
Access-List issues


MagnumVP
OK, here is what I currently have as the router configuration.

(All personal Public IP's have been changed to 1.1.1.1)

Building configuration...

Current configuration:
!
version 12.0
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Router
!
enable secret 5 $1$SnEf$7OWjg84jnf9OoMWLKQKX1
!
!
!
!
!
ip subnet-zero
!
ip audit notify log
ip audit po max-events 100
!
!
!
interface FastEthernet0/0
description connected to Production
ip address 172.16.64.1 255.255.224.0
no ip directed-broadcast
ip nat inside
duplex auto
speed auto
!
interface Serial0/0
description connected to Internet
ip address 1.1.1.1 255.255.255.224
ip access-group 104 in
no ip directed-broadcast
ip nat outside
no ip mroute-cache
!
interface FastEthernet0/1
description connected to Classroom
ip address 172.16.96.1 255.255.255.0
ip access-group 101 in
no ip directed-broadcast
ip nat inside
duplex auto
speed auto
!
interface Ethernet1/0
description connected to DMZ
ip address 172.16.128.1 255.255.255.0
no ip directed-broadcast
ip nat inside
!
ip nat pool Router-natpool-1 1.1.1.2 1.1.1.30 netmask 255.255.255.224
ip nat inside source list 1 pool Router-natpool-1 overload
ip nat inside source static 172.16.64.250 1.1.1.15
ip nat inside source static 172.16.64.200 1.1.1.20
ip nat inside source static 172.16.128.2 1.1.1.6
ip nat inside source static 172.16.128.6 1.1.1.8
ip nat inside source static 172.16.128.3 1.1.1.4
ip nat inside source static 172.16.128.4 1.1.1.7
ip nat inside source static 172.16.64.100 1.1.1.25
no ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/0
no ip http server
!
access-list 1 permit 172.16.96.0 0.0.0.255
access-list 1 permit 172.16.128.0 0.0.0.255
access-list 1 permit 172.16.64.0 0.0.31.255
access-list 101 permit tcp any host 172.16.96.1 eq telnet
access-list 101 permit tcp any any eq www
access-list 101 permit tcp any any eq 3389
snmp-server engineID local 000000090200003094F73F40
snmp-server community public RO
!
line con 0
exec-timeout 0 0
password ??????
login
transport input none
line aux 0
password ??????
login
line vty 0 4
password ??????
login
!
no scheduler allocate
end


Here is what I am having issues with.

I want to implement an access list on the Serial0/0 connection that would prevent traffic from coming into the router, except for TCP ports 25, 110 & 80, which I want to allow to a particular server (172.16.128.2).

I also want to configure the router to send nothing back when an ICMP packet is sent to it.

Here is what I have attempted.

Router(config)#interface serial0/0
Router(config-if)#ip access-group 104 in
Router(config)#access-list 104 permit tcp any host 172.16.128.2 eq 25
Router(config)#access-list 104 permit tcp any host 172.16.128.2 eq 110
Router(config)#access-list 104 permit tcp any host 172.16.128.2 eq 80


When I implement this scenario I can't even access the Internet or ping a remote host from INSIDE the router.

Anything would help

Thanks

MagnumVP
 
It makes perfect sense. When your packet goes out to the Internet, it will return, and if it doesn't match what you have specified in access-list 104, it will be dropped.

Try adding this statement:

access-list 104 permit tcp any any established

This will make it so that any traffic that has left the router will be allowed back in. (established traffic)

Let me know if that works. I'm sure it will.
 
I did what you recommended and it still doesn't work.

Maybe if I attempt to explain it a little better it might help.

I have a Cisco 2621 Router with 4 interfaces.

Serial0/0 (Internet 1.1.1.1 255.255.255.224)
FastE0/0 (Production 172.16.64.1 255.255.255.0)
FastE0/1 (Classroom 172.16.96.1 255.255.255.0)
Ether1/0 (DMZ 172.16.128.1 255.255.255.0)

Serial has numerous mappings to the webserver for Web Site hosting.

172.16.128.3 1.1.1.4
172.16.128.2 1.1.1.6
172.16.128.4 1.1.1.7
172.16.128.6 1.1.1.8


Production is where all the business workstations are located.
Workstations range from 172.16.64.100 to 172.16.64.150
Classroom is where all the student's computers are located.
Workstations range from 172.16.96.100 to 172.16.96.200
DMZ is where the E-mail and Web Server are located.
Email is 172.16.128.2
WebSrv is 172.16.128.3

Here is what I want to do at the Serial Connection.

For everything internal (Production, Classroom and DMZ) I would like to have all ports open. We want to lock down the incoming traffic from the Internet (Serial0/0).

The ports that I want to open are 25, 110, 80 and 3389. I want ports 25 and 110 to be directed to the Email Server (172.16.128.2) and the rest to be open to everyone.

Any help would be appreciated.

Thanks

MagnumVP
 
<config>access-list 104 permit tcp any host 172.16.128.2 eq 80

Your ACL is only letting your server 172.16.128.2 on the DMZ access to port 80.
If you want the other two to have access I would add in a permit statement for your production and classroom branches. Inikis is correct in one part on that command: it will allow all traffic that has been established through. However, that would mean you would have to ping a specific website or use some other method of connection that isn't being blocked to create an established connection state with a specific IP address. The router would have to see an ACK in order to log it as a true established connection. At this point you are sending out to the website just fine, but the response from the port 80 address is getting blocked, so it never gets listed as a valid (or established) connection in your other two areas, so they get dropped.
 
P.S.> The command Inikis told you to use has some drawbacks security-wise. After there has been an established state of connectivity for a specific IP address this command will allow any and all traffic through and pay no attention to any of the other ACL settings. This means if you blocked everything but FTP to website A.B.C.D and you make a connection using FTP, the router has now listed it as having an established connection. Now you can use any form of connectivity to website A.B.C.D. That is of course until it times out (due to lack of use) from the table it is listed in for its established state. But until that occurs the door is open.
 
Forget about my ps..that's with older models. Sorry about that.

 
Thanks for the advice.

What is the easiest way to lock down all BUT 80 and 110 from the Internet?

Every example that I have seen is;
ACL 1?? deny any host A.B.C.D eq <port>.
ACL 1?? permit ip any any

I want to do the reverse. I want to deny all UNLESS I give it PERMIT.

Something like this;

ACL 1?? permit tcp any any eq www
ACL 1?? permit udp any any eq 53

Assign to Internet Interface (Serial):
IP Access-group 1?? in


This should permit only tcp port 80 and udp port 53 from entering the router from the internet interface. I have not established an OUTBOUND connection on the Internet Interface so it should still allow all traffic going out.

Am I incorrect in thinking this should work?

Any thing will help

Thanks

MagnumVP
 
Easiest way to think of this is there is an implicit deny at the end of every ACL (without you doing anything).
For instance, take your interface to the outside. Say you decide you only want ICMP traffic to come through for everyone.

access-list 120 permit ICMP any any

You then apply it to your eth0 interface inbound.
Every packet that comes across interface eth0 from the outside will be examined. If it matches the access-list it is routed, otherwise it is dropped.

So I would say yes, you're correct, it would work.
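Added example, not code from the thread: a small Python model of how IOS evaluates the inbound ACL on Serial0/0, covering both Inikis's `established` suggestion earlier in the thread and the implicit-deny behaviour described in the post above. It parses ACL 104 exactly as posted, plus a hypothetical rewrite of mine, and runs constructed packets through them. Two facts drive the results. First, on the outside interface the inbound ACL is checked before NAT translates the global address to the inside one, so the entries have to name the public side of the `ip nat inside source static` lines (1.1.1.6 for the mail server, 1.1.1.4 for the web server), not 172.16.128.x. Second, `established` is a stateless check on the ACK/RST bits, so an unsolicited ACK from the Internet passes it too, which is the real drawback of that keyword. The pool address 1.1.1.2 and the Internet-side addresses 198.51.100.x and 203.0.113.x are assumptions made for the example.

```python
"""Model of how IOS evaluates a numbered extended ACL such as ACL 104 in this thread.
Added example, not the thread's code.  Covers the syntax used here (any, host, wildcard,
eq PORT, established) with IOS semantics: first match wins, no match means deny, and
'established' is a stateless test for the ACK or RST bit."""
import ipaddress
from dataclasses import dataclass

PORT_NAMES = {"www": 80, "telnet": 23, "smtp": 25, "pop3": 110, "domain": 53}

@dataclass
class Packet:
    proto: str                      # 'tcp', 'udp' or 'icmp'
    src: str
    dst: str
    sport: "int | None" = None
    dport: "int | None" = None
    flags: frozenset = frozenset()  # TCP flags, e.g. frozenset({"SYN"})

@dataclass
class Rule:
    action: str
    proto: str
    src: ipaddress.IPv4Network
    sport: "int | None"
    dst: ipaddress.IPv4Network
    dport: "int | None"
    established: bool
    text: str

    def matches(self, pkt):
        proto_ok = self.proto in ("ip", pkt.proto)
        addr_ok = (ipaddress.IPv4Address(pkt.src) in self.src
                   and ipaddress.IPv4Address(pkt.dst) in self.dst)
        port_ok = self.sport in (None, pkt.sport) and self.dport in (None, pkt.dport)
        # no connection table behind 'established': IOS only checks the ACK/RST bits
        est_ok = not self.established or bool(pkt.flags & {"ACK", "RST"})
        return proto_ok and addr_ok and port_ok and est_ok

def _addr(tokens):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD', then an optional 'eq PORT'."""
    if tokens[0] == "any":
        net, rest = ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    elif tokens[0] == "host":
        net, rest = ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    else:  # wildcard mask: 0 bits must match, so the netmask is its complement
        mask = str(ipaddress.IPv4Address(~int(ipaddress.IPv4Address(tokens[1])) & 0xFFFFFFFF))
        net, rest = ipaddress.ip_network((tokens[0], mask), strict=False), tokens[2:]
    port = None
    if rest and rest[0] == "eq":
        port, rest = PORT_NAMES.get(rest[1]) or int(rest[1]), rest[2:]
    return net, port, rest

def parse_acl(config, number):
    """Return the entries of 'access-list <number> ...' in config order."""
    rules = []
    for line in config.splitlines():
        tok = line.split()
        if tok[:2] != ["access-list", str(number)]:
            continue
        src, sport, rest = _addr(tok[4:])
        dst, dport, rest = _addr(rest)
        rules.append(Rule(tok[2], tok[3], src, sport, dst, dport, "established" in rest, line.strip()))
    return rules

def evaluate(rules, pkt):
    """First matching entry decides; with no match the packet is dropped."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action, rule.text
    return "deny", "implicit deny at end of ACL"

# ACL 104 exactly as posted in the thread, applied 'in' on Serial0/0.
POSTED_ACL = """
access-list 104 permit tcp any host 172.16.128.2 eq 25
access-list 104 permit tcp any host 172.16.128.2 eq 110
access-list 104 permit tcp any host 172.16.128.2 eq 80
"""

# Hypothetical rewrite (mine).  Inbound on the outside interface IOS checks the ACL
# before NAT translates global to local, so entries name the public side of the static
# NAT lines: 1.1.1.6 (mail, 172.16.128.2), 1.1.1.4 (web, 172.16.128.3).  DNS replies
# arrive FROM port 53, so that port test belongs on the source side.
REWRITTEN_ACL = """
access-list 104 permit tcp any any established
access-list 104 permit tcp any host 1.1.1.6 eq smtp
access-list 104 permit tcp any host 1.1.1.6 eq pop3
access-list 104 permit tcp any host 1.1.1.4 eq www
access-list 104 permit udp any eq domain any
"""

# Constructed packets as Serial0/0 sees them, i.e. before NAT (global addresses);
# 1.1.1.2 is the overload pool address, the remote addresses are made up for the example.
PACKETS = {
    "return_web": Packet("tcp", "198.51.100.10", "1.1.1.2", 80, 51515, frozenset({"SYN", "ACK"})),
    "inbound_smtp": Packet("tcp", "203.0.113.5", "1.1.1.6", 40001, 25, frozenset({"SYN"})),
    "dns_reply": Packet("udp", "198.51.100.53", "1.1.1.2", 53, 40002),
    "ack_probe": Packet("tcp", "203.0.113.5", "1.1.1.8", 40003, 3389, frozenset({"ACK"})),
}

def decisions(acl_text):
    rules = parse_acl(acl_text, 104)
    return {name: evaluate(rules, pkt)[0] for name, pkt in PACKETS.items()}
```

Calling `decisions(POSTED_ACL)` gives deny for every packet, including the web reply to the pool address and the SMTP connection aimed at 1.1.1.6, because nothing arriving on Serial0/0 carries a 172.16.128.2 destination yet; `decisions(REWRITTEN_ACL)` permits all four. The `ack_probe` verdict under the rewrite is the stateless `established` hole: a bare ACK to port 3389 on 1.1.1.8 is passed with no connection behind it, which is the gap reflexive ACLs or CBAC (`ip inspect`) exist to close.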
 
By the way, you may want to apply service password-encryption to your router (not that it makes it THAT much more secure, but every little bit helps).

Current configuration:
!
version 12.0
service timestamps debug uptime
service timestamps log uptime
no service password-encryption

 