Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations bkrike on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Blocking only incoming traffic

Status
Not open for further replies.
supergino

supergino

Technical User
Apr 16, 2005
48
CA
Hey Guys, I'm kinda stuck on how to allow all outgoing traffic and block incoming traffic to my network (except for SMTP, FTP and other protocol specific traffic). I tried using this access list but if I omit the last part, no traffic passes except my protocol specific traffic.

heres my access list Im using....


Building configuration...

Current configuration : 2405 bytes
!
version 12.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname internet
!
logging queue-limit 100
enable secret 5 $1$DnXI$WelTSjtYJg6cj2HJDzTot1
!
ip subnet-zero
!
!
ip domain lookup source-interface Dialer1
ip domain name testdomain.net
ip name-server xx.xx.xx.xx
!
ip audit notify log
ip audit po max-events 100
vpdn enable

vpdn-group Internet
accept-dialin
protocol pppoe
virtual-template 1
!
vpdn-group pppoe
!
!
!
!
!
!
!
!
!
!
!
!
!
no voice hpi capture buffer
no voice hpi capture destination
!
mta receive maximum-recipients 0
!
!
!
!
interface Ethernet0/0
ip address 192.168.1.1 255.255.255.0
ip nat inside
half-duplex
!
interface Serial0/0
no ip address
shutdown
!
interface Ethernet0/1
no ip address
no ip route-cache
no ip mroute-cache
half-duplex
pppoe enable
pppoe-client dial-pool-number 1
!
ip address negotiated
ip access-group internet in
ip mtu 1495
ip nat outside
encapsulation ppp
no ip route-cache
no ip mroute-cache
dialer pool 1
dialer idle-timeout 2147483
dialer-group 1
no cdp enable
ppp authentication pap callin
ppp pap sent-username XXXXXXX password 0 XXXXXXX
!
ip nat inside source list 1 interface Dialer1 overload
ip nat inside source static tcp 192.168.1.254 21 interface Dialer1 21
ip nat inside source static tcp 192.168.1.254 443 interface Dialer1 443
ip nat inside source static tcp 192.168.1.254 80 interface Dialer1 80
ip nat inside source static tcp 192.168.1.254 25 interface Dialer1 25
ip nat inside source static tcp 192.168.1.254 3389 interface Dialer1 3389
ip nat inside source static tcp 192.168.1.254 6881 interface Dialer1 6881
ip nat inside source static udp 192.168.1.254 6881 interface Dialer1 6881
ip http server
no ip http secure-server
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
!
ip dns server
!
!
ip access-list extended internet
permit tcp any host 192.168.1.254 eq smtp
permit tcp any host 192.168.1.254 eq www
permit tcp any host 192.168.1.254 eq 443
permit tcp any host 192.168.1.254 eq ftp
permit ip any any
!
access-list 1 permit 192.168.1.0 0.0.0.255
dialer-list 1 protocol ip permit
!
call rsvp-sync
!
mgcp profile default
!
dial-peer cor custom
!
!
!
!
!
line con 0
password XXXXXXX
login
line aux 0
line vty 0 4
password XXXXXXX
login
!
!
end

Thanks in advance.

SG
 
Sort by date Sort by votes
Ok, I think I've figured it out, at least partly.

Your access-list 'Internet' is applied INBOUND to your Internet-Facing interface, correct?

Problem - the outside world can't see your internal IP addresses, such as 192.168.1.254. Remember, ACL's are evaluated BEFORE NAT. This means that your ACL will check the packets for a destination of 192.168.1.254, which doesn't exist. It only exists AFTER NAT is applied.

Solution: This means, I think, that you need to say:

permit tcp any [Public IP address] eq ftp

If you don't have a static IP address (I see it says "IP negotiated" on your e0/1 interface) I'm not sure how you could work around this. The only thing I could think of is using

permit tcp any host [RouterName] eq ftp

But I'm not sure that would work either, unless your router was publicly registered with that DNS name(?) Just randomly guessing here. Not sure if that's possible.


One final thought:
----------------------------
We've setup our router to only allow traffic IN from certain ports, and we're using Dynamic NAT (no static entries like you). Here's an example line:

permit tcp any eq 80 [routers public IP] 0.0.0.0 gt 1023

The logic is as follows:

'permit any TCP traffic coming from Port 80 and going to the router's Public IP on any port greater than 1023.' 1023 and above are the ports used by dynamic NAT.

Webservers ORIGINATE their traffic on port 80. The traffic's source port is 80, but it's DESTINATION port is completely random - it's based on whatever port your router chose for that connection. Hence the packet will resemble this:

Source: 1.1.1.1:80
Destination: 2.2.2.2:[random port above 1023]

I hope that helps, and I apologize if you already knew all that.

- stephan
 
Upvote 0 Downvote
Hey Stephan, thanks alot...should have thought of that because youre right! Its looking at it before the nat and the ACL is not looking at those rules.
My IP is static so I wont run into that issue but I will do that. Let you know how it turns out.

Thanks very much for your response.

Steve
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

Willi DB
  • Locked
  • Question
Polycom410 Forward an incoming call
Replies
0
Views
244
Willi DB
Willi DB
quazimotto
  • Locked
  • Question
Cisco ASA_5505 VPN to Juniper_SRX210 VPN IS UP_ No Traffic!!!!!!
Replies
0
Views
258
quazimotto
quazimotto
steel_bender
  • Locked
  • Question
Allow HTTPS TCP Traffic through ASA5525
Replies
1
Views
294
Mogles49
Mogles49
acabezas2014
  • Locked
  • Question
Need to create QoS for SNMP and Radius traffic on Cisco 4948 Switches
Replies
0
Views
245
acabezas2014
acabezas2014
rejackson
  • Locked
  • Question
Traffic shaping - how much memory is required
Replies
0
Views
179
rejackson
rejackson

Part and Inventory Search

Sponsor

Back
Top