Access Lists and multiple networks

clgtech

MIS
Oct 1, 2003
2
US
***WARNING: Long Post. :) ***

I am looking to tighten up my network. I currently run a 2611 with 4 interfaces: 3 ethernet and 1 serial.

I would like to be able to restrict the access of 1 of the ethernet interfaces (Ethernet1/0).

Ethernet0/0 - Internal Network
Ethernet0/1 - Altiga VPN (which then connect to Internal Network)
Ethernet1/0 - Client Access Network
Serial0/1 - Internet

Ethernet1/0 is a network I added so that our clients can use our supplied PC in the lounge or bring their laptops in and have internet connectivity. I don't want that network to access the main network but I do however want to allow that network to access our e-mail server (located on Ethernet0/0) via ports 510 or 3000 and if possible be able to VPN into our network.

Current Config:
!
version 12.1
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
!
hostname Firewall
!
logging buffered 4096 debugging
enable secret 5 asdf
enable password 7 asdf
!
!
clock timezone EST -5
clock summer-time EDT recurring
ip subnet-zero
no ip source-route
ip cef
no ip finger
no ip domain-lookup
ip domain-name mycompany.com
ip name-server x.x.x.x
!
ip inspect audit-trail
ip inspect tcp idle-time 14400
ip inspect name fwcbac ftp
ip inspect name fwcbac http
ip inspect name fwcbac realaudio
ip inspect name fwcbac smtp
ip inspect name fwcbac tcp
ip inspect name fwcbac udp
!
ip audit notify log
ip audit po max-events 100
!
!
interface Ethernet0/0
description Internal Network
ip address 192.168.1.100 255.255.255.0
ip access-group in
ip nat inside
no cdp enable
ntp broadcast

!
interface Serial0/1
description Internet
ip address x.x.x.33 255.255.255.240
ip access-group fwcbac-in in
ip nat outside
ip inspect fwcbac out
no ip directed-broadcast
encapsulation ppp
no ip mroute-cache
no fair-queue
service-module t1 remote-alarm-enable
!
interface Ethernet0/1
description DMZ for Altiga VPN
ip address 192.168.8.254 255.255.255.0
ip access-group in
ip nat inside
no cdp enable
!
interface Ethernet1/0
description DMZ For Client Access
ip address 192.168.11.1 255.255.255.0
ip access-group in
ip nat inside
no cdp enable
no ip directed-broadcast
!
router rip
version 2
passive-interface Serial0/1
network 192.168.1.0
no auto-summary
!
ip nat pool CLG x.x.x.37 x.x.x.38 netmask 255.255.255.240
ip nat inside source list NAT1 pool CLG overload
ip nat inside source static 192.168.1.95 x.x.x.34
ip nat inside source static 192.168.8.1 x.x.x.35
ip nat inside source static 192.168.1.93 x.x.x.36
ip nat inside source static 192.168.1.2 x.x.x.43
ip nat inside source static 192.168.9.14 x.x.x.44
ip nat inside source static 192.168.1.89 x.x.x.45
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/1
no ip http server
!
!
ip access-list extended NAT1
permit ip host 192.168.1.3 any
permit ip host 192.168.1.4 any
--<alot more addresses>--
permit ip host 192.168.3.105 any
permit ip host 192.168.3.106 any
permit ip host 192.168.3.108 any
permit ip host 192.168.3.110 any
permit ip host 192.168.3.112 any
permit ip host 192.168.3.115 any
permit ip host 192.168.3.116 any
remark ----DMZ For Customer Lounge----
permit ip host 192.168.11.10 any
remark ----Other company----
permit ip host 192.168.9.10 any
permit ip host 192.168.9.11 any
permit ip host 192.168.9.12 any
permit ip host 192.168.9.13 any
!
ip access-list extended fwcbac-in
deny ip host 255.255.255.255 any log-input
deny ip 127.0.0.0 0.255.255.255 any log-input
deny ip 10.0.0.0 0.255.255.255 any log-input
deny ip 172.16.0.0 0.0.255.255 any log-input
deny ip 192.168.0.0 0.0.255.255 any log-input
remark ----Allow some ICMP traffic----
permit icmp any any echo-reply
permit icmp any any packet-too-big
permit icmp any any time-exceeded
permit icmp any any traceroute
permit icmp any any unreachable
permit udp any host x.x.x.43 gt 1023
remark ----Allow Any traffic to DEMO SERVER----
permit icmp any host x.x.x.45 echo
permit icmp any host x.x.x.45 echo-reply
permit icmp any host x.x.x.45 traceroute
permit tcp any host x.x.x.45 eq www
permit tcp any host x.x.x.45 eq smtp
permit tcp any host x.x.x.45 eq ftp
permit tcp any host x.x.x.45 eq ftp-data
remark Allow to FM Pro Server
permit tcp any host x.x.x.36 eq www
remark ----Allow Internet hosts to ping Altiga 3005 VPN Concentrator----
permit icmp any host x.x.x.35 echo
permit icmp any host x.x.x.35 echo-reply
permit icmp any host x.x.x.35 traceroute
remark ----Allow VPN access to the Altiga 3005----
permit esp any host x.x.x.35
permit udp any host x.x.x.35 eq isakmp
permit udp any eq 10000 host x.x.x.35 eq 10000
remark ----Allow selected ports to the mailserver----
permit icmp any host x.x.x.34 echo
permit icmp any host x.x.x.34 echo-reply
permit icmp any host x.x.x.34 traceroute
permit tcp any host x.x.x.34 eq www
permit tcp any host x.x.x.34 eq smtp
permit tcp any host x.x.x.34 eq pop3
permit tcp any host x.x.x.34 eq ftp
permit tcp any host x.x.x.34 eq ftp-data
permit tcp any host x.x.x.34 range 5000 5999
permit tcp any host x.x.x.34 eq 510
permit tcp any host x.x.x.34 eq 3000
permit udp any host x.x.x.34 eq 810
remark ----Allow selected ports for other company----
permit tcp any host x.x.x.44 eq www
permit tcp any host x.x.x.44 eq smtp
permit tcp any host x.x.x.44 eq ftp
permit icmp any host x.x.x.44 echo
permit icmp any host x.x.x.44 echo-reply
permit icmp any host x.x.x.44 traceroute
remark ----Allow NTP from somewhere.com to S0/0 of router----
permit ip host x.x.x.x host x.x.x.33 log-input
deny ip any any log-input
!
ip access-list extended permit tcp any host 192.168.11.10 eq 510
permit tcp any host 192.168.11.10 eq 3000
deny ip any 192.168.11.0 0.0.0.255 log-input
deny ip any host 152.163.180.56 log-input
deny ip any host 161.58.148.4 log-input
deny ip any host 199.172.158.95 log-input
deny ip any host 199.172.158.96 log-input
deny ip any host 199.172.158.97 log-input
deny ip any host 199.172.158.98 log-input
deny ip any host 199.172.158.128 log-input
deny ip any host 199.172.158.160 log-input
deny ip any host 199.172.158.166 log-input
deny ip any host 199.172.158.167 log-input
deny ip any host 205.188.161.249 log-input
deny ip any host 209.145.150.30 log-input
deny ip any host 209.239.37.100 log-input
deny ip any host 210.174.136.51 log-input
deny ip any host 216.133.237.162 log-input
deny ip any host 216.204.75.203 log-input
deny ip any 63.250.208.0 0.0.0.255 log-input
deny ip any 63.250.210.0 0.0.0.255 log-input
deny ip any 64.12.151.0 0.0.0.255 log-input
deny ip any 209.187.174.0 0.0.0.255 log-input
permit ip any any
!
logging history size 16
logging trap debugging
logging facility local5
logging 192.168.1.84
!
access-list 2 permit 192.168.1.2
access-list 2 permit 192.168.1.84
access-list 2 permit 192.168.1.101
no cdp run
!
menu update title 
TFTP config upload
menu update text 1 Upload config to server
menu update command 1 copy running-config tftp:
menu update text 2 Download config from server
menu update command 2 copy tftp: startup-config
menu update text 3 Reboot after upload
menu update command 3 reload
menu update text 4 Exit
menu update command 4 menu-exit
!
snmp-server engineID local 00000009020000B06433E660
snmp-server community snmp RO
snmp-server packetsize 2048
snmp-server location Somewhere
snmp-server contact Frank Rizzo,xxx-xxx-xxx,frankrizzo@mycompany.com
!
banner exec 
#################################################
## ##
## My Company, Inc. ##
## ##
## Unauthorized Access Prohibited ##
## ##
#################################################

!
line con 0
password 7 asdf
login
transport input none
line aux 0
line vty 0 4
access-class 2 in
exec-timeout 30 0
password 7 asdf
login
!
ntp clock-period 17208426
ntp server x.x.x.x
no scheduler allocate
end

----

The client network is connected to the 2611 via a linksys router using 199.168.11.10 and is currently the only device on that network. As it stands it works to block access from that network but I can't get it to allow traffic to my mail server.

Thanks for any advice. Also accepting any other advice to streamline, optimize or clean up my config. :)

Jeff
 
I'm a little confused here. First, is the Linksys router NATing these addresses? In your access list you have allow 192.168.11.10, later you say the Linksys router is address 199.168.11.10. If it's NATing it's not going to work, if it's not NATing, then the only host that's going to get through is 192.168.11.10.

What you need is a rule like:
permit tcp any host x.x.x.x eq 510
permit tcp any host x.x.x.x eq 3000

Where x.x.x.x is the ip address of your mail server. If you want the list to be tighter change the any to a specific range of ip addresses...

At least I think.
 
Thanks for the reply. Sorry for the confusion. I may have provided too much information or not enough...

The line runs like this:

2611 (Ethernet1/0) ------------- LinkSys --------------- USERS
  192.168.11.1                 192.168.11.10

The only device on subnet 192.168.11.0 is the Linksys device. Anyone who accesses that network will do so through the Linksys which was a cheap way for me to get DHCP for that area. The Linksys is actually NATing subnet 192.168.12.0.

Access List is used on all 3 of my Ethernet interfaces. I want to block 192.168.11.0 from accessing the other interfaces except for ports 510 and 3000 to my mail server.

Would I need to add both the linksys and the mail server to the access list? I'll try it with both of them and see what happens.

Thanks.
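An added example, not from the thread or from Cisco, that simulates how the 2611 would evaluate a candidate inbound list on Ethernet1/0 with Cisco first-match and wildcard-mask semantics, using the addresses from the posted config. It assumes the mail server is 192.168.1.95 and the Altiga is 192.168.8.1 (inferred from the static NAT lines for x.x.x.34 and x.x.x.35), and that the list is named client-in; an inbound list on an inside interface sees the internal, pre-NAT addresses, so the mail server's internal address is the destination to match, not x.x.x.34.

```python
import ipaddress

ANY = ("0.0.0.0", "255.255.255.255")          # Cisco "any"

def matches(spec, addr):
    """Wildcard-mask match: bits set to 1 in the wildcard are 'don't care'."""
    net, wild = spec
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(net))
    w = int(ipaddress.IPv4Address(wild))
    return (a & ~w) == (n & ~w)

# Candidate list to apply with "ip access-group client-in in" on Ethernet1/0.
# Entry layout: (action, protocol, source, destination, destination port or None).
# 192.168.1.95 (mail server) and 192.168.8.1 (Altiga) are assumptions, taken
# from the static NAT lines for x.x.x.34 and x.x.x.35 in the posted config.
CLIENT_IN = [
    ("permit", "tcp", ("192.168.11.0", "0.0.0.255"), ("192.168.1.95", "0.0.0.0"), 510),
    ("permit", "tcp", ("192.168.11.0", "0.0.0.255"), ("192.168.1.95", "0.0.0.0"), 3000),
    ("permit", "esp", ("192.168.11.0", "0.0.0.255"), ("192.168.8.1", "0.0.0.0"), None),
    ("permit", "udp", ("192.168.11.0", "0.0.0.255"), ("192.168.8.1", "0.0.0.0"), 500),  # isakmp
    ("deny",   "ip",  ANY, ("192.168.0.0", "0.0.255.255"), None),  # every other internal net
    ("permit", "ip",  ANY, ANY, None),                               # the Internet
]

def evaluate(acl, proto, src, dst, dport=None):
    """First-match evaluation; the implicit 'deny ip any any' is index -1."""
    for i, (action, p, s, d, port) in enumerate(acl):
        if p != "ip" and p != proto:          # "ip" covers every protocol
            continue
        if not (matches(s, src) and matches(d, dst)):
            continue
        if port is not None and port != dport:
            continue
        return action, i
    return "deny", -1

def check_client_policy(acl=CLIENT_IN):
    """Constructed probes from the Linksys WAN address, the only source the
    2611 sees on Ethernet1/0 because the Linksys NATs the hosts behind it."""
    probes = {
        "mail 510":      ("tcp", "192.168.11.10", "192.168.1.95", 510),
        "mail 3000":     ("tcp", "192.168.11.10", "192.168.1.95", 3000),
        "mail smtp":     ("tcp", "192.168.11.10", "192.168.1.95", 25),
        "syslog host":   ("udp", "192.168.11.10", "192.168.1.84", 514),
        "altiga isakmp": ("udp", "192.168.11.10", "192.168.8.1", 500),
        "internet web":  ("tcp", "192.168.11.10", "198.51.100.7", 80),  # TEST-NET-2
    }
    return {name: evaluate(acl, *pkt)[0] for name, pkt in probes.items()}
```

Running check_client_policy on the list with the final "permit ip any any" moved to the top shows every probe permitted: the deny for 192.168.0.0/16 only restricts anything if it comes before the catch-all permit, which is the ordering mistake to look for when a list "doesn't block" or "doesn't allow" what was intended.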
 