
1841 access-lists 1


karmic

Technical User
Jul 20, 2001
973
CA
Got stuck with an 1841, and I'm not used to working with them.

It's on the internet and I'm able to surf, but I'm looking for some quick and dirty how-tos on access-lists. Just want to block everything outbound, permit certain ports out and stealth it on the outside. It was easy on the PIX units but for some reason not so here.

I really don't want to read volumes from cisco...

Thanks.

~ K.I.S.S - Don't make it any more complex than it has to be ~
 
router>en
router#conf t
router(config)#access-list 101 permit tcp host 192.168.1.12 any eq 21
That allows FTP access from 192.168.1.12 to any destination. It also depends on where you apply it. An ACL like this...say fa0/0 is the router interface that connects to the LAN...
router(config)#int fa0/0
router(config-if)#ip access-group 101 in
This ACL alone will allow FTP, but deny everything else, due to an implicit deny statement at the end of every ACL in routers. PIX are the opposite---you need one to allow access---routers allow everything, until an ACL is written. ACLs are also used to define rules with, say, route maps, dial-on-demand routing, and NAT.
That's lesson one---perhaps someone else can chime in...

Burt
 
So it's safe to assume it works the same with the entire subnet?

access-list 101 permit tcp host 192.168.1.0 any eq 80
access-list 101 permit udp host 192.168.1.0 any eq 53

and so on?


~ K.I.S.S - Don't make it any more complex than it has to be ~
 
No---a subnet does not use the keyword "host", and it includes the wildcard (inverse) mask...

access-list 101 permit tcp 192.168.1.0 0.0.0.255 any eq 80

like that. The inverse is simply 255.255.255.255 minus the subnet mask...255.255.255.0 is 0.0.0.255, because 255.255.255.255 minus 255.255.255.0 equals 0.0.0.255.

Burt
 
I am not wrapping my head around this at all... I have a router with fastethernet0/0 ip 192.12.20.1/24.
fastethernet0/1 is linked directly to the internet via dhcp, I can surf no problem.

The only ports I need open are 53, 80, 20, 21, 443 and 25.

I've tried this via host, via subnet, whatever. The minute I add the group, I can't surf at all, nothing.
(config)#
access-list 101 permit tcp any host 192.12.20.1 eq telnet
access-list 101 permit tcp 192.12.20.0 0.0.0.255 any eq 23
access-list 101 permit tcp 192.12.20.0 0.0.0.255 any eq 80
access-list 101 permit tcp 192.12.20.0 0.0.0.255 any eq 53
access-list 101 permit udp 192.12.20.0 0.0.0.255 any eq 53
access-list 101 permit tcp 192.12.20.0 0.0.0.255 any eq 443
access-list 101 permit tcp 192.12.20.0 0.0.0.255 any eq 25
access-list 101 permit tcp 192.12.20.0 0.0.0.255 any eq 110
access-list 101 permit tcp 192.12.20.0 0.0.0.255 any eq 21
access-list 101 permit tcp 192.12.20.0 0.0.0.255 any eq 20
(config-if)#
int fastethernet0/0
ip access-group 101 in
ctrl-z
wr mem

With the different ways I've tried this, either I can't surf (nslookup not responding) or I can surf without restriction.

:O( Am I stunned or what?

~ K.I.S.S - Don't make it any more complex than it has to be ~
 
router>en
router#sh access-list
Then you will see the list, as it is numbered. Let's say the last number is 100...add an entry for HTTP at 105 (or for faster processing, add it at 5 or 15, whichever it accepts)...
router#conf t
router(config)#ip access-list extended 101
router(config-ext-nacl)#15 permit tcp 192.12.20.0 0.0.0.255 any eq 80
Remember---once an ACL is written, there is an implicit "deny any any" at the end, so you need to add HTTP access as well.

Burt
 
Thanks again Burt, I'll try later.

~ K.I.S.S - Don't make it any more complex than it has to be ~
 
Well, did the exact same thing as I did this morning and it worked this time. Got me scratching my head now.

Thanks for your help :)

~ K.I.S.S - Don't make it any more complex than it has to be ~
 
I posted to open port 80, but I did not see that you had already done so...glad it's working now.

Burt
 
Got time for one more question?

I think I'm finally getting my head wrapped around the concept here, got port forwarding done for Exchange OWA and VPN connects. BUT

I can't seem to get into the network through VPN. It is connecting fine but I can't RDP into the server. Should the VPN's DHCP be on a different subnet or the same? I usually tie a few IPs from the current subnet with the PIX or ASA units, but is this the case with the router?

~ K.I.S.S - Don't make it any more complex than it has to be ~
 
It can be in the same subnet, but you'll have to NAT with a route map, so that you can map it to an extended ACL that denies the IP addresses that are assigned through the VPN. For example---let's say you connect 2 users...192.168.1.12 and 192.168.1.13 are reserved for the VPN. Then the group and key statements would look like this...

crypto isakmp client configuration group xxxxxxxxx
key xxxxxxxxxxxx
pool vpn_pool_1
max-users 2
netmask 255.255.255.0

and the vpn pool would look like this...

ip local pool vpn_pool_1 192.168.1.12 192.168.1.13

the acl would look like this...

access-list 101 deny ip any host 192.168.1.12
access-list 101 deny ip any host 192.168.1.13
access-list 101 permit ip 192.168.1.0 0.0.0.255 any

the route map...

route-map vpn_routemap_1 permit 1
match ip address 101

and the NAT statement...

ip nat inside source list 101 int di0 overload

My outgoing interface is Dialer0, but substitute your own outgoing interface for it. The whole key is to make sure the VPN IPs do NOT get NATted.

Burt
 
Sorry---the nat statement would be...

ip nat inside source route-map vpn_routemap_1 interface Dialer0 overload

Burt
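To tie together the three points made in this thread (the "host" keyword vs. the wildcard mask, the implicit deny at the end of every ACL, and the route-map ACL where "deny" means "do not NAT"), here is a small ACL evaluator. It is an added example, not code from the thread or from Cisco; the ACL lines it feeds in are constructed to mirror the ones posted above, and the 203.0.113.x addresses are documentation-range placeholders.

```python
# Added example, not from the thread: a tiny first-match evaluator with Cisco IOS
# extended-ACL semantics. It shows why "host 192.168.1.0" matches a single address,
# how the wildcard (inverse) mask selects a whole /24, and that a packet no entry
# matches falls through to the implicit "deny any any".
import ipaddress

def wildcard_from_prefix(prefix_len):
    """Inverse mask = 255.255.255.255 minus the subnet mask (/24 -> 0.0.0.255)."""
    subnet_mask = (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(0xFFFFFFFF - subnet_mask))

def matches(addr, base, wildcard):
    """Bits set in the wildcard are 'don't care'; every other bit must equal base."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)

def _parse_addr(toks, i):
    """Return (base, wildcard, next_index) for 'any', 'host A' or 'A W'."""
    if toks[i] == "any":
        return "0.0.0.0", "255.255.255.255", i + 1
    if toks[i] == "host":
        return toks[i + 1], "0.0.0.0", i + 2
    return toks[i], toks[i + 1], i + 2

def parse_ace(line):
    """Parse 'access-list N {permit|deny} PROTO SRC DST [eq PORT]' (the forms posted above)."""
    toks = line.split()
    action, proto = toks[2], toks[3]
    src, src_wc, i = _parse_addr(toks, 4)
    dst, dst_wc, i = _parse_addr(toks, i)
    dport = int(toks[i + 1]) if i < len(toks) and toks[i] == "eq" else None
    return action, proto, (src, src_wc), (dst, dst_wc), dport

def evaluate(acl_lines, proto, src, dst, dport=None):
    """First matching entry wins; no match at all means the implicit deny at the end."""
    for action, ace_proto, s, d, ace_port in map(parse_ace, acl_lines):
        if ace_proto in (proto, "ip") and matches(src, *s) and matches(dst, *d) \
                and (ace_port is None or ace_port == dport):
            return action
    return "deny (implicit)"

# Constructed samples mirroring the thread: the "host" mistake, the corrected subnet
# form, and the NAT-exemption list, where "deny" means "do not translate".
HOST_ACL = ["access-list 101 permit tcp host 192.168.1.0 any eq 80"]
SUBNET_ACL = ["access-list 101 permit tcp 192.168.1.0 0.0.0.255 any eq 80",
              "access-list 101 permit udp 192.168.1.0 0.0.0.255 any eq 53"]
NAT_ACL = ["access-list 101 deny ip any host 192.168.1.12",
           "access-list 101 permit ip 192.168.1.0 0.0.0.255 any"]
```

Running `evaluate(HOST_ACL, "tcp", "192.168.1.12", "203.0.113.5", 80)` returns the implicit deny, which is exactly why the "host 192.168.1.0" form blocks the whole LAN, while the same packet against SUBNET_ACL is permitted.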
 
OK, thanks for that. By reading, I assumed that by changing the subnet for the VPN it would work better. VPN links up and all is well, I can connect to RDP now :)

Burt, I thank you very much, you've been great :)

~ K.I.S.S - Don't make it any more complex than it has to be ~
 
The different subnet thing, I believe, usually applies to site-to-site VPNs, but not necessarily remote access.

Burt
 
Well, the internal subnet is 192.12.20.x/24. When I set up the VPNs, I did it originally with the same subnet but couldn't get any network access. I did this through the SDM, and it asked "are you sure you want to do this". Should have been my first clue.

Since your post, I changed the VPN subnet to 192.168.1.0. Linked up to VPN again and everything connects just fine.

On the PIX units, I always used reserved addresses on the same subnet as the internal network.

~ K.I.S.S - Don't make it any more complex than it has to be ~
 