
Cisco 2600 router ACL questions


kaotik

Programmer
Aug 20, 2003
4
US
Hi all,
I've been told to add something to our router at work; only problem is I don't have a good understanding of ACL syntax. I understand its principles and concept, but I would just like someone to see if it's correct.

This is what I have entered into the router and it works fine, blocking access to ports on certain machines.

access-list 104 permit ip 192.168.1.0 0.0.0.255 any
access-list 104 permit tcp any XXX.XXX.XXX.0 0.0.0.31 established
access-list 104 permit tcp any host XXX.XXX.XXX.2 eq smtp
access-list 104 permit tcp any host XXX.XXX.XXX.2 eq ident
access-list 104 permit tcp any host XXX.XXX.XXX.2 eq pop3
access-list 104 permit tcp any host XXX.XXX.XXX.7 eq 7000
access-list 104 permit tcp any host XXX.XXX.XXX.7 eq 7001
access-list 104 permit tcp any host XXX.XXX.XXX.10 eq www
access-list 104 permit tcp any host XXX.XXX.XXX.10 eq ftp
access-list 104 permit tcp any host XXX.XXX.XXX.10 eq 1494
access-list 104 permit tcp any host XXX.XXX.XXX.10 eq 1604
access-list 104 permit tcp any host XXX.XXX.XXX.11 eq www
access-list 104 permit tcp any host XXX.XXX.XXX.11 eq 1494
access-list 104 permit tcp any host XXX.XXX.XXX.11 eq 1604
access-list 104 permit tcp any host XXX.XXX.XXX.13 eq www
access-list 104 permit tcp any host XXX.XXX.XXX.14 eq 300
access-list 104 permit tcp any host XXX.XXX.XXX.14 eq 360
access-list 104 permit tcp any host XXX.XXX.XXX.15 eq www
access-list 104 permit tcp any host XXX.XXX.XXX.15 eq smtp
access-list 104 permit tcp any host XXX.XXX.XXX.16 eq 22
access-list 104 permit tcp any host XXX.XXX.XXX.19 eq 300
access-list 104 permit ip any host XXX.XXX.XXX.20
access-list 104 permit tcp any host XXX.XXX.XXX.23 eq www
access-list 104 permit tcp any host XXX.XXX.XXX.23 eq 5800
access-list 104 permit tcp any host XXX.XXX.XXX.23 eq 5900
access-list 104 permit tcp any host XXX.XXX.XXX.24 eq www
access-list 104 permit tcp any host XXX.XXX.XXX.27 eq www
access-list 104 permit tcp any host XXX.XXX.XXX.28 eq www
access-list 104 permit tcp any host XXX.XXX.XXX.28 eq 90
access-list 104 permit ip any host XXX.XXX.XXX.30
access-list 104 permit udp XXX.XXX.XXX.0 0.0.0.15 any
access-list 104 permit icmp any any
access-list 104 deny ip any any log

Now I have been told to add the following to this list,

access-list 104 deny icmp any any echo
access-list 104 deny tcp any any eq 135
access-list 104 deny tcp any any eq 69
access-list 104 permit ip any any

Problem is, I have no idea what the top and bottom rows mean, "any any echo" and "permit ip any any"; I thought I denied all incoming IP traffic.

Someone just take a stab at this one; any info would probably get me started in the right direction. Possibly give me a rundown of what this list is saying, in English if possible.
 
When configuring access-lists, you cannot add new lines to an existing access-list, as the new lines are appended to the end of the list. So what you need to do is:

1. Copy the access-list into Notepad (or a file).
2. Erase the access-list (no access-list <number>).
3. Recreate the new access-list by adding all the explicit permit/deny statements on the top and a permit all at the bottom.
4. Copy the new edited access-list back into the router.
5. Give a write mem to save the configs.

Your acl after editing should look like this.

access-list 104 permit ip 192.168.1.0 0.0.0.255 any
access-list 104 permit tcp any XXX.XXX.XXX.0 0.0.0.31 established
access-list 104 permit tcp any host XXX.XXX.XXX.2 eq smtp
access-list 104 permit tcp any host XXX.XXX.XXX.2 eq ident
access-list 104 permit tcp any host XXX.XXX.XXX.2 eq pop3
access-list 104 permit tcp any host XXX.XXX.XXX.7 eq 7000
access-list 104 permit tcp any host XXX.XXX.XXX.7 eq 7001
access-list 104 permit tcp any host XXX.XXX.XXX.10 eq www
access-list 104 permit tcp any host XXX.XXX.XXX.10 eq ftp
access-list 104 permit tcp any host XXX.XXX.XXX.10 eq 1494
access-list 104 permit tcp any host XXX.XXX.XXX.10 eq 1604
access-list 104 permit tcp any host XXX.XXX.XXX.11 eq www
access-list 104 permit tcp any host XXX.XXX.XXX.11 eq 1494
access-list 104 permit tcp any host XXX.XXX.XXX.11 eq 1604
access-list 104 permit tcp any host XXX.XXX.XXX.13 eq www
access-list 104 permit tcp any host XXX.XXX.XXX.14 eq 300
access-list 104 permit tcp any host XXX.XXX.XXX.14 eq 360
access-list 104 permit tcp any host XXX.XXX.XXX.15 eq www
access-list 104 permit tcp any host XXX.XXX.XXX.15 eq smtp
access-list 104 permit tcp any host XXX.XXX.XXX.16 eq 22
access-list 104 permit tcp any host XXX.XXX.XXX.19 eq 300
access-list 104 permit ip any host XXX.XXX.XXX.20
access-list 104 permit tcp any host XXX.XXX.XXX.23 eq www
access-list 104 permit tcp any host XXX.XXX.XXX.23 eq 5800
access-list 104 permit tcp any host XXX.XXX.XXX.23 eq 5900
access-list 104 permit tcp any host XXX.XXX.XXX.24 eq www
access-list 104 permit tcp any host XXX.XXX.XXX.27 eq www
access-list 104 permit tcp any host XXX.XXX.XXX.28 eq www
access-list 104 permit tcp any host XXX.XXX.XXX.28 eq 90
access-list 104 permit ip any host XXX.XXX.XXX.30
access-list 104 permit udp XXX.XXX.XXX.0 0.0.0.15 any
access-list 104 permit icmp any any
access-list 104 deny tcp any any eq 135
access-list 104 deny tcp any any eq 69
access-list 104 deny ip any any log

You were probably asked to add the last four lines because of the recent MSBlast worm attacks.

Hope that helps.

Sankar Nair
General Datatech l.p.
 
Sankar,
Thank you for the info. I knew to replace the list; I just did not know where to put the extra 4 lines. Thank you for clarifying the placement.
 
Hi, another remark (I hope I am right).

I have been taking a look at the ACL and the changes you need to do. I think that the new line:

access-list 104 deny icmp any any echo

Should be placed BEFORE this one:

access-list 104 permit icmp any any

Because when the router is checking an access-list, at the first match it does not look any further.

Please anybody let me know if I am right.

D.
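The first-match behaviour both replies rely on (the rebuilt list in Sankar's post and D.'s question about where `deny icmp any any echo` must sit relative to `permit icmp any any`), as an added example that is not part of the thread: a small Python model of IOS extended ACL evaluation run over a constructed stand-in list. Assumptions: 203.0.113.0/27 replaces the masked XXX.XXX.XXX.0 block, and only the keywords used in the thread (`host`, wildcard masks, `eq`, `established`, `echo`, `log`) are handled.

```python
import ipaddress

# IOS port keywords that appear in the thread's list (IOS's own names).
PORTS = {"smtp": 25, "ident": 113, "pop3": 110, "www": 80, "ftp": 21}
def _port(p): return PORTS.get(p) or int(p)

def _addr(tok, i, addr):
    """Match 'any' | 'host A.B.C.D' | 'A.B.C.D WILDCARD' at tok[i]; return (hit, next index)."""
    if tok[i] == "any":
        return True, i + 1
    if tok[i] == "host":
        return addr == ipaddress.IPv4Address(tok[i + 1]), i + 2
    net, wild = (int(ipaddress.IPv4Address(t)) for t in tok[i:i + 2])
    return (int(addr) & ~wild) == (net & ~wild), i + 2  # wildcard 1-bits mean "don't care"

def _hits(tok, pkt):
    """tok = [permit|deny, proto, <src spec>, <dst spec>, options]; source-port operators not handled."""
    if tok[1] != "ip" and tok[1] != pkt["proto"]:
        return False
    src_ok, i = _addr(tok, 2, pkt["src"])
    dst_ok, i = _addr(tok, i, pkt["dst"])
    if not (src_ok and dst_ok):
        return False
    opts = tok[i:]  # eq <port>, established, echo, log
    if "eq" in opts and pkt.get("dport") != _port(opts[opts.index("eq") + 1]):
        return False
    if "established" in opts and not pkt.get("established"):  # ACK/RST set, i.e. reply traffic
        return False
    if "echo" in opts and pkt.get("icmp_type") != 8:  # ICMP type 8 = echo request
        return False
    return True

def evaluate(acl, pkt):
    """First matching line wins: return (action, 0-based line index); no match -> implicit deny."""
    for n, line in enumerate(acl.strip().splitlines()):
        tok = line.split()
        if tok[:1] == ["access-list"] and _hits(tok[2:], pkt):
            return tok[2], n
    return "deny", None

def packet(proto, src, dst, **extra):
    return {"proto": proto, "src": ipaddress.IPv4Address(src), "dst": ipaddress.IPv4Address(dst), **extra}
# Constructed stand-in for the thread's list: 203.0.113.0/27 replaces XXX.XXX.XXX.0.
HEAD = ("access-list 104 permit tcp any 203.0.113.0 0.0.0.31 established\n"
        "access-list 104 permit tcp any host 203.0.113.2 eq smtp\n")
TAIL = "access-list 104 deny tcp any any eq 135\naccess-list 104 deny ip any any log\n"
PERMIT_ICMP, DENY_ECHO = "access-list 104 permit icmp any any\n", "access-list 104 deny icmp any any echo\n"
AS_APPENDED = HEAD + PERMIT_ICMP + DENY_ECHO + TAIL  # 'deny echo' after 'permit icmp': never reached
REORDERED = HEAD + DENY_ECHO + PERMIT_ICMP + TAIL    # 'deny echo' first: echo requests are now blocked
```

With the deny line appended after `permit icmp any any`, an echo request matches the permit first and the deny is never consulted; placing the deny first changes the result, while echo replies still fall through to the permit.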
 