
Access-List anyone?


hereigns, Sep 17, 2002
Got a Cisco 1601 on a Frame-Relay Internet connection and am attempting to add an access-list to the router. What is the correct way to implement the access-list?

I created an outbound access-list that basically states to let any internal traffic pass to the internet and added it to the serial interface.

Then I created one for inbound traffic that states only to allow certain ports on specific public systems, then I added the list to the ethernet interface. When I add the list all outbound traffic stops flowing.

Below is a sample of the inbound access-list.
x.x.x.x = public host

access-list 100 permit ip x.x.x.x 0.0.0.15 any
access-list 100 permit tcp any host x.x.x.x eq 80
access-list 100 permit tcp any host x.x.x.x eq 53 log
access-list 100 permit tcp any any established
 
If you want all traffic from inside to go out, why apply the access list at all? I would remove the outbound access-list and just use the inbound one.

I've also been told that you need to enable UDP for port 53, I have yet to see that affect anything, I use TCP and have no problem at all.

One other question

Also at the end of both lists you can place

access-list 100 deny ip any any log

This will show you what is stopping the packet from going through by reviewing what is being denied.



david e
*end users are just like computers, some you can work with...others just need a simple reBOOTing to fix their problems.*
 
In which direction on the ethernet interface did you add this list, in or out?

Also, to see why traffic has stopped look at your logs. This will show you the denied traffic with the dest IP address and port.

Chris.
**********************
Chris Andrew, CCNA, CCSA
chris@iproute.co.uk
**********************
 
Thanks for the suggestions! This is a dumb question - I'm a newbie, please excuse...what log should I be looking for?
 
You should probably place this access-list on the serial interface that connects to the internet, and do so in the inbound direction. This will allow packets destined for your web and DNS servers, and will allow all packets in which the data stream was initiated from within your network. The only thing that would have to change is the first entry in the access-list. If your intention is to allow anyone on the internal network to initiate communication with anybody on the external network you can simply remove the entry...

If your intentions were to restrict internet access to a specific group of computers, then you could either change the last line, where you are permitting established traffic, to only permit established traffic destined for the group of computers desired, or you could create a different access-list and apply it to the ethernet interface in the inbound direction.

Erik Rudnick, CCIE No. 9545
mailto:erik@kuriosity.com
 
Erik,
Your comments make sense...I tried configuring s0 with the access-list and as soon as I applied it all outbound traffic stopped. After reading through several postings it appears access-lists stump a lot of folks. Below is the access-list I tried applying for specific resources on our public infrastructure. Still not sure what log(s) to peek at...

access-list 101 permit tcp any x.x.x.x 0.0.0.15 ack
access-list 101 permit tcp any x.x.x.x 0.0.0.0 eq smtp log
access-list 101 permit udp any x.x.x.x 0.0.0.0 eq domain log
access-list 101 permit tcp any x.x.x.x 0.0.0.0 eq 22 log
access-list 101 permit tcp any x.x.x.x 0.0.0.0 eq smtp log
access-list 101 permit udp any x.x.x.x 0.0.0.0 eq domain log
access-list 101 permit tcp any x.x.x.x 0.0.0.0 eq www
access-list 101 permit tcp any x.x.x.x 0.0.0.0 eq pop3 log
access-list 101 permit tcp any x.x.x.x 0.0.0.0 eq www
access-list 101 permit tcp any x.x.x.x 0.0.0.0 eq www
access-list 101 permit tcp any x.x.x.x 0.0.0.0 eq www
access-list 101 permit tcp any x.x.x.x 0.0.0.0 eq
access-list 101 permit tcp any x.x.x.x 0.0.0.0 eq 22 log
access-list 101 permit tcp any x.x.x.x 0.0.0.0 eq smtp log
access-list 101 permit tcp any x.x.x.x 0.0.0.0 eq smtp log
access-list 101 permit tcp any x.x.x.x 0.0.0.0 eq 143 log
access-list 101 permit tcp 208.125.104.2 0.0.0.0 x.x.x.x
 
The logs will go where you tell them to go... console, buffer, syslog.
 
Could this be the answer to my problem? I added the following line at the end of my access-list.

#access-list 100 permit ip any any

I read somewhere that, since there is a "deny all" at the end of the access-list, you must use that line to allow all other traffic to pass. Any access-list experts out there who care to submit his/her thoughts? I did apply the aforementioned line in the access-list and now traffic is passing.
 
With the permit ip any any at the end you may as well not even have the access-list, because you aren't denying anything at this point. You have a whole bunch of permit statements, and then at the end, you permit everything anyway....

What are you trying to accomplish with the access-list?
 
Hmmm - Not to dispute Inikis' comments but - obviously we have varying degrees of understanding of how access-lists work. My understanding is - as the list is read, it's read from top to bottom. So - for any packet that meets any of the criteria as it's being read, the router will immediately discard the packet. Since I've placed what I want to block outsiders from seeing at the topmost of the access-list I've basically created a firewall. Since I can not possibly, nor do I want to, define what other packets will be blocked, I must then add a line to permit all other packets to pass through that do not meet the above criteria. Otherwise I might as well just add the line #access-list deny ip any any and go on my merry way?

Right?????? Or is my understanding screwed up?

 
You are 100% correct. I was looking at the above access-lists and didn't see any deny statements.

If you put all your deny statements at the top, you won't need all those permit statements. You could just do the permit ip any any.
 
I think what we need is kind of a primer on access-lists. If not, just ignore this post.

When the statement includes the permit command, this means that the packet will be allowed. If the statement includes a deny command, this means the packet will be denied. Then, if there is no match in the access-list at all, the packet will be denied by default. If you choose to let it be allowed by default, you add a permit ip any any at the end.

Then you decide whether you want to apply the list to packets entering the router (in) or packets leaving the router (out).

So basically, you need to decide if you want to write an access-list to:

1. block specific things and allow everything else
2. allow specific things and block everything else

Once that has been decided, writing an access-list is MUCH easier.
 
Hmmm - now that I think about it - Inikis you are correct. I have basically added a permit ip any any anyway. My goal is to only allow (advertise) very specific ip addresses on specific ports and then block all other inbound traffic. I have not accomplished my goal. Sorry for the confusion :'(

 
Here is my office network's access-list

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
access-list 105 permit tcp any any eq ftp
access-list 105 permit tcp any any eq ftp-data
access-list 105 permit tcp any any eq smtp
access-list 105 permit tcp any any eq pop3
access-list 105 permit tcp any any eq www
access-list 105 permit tcp any any eq telnet
access-list 105 permit tcp any any eq 22
access-list 105 permit tcp any any eq 3389
access-list 105 permit tcp any any eq 90
access-list 105 permit tcp any any eq whois
access-list 105 permit tcp any any established
access-list 105 permit icmp any any
access-list 105 deny ip any any log
!
interface Serial0
description T1 to Internet
ip access-group 105 in
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


This is traffic entering my office. I have specifically stated what I want to allow into my network and then denied everything else. It is true that the deny statement does not have to be there, but since I want the denied packets sent to my log server, I put it there with the log keyword.

Maybe that helps.
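To make the primer above and access-list 105 concrete, here is an added example (not from this thread, not Cisco's code) that parses a constructed subset of access-list 105 and walks sample packets through it the way the router does: top to bottom, first match wins, and a packet that matches nothing falls to the implicit deny, which is silent; only the explicit deny ip any any log line puts the drop in the log. Packet addresses, the `PORTS` table and the helper names are assumptions.

```python
import ipaddress

# Constructed subset of Inikis's access-list 105 from this thread, kept in order.
ACL_105 = """\
access-list 105 permit tcp any any eq www
access-list 105 permit tcp any any eq 22
access-list 105 permit tcp any any established
access-list 105 permit icmp any any
access-list 105 deny ip any any log"""
# Assumed mapping of the IOS port keywords used in this thread.
PORTS = {"ftp": 21, "telnet": 23, "smtp": 25, "domain": 53, "www": 80, "pop3": 110}

def parse_addr(tok, i):
    # "any" / "host X" / "X WILDCARD" -> ((address, wildcard), next token index)
    if tok[i] == "any": return ("0.0.0.0", "255.255.255.255"), i + 1
    if tok[i] == "host": return (tok[i + 1], "0.0.0.0"), i + 2
    return (tok[i], tok[i + 1]), i + 2

def parse_acl(text):
    # Parses "access-list N permit|deny PROTO SRC DST [eq PORT] [established] [log]".
    acl = []
    for line in text.strip().splitlines():
        tok = line.split()
        e = {"action": tok[2], "proto": tok[3], "port": None, "established": False, "log": False}
        e["src"], i = parse_addr(tok, 4)
        e["dst"], i = parse_addr(tok, i)
        while i < len(tok):
            if tok[i] == "eq":
                e["port"] = PORTS.get(tok[i + 1]) or int(tok[i + 1])
                i += 2
            else:
                e["established"] |= tok[i] == "established"
                e["log"] |= tok[i] == "log"
                i += 1
        acl.append(e)
    return acl

def addr_match(spec, ip):
    # Cisco wildcard mask: a 1 bit means "don't care", so only the 0 bits are compared.
    base, wild = (int(ipaddress.IPv4Address(x)) for x in spec)
    care = 0xFFFFFFFF ^ wild
    return int(ipaddress.IPv4Address(ip)) & care == base & care

def evaluate(acl, pkt):
    # Top to bottom, first match wins; no match at all is the implicit deny (never logged).
    for n, e in enumerate(acl, 1):
        if (e["proto"] in ("ip", pkt["proto"])
                and addr_match(e["src"], pkt["src"]) and addr_match(e["dst"], pkt["dst"])
                and (e["port"] is None or pkt.get("dport") == e["port"])
                and (not e["established"] or pkt.get("ack"))):  # established = ACK/RST set
            return e["action"], n, e["log"]
    return "deny", None, False
```

Running `evaluate(parse_acl(ACL_105)[:-1], pkt)` on a new inbound connection to an unlisted port returns the same deny as the full list, but with no log flag: that is the difference Inikis describes between relying on the implicit deny and writing the deny ip any any log line yourself.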
 
First of all, thank you Inikis for your patience and persistence! Now I think I've finally got it working. Since the access-list is an extended list I placed it closest to the source = ethernet interface (inbound). Here's what it looks like:

access-list 101 permit tcp any x.x.x.x 0.0.0.15 ack
access-list 101 permit tcp any x.x.x.x 0.0.0.0 eq smtp log
access-list 101 permit udp any x.x.x.x 0.0.0.0 eq domain log
access-list 101 permit tcp any x.x.x.x 0.0.0.0 eq 22 log
access-list 101 permit tcp any x.x.x.x 0.0.0.0 eq smtp log
access-list 101 permit udp any x.x.x.x 0.0.0.0 eq domain log
access-list 101 permit tcp any x.x.x.x 0.0.0.0 eq www
access-list 101 permit tcp any x.x.x.x 0.0.0.0 eq pop3 log
access-list 101 permit tcp any x.x.x.x 0.0.0.0 eq www
access-list 101 permit tcp any x.x.x.x 0.0.0.0 eq www
access-list 101 permit tcp any x.x.x.x 0.0.0.0 eq www
access-list 101 permit tcp any x.x.x.x 0.0.0.0 eq
access-list 101 permit tcp any x.x.x.x 0.0.0.0 eq 22 log
access-list 101 permit tcp any x.x.x.x 0.0.0.0 eq smtp log
access-list 101 permit tcp any x.x.x.x 0.0.0.0 eq smtp log
access-list 101 permit tcp any x.x.x.x 0.0.0.0 eq 143 log
access-list 101 permit tcp (host address) 0.0.0.0 x.x.x.x
access-list 101 deny ip any any log

The problem I was running into was I also added an outbound access-list 102 to filter some outbound traffic and allow the rest - but I did NOT add the permit any any at the end of the list. So from inside looking out I could not touch anything.

Bottom line: the inbound access-list was working fine; it was the outbound list that was causing the problem.

YEAH!!!!! Very good learning experience for me - one I will NEVER forget!
 