06-11-2003 10:36 AM - edited 03-02-2019 08:04 AM
I am trying to set up an ACL that restricts traffic coming into the network through serial 0. I am using a Cisco 1721 router with the IOS firewall feature set. When I implemented the ACL below, it blocked all traffic going out. I could not even ping out of the network. I don't see what is wrong with it. Please help me find the flaws because I am lost. Any other pointers on the ACL would be appreciated also. The IPs and subnet have been changed.
This is exactly how I typed it in....
configure terminal
access-list 101 permit tcp any any eq established
access-list 101 deny ip 92.92.92.0 0.0.0.45 any
access-list 101 permit tcp any 92.92.92.0 0.0.0.45 eq 1494
access-list 101 permit udp any 92.92.92.0 0.0.0.45 eq domain
access-list 101 permit tcp any 92.92.92.0 0.0.0.45 eq www
access-list 101 permit udp any 92.92.92.0 0.0.0.45 eq 443
access-list 101 permit tcp any 92.92.92.0 0.0.0.45 eq smtp
access-list 101 permit udp any 92.92.92.0 0.0.0.45 eq login
access-list 101 permit tcp any 92.92.92.0 0.0.0.45 eq 10000
access-list 101 permit tcp any 92.92.92.0 0.0.0.45 eq bgp
access-list 101 permit tcp any 92.92.92.5 0.0.0.45 eq 110
access-list 101 permit tcp any 92.92.92.5 0.0.0.45 eq 143
access-list 101 permit tcp any 92.92.92.0 0.0.0.45 eq 22
access-list 101 deny ip any any
end
configure terminal
interface serial 0
ip access-group 101 in
end
Thanks for any help!!!
06-11-2003 10:44 AM
Ping won't work because ping uses ICMP traffic. If you want to allow ping, then you need to add a line for ICMP and permit the traffic. (Delete the above access list and remake it with the new line added; the best app to use is Notepad, then copy and paste.)
Also, you need to remove the deny statement (2nd line) because it is not really needed, since there is a "deny ip any any" at the end of the access list. Lines 3 through 11 won't be used at all for matching TCP traffic (on the specified ports) because line 2 will deny them.
HTH
06-11-2003 11:38 AM
Hi -
Change line 2, as you already have a deny ip any any at the end of the ACL. Also, if you need ICMP, then please construct an ACL for ICMP.
HTH --
06-11-2003 11:50 AM
When the IOS processes the access list, it starts from the top to the bottom. Once it finds a match, it executes the action and ends the process there. Hence, you need to move the 2nd line, i.e.
access-list 101 deny ip 92.92.92.0 0.0.0.45 any
to the bottom of the access lists. This is because all the other packets that would have matched the permit statements below it are also matched by this line. Hence, the packet will be denied and the other statements will never be evaluated, and hence not permitted.
As a rule, try to put the more specific statements at the top and the more general ones at the bottom.
The last line is also not needed, because of the implicit deny-all property of all access lists. Though this will not affect you.
06-11-2003 01:43 PM
I took out line 2 with no resolve... so that isn't it. I posted this question on another forum and I was told to do this:
ip inspect name MYRULES tcp
ip inspect name MYRULES udp
access-list 101 permit tcp any 92.92.92.0 0.0.0.45 eq 1494
access-list 101 permit udp any 92.92.92.0 0.0.0.45 eq domain
access-list 101 permit tcp any 92.92.92.0 0.0.0.45 eq www
access-list 101 permit udp any 92.92.92.0 0.0.0.45 eq 443
access-list 101 permit tcp any 92.92.92.0 0.0.0.45 eq smtp
access-list 101 permit udp any 92.92.92.0 0.0.0.45 eq login
access-list 101 permit tcp any 92.92.92.0 0.0.0.45 eq 10000
access-list 101 permit tcp any 92.92.92.0 0.0.0.45 eq bgp
access-list 101 permit tcp any 92.92.92.5 0.0.0.45 eq 110
access-list 101 permit tcp any 92.92.92.5 0.0.0.45 eq 143
access-list 101 permit tcp any 92.92.92.0 0.0.0.45 eq 22
access-list 101 deny ip any any
configure terminal
interface serial 0
ip access-group 101 in
ip inspect MYRULES out
end
Does anyone think this might work better? I hate to keep trying during work hours and having to reload.
06-11-2003 04:21 PM
Add a log statement to each of the lines, generate traffic and see what is hitting what. If you are looking at incoming connections (my guess: from the internet to perhaps a DMZ of sorts), what the ACL is saying is that all layer 4 connections come in; what about layer 3?
Have you tested a couple of lines at a time? Try that by connecting from the outside to one of the specific ports, and keep going down the list. Verify the range is correct with your mask.
Not sure why you're testing during production hours, though. You may want to remove the access-group on the interface until you have the time to work with the config, less under pressure. Additionally, you should not have to reload the router; just unapply and re-apply the access-group. Most of the time that works.
good luck.
06-11-2003 05:56 PM
Hi there
According to my calculation, the line 92.92.92.0 0.0.0.45 states that you're permitting only devices that have IP addresses x.x.x.0-1, 4-5, 8-9, 12-13, 32-33, 36-37, 40-41 and 44-45, where x = 92. Is this what you wanted to do? Could it be the cause of your problem? Make sure that your devices are in the range specified above, for only those devices are allowed by the ACL.