11-26-2002 05:14 AM - edited 03-02-2019 03:10 AM
Can anyone give me an idea why this config is not blocking the incoming NNTP port and UDP ports? We can still download newsgroups even after adding deny lines. We would like to block all UDP if possible. Static IPs were added for the web server.
Thanks ahead. Good holidays.
Router3640#show run
Building configuration...
Current configuration : 1769 bytes
!
version 12.1
no service single-slot-reload-enable
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Router3640
!
logging rate-limit console 10
enable secret 5 $1$.Nkz$gUmVm3La1a6lbJZ1JscLo0
!
!
!
ip subnet-zero
!
!
no ip finger
ip dhcp excluded-address 10.0.0.1
!
ip dhcp pool cisco3640
network 10.0.0.0 255.0.0.0
default-router 10.0.0.1
dns-server 206.196.128.1 204.147.80.5
!
no ip dhcp-client network-discovery
no mgcp timer receive-rtcp
call rsvp-sync
!
!
!
!
!
!
!
!
!
interface FastEthernet0/0
ip address 10.0.0.1 255.0.0.0
ip nat inside
no ip mroute-cache
duplex auto
speed auto
!
interface ATM0/1
no ip address
no ip mroute-cache
atm vc-per-vp 256
no atm ilmi-keepalive
pvc 0/32
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
dsl operating-mode auto
no fair-queue
hold-queue 224 in
!
interface Dialer0
ip address 63.231.77.134 255.255.255.248
ip nat outside
encapsulation ppp
dialer pool 1
dialer-group 1
ppp pap sent-username xxxxxpassword xxxxxxx
!
interface Dialer101
no ip address
no cdp enable
!
ip nat inside source list 101 interface Dialer0 overload
ip nat inside source static 10.0.0.2 63.231.77.129
ip nat inside source static 10.0.0.3 63.231.77.130
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
no ip http server
!
no logging trap
access-list 101 permit ip 10.0.0.0 0.255.255.255 any
access-list 101 deny tcp any eq nntp any
access-list 101 deny udp any eq 1075 any
access-list 101 deny udp any eq 1028 any
dialer-list 1 protocol ip permit
!
!
!
dial-peer cor custom
!
!
!
!
line con 0
transport input none
line aux 0
line vty 0 4
no exec
exec-timeout 0 1
password qwest
login
transport input none
!
end
11-26-2002 07:38 AM
First you need to make ACL 101 two separate lists.
Ex.
ACL 101 for NAT
access-list 101 permit ip 10.0.0.0 0.255.255.255 any
ACL 102 for blocking udp and nntp
access-list 102 deny tcp any eq nntp any
access-list 102 deny udp any eq 1075 any
access-list 102 deny udp any eq 1028 any
access-list 102 permit ip any any
Then you need to apply ACL 102 inbound to your outside interface.
Ex.
access-group 102 in
Hope this helps
11-26-2002 08:02 AM
"access-list 101 permit ip 10.0.0.0 0.255.255.255 any
access-list 101 deny tcp any eq nntp any
access-list 101 deny udp any eq 1075 any
access-list 101 deny udp any eq 1028 any
dialer-list 1 protocol ip permit "
Also, wouldn't this allow all traffic with the source 10.x.x.x/24 address? Access lists go from top to bottom and when finding a match, exit the access list, thus never seeing the denies... maybe put your deny statements first.
11-27-2002 05:15 AM
Made some changes to the config, created another dialer 102 and applied access-list 102 with ip access-group 102 in, but I am still able to download newsgroups from a news server and am not blocking all ports for UDP traffic.
new config:
Router3640>enable
Password:
Router3640#show run
Building configuration...
Current configuration : 1818 bytes
!
version 12.1
no service single-slot-reload-enable
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Router3640
!
logging rate-limit console 10
enable secret 5 $1$.Nkz$gUmVm3La1a6lbJZ1JscLo0
!
!
!
ip subnet-zero
!
!
no ip finger
ip dhcp excluded-address 10.0.0.1
!
ip dhcp pool cisco3640
network 10.0.0.0 255.0.0.0
default-router 10.0.0.1
dns-server 206.196.128.1 204.147.80.5
!
no ip dhcp-client network-discovery
no mgcp timer receive-rtcp
call rsvp-sync
!
!
!
!
!
!
!
!
!
interface FastEthernet0/0
ip address 10.0.0.1 255.0.0.0
ip nat inside
no ip mroute-cache
duplex auto
speed auto
!
interface ATM0/1
no ip address
no ip mroute-cache
atm vc-per-vp 256
no atm ilmi-keepalive
pvc 0/32
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
dsl operating-mode auto
no fair-queue
hold-queue 224 in
!
interface Dialer0
ip address 63.231.77.134 255.255.255.248
ip nat outside
encapsulation ppp
dialer pool 1
dialer-group 1
ppp pap sent-username wlamor password 7 120A0B16190E1F5678
!
interface Dialer101
no ip address
ip access-group 102 in
no cdp enable
!
interface Dialer102
no ip address
ip access-group 102 in
no cdp enable
!
ip nat inside source list 101 interface Dialer0 overload
ip nat inside source static 10.0.0.2 63.231.77.129
ip nat inside source static 10.0.0.3 63.231.77.130
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
no ip http server
!
no logging trap
access-list 101 permit ip 10.0.0.0 0.255.255.255 any
access-list 102 deny tcp any eq nntp any
access-list 102 deny udp any any
dialer-list 1 protocol ip permit
!
!
!
dial-peer cor custom
!
!
!
!
line con 0
transport input none
line aux 0
line vty 0 4
no exec
exec-timeout 0 1
password qwest
login
transport input none
!
end
Router3640# config t
Enter configuration commands, one per line. End with CNTL/Z.
Router3640(config)#int dialer 102
Router3640(config-if)#ip access-group 102 in
Router3640(config-if)#ip access-group 102 out
Router3640(config-if)#^Z
Router3640#
3d15h: %SYS-5-CONFIG_I: Configured from console by console
Router3640#copy run star
Destination filename [startup-config]?
Building configuration...
[OK]
Router3640#show run
Building configuration...
Current configuration : 1843 bytes
!
version 12.1
no service single-slot-reload-enable
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Router3640
!
logging rate-limit console 10
enable secret 5 $1$.Nkz$gUmVm3La1a6lbJZ1JscLo0
!
!
!
ip subnet-zero
!
!
no ip finger
ip dhcp excluded-address 10.0.0.1
!
ip dhcp pool cisco3640
network 10.0.0.0 255.0.0.0
default-router 10.0.0.1
dns-server 206.196.128.1 204.147.80.5
!
no ip dhcp-client network-discovery
no mgcp timer receive-rtcp
call rsvp-sync
!
!
!
!
!
!
!
!
!
interface FastEthernet0/0
ip address 10.0.0.1 255.0.0.0
ip nat inside
no ip mroute-cache
duplex auto
speed auto
!
interface ATM0/1
no ip address
no ip mroute-cache
atm vc-per-vp 256
no atm ilmi-keepalive
pvc 0/32
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
dsl operating-mode auto
no fair-queue
hold-queue 224 in
!
interface Dialer0
ip address 63.231.77.134 255.255.255.248
ip nat outside
encapsulation ppp
dialer pool 1
dialer-group 1
ppp pap sent-username wlamor password 7 120A0B16190E1F5678
!
interface Dialer101
no ip address
ip access-group 102 in
no cdp enable
!
interface Dialer102
no ip address
ip access-group 102 in
ip access-group 102 out
no cdp enable
!
ip nat inside source list 101 interface Dialer0 overload
ip nat inside source static 10.0.0.2 63.231.77.129
ip nat inside source static 10.0.0.3 63.231.77.130
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
no ip http server
!
no logging trap
access-list 101 permit ip 10.0.0.0 0.255.255.255 any
access-list 102 deny tcp any eq nntp any
access-list 102 deny udp any any
dialer-list 1 protocol ip permit
!
!
!
dial-peer cor custom
!
!
!
!
line con 0
transport input none
line aux 0
line vty 0 4
no exec
exec-timeout 0 1
password qwest
login
transport input none
!
end
11-27-2002 08:59 AM
I think you might need to apply the ACL 102 to dialer0 interface although I am not sure exactly what your network layout is. Also on ACL 102 you will want to add "access-list 102 permit ip any any" to the end of the list because ACLs automatically append a deny all statement to the end.
11-27-2002 06:53 PM
Thanks so much, the following seems to be working.
Blocks news groups downloading
Blocks UDP on some ports (I'm not sure it is necessary now to block the UDP ports to secure the router. It doesn't appear that it hurts to leave them open.)
config:
Router3640#copy startup-config tftp
Address or name of remote host []? 10.0.0.3
Destination filename [router3640-confg]? pppoastatic
!!
1961 bytes copied in 0.180 secs
Router3640#show run
Building configuration...
Current configuration : 1961 bytes
!
version 12.1
no service single-slot-reload-enable
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Router3640
!
logging rate-limit console 10
enable secret 5 $1$.Nkz$gUmVm3La1a6lbJZ1JscLo0
!
!
!
ip subnet-zero
!
!
no ip finger
ip dhcp excluded-address 10.0.0.1
!
ip dhcp pool cisco3640
network 10.0.0.0 255.0.0.0
default-router 10.0.0.1
dns-server 206.196.128.1 204.147.80.5
!
no ip dhcp-client network-discovery
no mgcp timer receive-rtcp
call rsvp-sync
!
!
!
!
!
!
!
!
!
interface FastEthernet0/0
ip address 10.0.0.1 255.0.0.0
ip nat inside
no ip mroute-cache
duplex auto
speed auto
!
interface ATM0/1
no ip address
no ip mroute-cache
atm vc-per-vp 256
no atm ilmi-keepalive
pvc 0/32
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
dsl operating-mode auto
no fair-queue
hold-queue 224 in
!
interface Dialer0
ip address 63.231.77.134 255.255.255.248
ip access-group 102 in
ip nat outside
encapsulation ppp
dialer pool 1
dialer-group 1
ppp pap sent-username wlamor password 7 120A0B16190E1F5678
!
interface Dialer101
no ip address
no cdp enable
!
interface Dialer102
no ip address
no cdp enable
!
ip nat inside source list 101 interface Dialer0 overload
ip nat inside source static 10.0.0.2 63.231.77.129
ip nat inside source static 10.0.0.3 63.231.77.130
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
no ip http server
!
no logging trap
access-list 101 permit ip 10.0.0.0 0.255.255.255 any
access-list 102 deny tcp any eq nntp any
access-list 102 deny udp any eq netbios-ns any
access-list 102 deny udp any eq 1075 any
access-list 102 deny udp any eq 1028 any
access-list 102 permit ip any any
dialer-list 1 protocol ip permit
dialer-list 2 protocol ip permit
!
!
!
dial-peer cor custom
!
!
!
!
line con 0
transport input none
line aux 0
line vty 0 4
no exec
exec-timeout 0 1
password qwest
login
transport input none
!
end
Router3640#
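The replies above turn on two IOS access-list rules: entries are checked top down and the first match wins, and a packet that matches no entry hits the implicit deny at the end of the list. The Python model below is an added example, not code from the thread; it replays ACL 102 as first posted (denies only) and as finally fixed (trailing permit) against constructed sample packets, and the outside addresses other than the thread's own 63.231.77.x block are assumed.

```python
import ipaddress
from collections import namedtuple

# Constructed packet model: protocol, source/destination address, source/destination port
Packet = namedtuple("Packet", "proto src dst sport dport")
NAMED_PORTS = {"nntp": 119, "netbios-ns": 137}  # IOS port names used in the thread's lists

def parse_ace(line):
    """Parse 'access-list N permit|deny PROTO SRC [eq P] DST [eq P]'; None means any."""
    tok = line.split()
    action, proto, pos = tok[2], tok[3], 4
    def take_addr():
        nonlocal pos
        if tok[pos] == "any":
            pos += 1
            return None
        addr, wildcard = tok[pos], tok[pos + 1]
        pos += 2
        mask = ".".join(str(255 - int(o)) for o in wildcard.split("."))  # wildcard -> netmask
        return ipaddress.ip_network(f"{addr}/{mask}", strict=False)
    def take_port():
        nonlocal pos
        if pos < len(tok) and tok[pos] == "eq":
            name = tok[pos + 1]
            pos += 2
            return NAMED_PORTS[name] if name in NAMED_PORTS else int(name)
        return None
    src, sport = take_addr(), take_port()  # left-to-right evaluation keeps token order
    dst, dport = take_addr(), take_port()
    return action, proto, src, sport, dst, dport

def evaluate(acl, pkt):
    """Top-down, first match wins; running off the end is IOS's implicit deny."""
    for line in acl:
        action, proto, src, sport, dst, dport = parse_ace(line)
        if proto != "ip" and proto != pkt.proto:
            continue
        if (src is not None and ipaddress.ip_address(pkt.src) not in src) or (
                dst is not None and ipaddress.ip_address(pkt.dst) not in dst):
            continue
        if (sport is not None and sport != pkt.sport) or (dport is not None and dport != pkt.dport):
            continue
        return action
    return "implicit deny"
# ACL 102 as first posted (denies only) and as finally fixed with a trailing permit
ACL_102_DENY_ONLY = ["access-list 102 deny tcp any eq nntp any", "access-list 102 deny udp any any"]
ACL_102_FINAL = ["access-list 102 deny tcp any eq nntp any", "access-list 102 deny udp any eq netbios-ns any",
                 "access-list 102 deny udp any eq 1075 any", "access-list 102 deny udp any eq 1028 any",
                 "access-list 102 permit ip any any"]
```

With the deny-only list, an inbound web request to the static-NAT server 63.231.77.129 falls off the end and is dropped by the implicit deny, which is why the third reply asks for `permit ip any any` at the end; with the final list the same request is permitted while a reply from a news server (source port 119) is still denied.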