
ACL Question


yemaya

Technical User
Sep 13, 2006
Hi Guys,

I have this ACL in my router and I cannot get to the internet, but if I change this I get internet:
Code:
access-list 101 deny   ip any any
for this:
Code:
access-list 101 permit   ip any any

here is what i have:
Code:
interface Ethernet0/0
 description " WAN "
 ip access-group 101 in



interface Ethernet0/1
 description "LAN"
 ip access-group 100 in


access-list 1 remark *******NAT*******
access-list 1 permit 192.168.1.0 0.0.255.255
access-list 100 remark *******LAN*******
access-list 100 deny   ip host 255.255.255.255 any
access-list 100 deny   ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark *******WAN*******
access-list 101 deny   ip 192.168.1.0 0.0.0.255 any
access-list 101 permit tcp any any eq 1723
access-list 101 permit tcp any any eq 4577
access-list 101 permit udp any any eq 42337
access-list 101 permit gre any any
access-list 101 permit udp any eq bootps any eq bootpc
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any unreachable
access-list 101 deny   ip 0.0.0.0 0.255.255.255 any
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any
access-list 101 deny   ip 169.254.0.0 0.0.255.255 any
access-list 101 deny   ip 172.16.0.0 0.15.255.255 any
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any
access-list 101 deny   ip 224.0.0.0 0.15.255.255 any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 deny   ip host 255.255.255.255 any
access-list 101 deny   ip any any log

Which one do I have to put there, permit or deny? I put permit and went to check my ports and all are closed, but 23 is completely open. This router is running a firewall.

Thanks in advance
 
Well, if you want to deny telnet and allow everything else, the first thing is that ip is layer 3, tcp, udp are layer 4---ip has nothing to do with ports, including 23 (telnet). To deny telnet and permit everything else, an extended acl would be the thing you need, and would look like this...
router(config)#access-list 102 deny tcp any any eq telnet
router(config)#access-list 102 permit tcp any any
Then you would apply the acl inbound to the interface facing the internet...in this example, let's say you use dsl...the interface would be dialer 1...so...
router(config)#int di1
router(config-if)#ip access-group 102 in
like that. If you did in fact need another statement added to acl group 101, you would have to erase the whole acl and start all over. The only way to keep an acl intact is to have what is called a named access-list---if you had this, you could simply add statements and delete statements (with the "no" form of the command). Hope this can help.

Burt
 
Hi burtsbees;

Changing the ACL is not a problem; the thing is, as soon as I enter the inbound (WAN) ACL I lose connection to the internet. Here are the modified ACLs:

Code:
interface Ethernet0/0
 description " WAN "
 ip access-group WAN in

Code:
interface Ethernet0/1
 description "LAN"
 ip access-group LAN in
Code:
!
ip access-list extended LAN
 deny   ip host 255.255.255.255 any
 deny   ip 127.0.0.0 0.255.255.255 any
 permit ip any any
!
ip access-list extended WAN
 permit tcp any any eq 1723 log-input 
 permit tcp any any eq 4577
 permit udp any any eq 42337
 permit gre any any
 permit udp any eq bootps any eq bootpc
 permit icmp any any echo-reply
 permit icmp any any time-exceeded
 permit icmp any any unreachable
 deny icmp any any
 deny ip 0.0.0.0 0.255.255.255 any log-input
 deny ip 10.0.0.0 0.255.255.255 any log-input
 deny ip 127.0.0.0 0.255.255.255 any log-input
 deny ip 169.254.0.0 0.0.255.255 any log-input
 deny ip 172.16.0.0 0.15.255.255 any log-input
 deny ip 192.168.0.0 0.0.255.255 any log-input
 deny ip 224.0.0.0 15.255.255.255 any log-input
 deny ip host 255.255.255.255 any log-input
 deny ip host 0.0.0.0 any log-input
 deny ip 192.168.1.0 0.0.0.255 any log-input
 deny ip any any log-input


 
Looks like you are only permitting tcp on two ports...an implicit "deny tcp/udp/gre/icmp/ip any any" exists at the end of the list, since you have introduced these protocols in the first place.

Burt
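To make Burt's two points concrete (top-down first match, and the implicit deny at the end of every list), here is an added Python evaluator that is not code from this thread: it parses access-list lines in the syntax used above and walks a packet down the list, returning the line that decided its fate. The public addresses 203.0.113.10 and 198.51.100.2 are constructed sample values, and the port-name table is an assumption covering only the keywords that appear in the thread.

```python
import ipaddress
# Port keywords used in this thread's ACLs (assumed mapping; same values IOS uses)
PORT_NAMES = {"telnet": 23, "bootps": 67, "bootpc": 68}

def _addr(tok, i):
    """IOS address spec 'any' | 'host A' | 'A WILDCARD' -> (network, next index)."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    # ipaddress accepts an IOS wildcard (host mask) after the slash
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}", strict=False), i + 2

def _port(tok, i):
    """Optional 'eq PORT' -> (port number or None, next index)."""
    if i < len(tok) and tok[i] == "eq":
        return PORT_NAMES.get(tok[i + 1]) or int(tok[i + 1]), i + 2
    return None, i

def parse_acl(lines):
    """Parse 'access-list N ACTION PROTO SRC [eq p] DST [eq p] [icmp-type] [log]'."""
    rules = []
    for line in lines:
        tok = line.split()
        action, proto = tok[2], tok[3]
        src, i = _addr(tok, 4)
        sport, i = _port(tok, i)
        dst, i = _addr(tok, i)
        dport, i = _port(tok, i)
        rest = [t for t in tok[i:] if t not in ("log", "log-input")]
        icmp_type = rest[0] if proto == "icmp" and rest else None
        rules.append((action, proto, src, sport, dst, dport, icmp_type, line))
    return rules

def evaluate(rules, proto, src, dst, sport=None, dport=None, icmp_type=None):
    """Top-down first match as IOS does; no match falls through to the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, rproto, rsrc, rsport, rdst, rdport, rtype, line in rules:
        if (rproto in ("ip", proto) and s in rsrc and d in rdst
                and rsport in (None, sport) and rdport in (None, dport)
                and rtype in (None, icmp_type)):
            return action, line
    return "deny", "(implicit deny at end of list)"

# Constructed samples: Burt's telnet-blocking list, and a cut-down copy of list 101
ACL_102 = parse_acl(["access-list 102 deny tcp any any eq telnet", "access-list 102 permit tcp any any"])
ACL_101 = parse_acl(["access-list 101 deny   ip 192.168.1.0 0.0.0.255 any",
                     "access-list 101 permit tcp any any eq 1723",
                     "access-list 101 permit icmp any any echo-reply",
                     "access-list 101 deny   ip any any log"])
```

Running the reply half of a web session (tcp from port 80) through ACL_101 shows it reaching the final deny line, which is exactly why the inbound WAN list cuts off internet access; the same packet is permitted by ACL_102, while a udp packet falls off the end of ACL_102 into the implicit deny.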
 
Hi,

What do you suggest I do in this case? I just want to block all the bad things from the internet, and keep intruders away from my internal network.

Thanks.
 
Well, do you have Cisco SDM? It does that for you. If not, you can Google a good firewall config, one that may suit your needs...there are really too many dynamics to go over on the forum...and it depends on the image you have on the router. Firewall configs go beyond the acl's---they involve the "ip inspect" commands, and logging as well, not to mention the incorporation of AAA. When I have a bit of time, perhaps I can give you the config I use, but it will take a day or two...I have 2 boys in diapers...help...me...so...tired...fa..d...i..n..g...lol

Burt
 