
Help! Cisco ACL Wildcard Mask.


seowh (MIS, joined Aug 28, 2003, 5 messages, US)
1st question:
I need to filter out 3 ranges of IPs. Can anybody help with the ACL masks?

65.90.5.1 - 65.90.5.200 (Permit HTTP access)
65.90.5.100 - 65.90.5.200 (Permit FTP access)
65.90.5.201 - 65.90.5.255 (Permit UDP PORT 22 access)

2nd question:
Below is my access list. I apply it to the serial1 interface (T1). Everything seems to work except that PCs within my network 65.90.5.0 are not able to resolve DNS. Does anybody know how to correct my mistake?

Extended IP access list 101
deny ip 65.90.5.0 0.0.0.255 any
permit tcp any any established
deny ip 127.0.0.0 0.255.255.255 any
deny ip 10.0.0.0 0.255.255.255 any
deny ip 172.16.0.0 0.15.255.255 any
deny ip 192.168.0.0 0.0.255.255 any
deny ip any 0.0.0.255 255.255.255.0
deny ip any 0.0.0.0 255.255.255.0
deny ip 255.0.0.0 0.255.255.255 any
deny ip 224.0.0.0 7.255.255.255 any
permit tcp any 65.90.5.0 0.0.0.255 eq www
permit tcp any 65.90.5.0 0.0.0.255 eq 443
permit udp any 65.90.5.0 0.0.0.255 eq 80
permit udp any 65.90.5.0 0.0.0.255 eq 443
permit tcp any host 65.90.5.55 eq smtp
permit tcp any host 65.90.5.5 eq smtp
permit tcp any host 216.140.16.254 eq domain
permit udp any host 216.140.16.254 eq domain
permit tcp any host 216.140.17.254 eq domain
permit udp any host 216.140.17.254 eq domain
permit tcp any host 65.90.5.2 eq domain
permit udp any host 65.90.5.2 eq domain
permit tcp any host 65.90.5.3 eq domain
permit udp any host 65.90.5.3 eq domain
permit tcp any host 65.90.5.4 eq domain
permit udp any host 65.90.5.4 eq domain
permit tcp any host 65.90.5.5 eq domain
permit udp any host 65.90.5.5 eq domain
permit tcp any 65.90.5.0 0.0.0.100 eq ftp-data
permit tcp any 65.90.5.0 0.0.0.100 eq ftp
deny tcp host 216.142.73.246 host 216.142.73.246
deny tcp host 65.90.5.1 host 65.90.5.1
permit icmp any any
permit udp any 65.90.5.0 0.0.0.255 eq 22
permit tcp any host 65.90.5.55 eq 110
permit tcp any host 65.90.5.5 eq 110
deny ip any any log
Extended IP access list 102
permit ip 65.90.5.0 0.0.0.255 any
deny ip any any


I added the following lines to the bottom of access-list 101, and my network 65.90.5.0 can resolve DNS. Are these lines secure?

permit tcp any any eq domain
permit udp any any eq domain
permit udp any any range 1024 5999 (39 matches)
 
Your task seems hard but is not. Please try to go ahead with the FTP and SSH config; let me help you with the HTTP access.

65.90.5.1 - 65.90.5.200 (Permit HTTP access)
Divide it into 3 blocks:
65.90.5.0 - 65.90.5.127, wildcard mask 0.0.0.127
65.90.5.128 - 65.90.5.191, wildcard mask 0.0.0.63
65.90.5.192 - 65.90.5.200, wildcard mask 0.0.0.3

Just follow 2|2 patterns.

BWY
Is your DNS server in a different subnet ? I mean, does your traffic have to cross over the T1 link?
 
In Q1 I came up with 0.0.0.7 for the 3rd entry, not 0.0.0.3

As for Q2, remove the domain entries in the ACL and replace them with

permit tcp any eq domain 65.90.5.0 0.0.0.255
permit udp any eq domain 65.90.5.0 0.0.0.255

The problem is that you send packets to the DNS port, and the replies come from that port; your source port is a (nearly) random one.

I think you'd be better off splitting the ACLs into in and out directions, but try this first and see if it works.

Andy
 
Thanks for the help guys.

Please verify if the access list below is correct.

******Permit http access ip range 0-200 *****
permit tcp any 65.90.5.0 0.0.0.127 eq www
permit tcp any 65.90.5.128 0.0.0.63 eq WWW
permit tcp any 65.90.5.192 0.0.0.7 eq www
Do I need to allow UDP access on 80 for HTTP access?
permit udp any 65.90.5.0 0.0.0.127 eq www
permit udp any 65.90.5.128 0.0.0.63 eq WWW
permit udp any 65.90.5.192 0.0.0.7 eq www


******Permit ftp access ip range 100-200 *****
permit tcp any 65.90.5.100 0.0.0.100 eq ftp-data
permit tcp any 65.90.5.100 0.0.0.100 eq ftp


******Permit udp port 22 access ip range 201-255 *****
permit udp any 65.90.5.201 0.0.0.24 eq 22
 
BWY
Is your DNS server in a different subnet ? I mean, does your traffic have to cross over the T1 link?

Hi BWY,
The 216.140.16.254 and 216.140.17.254 DNS servers are not in my network. They should be removed from my ACLs, right?

My DNS servers are at 65.90.5.2 - 65.90.5.5, which is inside my 65.90.5.0 network.
 
A couple of pointers:

As routerman said, the 3rd block on Q1 is 0.0.0.7; nevertheless, the range covered is 65.90.5.192 to 65.90.5.199. (Remember dividing into consecutive 2^2 blocks.)

Therefore it is as follows:

a) 65.90.5.1 - 65.90.5.200 (Permit HTTP access)
Divide it into 4 blocks:
65.90.5.0 - 65.90.5.127, wildcard mask 0.0.0.127
65.90.5.128 - 65.90.5.191, wildcard mask 0.0.0.63
65.90.5.192 - 65.90.5.199, wildcard mask 0.0.0.7
65.90.5.200, wildcard mask 0.0.0.0

The rest of the blocks are like this. (seowh, remember to use wildcard masks properly: for instance, if your mask is 255.255.255.252 (binary 11111111.11111111.11111111.11111100), turn the bits on and off conversely, so in this case the wildcard mask would be 0.0.0.3, or 0.0.0.00000011.)

b) 65.90.5.100 - 65.90.5.200 (Permit FTP access)
Divide it into 6 blocks:
65.90.5.100 - .103, wildcard mask 0.0.0.3
65.90.5.104 - .111, wildcard mask 0.0.0.7
65.90.5.112 - .127, wildcard mask 0.0.0.15
65.90.5.128 - .191, wildcard mask 0.0.0.63
65.90.5.192 - .199, wildcard mask 0.0.0.7
65.90.5.200, wildcard mask 0.0.0.0

c) 65.90.5.201 - 65.90.5.255 (Permit UDP PORT 22 access)
Divide it into 6 blocks:
65.90.5.201, wildcard mask 0.0.0.0
65.90.5.202, wildcard mask 0.0.0.0
65.90.5.203, wildcard mask 0.0.0.0
65.90.5.204 - .207, wildcard mask 0.0.0.3
65.90.5.208 - .223, wildcard mask 0.0.0.15
65.90.5.224 - .255, wildcard mask 0.0.0.31

Q2

** How is your ACL being applied on the T1 link? (inbound or outbound)
** Remember that the fixed ports (www, ftp, etc.) are DESTINATION ports. This means that, if applied as "ip access-group 101 out", your ACL should look like this:
permit tcp 65.90.5.X 0.0.0.XX any eq www
This line allows traffic coming from your network (65.90.5.X) to access outside HTTP servers.

Let me know if you still need help.

cheers,
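The block-splitting method described above, as an added example written for this thread and not posted by any participant: the Python below computes the aligned power-of-two blocks for the three ranges, converts a subnet mask to its wildcard, and shows which last octets an entry such as "65.90.5.0 0.0.0.100" or "65.90.5.201 0.0.0.24" really matches inside 65.90.5.0/24. It generalises the hand method to any range, so for .201-.255 it merges .202 and .203 into one block with wildcard 0.0.0.1.

```python
import ipaddress
from typing import List, Tuple

NET = "65.90.5.0/24"  # the thread's network; used only to enumerate candidate hosts


def to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def to_str(value: int) -> str:
    return str(ipaddress.IPv4Address(value))


def mask_to_wildcard(mask: str) -> str:
    """A Cisco wildcard mask is the bitwise inverse of the subnet mask:
    255.255.255.252 (...11111100) -> 0.0.0.3 (...00000011)."""
    return to_str(to_int(mask) ^ 0xFFFFFFFF)


def range_to_wildcards(first: str, last: str) -> List[Tuple[str, str]]:
    """Cover first..last (inclusive) with the fewest aligned power-of-two blocks,
    returned as (address, wildcard) pairs ready for an ACL line. Greedy: at each
    step take the largest block that starts aligned at the current address and
    does not run past 'last'."""
    lo, hi = to_int(first), to_int(last)
    blocks = []
    while lo <= hi:
        size = 1
        while lo % (size * 2) == 0 and lo + size * 2 - 1 <= hi:
            size *= 2
        blocks.append((to_str(lo), to_str(size - 1)))
        lo += size
    return blocks


def acl_matches(address: str, base: str, wildcard: str) -> bool:
    """An entry matches when every bit that is 0 in the wildcard is equal in the
    packet address and the entry's base address; wildcard 1 bits are ignored."""
    care = ~to_int(wildcard)
    return (to_int(address) & care) == (to_int(base) & care)


def matched_last_octets(base: str, wildcard: str, network: str = NET) -> List[int]:
    """Last octets inside 'network' that 'base wildcard' really matches. Shows that
    a non-contiguous wildcard like 0.0.0.100 does not mean 'hosts .0 to .100'."""
    return [int(h) & 0xFF for h in ipaddress.ip_network(network)
            if acl_matches(str(h), base, wildcard)]


if __name__ == "__main__":
    for lo, hi in (("65.90.5.0", "65.90.5.200"), ("65.90.5.100", "65.90.5.200"),
                   ("65.90.5.201", "65.90.5.255")):
        print(lo, "-", hi)
        for addr, wc in range_to_wildcards(lo, hi):
            print("  permit tcp any", addr, wc, "eq www")
    print("65.90.5.0 0.0.0.100 matches", matched_last_octets("65.90.5.0", "0.0.0.100"))
    print("65.90.5.201 0.0.0.24 matches", matched_last_octets("65.90.5.201", "0.0.0.24"))
```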
 
First of all,
I want to thank Rcasta for the help.

I apply the ACLs to my serial interface which is a T1 connection.

ip access 101 in
ip access 102 out
no ip source-route


Below are my latest ACLs:

Extended IP access list 101 (in) (apply to T1 serial0)
acc 101 deny ip 65.90.5.0 0.0.0.255 any
acc 101 permit tcp any any established
acc 101 deny ip 127.0.0.0 0.255.255.255 any
acc 101 deny ip 10.0.0.0 0.255.255.255 any
acc 101 deny ip 172.16.0.0 0.15.255.255 any
acc 101 deny ip 192.168.0.0 0.0.255.255 any
acc 101 deny ip any 0.0.0.255 255.255.255.0
acc 101 deny ip any 0.0.0.0 255.255.255.0
acc 101 deny ip 255.0.0.0 0.255.255.255 any
acc 101 deny ip 224.0.0.0 7.255.255.255 any
acc 101 deny tcp host 216.142.73.246 host 216.142.73.246
acc 101 deny tcp host 65.90.5.1 host 65.90.5.1

******Permit http access ip range 0-200 *****

acc 101 permit tcp any 65.90.5.0 0.0.0.127 eq www
acc 101 permit tcp any 65.90.5.128 0.0.0.63 eq WWW
acc 101 permit tcp any 65.90.5.192 0.0.0.7 eq www
acc 101 permit tcp any 65.90.5.200 0.0.0.0 eq www

acc 101 permit udp any 65.90.5.0 0.0.0.127 eq www
acc 101 permit udp any 65.90.5.128 0.0.0.63 eq WWW
acc 101 permit udp any 65.90.5.192 0.0.0.7 eq www
acc 101 permit udp any 65.90.5.200 0.0.0.0 eq www

acc 101 permit tcp any 65.90.5.0 0.0.0.127 eq 443
acc 101 permit tcp any 65.90.5.128 0.0.0.63 eq 443
acc 101 permit tcp any 65.90.5.192 0.0.0.7 eq 443
acc 101 permit tcp any 65.90.5.200 0.0.0.0 eq 443

acc 101 permit udp any 65.90.5.0 0.0.0.127 eq 443
acc 101 permit udp any 65.90.5.128 0.0.0.63 eq 443
acc 101 permit udp any 65.90.5.192 0.0.0.7 eq 443
acc 101 permit udp any 65.90.5.200 0.0.0.0 eq 443


****** Permit ftp access ip range 100-200 *****

acc 101 permit tcp any 65.90.5.100 0.0.0.3 eq ftp-data
acc 101 permit tcp any 65.90.5.104 0.0.0.7 eq ftp-data
acc 101 permit tcp any 65.90.5.112 0.0.0.15 eq ftp-data
acc 101 permit tcp any 65.90.5.128 0.0.0.63 eq ftp-data
acc 101 permit tcp any 65.90.5.192 0.0.0.7 eq ftp-data
acc 101 permit tcp any 65.90.5.200 0.0.0.0 eq ftp-data

acc 101 permit tcp any 65.90.5.100 0.0.0.3 eq ftp
acc 101 permit tcp any 65.90.5.104 0.0.0.7 eq ftp
acc 101 permit tcp any 65.90.5.112 0.0.0.15 eq ftp
acc 101 permit tcp any 65.90.5.128 0.0.0.63 eq ftp
acc 101 permit tcp any 65.90.5.192 0.0.0.7 eq ftp
acc 101 permit tcp any 65.90.5.200 0.0.0.0 eq ftp


****** Permit udp port 22 access ip range 201-255 *****
acc 101 permit udp any 65.90.5.201 0.0.0.0 eq 22
acc 101 permit udp any 65.90.5.202 0.0.0.0 eq 22
acc 101 permit udp any 65.90.5.203 0.0.0.0 eq 22
acc 101 permit udp any 65.90.5.204 0.0.0.3 eq 22
acc 101 permit udp any 65.90.5.208 0.0.0.15 eq 22
acc 101 permit udp any 65.90.5.224 0.0.0.31 eq 22


****** Permit POP3 and SMTP ip 55 and 5 *****
acc 101 permit tcp any host 65.90.5.55 eq smtp
acc 101 permit tcp any host 65.90.5.5 eq smtp
acc 101 permit tcp any host 65.90.5.55 eq 110
acc 101 permit tcp any host 65.90.5.5 eq 110


****** Permit DNS *****
acc 101 permit tcp any host 65.90.5.2 eq domain
acc 101 permit udp any host 65.90.5.2 eq domain
acc 101 permit tcp any host 65.90.5.3 eq domain
acc 101 permit udp any host 65.90.5.3 eq domain
acc 101 permit tcp any host 65.90.5.4 eq domain
acc 101 permit udp any host 65.90.5.4 eq domain
acc 101 permit tcp any host 65.90.5.5 eq domain
acc 101 permit udp any host 65.90.5.5 eq domain


****** Permit ICMP *****
access-list 103 permit icmp any 65.90.5.0 0.0.0.255 3 0 ! net-unreachable
access-list 103 permit icmp any 65.90.5.0 0.0.0.255 3 1 ! host-unreachable
access-list 103 permit icmp any 65.90.5.0 0.0.0.255 3 3 ! port-unreachable
access-list 103 permit icmp any 65.90.5.0 0.0.0.255 3 4 ! packet-too-big
access-list 103 permit icmp any 65.90.5.0 0.0.0.255 3 13 ! administratively-prohibited
access-list 103 permit icmp any 65.90.5.0 0.0.0.255 4 ! source-quench
access-list 103 permit icmp any 65.90.5.0 0.0.0.255 11 0 ! ttl-exceeded


acc 101 deny ip any any log



Extended IP access list 102 (Out) (apply to T1 serial0)
acc 102 deny ip 192.168.0.0 0.0.255.255 any
acc 102 deny ip 172.16.0.0 0.15.255.255 any
acc 102 deny ip 10.0.0.0 0.255.255.255 any
acc 102 deny ip any 192.168.0.0 0.0.255.255
acc 102 deny ip any 172.16.0.0 0.15.255.255
acc 102 deny ip any 10.0.0.0 0.255.255.255
acc 102 deny icmp any any log
acc 102 permit ip 65.90.5.0 0.0.0.255 any
acc 102 deny ip any any




Apply to T1 interface

int s0
ip access 101 in
ip access 102 out
no ip source-route

What is this below? Where did I apply them?
no ip directed-broadcast
no ip proxy-arp
no ip unreachables
ntp disable
 
My ICMP ACLs should be all 101 not 103
 
Seowh,

** I would suggest re-building ACL 101. Apply it outboundwise.

RE-BUILT ACL 101 (with some comments written in between)

!what's the purpose of next two lines???! (take them off!)
acc 101 deny tcp host 216.142.73.246 host 216.142.73.246
acc 101 deny tcp host 65.90.5.1 host 65.90.5.1

******Permit http access ip range 0-200 *****
!Unless your network is a farm of http, ftp and so forth
!servers, my ACL is useless; otherwise it is sound.
!The following lines state that traffic going to DESTINATION
!port HTTP will be allowed.

acc 101 description OUTBOUND ACL
acc 101 permit tcp 65.90.5.0 0.0.0.127 any eq www
acc 101 permit tcp 65.90.5.128 0.0.0.63 any eq www
acc 101 permit tcp 65.90.5.192 0.0.0.7 any eq www
acc 101 permit tcp 65.90.5.200 0.0.0.0 any eq www

acc 101 permit udp 65.90.5.0 0.0.0.127 any eq www
acc 101 permit udp 65.90.5.128 0.0.0.63 any eq www
acc 101 permit udp 65.90.5.192 0.0.0.7 any eq www
acc 101 permit udp 65.90.5.200 0.0.0.0 any eq www

acc 101 deny udp any any eq www
acc 101 deny tcp any any eq www

acc 101 permit tcp 65.90.5.0 0.0.0.127 any eq 443
acc 101 permit tcp 65.90.5.128 0.0.0.63 any eq 443
acc 101 permit tcp 65.90.5.192 0.0.0.7 any eq 443
acc 101 permit tcp 65.90.5.200 0.0.0.0 any eq 443

acc 101 permit udp 65.90.5.0 0.0.0.127 any eq 443
acc 101 permit udp 65.90.5.128 0.0.0.63 any eq 443
acc 101 permit udp 65.90.5.192 0.0.0.7 any eq 443
acc 101 permit udp 65.90.5.200 0.0.0.0 any eq 443

acc 101 deny udp any any eq 443
acc 101 deny tcp any any eq 443

****** Permit ftp access ip range 100-200 *****

acc 101 permit tcp 65.90.5.100 0.0.0.3 any range ftp-data ftp
acc 101 permit tcp 65.90.5.104 0.0.0.7 any range ftp-data ftp
acc 101 permit tcp 65.90.5.112 0.0.0.15 any range ftp-data ftp
acc 101 permit tcp 65.90.5.128 0.0.0.63 any range ftp-data ftp
acc 101 permit tcp 65.90.5.192 0.0.0.7 any range ftp-data ftp
acc 101 permit tcp 65.90.5.200 0.0.0.0 any range ftp-data ftp

acc 101 deny tcp any any range ftp-data ftp

****** Permit udp port 22 access ip range 201-255 *****
acc 101 permit udp 65.90.5.201 0.0.0.0 any eq 22
acc 101 permit udp 65.90.5.202 0.0.0.0 any eq 22
acc 101 permit udp 65.90.5.203 0.0.0.0 any eq 22
acc 101 permit udp 65.90.5.204 0.0.0.3 any eq 22
acc 101 permit udp 65.90.5.208 0.0.0.15 any eq 22
acc 101 permit udp 65.90.5.224 0.0.0.31 any eq 22

acc 101 deny udp any any eq 22

****** Permit POP3 and SMTP ip 55 and 5 *****
!Set first your primary POP3/SMTP server
acc 101 permit tcp any host 65.90.5.55 eq smtp
acc 101 permit tcp any host 65.90.5.55 eq 110
acc 101 permit tcp any host 65.90.5.5 eq smtp
acc 101 permit tcp any host 65.90.5.5 eq 110


****** Permit DNS *****
acc 101 permit udp any host 65.90.5.2 eq domain
acc 101 permit udp any host 65.90.5.3 eq domain
acc 101 permit udp any host 65.90.5.4 eq domain
acc 101 permit udp any host 65.90.5.5 eq domain

acc 101 permit tcp any host 65.90.5.2 eq domain
acc 101 permit tcp any host 65.90.5.3 eq domain
acc 101 permit tcp any host 65.90.5.4 eq domain
acc 101 permit tcp any host 65.90.5.5 eq domain

acc 101 deny icmp any any log
acc 101 permit ip 65.90.5.0 0.0.0.255 any
acc 101 deny ip any any

!int ser0
!ip access-group 101 out

ACL 102 (INBOUND)

Unless already in your edge router, try adding the suggested ACL lines (look at Cisco's site) for preventing W32.Blaster/Nachi and similar worms.

Q2
no ip directed-broadcast, no ip proxy-arp, no ip unreachables and ntp disable are some default settings. Consider keeping them in the configuration since they help prevent smurf attacks, ICMP storm replies and things like that.


Hope it helped,

cheers,
 