
ACL problem


GeneralDzur (Technical User, joined Jan 10, 2005)
Hey, me again. About to apply this ACL. Would this block internet traffic? The xx.xx.195.242 /29 is the router's internet-facing interface. ACLs are applied before NAT is performed, right? Upgrading to a PIX firewall is not an option as the router does not have any internal flash memory.

- stephan



access-list 102 remark ***Perimeter inbound (e1/0 in)***

access-list 102 deny ip 10.0.0.0 0.255.255.255 any
access-list 102 deny ip 172.16.0.0 0.15.255.255 any
access-list 102 deny ip 169.254.0.0 0.0.255.255 any
access-list 102 deny ip 192.168.0.0 0.0.255.255 any
access-list 102 deny udp any any range 135 139
access-list 102 deny tcp any any range 135 139
access-list 102 deny tcp any any range 8000 8001
access-list 102 deny tcp any any eq telnet
access-list 102 deny icmp any any

! IOS takes an address plus a wildcard mask here, not a /29 prefix; these two
! lines match the single host. For the whole /29 the form would be
! xx.xx.195.240 0.0.0.7 (network address of the block that contains .242).
access-list 102 permit tcp any xx.xx.195.242 0.0.0.0
access-list 102 permit udp any xx.xx.195.242 0.0.0.0

access-list 102 permit tcp any any range 1024 4000 established


access-list 102 permit tcp any any eq 80
access-list 102 permit tcp any any eq 443
access-list 102 permit tcp any any eq 995
access-list 102 permit udp any any eq 995
access-list 102 permit tcp any any eq 554
access-list 102 permit udp any any eq 554
access-list 102 permit udp any any eq 7336
access-list 102 permit udp any any eq 34781
access-list 102 permit tcp any any eq 53
access-list 102 permit udp any any eq 53
access-list 102 permit udp any any eq 370
access-list 102 permit tcp any any eq 110
access-list 102 permit udp any any eq 110
access-list 102 permit tcp any any eq 25
access-list 102 permit tcp any any range 20 21
access-list 102 permit udp any any eq 20
access-list 102 permit tcp any any eq 23 established
access-list 102 permit tcp any any eq 522
access-list 102 permit udp any any range 5004 5005
access-list 102 permit tcp any any range 8002 8003
access-list 102 permit tcp any any eq 8080
access-list 102 permit tcp any any eq 143
access-list 102 permit udp any any eq 143
access-list 102 permit tcp any any eq 194
access-list 102 permit udp any any eq 194
access-list 102 permit tcp any any eq 363
access-list 102 permit udp any any eq 363
access-list 102 permit tcp any any eq 389
access-list 102 permit tcp any any eq 537

! implicit deny ip any any
 
access-list 102 deny ip 10.0.0.0 0.255.255.255 any
access-list 102 deny ip 172.16.0.0 0.15.255.255 any
access-list 102 deny ip 169.254.0.0 0.0.255.255 any
access-list 102 deny ip 192.168.0.0 0.0.255.255 any

Are these the local LANs? If so, then no traffic from them will be passed through the router, and as you have declared,

access-list 102 - Perimeter inbound (e1/0 in)
what is the address of this int?

Other than applying the access-list to the Internet-facing int, the rest would do as you have specified.
 
Those are IANA reserved IP addresses. That list would be applied to e1/0 in (the 'net-facing interface), so obviously we wouldn't want any spoofed internal IPs coming in.

the address of the perimeter inbound is xx.xx.195.242

- stephan
 
Emmm, I think you're getting a bit mixed up. Yes, I know they're IANA reserved addresses; these are usually the local LANs which get NATed as they go through the router to the big bad world.
But the access list you are going to apply will block any of these addresses from entering that interface. Now, if this is the interface that the router sits on the LAN with, then when this access list is applied the only way that you will be able to access the router is by console port.

What is the IP address of your PC on the LAN? i.e. the one you use to access the router.

To block spoofed addresses from the LAN, simply declare no ip directed-broadcast.

sample config:

interface Ethernet0
 description Cisco Ethernet RTP
 ip address 195.95.95.1 255.255.255.0
 no ip directed-broadcast
 !--- Apply the access list to allow all legitimate traffic
 !--- from inside network but prevent spoofing.
 ! (ip access-group belongs under the interface, not after the closing "!")
 ip access-group 101 in
!
access-list 101 permit tcp 195.95.95.0 0.0.0.255 any
access-list 101 permit udp 195.95.95.0 0.0.0.255 any
access-list 101 permit icmp 195.95.95.0 0.0.0.255 any
access-list 101 deny ip any any

As you see, you have a deny instead of a permit.



Bob

CCNP, CCSE, MSCE
 
PS: even if you are not using an RFC1918 address, your access-list is missing the local LAN allow.
 
I ended up getting it working. I'll post a copy of the two ACLs applied to fa0/0 (LAN) inbound and e1/0 (Net) inbound.

- stephan

access-list 102 remark ***Perimeter Inbound***
access-list 102 deny ip 10.0.0.0 0.255.255.255 any
access-list 102 deny ip 172.16.0.0 0.15.255.255 any
access-list 102 deny ip 169.254.0.0 0.0.255.255 any
access-list 102 deny ip 192.168.0.0 0.0.255.255 any
access-list 102 deny udp any any range 135 139
access-list 102 deny tcp any any range 135 139
access-list 102 deny tcp any any range 8000 8001
access-list 102 deny tcp any any eq telnet
access-list 102 deny icmp any any
access-list 102 permit tcp any xx.xx.195.242 0.0.0.0
access-list 102 permit udp any xx.xx.195.242 0.0.0.0
access-list 102 permit ip any any
!
access-list 101 remark ***Outbound Requests***
access-list 101 deny ip any 66.115.191.225 0.0.0.0
access-list 101 deny ip any 69.42.77.102 0.0.0.255
access-list 101 deny ip any 66.203.115.26 0.0.0.0
access-list 101 deny ip any 207.188.7.200 0.0.0.0
access-list 101 deny ip any 203.123.13.72 0.0.0.255
access-list 101 deny ip any 66.250.188.23 0.0.0.0
access-list 101 deny ip any 63.250.215.0 0.0.0.255
access-list 101 deny ip any 205.188.234.0 0.0.0.255
access-list 101 deny ip any 63.251.52.75 0.0.0.255
access-list 101 deny ip any 216.130.180.165 0.0.0.0
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 169.254.0.0 0.0.255.255 any
access-list 101 permit ip 192.168.7.0 0.0.0.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 permit ip any any
 