
801 access-list help 1


DanielUK

Hello, me again.... I asked about setting up an access list to deny the ports that ShieldsUP! ( says are still open on my 801 ISDN router, namely port 23 (telnet) and port 80. I've just revisited this after a couple of months of no action and I'm still having trouble with it, and I can't quite grasp some of the concepts. So I have a couple of questions that a Cisco expert may be able to answer:

1. When the documentation talks about applying access lists to an interface, I am meant to be applying them to BRI0? If I do a "show interface" command at telnet I get references to BRI0, BRI0:1, BRI0:2 and finally ethernet 0.

2. For the life of me I can't seem to deny incoming telnet. The commands I have used are:
- Telnet to router
- type "enable" to become privileged EXEC mode
- type "configure" to go into Global configuration
- type "access-list 121 deny tcp any any eq 23"
- type "interface BRI0" to enter interface config mode
- type "ip access-group 100 in" to activate access list 100

If I then go back to Privilege mode (router#) and type "show access-lists" I get:

Standard IP access list 18
permit 192.168.0.0, wildcard bits 0.0.0.255 (201596 matches) check=1123
Extended IP access list 100
deny tcp any host 192.168.0.1 eq telnet
Extended IP access list 121
deny udp any eq netbios-dgm any (29416 matches)
deny udp any eq netbios-ns any (30494 matches)
deny udp any eq netbios-ss any
deny tcp any eq 137 any
deny tcp any eq 138 any
deny tcp any eq 139 any
permit ip any any time-range TIME (active) (225633 matches)
deny tcp any any eq telnet

The telnet reference at the end is from an earlier attempt a few weeks ago (that doesn't block it), but anyway, it doesn't seem to show the port 23 I just denied. Am I doing this wrong?

3. I know there is the router's FastStep config text file in my Cisco FastStep directory, but where is the router's configuration file kept that has details of the existing access lists?

Sorry if these are simple questions!

Thanks

Dan
 
You need to apply the access list to deny telnet to the line vty 0 4 interface. That's where telnet sessions are coming in. Otherwise post your config, take IP addresses and passwords out, and we can help you further.

conf t
line vty 0 4
ip access-class 23 in

Create an access list 23 where you allow telnet from the addresses you want; the rest will be denied.
 
Thanks, I'm not back in work until Monday but my running config has not changed much, if at all, from my last postings on this forum (http://www.tek-tips.com/viewthread.cfm?qid=886330):

Code:
Router#show running-config
Building configuration...

Current configuration : 2114 bytes
!
! Last configuration change at 17:56:42 UTC Mon Jul 26 2004
! NVRAM config last updated at 17:31:42 UTC Mon Jul 26 2004
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname Router
!
logging buffered 8192 debugging
aaa new-model
!
!
aaa session-id common
enable secret 5 $1$QvfG$fiD6ZzWY/6SZFmkxNGsGO.
!
username Router password 7 142713181F13253920
username Router password 7 070D235E4908150916000F03
ip subnet-zero
no ip source-route
!
isdn switch-type basic-net3
!
!
!
interface Ethernet0
 ip address 192.168.0.16 255.255.255.0
 ip access-group 121 in
 no ip proxy-arp
 ip nat inside
!
interface BRI0
 no ip address
 encapsulation ppp
 dialer pool-member 1
 isdn switch-type basic-net3
 ppp authentication chap pap callin
 ppp multilink
!
interface Dialer1
 description ISP
 ip address negotiated
 ip access-group 121 in
 no ip proxy-arp
 ip nat outside
 encapsulation ppp
 no ip split-horizon
 dialer pool 1
 dialer remote-name Cisco1
 dialer idle-timeout 300
 dialer string 08089916001 class DialClass
 dialer hold-queue 10
 dialer load-threshold 10 either
 dialer-group 1
 ppp authentication chap pap callin
 ppp chap hostname ****************.co.uk
 ppp chap password 7 121D0D44475E1A172F38343A3A21261B
 ppp pap sent-username **************.co.uk password 7 14131A5859513C38213B23272B07031E
 ppp multilink
!
ip nat inside source list 18 interface Dialer1 overload
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
ip http server
!
!
!
map-class dialer DialClass
access-list 18 permit 192.168.0.0 0.0.0.255
access-list 121 deny   udp any eq netbios-dgm any
access-list 121 deny   udp any eq netbios-ns any
access-list 121 deny   udp any eq netbios-ss any
access-list 121 deny   tcp any eq 137 any
access-list 121 deny   tcp any eq 138 any
access-list 121 deny   tcp any eq 139 any
access-list 121 permit ip any any time-range TIME
dialer-list 1 protocol ip permit
!
line con 0
 exec-timeout 0 0
 stopbits 1
line vty 0 4
 exec-timeout 0 0
!
no rcapi server
!
!
time-range TIME
 periodic daily 0:00 to 23:59
!
end

Thanks, Dan
 
so to permit and deny telnet to your device this is a solution:

access-list 23 permit 192.168.0.0 0.0.0.255

conf t
line vty 0 4
access-class 23 in

Now everyone inside your network, starting with IP address 192.168.0.x, will be able to telnet to your device. Nobody else will be permitted to telnet.
You also want to put a password there, otherwise you still can't connect:
conf t
line vty 0 5
login
password cisco
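To see why the "deny tcp any any eq telnet" entry at the end of ACL 121 never fires while ACL 23 on the vty lines does, here is an added Python model of Cisco first-match access-list evaluation (constructed for this thread, not IOS code). It ignores the time-range on ACL 121 because TIME is active all day, and 203.0.113.7 is a placeholder outside address.

```python
import ipaddress

# Added model of Cisco IOS access-list evaluation (constructed here, not IOS code): entries
# are tested top to bottom, the first match decides, and a packet matching no entry is denied.
PORTS = {"telnet": 23, "www": 80, "netbios-ns": 137, "netbios-dgm": 138, "netbios-ss": 139}

def _addr(tok, i):  # 'any' | 'host A' | 'A WILDCARD' -> ((base, wildcard), next index)
    if tok[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    if tok[i] == "host":
        return (tok[i + 1], "0.0.0.0"), i + 2
    return (tok[i], tok[i + 1]), i + 2

def _port(tok, i):  # optional 'eq PORT' -> (port number or None, next index)
    if i < len(tok) and tok[i] == "eq":
        return PORTS.get(tok[i + 1]) or int(tok[i + 1]), i + 2
    return None, i

def parse_ace(line):
    tok = line.split()
    ace = {"num": int(tok[1]), "action": tok[2], "proto": "ip", "sport": None, "dport": None}
    if tok[3] in ("ip", "tcp", "udp"):           # extended entry: proto src [eq p] dst [eq p]
        ace["proto"] = tok[3]
        ace["src"], i = _addr(tok, 4)
        ace["sport"], i = _port(tok, i)
        ace["dst"], i = _addr(tok, i)
        ace["dport"], i = _port(tok, i)          # a trailing 'time-range NAME' is ignored
    else:                                        # standard entry: source address only
        ace["src"], _ = _addr(tok, 3)
        ace["dst"] = ("0.0.0.0", "255.255.255.255")
    return ace

def _in(addr, spec):  # Cisco wildcard mask: 1-bits are "don't care"
    base, wc = (int(ipaddress.IPv4Address(x)) for x in spec)
    return (int(ipaddress.IPv4Address(addr)) | wc) == (base | wc)

def evaluate(acl, number, src, dst, proto="tcp", sport=0, dport=0):
    """First-match lookup; returns (action, matching line or 'implicit deny')."""
    for line in acl:
        a = parse_ace(line)
        if (a["num"] == number and a["proto"] in ("ip", proto)
                and _in(src, a["src"]) and _in(dst, a["dst"])
                and a["sport"] in (None, sport) and a["dport"] in (None, dport)):
            return a["action"], line
    return "deny", "implicit deny"
# Constructed copies of ACL 121 (abridged) and ACL 23 from the running-config in this thread.
ACL_121 = ["access-list 121 deny udp any eq netbios-ns any", "access-list 121 deny tcp any eq 139 any",
           "access-list 121 permit ip any any time-range TIME", "access-list 121 deny tcp any any eq telnet"]
ACL_23 = ["access-list 23 permit 192.168.0.0 0.0.0.255"]
REORDERED = ACL_121[-1:] + ACL_121[:-1]       # same entries, telnet deny moved above the permit-all
```

Calling evaluate(ACL_121, 121, "203.0.113.7", "192.168.0.16", dport=23) returns permit because the "permit ip any any" entry is reached first; the same call on REORDERED returns deny, and ACL_23 falls through to the implicit deny for any source outside 192.168.0.0/24.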
 
Thanks Mtelleka! That closed off port 23; now how do I close off port 80? I must admit I'm having trouble working out what the command "line vty 0 4" does, as I can't seem to find it in any of the examples in the manual. Is there an idiot's guide to Cisco configuration files?

Thanks again,

Dan
 
Here is a Cisco site where they explain some 'basic' configurations and also the line vty 0 4. They are virtual lines (5 in total here) used to telnet into the device.


Blocking port 80 means that nobody can surf the internet, if that's what you want.

access-list 101 deny tcp any any eq 80 (or similar to this) and apply this to your interface going out to the internet
-outbound-
 
Thanks again,

I'm simply running the ShieldsUP program on the grc website. It was saying ports 23 and 80 are open, but now port 23 is closed to incoming. I want to be able to browse (outbound) but not accept incoming on port 80 as the test is implying.

Thanks

Dan
 
Am I being stupid here? I tried to apply a:

access-list 101 deny tcp any any eq 80

line to the incoming on interface Ethernet0 to prevent port 80 incoming, and allow browsing (outgoing):

interface Ethernet0
ip access-group 101 in
exit
exit


yet it's still saying port 80 is open to incoming! My running-config now looks like this:

Code:
Router#show running-config
Building configuration...

Current configuration : 2436 bytes
!
! Last configuration change at 13:27:47 UTC Tue Oct 12 2004
! NVRAM config last updated at 09:29:47 UTC Mon Oct 11 2004
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname Router
!
logging buffered 8192 debugging
aaa new-model
!
!
aaa session-id common
enable secret 5 $1$g0ZA$k1NunU4e/pdIDhQj.8eaV0
!
username Router password 7 121B0705150A00082B392027
username Router password 7 070D235E4908150916000F03
ip subnet-zero
no ip source-route
!
isdn switch-type basic-net3
!
!
!
interface Ethernet0
 ip address 192.168.0.16 255.255.255.0
 ip access-group 121 in
 no ip proxy-arp
 ip nat inside
!
interface BRI0
 no ip address
 ip access-group 121 in
 encapsulation ppp
 dialer pool-member 1
 isdn switch-type basic-net3
 ppp authentication chap pap callin
 ppp multilink
!
interface Dialer1
 description ISP
 ip address negotiated
 ip access-group 121 in
 no ip proxy-arp
 ip nat outside
 encapsulation ppp
 no ip split-horizon
 dialer pool 1
 dialer remote-name Cisco1
 dialer idle-timeout 300
 dialer string 08089916001 class DialClass
 dialer string 08440575000 class DialClass
 dialer hold-queue 10
 dialer load-threshold 10 either
 dialer-group 1
 ppp authentication chap pap callin
 ppp chap hostname hostnamehere
 ppp chap password 7 03005358535A375F4B1A09171E060F04
 ppp pap sent-username accountusername password 14131A5859513C3823B23272B07031E
 ppp multilink
!
ip nat inside source list 18 interface Dialer1 overload
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
ip http server
!
!
!
map-class dialer DialClass
access-list 18 permit 192.168.0.0 0.0.0.255
access-list 23 permit 192.168.0.0 0.0.0.255
access-list 100 deny   tcp any host 192.168.0.1 eq telnet
access-list 101 deny   tcp any any eq www
access-list 121 deny   udp any eq netbios-dgm any
access-list 121 deny   udp any eq netbios-ns any
access-list 121 deny   udp any eq netbios-ss any
access-list 121 deny   tcp any eq 137 any
access-list 121 deny   tcp any eq 138 any
access-list 121 deny   tcp any eq 139 any
access-list 121 permit ip any any time-range TIME
access-list 121 deny   tcp any any eq telnet
access-list 121 deny   tcp any eq www any
dialer-list 1 protocol ip permit
!
line con 0
 exec-timeout 120 0
 stopbits 1
line vty 0 4
 access-class 23 in
 exec-timeout 0 0
!
no rcapi server
!
!
time-range TIME
 periodic daily 0:00 to 23:59
!
end

Am I applying it to the right interface? I'm confused about which interfaces I should be dealing with...

Thanks and sorry to be a pain....

Dan
 
Revisiting this again after another break!

I've just thought: isn't the open incoming port 80 the web console for the router? That's probably what ShieldsUP! is telling me. How do I turn that off? The access-list 101 deny tcp any any eq 80 didn't work.

Thanks

Dan
 
Think I've figured it out, simply:

no ip http server

at the router(config)# prompt.

ShieldsUP is saying it's now closed.

Dan
 
OK, so ShieldsUP is telling me all my ports are either closed or stealthed but it's "failing" the test as it says:

Solicited TCP Packets: RECEIVED (FAILED) — As detailed in the port report below, one or more of your system's ports actively responded to our deliberate attempts to establish a connection

and I'm also replying to pings.

Should I be worried about these?

Dan
 