
ACL blocking all traffic going out!


ohif (IS-IT--Management), Jun 11, 2003
I am trying to set up an ACL that restricts traffic coming into the network through serial 0. I am using a Cisco 1721 router with the IOS firewall feature set. When I implemented the ACL below, it blocked all traffic going out. I could not even ping out of the network. I don't see what is wrong with it. Please help me find the flaws because I am lost. Any other pointers on the ACL would be appreciated also. The IPs and subnet have been changed.

This is exactly how I typed it in....


configure terminal
access-list 101 permit tcp any any eq established
access-list 101 deny ip 92.92.92.0 0.0.0.45 any
access-list 101 permit tcp any 92.92.92.0 0.0.0.45 eq 1494
access-list 101 permit udp any 92.92.92.0 0.0.0.45 eq domain
access-list 101 permit tcp any 92.92.92.0 0.0.0.45 eq www
access-list 101 permit udp any 92.92.92.0 0.0.0.45 eq 443
access-list 101 permit tcp any 92.92.92.0 0.0.0.45 eq smtp
access-list 101 permit udp any 92.92.92.0 0.0.0.45 eq login
access-list 101 permit tcp any 92.92.92.0 0.0.0.45 eq 10000
access-list 101 permit tcp any 92.92.92.0 0.0.0.45 eq bgp
access-list 101 permit tcp any 92.92.92.5 0.0.0.45 eq 110
access-list 101 permit tcp any 92.92.92.5 0.0.0.45 eq 143
access-list 101 permit tcp any 92.92.92.0 0.0.0.45 eq 22
access-list 101 deny ip any any
end

configure terminal
interface serial 0
ip access-group 101 in
end

Thanks for any help!!!
 
First off, what's up with your subnet masks?

Anyway, if you have the firewall feature set, then add some rules (at least generic tcp/udp), take those first two lines out, and do your ACL like this:

ip inspect name MYRULES tcp
ip inspect name MYRULES udp

access-list 101 permit tcp any 92.92.92.0 0.0.0.45 eq 1494
access-list 101 permit udp any 92.92.92.0 0.0.0.45 eq domain
access-list 101 permit tcp any 92.92.92.0 0.0.0.45 eq www
access-list 101 permit udp any 92.92.92.0 0.0.0.45 eq 443
access-list 101 permit tcp any 92.92.92.0 0.0.0.45 eq smtp
access-list 101 permit udp any 92.92.92.0 0.0.0.45 eq login
access-list 101 permit tcp any 92.92.92.0 0.0.0.45 eq 10000
access-list 101 permit tcp any 92.92.92.0 0.0.0.45 eq bgp
access-list 101 permit tcp any 92.92.92.5 0.0.0.45 eq 110
access-list 101 permit tcp any 92.92.92.5 0.0.0.45 eq 143
access-list 101 permit tcp any 92.92.92.0 0.0.0.45 eq 22
access-list 101 deny ip any any


configure terminal
interface serial 0
ip access-group 101 in
ip inspect MYRULES out
end

There will be no need for the established ACL rule because CBAC will take care of that.

Also, I would make the source ports allowed from any all greater than 1023 so that you do not open yourself up to DoS or information theft (i.e. DNS transfers, etc.):

access-list 199 permit udp any gt 1023 92.92.92.0 0.0.0.45 eq domain
I use CBAC and ACLs at our remote sites. Here is a snippet of a config:


version 12.2

service timestamps debug datetime msec
service timestamps log datetime msec
service sequence-numbers

ip inspect udp idle-time 15
ip inspect dns-timeout 7
ip inspect tcp finwait-time 1
ip inspect tcp max-incomplete host 100 block-time 1
ip inspect name FWRULES tcp
ip inspect name FWRULES udp
ip inspect name FWRULES ftp timeout 3600
ip inspect name FWRULES h323 timeout 3600
ip inspect name FWRULES http timeout 3600
ip inspect name FWRULES netshow timeout 3600
ip inspect name FWRULES rcmd timeout 3600
ip inspect name FWRULES realaudio timeout 3600
ip inspect name FWRULES rtsp timeout 3600
ip inspect name FWRULES smtp timeout 3600
ip inspect name FWRULES sqlnet timeout 3600
ip inspect name FWRULES streamworks timeout 3600
ip audit attack action alarm drop reset
ip audit notify log
ip audit po max-events 100
ip audit smtp spam 30
ip audit name IDSTRIGGERS info action alarm
ip audit name IDSTRIGGERS attack action alarm drop reset

interface Ethernet1
!description outside interface
ip address dhcp client-id Ethernet1
ip access-group 166 in
no ip redirects
no ip unreachables
ip accounting access-violations
ip inspect FWRULES out
ip audit IDSTRIGGERS in
!
!
logging facility local4
logging source-interface Ethernet0
logging X.X.X.X

access-list 166 deny udp any any eq netbios-ns
access-list 166 deny ip 224.0.0.0 31.255.255.255 any log
access-list 166 deny ip 127.0.0.0 0.255.255.255 any log
access-list 166 deny ip 10.0.0.0 0.255.255.255 any log
access-list 166 deny ip 192.168.0.0 0.0.255.255 any log
access-list 166 deny ip 172.16.0.0 0.15.255.255 any log
access-list 166 deny ip 192.0.2.0 0.0.0.255 any log
access-list 166 deny ip any any log


CBAC will dynamically create ACL entries to allow for return traffic:

show access-list

Extended IP access list 166
permit tcp host 216.109.125.65 eq X.X.X.X eq 1039 (7 matches)
permit tcp host 66.218.68.246 eq X.X.X.X eq 1060 (9 matches)
deny udp any any eq netbios-ns (3068 matches)
deny ip 224.0.0.0 31.255.255.255 any log
deny ip 127.0.0.0 0.255.255.255 any log
deny ip 10.0.0.0 0.255.255.255 any log
deny ip 192.168.0.0 0.0.255.255 any log
deny ip 172.16.0.0 0.15.255.255 any log
deny ip 192.0.2.0 0.0.0.255 any log
deny ip any any log (543 matches)
Here are some CBAC notes from my web site:

CONFIGURATION

THEORY

P.S. Always put this rule first and DO NOT log the violators, or you will be sorry:
access-list 166 deny udp any any eq netbios-ns
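Added example, written for this page and not code from either poster: a small Python model of the two points the replies make about the original ACL. It evaluates IOS-style extended ACL lines first-match with wildcard masks, treats `established` as the TCP ACK/RST flag test it is on IOS (it is a keyword, not a port name, so the original `permit tcp any any eq established` line is rejected the way IOS rejects it, which leaves only the deny lines in the "as typed" ACL and explains why replies to outbound connections were dropped), expands the 0.0.0.45 wildcard to show which hosts it really covers, checks the `gt 1023` source-port suggestion, and adds a minimal CBAC-style session table that admits return traffic before the static ACL is consulted, the way the dynamic entries in the `show access-list` output above do. The inside host 92.92.92.1, the outside server 203.0.113.10 and every packet are constructed; the ACL used in the demo is a four-line subset of the original post's list; the CBAC model ignores timeouts and per-protocol inspection.

```python
"""IOS first-match ACL evaluation and a CBAC-style session table, modelled in Python (added example)."""
import ipaddress
from collections import namedtuple

PORT_NAMES = {"domain": 53, "www": 80, "smtp": 25, "bgp": 179, "login": 513, "netbios-ns": 137}
Packet = namedtuple("Packet", "proto src sport dst dport ack", defaults=(False,))  # ack: TCP ACK/RST set

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard: a 1 bit means 'don't care'; the bits need not be contiguous."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)

def hosts_matched(base: str, wildcard: str) -> set:
    """Last-octet values covered by base/wildcard when the wildcard only touches that octet."""
    net = base.rsplit(".", 1)[0]
    return {i for i in range(256) if wildcard_match(f"{net}.{i}", base, wildcard)}

def _addr(t, i):
    """'any' | 'host A' | 'A W' at t[i] -> (base, wildcard, next index)."""
    if t[i] == "any":
        return "0.0.0.0", "255.255.255.255", i + 1
    if t[i] == "host":
        return t[i + 1], "0.0.0.0", i + 2
    return t[i], t[i + 1], i + 2

def _ports(t, i):
    """Optional 'eq N' / 'gt N' at t[i] -> (port predicate, next index)."""
    if i < len(t) and t[i] in ("eq", "gt"):
        op, name = t[i], t[i + 1]
        if name == "established":  # a TCP flag test, not a port: IOS rejects 'eq established'
            raise ValueError("'established' is a keyword, not a port; write it without 'eq'")
        n = PORT_NAMES.get(name) or int(name)
        return ((lambda p: p == n) if op == "eq" else (lambda p: p > n)), i + 2
    return (lambda p: True), i

def parse_ace(line: str) -> dict:
    """access-list N {permit|deny} PROTO SRC [eq|gt P] DST [eq|gt P] [established] [log]"""
    t = line.split()
    src, swc, i = _addr(t, 4)
    sp, i = _ports(t, i)
    dst, dwc, i = _addr(t, i)
    dp, i = _ports(t, i)
    return dict(action=t[2], proto=t[3], src=src, swc=swc, sp=sp, dst=dst, dwc=dwc, dp=dp,
                established="established" in t[i:])

def build_acl(lines):
    """Parse lines in order, keeping the ones IOS would accept; return (acl, rejected)."""
    acl, rejected = [], []
    for line in lines:
        try:
            acl.append(parse_ace(line))
        except ValueError as e:
            rejected.append((line, str(e)))
    return acl, rejected

def acl_permits(acl, pkt) -> bool:
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for a in acl:
        if (a["proto"] in ("ip", pkt.proto)
                and wildcard_match(pkt.src, a["src"], a["swc"]) and wildcard_match(pkt.dst, a["dst"], a["dwc"])
                and a["sp"](pkt.sport) and a["dp"](pkt.dport) and (pkt.ack or not a["established"])):
            return a["action"] == "permit"
    return False

class Inspector:
    """Minimal CBAC: outbound tcp/udp opens a session; its reply is admitted before the static ACL (no timeouts)."""
    def __init__(self):
        self.sessions = set()
    def outbound(self, pkt):
        if pkt.proto in ("tcp", "udp"):
            self.sessions.add((pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport))
    def inbound_permits(self, pkt, acl) -> bool:
        if (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport) in self.sessions:
            return True  # the dynamic 'permit tcp host ... eq ...' entry seen in show access-list
        return acl_permits(acl, pkt)

def demo() -> dict:
    inside, outside = "92.92.92.1", "203.0.113.10"  # constructed: inside host, outside web server
    reply = Packet("tcp", outside, 80, inside, 1039, ack=True)  # server's SYN/ACK back to our client
    as_typed = ["access-list 101 permit tcp any any eq established",
                "access-list 101 deny ip 92.92.92.0 0.0.0.45 any",
                "access-list 101 permit tcp any 92.92.92.0 0.0.0.45 eq www",
                "access-list 101 deny ip any any"]
    typed_acl, rejected = build_acl(as_typed)
    fixed_acl, _ = build_acl(["access-list 101 permit tcp any any established"] + as_typed[1:])
    deny_all, _ = build_acl(["access-list 166 deny ip any any log"])
    plain_dns, _ = build_acl(["access-list 101 permit udp any 92.92.92.0 0.0.0.45 eq domain"])
    gt_dns, _ = build_acl(["access-list 101 permit udp any gt 1023 92.92.92.0 0.0.0.45 eq domain"])
    dns_from_53 = Packet("udp", outside, 53, inside, 53)  # a query whose source port is also 53
    cbac = Inspector()
    cbac.outbound(Packet("tcp", inside, 1039, outside, 80))  # the request that left via serial 0
    return {
        "rejected_lines": len(rejected),
        "reply_as_typed": acl_permits(typed_acl, reply),
        "reply_with_established": acl_permits(fixed_acl, reply),
        "reply_with_cbac": cbac.inbound_permits(reply, deny_all),
        "unsolicited_with_cbac": cbac.inbound_permits(Packet("tcp", outside, 4444, inside, 1039, True), deny_all),
        "hosts_45": sorted(hosts_matched("92.92.92.0", "0.0.0.45")),
        "same_set_from_5": hosts_matched("92.92.92.5", "0.0.0.45") == hosts_matched("92.92.92.0", "0.0.0.45"),
        "dns_from_53_plain": acl_permits(plain_dns, dns_from_53),
        "dns_from_53_gt1023": acl_permits(gt_dns, dns_from_53),
    }

if __name__ == "__main__": print(demo())
```

Running `demo()` shows the "as typed" ACL losing its first line and then denying the web server's reply (the symptom in the original question), the same reply passing once the line is written as `permit tcp any any established` or once a CBAC session exists, an unsolicited inbound packet from another port still hitting the deny even with CBAC, the query sourced from port 53 passing the plain `eq domain` line but not the `gt 1023` one, and `92.92.92.0 0.0.0.45` matching the sixteen last-octet values 0, 1, 4, 5, 8, 9, 12, 13, 32, 33, 36, 37, 40, 41, 44, 45 rather than a contiguous block, the same set `92.92.92.5 0.0.0.45` matches, since bits 0 and 2 of the base fall inside the wildcard.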