.0.0.1(865) -> 10.81.0.2(513), 1 packet

There is another track you can take, if your only concern is the 10.12.1.0 network access. Restrict the 10.12.1.0 and allow everything else.

Since you have a firewall, do you need to worry about other networks?

interface serial0

ip access-group 100 in

access-list 100 permit ip 10.12.1.0 0.0.0.255 10.81.0.0 0.0.0.255

*** will allow 10.12.1.0/24 access to all of the 10.81.0.0/24 network ***

access-list 100 deny ip 10.12.1.0 0.0.0.255 any

*** Will deny 10.12.1.0/24 access to any other network behind this router ***

access-list 100 permit ip any any

*** will allow all other traffic into this network ***

HTH
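As an added example (not code from the thread or from Cisco), here is a Python script that parses the %SEC-6-IPACCESSLOGP lines Tony posted and reproduces the analysis in this reply: it groups the denied entries per flow, adds up the packet counts (noting the ones the router rate-limited out of the log), and flags flows whose source or destination is not covered by the ACL applied inbound on s0, which is how the 10.81.2.66 destination and the RIP multicast stand out. The log text is copied from the post above; the regular expressions, the function and constant names, and the permitted networks passed in are this example's own assumptions.

```python
"""Summarise %SEC-6-IPACCESSLOGP deny entries from an IOS logging buffer.

Added example, not code from the thread. It parses the log Tony posted and
reproduces the reply's analysis: group the denied flows, then flag those whose
source or destination is not covered by ACL 100 as applied inbound on serial0
(permitted source 10.12.1.0/24, destination 10.81.0.0/24). The function and
constant names are this example's own.
"""
import ipaddress
import re

LOG_RE = re.compile(                      # one line per logged ACE match (IOS format)
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\w+) (?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<count>\d+) packets?")
RL_RE = re.compile(r"%SEC-6-IPACCESSLOGRL: .* (\d+) packets")   # packets never itemised
SERVICE_NAMES = {23: "telnet", 53: "domain", 80: "www", 513: "rlogin", 520: "rip"}

# Copied from Tony's post, truncated first line included, to show the parser skipping it.
SAMPLE_LOG = """\
Log Buffer (4096 bytes):
2) -> 10.81.0.2(513), 1 packet
1w1d: %SEC-6-IPACCESSLOGP: list 100 denied tcp 10.0.0.1(828) -> 10.81.0.2(513), 1 packet
1w1d: %SEC-6-IPACCESSLOGP: list 100 denied tcp 10.0.0.1(821) -> 10.81.0.2(513), 9 packets
1w1d: %SEC-6-IPACCESSLOGP: list 100 denied tcp 10.0.0.1(863) -> 10.81.0.2(513), 1 packet
1w1d: %SEC-6-IPACCESSLOGP: list 100 denied tcp 10.0.0.1(829) -> 10.81.0.2(513), 1 packet
1w1d: %SEC-6-IPACCESSLOGP: list 100 denied udp 10.0.0.1(53) -> 10.81.2.66(1030), 1 packet
1w1d: %SEC-6-IPACCESSLOGRL: access-list logging rate-limited or missed 8 packets
1w1d: %SEC-6-IPACCESSLOGP: list 100 denied tcp 10.0.0.1(823) -> 10.81.0.2(513), 8 packets
1w1d: %SEC-6-IPACCESSLOGP: list 100 denied udp 172.16.51.2(520) -> 224.0.0.9(520), 11 packets
1w1d: %SEC-6-IPACCESSLOGP: list 100 denied tcp 10.0.0.1(822) -> 10.81.0.2(513), 9 packets
1w1d: %SEC-6-IPACCESSLOGP: list 100 denied udp 10.0.0.1(53) -> 10.81.2.66(1031), 1 packet
1w1d: %SEC-6-IPACCESSLOGP: list 100 denied tcp 10.0.0.1(830) -> 10.81.0.2(513), 1 packet
1w1d: %SEC-6-IPACCESSLOGP: list 100 denied tcp 10.0.0.1(865) -> 10.81.0.2(513), 1 packet
"""


def parse_log(text):
    """Return (entries, missed): parsed per-flow lines and the rate-limited packet total."""
    entries, missed = [], 0
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            e = m.groupdict()
            e.update({k: int(e[k]) for k in ("sport", "dport", "count")})
            entries.append(e)
        elif RL_RE.search(line):
            missed += int(RL_RE.search(line).group(1))
    return entries, missed


def service_of(e):
    """Name by destination port, or by source port for replies from a well-known port."""
    if e["dport"] < 1024 or e["sport"] >= 1024:
        return SERVICE_NAMES.get(e["dport"], str(e["dport"]))
    return SERVICE_NAMES.get(e["sport"], str(e["sport"])) + " (reply)"


def reasons_for(src, dst, src_nets, dst_nets):
    """Why a denied flow could not have matched the permit entries."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    out = []
    if not any(s in n for n in src_nets):
        out.append("source not in a permitted source network")
    if not any(d in n for n in dst_nets):
        out.append("destination outside the filtered network")
    if d.is_multicast:
        out.append("multicast destination (routing protocol?)")
    return out


def summarize(entries, permitted_src=("10.12.1.0/24",), permitted_dst=("10.81.0.0/24",)):
    """Aggregate denied entries by (proto, src, dst, service), totalling packets."""
    src_nets = [ipaddress.ip_network(n) for n in permitted_src]
    dst_nets = [ipaddress.ip_network(n) for n in permitted_dst]
    flows = {}
    for e in entries:
        if e["action"] == "denied":
            key = (e["proto"], e["src"], e["dst"], service_of(e))
            f = flows.setdefault(key, {"packets": 0, "reasons": reasons_for(e["src"], e["dst"], src_nets, dst_nets)})
            f["packets"] += e["count"]
    return flows


def report(text):
    entries, missed = parse_log(text)
    lines = [f"{p} {s} -> {d} [{svc}]: {f['packets']} packets; " + "; ".join(f["reasons"])
             for (p, s, d, svc), f in sorted(summarize(entries).items())]
    return lines + [f"{missed} packets rate-limited out of the log"]


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

Run as a script it prints one line per denied flow; the same approach applies to a syslog export once the log is offloaded as suggested earlier in the thread. The reasons column is what to act on: a source outside the permitted network (10.0.0.1 here) needs a deliberate decision about whether to add it, as the reply above says, rather than an automatic permit.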
