
Help! Why is my Access-List blocking all traffic?


GeneralDzur

Technical User
Jan 10, 2005
204
US
These access-lists were applied for just under 3 minutes before they were removed. Why is it blocking all internet traffic?

FastEthernet 0/0 - LAN
Ethernet 1/0 - Internet-facing interface
logging source-interface FastEthernet0/0


917_gw_rtr(config)#int fa0/0
917_gw_rtr(config-if)#ip accounting access-violations
917_gw_rtr(config-if)#exit
917_gw_rtr(config)#exit
917_gw_rtr#copy run tftp

917_gw_rtr#show access-lists

Building...

Extended IP access list 101 - Applied to FastEthernet 0/0 outbound (leaving the LAN)

deny ip 63.250.215.0 0.0.0.255 any
deny ip 205.188.234.0 0.0.0.255 any
deny ip host 207.188.7.200 any
deny ip 63.251.52.0 0.0.0.255 any
deny ip host 216.130.180.165 any
permit tcp any any eq www
permit tcp any any eq 443
permit tcp any any eq smtp
permit tcp any any eq telnet
permit tcp any any range ftp-data ftp
permit udp any any eq 21
permit tcp any any eq 995
permit tcp any any eq 554
permit udp any any eq 1252
permit udp any any eq 7336
permit udp any any eq 50020
permit udp any any eq 3478
permit udp any any eq 370
permit tcp any any eq 3075
permit tcp any any eq domain
permit udp any any eq domain
permit tcp any any eq 22
permit tcp any any eq 123
permit udp any any eq ntp
permit tcp any any eq 465
permit tcp any any eq 69
permit udp any any eq tftp
permit tcp any any eq 6699
permit udp any any eq 6257
permit udp any any eq 9996
permit tcp any any eq 8080
deny ip any any (144 matches)


Extended IP access list 102 - Applied to Ethernet 1/0 inbound (internet traffic inbound)

permit tcp any 192.168.7.0 0.0.0.255 established
deny ip 192.168.7.0 0.0.0.255 any
permit icmp any any echo-reply
permit icmp any any unreachable
permit icmp any any time-exceeded
deny icmp any any (11 matches)
permit tcp any any eq www
permit udp any any eq 80
permit tcp any any eq 443
permit udp any any eq 443
permit tcp any any eq 995
permit udp any any eq 995
permit tcp any any eq 554
permit udp any any eq 554
permit tcp any any eq 1734
permit tcp any any eq 1863
permit tcp any any eq 1755
permit udp any any eq 1252
permit udp any any eq 7336
permit udp any any eq 3478
permit tcp any any eq domain
permit udp any any eq domain
permit udp any any eq 370
permit tcp any any eq pop3
permit udp any any eq 110
permit tcp any any eq 3128
permit udp any any eq 3128
permit tcp any any eq smtp
permit udp any any eq 25
permit tcp any any eq 3075 established
permit tcp any any range ftp-data ftp
permit udp any any eq 20
permit tcp any any eq telnet established
permit tcp any any eq 522
permit tcp any any eq 1503
permit tcp any any eq 1720
permit tcp any any eq 1731
permit udp any any range 5004 5005
permit tcp any any range 8000 8003
permit tcp any any eq 8080
permit tcp any any eq 143
permit udp any any eq 143
permit tcp any any eq irc
permit udp any any eq 194
permit tcp any any eq 363
permit udp any any eq 363
permit tcp any any eq 389
permit tcp any any eq 2393
permit tcp any any eq 1434
permit udp any any eq 1434
permit tcp any any eq 537
permit tcp any any eq 6699 established
permit udp any any eq 6257
deny ip any any (4640 matches)
end
 
At the end of your access lists you have the following statement:

deny ip any any

This will deny all traffic after the info has gone through the rest of the list.
The way an access list is produced is normally in the following format:-

All DENY statements at the top of the access list
All PERMIT statements below the deny statements
At the end of the access list you would normally place the following statement:-

permit ip any any

The access list then filters out the unwanted packets first, then the wanted, followed by the rest.

Give it a go

Remain positive. The effect on those around you will amaze.
 
What are you trying to accomplish with these lists? What is your topology? A couple of things I've noticed:

First, on the LAN side, you're applying the access-list statements to the LAN interface as traffic exits the router on the LAN side. Is that intended?

Second, on the access-list inspecting traffic from the Internet side: you're getting all the hits on the deny ip any any since the traffic is not being matched by any other statement in the list. Thus, the deny all is blocking all traffic coming from the Internet.

Generally, you want the most specific criteria (permits or denies) placed early in the access-list statements and more general statements at the end. Also any criteria you intend on applying the most should be early in the access-list. If you don't explicitly permit OR deny traffic, the final deny ip any any (implicit deny) drops all traffic.

HTH.
 
Here's what I'm trying to accomplish:

1) On the LAN side of the router (fa0/0) I was attempting to block outgoing requests for certain things, such as a few website IP ranges as you can see. But when I applied the list to fa0/0 inbound, it didn't stop the traffic like I thought it would, and when I applied it outbound, it started stopping traffic. I didn't understand why, but I went with it.

2) On the WAN side (e1/0) I wanted to Allow by Exception, i.e. allow only traffic that we NEED and block every other port out there. Is there a way to block all those dangerous ports *without* manually entering them into a 3000+ entry ACL?

- stephan
 
What is the address space on the LAN? What is the address space you're trying to filter? Also, are you running a firewall feature set on the routers?

Using the established keyword helps only with TCP sessions. Unless you're using CBACs, you'll have difficulty with UDP. There is just not enough information here to give you a good answer.
 
While reading through Cisco material as I do every day, I read yesterday on Auto-Secure, and it mentioned CBACs. Unfortunately, I have no idea what it is.

Would you recommend using Auto Secure?

I'm attempting to block all traffic except that which I allow through. I don't understand what you mean by address space.

- stephan
 
You're trying to use 'firewall' features with regular access lists.


Each outbound connection has a dynamic source port; when you get a response back to the source port, it's not matching your ACL and getting blocked.

You need firewall IOS or get a real firewall.


BuckWeet
 
Unfortunately the Army won't get us one so I'm stuck with what I have.

You're telling me that it's impossible to Allow by Exception (block all except what I specify)?? I'm pretty sure you're wrong there. I've seen it done before.

- stephan
 
By "address space", what is the LAN and Internet addressing? Where is NAT being done? If eth1/0 is the public interface and is handling NAT, then the first lines of acl 102 should probably reference "any" or the global address rather than 192.16.7, which appears to be the internal address. ACLs are evaluated before NAT is done.

 
NAT setup

e1/0 - NAT outside

fa0/0 - NAT inside. Our internal range is 102.168.7.xxx

First lines of ACL 102 should say "deny ip 192.168.0.0 0.0.255.255 any"?

 
BuckWeet is right! Once a client starts a connection with a server, it always uses a random port greater than 1024 on the PC (client), and the packet is destined for a well-known port (depending on the service). For example, for an SMTP connection:

The client starts the connection on a TCP port greater than 1024 (chosen at random) and it sends the packet to the server on TCP port 25. The server replies using TCP port 25 as the source port and destined to the TCP port chosen at random by the client when it initiated the connection.

As you can see, you are permitting the well-known ports on the ACL applied to Ethernet 1/0 inbound but blocking all high ports (greater than 1024), which is where the replies will be destined. What you need is to allow TCP and UDP ports greater than 1024 in order for the client-server applications to work. As BuckWeet also mentioned, it would be better if you get IOS Firewall installed on the router.
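An added example (not from the thread, and not Cisco code): a small first-match evaluator for extended ACL entries, run over the relevant lines of the thread's ACL 102 on Ethernet 1/0 inbound. It shows the two points made above: the 192.168.7.0 entries never match there because the ACL is checked before NAT, so the destination is still the router's public address, and the SMTP server's reply to the client's ephemeral port falls through to the implicit deny until an established entry for high ports is added. The public addresses and the high port number are constructed placeholders.

```python
import ipaddress

ANY = ("0.0.0.0", "255.255.255.255")          # Cisco "any" as a network/wildcard pair

def wildcard_match(addr, network, wildcard):
    """Cisco wildcard mask: a 1 bit means 'don't care', a 0 bit must match."""
    a = int(ipaddress.ip_address(addr))
    n = int(ipaddress.ip_address(network))
    care = ~int(ipaddress.ip_address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (n & care)

def ace(action, proto, src=ANY, dst=ANY, dport=None, established=False):
    """One access-control entry; dport is an inclusive (low, high) range or None."""
    return dict(action=action, proto=proto, src=src, dst=dst,
                dport=dport, established=established)

def evaluate(acl, pkt):
    """First-match evaluation: returns (action, entry index), or ('deny', None)
    when nothing matched, i.e. the implicit 'deny ip any any' ending every ACL."""
    for i, e in enumerate(acl):
        if e["proto"] not in ("ip", pkt["proto"]):
            continue
        if not wildcard_match(pkt["src"], *e["src"]) or not wildcard_match(pkt["dst"], *e["dst"]):
            continue
        if e["dport"] and not (e["dport"][0] <= pkt["dport"] <= e["dport"][1]):
            continue
        if e["established"] and not pkt["ack"]:   # 'established' = ACK (or RST) bit set
            continue
        return e["action"], i
    return "deny", None

# The lines of the thread's ACL 102 (Ethernet 1/0 inbound) that matter for an SMTP session.
ORIGINAL_102 = [
    ace("permit", "tcp", dst=("192.168.7.0", "0.0.0.255"), established=True),
    ace("deny", "ip", src=("192.168.7.0", "0.0.0.255")),
    ace("permit", "tcp", dport=(25, 25)),                 # permit tcp any any eq smtp
]
# Same list plus the fix the thread suggests: permit established TCP replies to
# the client's ephemeral port, modelled here as "gt 1023".
FIXED_102 = ORIGINAL_102 + [ace("permit", "tcp", dport=(1024, 65535), established=True)]

# Constructed packets as seen on e1/0 inbound. The ACL runs before NAT, so the
# destination is the router's public address (placeholder 198.51.100.242), never 192.168.7.x.
SMTP_REPLY = dict(proto="tcp", src="203.0.113.25", dst="198.51.100.242", dport=40001, ack=True)
UNSOLICITED_SYN = dict(proto="tcp", src="203.0.113.25", dst="198.51.100.242", dport=40001, ack=False)

if __name__ == "__main__":
    print("original:", evaluate(ORIGINAL_102, SMTP_REPLY))    # ('deny', None)
    print("fixed:   ", evaluate(FIXED_102, SMTP_REPLY))       # ('permit', 3)
    print("syn:     ", evaluate(FIXED_102, UNSOLICITED_SYN))  # ('deny', None)
```

The same unsolicited SYN to a high port is still dropped after the fix, which is the protection the established keyword gives for TCP; UDP has no such flag, which is why the thread points to CBAC / IOS Firewall for UDP.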
 
Here is the list with the changes I've made. Is this better?
Notice that I've allowed connections from 1024 and above for a little while. Should I put 'est' for established connections on the end of that entry?

- stephan



access-list 102 - Perimeter inbound (e1/0 in)

access-list 102 deny ip 10.0.0.0 0.255.255.255 any
access-list 102 deny ip 172.16.0.0 0.15.255.255 any
access-list 102 deny ip 192.168.0.0 0.0.255.255 any
access-list 102 deny ip 169.254.0.0 0.0.255.255 any
access-list 102 deny udp any any range 135 139
access-list 102 deny tcp any any range 135 139
access-list 102 deny tcp any any range 8000 8001
access-list 102 deny tcp any any eq telnet

! This is our router's WAN IP
access-list 102 permit tcp any xxx.xxx.xxx.242/29 0.0.0.0
access-list 102 permit udp any xxx.xxx.xxx.242/29 0.0.0.0
access-list 102 permit ip any

! OMITTED: access-list 102 permit tcp any 192.168.7.1 0.0.0.255 est

access-list 102 permit tcp any any range 1024 3500 est

access-list 102 permit icmp any any echo-reply
access-list 102 permit icmp any any unreachable
access-list 102 permit icmp any any time-exceeded
access-list 102 deny icmp any any

access-list 102 permit tcp any any eq 80
access-list 102 permit tcp any any eq 443

access-list 102 permit tcp any any eq 995
access-list 102 permit udp any any eq 995

access-list 102 permit tcp any any eq 554
access-list 102 permit udp any any eq 554

! omitted: access-list 102 permit tcp any any eq 1734

access-list 102 permit tcp any any eq 1863
access-list 102 permit tcp any any eq 1755

access-list 102 permit udp any any eq 1252
access-list 102 permit udp any any eq 7336
access-list 102 permit udp any any eq 34781

! Domain Name server
access-list 102 permit tcp any any eq 53
access-list 102 permit udp any any eq 53

access-list 102 permit udp any any eq 370

access-list 102 permit tcp any any eq 110
access-list 102 permit udp any any eq 110

access-list 102 permit tcp any any eq 3128
access-list 102 permit udp any any eq 3128
access-list 102 permit tcp any any eq 25

! Orbix locator established connection
access-list 102 permit tcp any any eq 3075 est

! FTP data and stream control
access-list 102 permit tcp any any range 20 21
! FTP data
access-list 102 permit udp any any eq 20

! established Telnet sessions
access-list 102 permit tcp any any eq 23 est

! NetMeeting ports
access-list 102 permit tcp any any eq 522
access-list 102 permit tcp any any eq 1503
access-list 102 permit tcp any any eq 1720
access-list 102 permit tcp any any eq 1731
access-list 102 permit udp any any range 5004 5005

access-list 102 permit tcp any any range 8000 8003
access-list 102 permit tcp any any eq 8080

access-list 102 permit tcp any any eq 143
access-list 102 permit udp any any eq 143

access-list 102 permit tcp any any eq 194
access-list 102 permit udp any any eq 194

access-list 102 permit tcp any any eq 363
access-list 102 permit udp any any eq 363

access-list 102 permit tcp any any eq 389
access-list 102 permit tcp any any eq 2393

access-list 102 permit tcp any any eq 1434
access-list 102 permit udp any any eq 1434

access-list 102 permit tcp any any eq 537

access-list 102 permit tcp any any eq 6699 est
access-list 102 permit udp any any eq 6257 est

! implicit deny
 