acl help on cisco 806

Status
Not open for further replies.

moogeboo

MIS
Aug 7, 2003
28
US
Hi,

I inherited a client's router environment, and on a Cisco 806 router I'm trying to block ports 135-139 on the Exchange 2000 server. However, it doesn't work! Can anyone tell me why? Thanks!

joe

Here's the config:

version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname SF
!
enable secret 5 $1$3vXw$s.fEGf.nZuyjFeHPXmWvB1
!
ip subnet-zero
!
!
!
!
interface Tunnel0
ip address 192.168.20.2 255.255.255.0
tunnel source Ethernet1
tunnel destination 206.133.115.253
!
interface Ethernet0
ip address 192.168.2.1 255.255.255.0
ip access-group 102 in
ip nat inside
no cdp enable
hold-queue 100 out
!
interface Ethernet1
ip address 67.19.111.130 255.255.255.240
ip access-group 102 in
ip access-group 103 out
ip nat outside
no cdp enable
!
ip nat inside source list 1 interface Ethernet1 overload
ip nat inside source static tcp 192.168.2.2 110 interface Ethernet1 110
ip nat inside source static tcp 192.168.2.2 25 interface Ethernet1 25
ip nat inside source static 192.168.2.3 67.19.111.131
ip classless
ip route 0.0.0.0 0.0.0.0 67.19.111.129
ip route 192.168.1.0 255.255.255.0 Tunnel0
ip http server
ip pim bidir-enable
!
!
access-list 1 permit 192.168.2.0 0.0.0.255
access-list 102 deny tcp any host 67.19.111.131 eq 135
access-list 102 deny udp any host 67.19.111.131 eq 135
access-list 102 deny udp any host 67.19.111.131 eq netbios-ss
access-list 102 permit ip any any
access-list 103 permit ip any any

line con 0
exec-timeout 120 0
stopbits 1
line vty 0 4
exec-timeout 0 0
password 7 095F4B08480C471C
login
!
scheduler max-task-time 5000
end
Hi,

When you post a config to the Internet, NEVER leave the password hash intact. Although it looks as if the password is encrypted, there are tools out there to convert that hash back into the plaintext password!!

It is also good practice to change the IP addresses, as now anyone who reads your post knows the Internet IP address of your router and the password to get into it!!

I suggest that the first thing you do is change the passwords. You could also consider using a username and password combination to add a little more complexity. You do this as follows:

username Admin password NewPassword
enable secret NewEnablePassword
! vty 0 4 matches the vty lines present in the posted config
line vty 0 4
no password
login local

To increase security even further you should enable an access-class for telnet connections. This basically restricts the IP addresses that can telnet to your router. Do this as follows:

access-list 2 permit 192.168.2.0 0.0.0.255
access-list 2 permit OtherHosts/Networks
! vty 0 4 matches the vty lines present in the posted config
line vty 0 4
access-class 2 in

Access-list 2 will allow only your internal network (plus other hosts that you specify) to telnet to your router.

As far as your question goes, it seems that your access list should do what you want, from outside the router. It may seem like a silly question, but you aren't trying to connect from INSIDE the router to the Exchange server are you?

You have specified the same access-list as the inbound ACL on both interfaces. This is not what you want to do. The ACLs are processed BEFORE NAT rules are applied. This means that you need to use the external address of your server for E1 inbound ACLs and the internal address for all other ACLs.

As a general rule when creating ACLs, it is better to allow valid traffic and then block everything else; this will give you the best protection against hackers. Something like this:

no access-list 102
! inbound SMTP to the Exchange server's public address is the only new connection allowed
access-list 102 permit tcp any host 67.19.111.131 eq 25
access-list 102 deny tcp any host 67.19.111.131 eq 80
access-list 102 deny tcp any host 67.19.111.131 eq 445
access-list 102 deny udp any host 67.19.111.131 eq 135
access-list 102 deny udp any host 67.19.111.131 range 137 139
access-list 102 deny tcp any host 67.19.111.131 range 137 139
! return traffic for connections initiated from inside
access-list 102 permit tcp any any established
access-list 102 deny ip any any log
! the interface command is "ip access-group", so the removal needs the "ip" keyword too
int Ethernet0
no ip access-group 102 in

This allows incoming connections to the Exchange server on port 25 (SMTP), denies all connections on the other common ports (WWW and NetBIOS), and denies (but logs) all other packets unless they were initiated from inside your network.

If you enable this access-list you will need to watch your Cisco log to see which packets are being denied. There will no doubt be other traffic that you will need to let through. It takes a considerable amount of time and effort to get this right, but it is worthwhile in the long run!

HTH,
Michael.
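As an added illustration (not part of this thread), here is a small Python first-match simulator for the numbered extended ACL syntax used above. It runs both the original ACL 102 and the rewritten one against new inbound connections to the server's public address, which is what the inbound ACL on E1 sees because it is evaluated before NAT; the outside source address 203.0.113.5 is a constructed value.

```python
from ipaddress import ip_address

def _port(tok):  # netbios-ss is the only IOS port keyword used in this thread's ACLs
    return 139 if tok == "netbios-ss" else int(tok)

def _addr(tok):
    """Consume 'any' | 'host A.B.C.D' | 'A.B.C.D WILDCARD'; return ((base, wildcard), remaining tokens)."""
    if tok[0] == "any":
        return (0, 0xFFFFFFFF), tok[1:]
    if tok[0] == "host":
        return (int(ip_address(tok[1])), 0), tok[2:]
    return (int(ip_address(tok[0])), int(ip_address(tok[1]))), tok[2:]

def parse_acl(text):
    """Parse 'access-list N permit|deny PROTO SRC DST [eq P | range A B] [established] [log]' lines."""
    entries = []
    for line in text.strip().splitlines():
        tok = line.split()
        src, rest = _addr(tok[4:])
        dst, rest = _addr(rest)
        lo, hi = 0, 65535                                  # no qualifier means every destination port
        if rest and rest[0] in ("eq", "range"):
            lo, hi = _port(rest[1]), _port(rest[2] if rest[0] == "range" else rest[1])
        entries.append((tok[2], tok[3], src, dst, (lo, hi), "established" in rest))
    return entries

def evaluate(entries, proto, src, dst, dport, established=False):
    """IOS semantics: the first matching entry wins; running off the end is the implicit deny (index None)."""
    hit = lambda addr, spec: ((int(ip_address(addr)) ^ spec[0]) & ~spec[1] & 0xFFFFFFFF) == 0
    for i, (action, p, s, d, (lo, hi), est) in enumerate(entries):
        if p in ("ip", proto) and hit(src, s) and hit(dst, d) and lo <= dport <= hi and (established or not est):
            return action, i
    return "deny", None

# ACL 102 as posted in the question, then as rewritten in the reply
ORIGINAL_ACL = """access-list 102 deny tcp any host 67.19.111.131 eq 135
access-list 102 deny udp any host 67.19.111.131 eq 135
access-list 102 deny udp any host 67.19.111.131 eq netbios-ss
access-list 102 permit ip any any"""
REVISED_ACL = """access-list 102 permit tcp any host 67.19.111.131 eq 25
access-list 102 deny tcp any host 67.19.111.131 eq 80
access-list 102 deny tcp any host 67.19.111.131 eq 445
access-list 102 deny udp any host 67.19.111.131 eq 135
access-list 102 deny udp any host 67.19.111.131 range 137 139
access-list 102 deny tcp any host 67.19.111.131 range 137 139
access-list 102 permit tcp any any established
access-list 102 deny ip any any log"""

def verdicts(acl_text, src="203.0.113.5", dst="67.19.111.131"):
    """Verdict per probe for a new inbound connection from a constructed outside host (TEST-NET-3)."""
    probes = [("tcp", 25), ("tcp", 135), ("tcp", 139), ("udp", 137), ("udp", 138), ("udp", 139)]
    return {f"{p}/{port}": evaluate(parse_acl(acl_text), p, src, dst, port)[0] for p, port in probes}
```

Running `verdicts(ORIGINAL_ACL)` shows that the posted list still permits TCP/139 and UDP/137-138, which is why "ports 135-139" were not all blocked, while `verdicts(REVISED_ACL)` denies everything except SMTP.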