What's wrong with this configuration?

We are a tiny elementary school with a 70% eRate supported T1 connection. ($23k a year). We have a Cisco 26xx connecting us to the ISP (Verizon). On our initial configuration we were quite happy until we were discovered by the outside. The "outsiders" are using our screening proxy server to access the Internet (they are on 218.x.x.x & 127.x.x.x PRC). I am now in the process of trying to set up an ACL to keep this traffic out. Every time I TFTP the attached config file, I can no longer access the Internet from any of my servers. I have been at this for parts of three days and sorely need help. Here is my config file with remarks and addresses disguised. Please help. Tom

!
version 12.0
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname (not the real one)
!
enable secret xxxxxxxxxxxx
enable password xxxxxxxxx!
!
ip subnet-zero
no service finger
no ip source-route
no service tcp-small-servers
no service udp-small-servers
!
ip name-server 141.154.0.68
ip name-server 141.155.0.68
!
!
interface Serial0/0
description Point-to-Point (local city)
bandwidth 1544
ip address xxx.xxx.xxx.xxx 255.255.255.xxx
ip access-group filterin in
ip access-group filterout out
ntp disable
no snmp
no ip directed-broadcast
no ip redirects
no ip unreachables
no cdp enable
no ip mroute-cache
ip nat outside
!
!
interface FastEthernet0/0
ip address 192.168.0.1 255.255.255.0
no ip directed-broadcast
ip nat inside
duplex auto
speed auto
!
REMARK we are assigned useable ip addresses of x.x.x.33 to x.x.x.62
!
ip nat pool BAIS xxx.xxx.xxx.34 xxx.xxx.xxx.50 netmask 255.255.255.224
ip nat inside source list 1 pool BAIS overload
ip nat inside source static 192.168.0.1 xxx.xxx.xxx.33
ip nat inside source static 192.168.0.18 xxx.xxx.xxx.51
REMARK x.x.x.51 is our weather station
ip nat inside source static 192.168.0.16 xxx.xxx.xxx.52
REMARK x.x.x.52 is our Web Server
ip nat inside source static 192.168.0.13 xxx.xxx.xxx.53
REMARK x.x.x.53 is an externally monitored HP Switch
ip classless
ip route 0.0.0.0 0.0.0.0 64.223.133.141
no ip http server
!
!
ip access-list extended filterin
deny ip 190.190.190.0 0.0.0.255 any
deny ip 10.0.0.0 0.255.255.255 any
deny ip 127.0.0.0 0.255.255.255 any
deny ip 192.168.0.0 0.0.255.255 any
deny ip 224.0.0.0 15.255.255.255 any
deny ip host 0.0.0.0 any
permit tcp any xxx.xxx.xxx.52 0.0.0.0 eq 80
permit tcp any xxx.xxx.xxx.51 0.0.0.0 eq 95
!
ip access-list extended filterout
permit tcp any any eq ftp reflect packets
permit tcp any any eq 22 reflect packets
permit tcp any any eq telnet reflect packets
permit tcp any any eq smtp reflect packets
permit tcp any any eq domain reflect packets
permit tcp any any eq www reflect packets
permit tcp any any eq pop3 reflect packets
permit tcp any any eq nntp reflect packets
permit tcp any any eq 143 reflect packets
permit tcp any any eq 443 reflect packets
permit udp any any eq domain reflect packets
permit icmp any any packet-too-big
!
snmp-server engineID local 000000080797351283
snmp-server community badwav RO 91
!
line con 0
exec-timeout 2 30
transport input none
line aux 0
exec-timeout 2 30
password (fake)
autobaud
login
modem Dialin
transport input all
autohangup
line vty 0 4
exec-timeout 2 30
password (fake)
login
!
end

1 ACCEPTED SOLUTION

Re: What's wrong with this configuration?

Reflexive access lists are always used with the keywords reflect and evaluate.

Your configuration seems to be missing the latter. Please add the following 2 evaluate commands:

evaluate packets
evaluate packet-too-big

Please see below where to add and how the final configuration should look.

!
ip access-list extended filterin
deny ip 190.190.190.0 0.0.0.255 any
deny ip 10.0.0.0 0.255.255.255 any
deny ip 127.0.0.0 0.255.255.255 any
deny ip 192.168.0.0 0.0.255.255 any
deny ip 224.0.0.0 15.255.255.255 any
deny ip host 0.0.0.0 any
permit tcp any xxx.xxx.xxx.52 0.0.0.0 eq 80
permit tcp any xxx.xxx.xxx.51 0.0.0.0 eq 95
evaluate packets
evaluate packet-too-big
!

Please let me know if you still have problems. Hope that helps.

vik
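To make the reflect/evaluate pairing concrete, here is a small Python model of the two lists in the thread, added as an example; it is not code from the thread or from Cisco IOS. It mirrors filterout (permit ... reflect packets) and filterin (bogon denies, the two static permits, then evaluate packets) and runs the same packets through filterin with and without the evaluate line. All addresses, ports and the proxy port in it are constructed placeholders standing in for the poster's disguised xxx.xxx.xxx.* values.

```python
"""Toy model of a Cisco IOS reflexive access list (added example, not the
thread's or Cisco's code).  It shows why every session opened from the
inside dies when 'evaluate packets' is missing from the inbound list.
All addresses and ports are constructed placeholders."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


# Constructed stand-ins for the disguised public addresses in the thread.
NAT_POOL = "203.0.113.34"     # overload address inside hosts appear from
WEATHER = "203.0.113.51"      # static NAT, tcp/95 allowed in
WEB_SERVER = "203.0.113.52"   # static NAT, tcp/80 allowed in

# The deny lines of 'filterin' (first entry stands in for the thread's
# disguised 190.190.190.0/24 line).
DENY_SOURCES = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("224.0.0.0/4"),
    ipaddress.ip_network("0.0.0.0/32"),
]

# TCP destination ports that 'filterout' permits with 'reflect packets'.
REFLECTED_TCP = {21, 22, 23, 25, 53, 80, 110, 119, 143, 443}


class ReflexiveFirewall:
    def __init__(self, evaluate):
        self.evaluate = evaluate   # is 'evaluate packets' present in filterin?
        self.reflected = set()     # temporary entries created by 'reflect'

    def outbound(self, pkt):
        """Apply 'filterout' to a packet leaving Serial0/0."""
        allowed = (pkt.proto == "tcp" and pkt.dport in REFLECTED_TCP) or \
                  (pkt.proto == "udp" and pkt.dport == 53)
        if allowed:
            # 'reflect packets': install the mirrored entry that will match
            # the reply (addresses and ports swapped).
            self.reflected.add(Packet(pkt.proto, pkt.dst, pkt.dport,
                                      pkt.src, pkt.sport))
        return allowed   # anything else hits the implicit deny

    def inbound(self, pkt):
        """Apply 'filterin' to a packet arriving on Serial0/0, top to bottom."""
        src = ipaddress.ip_address(pkt.src)
        if any(src in net for net in DENY_SOURCES):
            return "deny (spoofed source)"
        if pkt.proto == "tcp" and pkt.dst == WEB_SERVER and pkt.dport == 80:
            return "permit (web server)"
        if pkt.proto == "tcp" and pkt.dst == WEATHER and pkt.dport == 95:
            return "permit (weather station)"
        # 'evaluate packets': only with this line are reflected entries used.
        if self.evaluate and pkt in self.reflected:
            return "permit (reflexive entry)"
        return "deny (implicit)"


def demo(evaluate):
    """Run the same four inbound packets through filterin."""
    fw = ReflexiveFirewall(evaluate)
    # An inside host, NATed to the pool address, opens an HTTPS session.
    fw.outbound(Packet("tcp", NAT_POOL, 40000, "198.51.100.10", 443))
    return {
        # The server's reply to that session.
        "return_traffic": fw.inbound(Packet("tcp", "198.51.100.10", 443,
                                            NAT_POOL, 40000)),
        # An unsolicited connection to a port nobody opened from inside
        # (the outsiders hitting the proxy); the port is a placeholder.
        "unsolicited": fw.inbound(Packet("tcp", "198.51.100.99", 5555,
                                         NAT_POOL, 8080)),
        # Public access to the web server's static NAT address.
        "public_web": fw.inbound(Packet("tcp", "198.51.100.20", 5000,
                                        WEB_SERVER, 80)),
        # A packet from the outside claiming an RFC 1918 source.
        "spoofed": fw.inbound(Packet("tcp", "192.168.5.5", 5000,
                                     WEB_SERVER, 80)),
    }


if __name__ == "__main__":
    for flag in (False, True):
        print(f"evaluate packets present: {flag}")
        for name, verdict in demo(flag).items():
            print(f"  {name:16} -> {verdict}")
```

Without evaluate, the reply to the HTTPS session falls through to the implicit deny, which is exactly the "can no longer access the Internet" symptom; with it, the reply is matched by the mirrored entry, while the unsolicited connection to the proxy port and the spoofed private-source packet are still dropped and the web server's tcp/80 permit still works.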

4 REPLIES

Re: What's wrong with this configuration?

I haven't worked very much with reflective access-lists, but for the inbound filter, you need the following statement:

ip access-list extended filterin
...
evaluate packets

where "packets" is the name you gave as the keyword for the reflective access-list.

Hope this helps.

Mike


Re: What's wrong with this configuration?

Thanks, I'll try this tomorrow and post the results.

Tom


Re: What's wrong with this configuration?

Eureka!!!! Thanks vik