New Member

ACL for ISDN 64k DDR query

Hello -

I am worried about my ACLs, if someone would be kind enough to have a look at them below.

Is access list 150 bypassing 101 and letting everything else in?

Is 101 set up properly to just let out 80,21,25 and 53 out?

I have set up a 1600 series 64k ISDN dial-up with the intention of just allowing one IP address out. It is a small office with a proxy and mail server on the box. I just want to allow mail, www and ftp traffic out from this box. Also, I don't want to allow pings to their IP from the internet.

I think I have achieved this but am having second thoughts about my ip access-group 150 in on the dialer int.

I know access list 150 is preventing pings responding to the router because I have tested it and viewed debug output, but is it allowing all other traffic in because of the permit ip any any after it?

Here is a copy of the config attached below.

Current configuration:
!
version 12.0
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname
!
enable secret
enable password
!
ip subnet-zero
ip domain-list
no ip domain-lookup
ip name-server
ip name-server
isdn switch-type basic-net3
!
interface Ethernet0
 description *** LAN IP Address 10.10.10.50/24***
 ip address 10.10.10.50 255.255.255.0
 no ip directed-broadcast
 ip nat inside
 no ip route-cache
 no keepalive
 no cdp enable
!
interface BRI0
 description *** 64k Link to ISP ***
 no ip address
 no ip directed-broadcast
 encapsulation ppp
 no keepalive
 dialer pool-member 10
 isdn switch-type basic-net3
 no cdp enable
!
interface Dialer1
 description *** DDR int 4 ISP ***
 bandwidth 64
 ip address
 ip access-group 150 in
 no ip directed-broadcast
 ip nat outside
 encapsulation ppp
 dialer remote-name
 dialer idle-timeout 180
 dialer string
 dialer pool 10
 dialer-group 1
 pulse-time 0
 no cdp enable
 ppp authentication chap pap callin
 ppp chap hostname xx
 ppp chap password xx
 ppp pap sent-username
!
ip nat translation timeout 1800
ip nat inside source list 1 interface Dialer1 overload
ip nat inside source static tcp xxxx extendable
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
!
! ACL 1 only selects which inside source addresses are translated (PAT) on Dialer1
access-list 1 permit 10.10.10.1
! ACL 101 is referenced only by "dialer-list 1" below, i.e. it defines interesting
! traffic for DDR; it is not applied with "ip access-group", so it filters nothing
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.0.2.0 0.0.0.255 any
access-list 101 deny ip 169.254.0.0 0.0.255.255 any
access-list 101 deny udp any range netbios-ns netbios-ss any
access-list 101 deny udp any eq netbios-ns any
access-list 101 deny udp any any eq netbios-ns
access-list 101 deny udp any any eq netbios-dgm
access-list 101 deny tcp any any eq 139
access-list 101 deny udp any any eq ntp
access-list 101 deny icmp any any echo
access-list 101 deny icmp any any
access-list 101 permit tcp host xxx(Internet IP) any established
access-list 101 permit tcp host (Internet IP) eq domain host (ISP DNS IP) eq domain
access-list 101 permit tcp host (Internet IP) eq domain host (ISP DNS IP) eq domain
access-list 101 permit tcp host (Internet IP) any eq www
access-list 101 permit tcp host (Internet IP) any eq smtp
access-list 101 permit tcp host (Internet IP) any eq ftp
access-list 101 deny tcp any range 0 65535 any range 0 65535
access-list 101 deny udp any range 0 65535 any range 0 65535
! ACL 150 is the only filter applied to Dialer1 (inbound); after the two ICMP
! denies, "permit ip any any" admits every other packet from the ISP side
access-list 150 deny icmp any any echo
access-list 150 deny icmp any any echo-reply
access-list 150 permit ip any any
dialer-list 1 protocol ip list 101
no cdp run
banner motd ^C UNAUTHORISED USE PROHIBITED ^C
!
line con 0
 exec-timeout 0 0
 password
 login
 transport input none
line vty 0 4
 password
 login
!
end

4 REPLIES
Cisco Employee

Re: ACL for ISDN 64k DDR query

Hi,

The ACL 101 is just defining the interesting traffic that will trigger the ISDN connection. It has nothing to do with blocking traffic. Whatever is defined in ACL 101 is eligible to trigger the ISDN link.

The ACL 150 is only blocking ICMP echo and echo-reply from the outside and allows everything else in.

Hope this helps,

yatin

New Member

Re: ACL for ISDN 64k DDR query

Thanks a lot. You've cleared it up for me.

I'll sort out a proper ACL for traffic in on 150 then.

Thanks again,

Gavin.

Cisco Employee

Re: ACL for ISDN 64k DDR query

Forgot to mention: after the dialer interface is up and connected, i.e. once the interesting traffic defined by ACL 101 has been triggered by the ONLY host on the inside, any other host will be able to pass traffic out as long as the interesting traffic keeps flowing and keeps the idle timer ticking.

You would want to define an additional acl that applies in the IN direction on the inside interface that would restrict the access to the internet.

Thanks,

yatin
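The two points made in the replies above (ACL 150 admits everything but ping, and a dialer-list does not filter) are easy to check by evaluating packets against the lists with IOS first-match semantics. The following is an added example written for this page, not code from the original poster or from Cisco: a small evaluator for the extended-ACL subset used in the thread, run against the posted access-list 150, an assumed tighter inbound list 151 for Dialer1, and an assumed list 160 for Ethernet0 inbound. The router's Internet address 198.51.100.2, the ISP DNS server 198.51.100.53, the outside hosts in 203.0.113.0/24, the assumption that the static NAT entry publishes SMTP, and the list numbers 151 and 160 are all constructed for the example.

```python
# Added example for this page (not from the original post or from Cisco): first-match
# evaluation of the IOS extended-ACL subset used in the thread.  Addresses in
# 198.51.100.0/24 and 203.0.113.0/24 and the list numbers 151/160 are assumptions.
import socket
import struct

PORTS = {"www": 80, "ftp": 21, "smtp": 25, "domain": 53, "telnet": 23, "ntp": 123}
ICMP_TYPES = {"echo": 8, "echo-reply": 0}

def ip2int(dotted):
    return struct.unpack("!I", socket.inet_aton(dotted))[0]

def parse_addr(tok):
    """Consume `any` | `host A` | `A WILDCARD`; return (network, fixed-bit mask)."""
    t = tok.pop(0)
    if t == "any":
        return 0, 0
    if t == "host":
        return ip2int(tok.pop(0)), 0xFFFFFFFF
    fixed = ~ip2int(tok.pop(0)) & 0xFFFFFFFF   # wildcard 1-bits are "don't care"
    return ip2int(t) & fixed, fixed

def parse_ports(tok):
    """Consume an optional `eq PORT` (name or number); return (lo, hi) or None."""
    if tok and tok[0] == "eq":
        p = int(PORTS.get(tok[1], tok[1]))
        del tok[:2]
        return p, p
    return None

def parse_acl(text):
    """Parse `access-list N ...` lines into ordered entries; `!` lines are comments."""
    entries = []
    for line in text.strip().splitlines():
        tok = line.split()
        if not tok or tok[0] == "!":
            continue
        tok = tok[2:]                               # drop "access-list <number>"
        e = {"action": tok.pop(0), "proto": tok.pop(0), "established": False, "icmp_type": None}
        e["src"], e["sport"] = parse_addr(tok), parse_ports(tok)
        e["dst"], e["dport"] = parse_addr(tok), parse_ports(tok)
        for t in tok:                               # trailing qualifiers
            if t == "established":
                e["established"] = True
            elif t in ICMP_TYPES:
                e["icmp_type"] = ICMP_TYPES[t]
            elif t != "log":
                raise ValueError("unsupported qualifier %r in %r" % (t, line))
        entries.append(e)
    return entries

def matches(e, pkt):
    if e["proto"] != "ip" and e["proto"] != pkt["proto"]:
        return False
    for side in ("src", "dst"):
        net, fixed = e[side]
        if (ip2int(pkt[side]) & fixed) != net:
            return False
    for rng, key in ((e["sport"], "sport"), (e["dport"], "dport")):
        if rng and not rng[0] <= pkt.get(key, -1) <= rng[1]:
            return False
    if e["icmp_type"] is not None and pkt.get("icmp_type") != e["icmp_type"]:
        return False
    # `established` matches TCP segments with ACK or RST set, i.e. anything but a bare SYN
    return not e["established"] or bool(pkt.get("ack") or pkt.get("rst"))

def evaluate(entries, pkt):
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for e in entries:
        if matches(e, pkt):
            return e["action"]
    return "deny"

def ddr_outbound(interesting, pkt, link_up):
    """A dialer-list only decides whether to dial (and resets the idle timer); once the
    link is up it drops nothing, so any filtering has to come from an access-group."""
    if link_up:
        return "forward"
    return "dial" if evaluate(interesting, pkt) == "permit" else "no-dial"

def pkt(proto, src, dst, **fields):
    return dict(proto=proto, src=src, dst=dst, **fields)

# ACL 150 as posted: only ICMP echo/echo-reply are dropped, everything else is permitted.
ACL_150 = parse_acl("""
access-list 150 deny icmp any any echo
access-list 150 deny icmp any any echo-reply
access-list 150 permit ip any any""")
# Assumed replacement for Dialer1 inbound: router's Internet IP 198.51.100.2, ISP DNS
# 198.51.100.53, and the static NAT entry publishing SMTP.  Implicit deny ends the list.
ACL_151 = parse_acl("""
access-list 151 permit tcp any host 198.51.100.2 established
access-list 151 permit udp host 198.51.100.53 eq domain host 198.51.100.2
access-list 151 permit tcp any host 198.51.100.2 eq smtp
access-list 151 deny ip any any log""")
# Assumed Ethernet0 inbound list: only the proxy/mail host may open outbound sessions.
ACL_160 = parse_acl("""
access-list 160 permit tcp host 10.10.10.1 any eq www
access-list 160 permit tcp host 10.10.10.1 any eq ftp
access-list 160 permit tcp host 10.10.10.1 any eq smtp
access-list 160 permit udp host 10.10.10.1 any eq domain
access-list 160 deny ip any any""")

if __name__ == "__main__":
    telnet_in = pkt("tcp", "203.0.113.9", "198.51.100.2", sport=40000, dport=23)
    other_host = pkt("tcp", "10.10.10.2", "203.0.113.80", sport=1025, dport=80)
    print("150 inbound telnet:", evaluate(ACL_150, telnet_in), "| 151:", evaluate(ACL_151, telnet_in))
    print("160 second host:", evaluate(ACL_160, other_host), "| link up:", ddr_outbound(ACL_160, other_host, True))
```

Two caveats for the real router rather than the model: an inbound access-group on Dialer1 is evaluated before NAT translates outside-to-inside, so the destination to match is the router's public address, not 10.10.10.1; and `established` only checks the ACK/RST bits, so it keeps out new inbound SYNs but not ACK-flag scans (reflexive ACLs or CBAC, where the IOS feature set offers them, track real sessions). The evaluator handles the `eq`, `host`, wildcard, `established` and ICMP-type forms used on this page; the `range` form in the posted ACL 101 is not parsed.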

New Member

Re: ACL for ISDN 64k DDR query

Hi Yatin,

Do you mean put an IN ACL on the eth0 int, for example access-group 160 in?

Or do you mean put it on the bri0 int?

I'm fairly sure you mean eth0 because the dialer 1 int already has the access-group 150 in on it.

Regards,

Gavin.
