help with access list - Please 1

fonegirl (Technical User), Jan 30, 2002
OK - I am sure it's something stupid that I am missing but when I apply the following access list to my Cisco 1720 we lose the ability to browse the Internet.

Any ideas?

access-list 101 permit tcp any any established
access-list 101 permit udp any any eq 22
access-list 101 permit tcp any any eq 22
access-list 101 permit tcp any any eq telnet
access-list 101 permit udp any any eq 23
access-list 101 permit tcp any any eq smtp
access-list 101 permit udp any any eq 25
access-list 101 permit tcp any any eq 47
access-list 101 permit udp any any eq 47
access-list 101 permit tcp any any eq 50
access-list 101 permit udp any any eq 50
access-list 101 permit tcp any any eq www
access-list 101 permit udp any any eq 80
access-list 101 permit tcp any any eq pop3
access-list 101 permit udp any any eq 110
access-list 101 permit tcp any any eq 443
access-list 101 permit udp any any eq 443
access-list 101 permit tcp any any eq 500
access-list 101 permit udp any any eq 500
access-list 101 permit tcp any any gt 1023
access-list 101 permit udp any any gt 1023
access-list 101 permit tcp any any gt 1723
access-list 101 permit udp any any gt 1723
access-list 101 permit tcp any any gt 3389
access-list 101 permit udp any any gt 3389
access-list 101 permit tcp any any eq 5405
access-list 101 permit tcp any any eq 5407
access-list 101 permit tcp any any eq 5408

Thanks!
 
It depends where you are applying your access-list. It should work if applied to the serial link connecting to the Internet, as input. In this case it would permit established connections (connections established from inside), matching the first access-list statement. Would you confirm where you are applying the access-list?
 
Here is where the list is applied - thanks for your help.

interface Serial1.579 point-to-point
description Link to remote site via T1
ip address 172.25.35.66 255.255.255.252
ip access-group 101 in
ip nat outside
frame-relay interface-dlci 579
 
We have an internal DNS server 10.0.0.3 and the DNS server is configured with forwarders to Bellsouth's DNS servers.
 
I am sorry, I do not know what is happening. I was thinking you have been blocking the DNS responses. If you would want to check this you should include the following line in your access-list:
access-list 101 permit udp any eq 53 any

Note this: I am matching port 53 from any source IP address. When using "any any eq <port>" you are matching the destination port number.

If you could do a test in a very restricted environment (I mean after hours with only a minimal number of users), include an "access-list 101 deny ip any any" as the last line of your access-list, and also include a "log" option for every access-list statement, for example: access-list 101 deny ip any any log. This should help you in debugging what is happening. Also try the "sh access-list 101" command to check the hit count.


 
I configured it with the log as you suggested and I can see that the IP addresses that are having the problem are the Bellsouth DNS servers, but how can I tell what port I need to open that is currently preventing the DNS servers from communicating?

I did update the access list to permit port 53

Thanks
 
Well, let's try. Which address and port are you blocking? Could you post the access-list log just for this message?
 
Here it is

1700#show ip accounting access-violations
Source Destination Packets Bytes ACL
195.158.148.199 65.82.34.28 1 48 100
195.158.148.199 65.82.34.18 1 48 100
195.158.148.199 65.82.34.17 1 48 100
195.158.148.199 65.82.34.10 1 48 100
207.69.188.185 65.82.34.10 11 1314 100
207.69.188.187 65.82.34.10 11 1314 100
207.69.188.186 65.82.34.10 11 1314 100
68.40.184.35 65.82.34.4 1 48 100
68.40.184.35 65.82.34.12 1 48 100
68.40.184.35 65.82.34.22 1 48 100
68.40.184.35 65.82.34.23 1 48 100
68.40.184.35 65.82.34.20 1 48 100
68.40.184.35 65.82.34.21 1 48 100
68.40.184.35 65.82.34.18 1 48 100
68.40.184.35 65.82.34.19 1 48 100
68.40.184.35 65.82.34.17 1 48 100
68.40.184.35 65.82.34.28 1 48 100
68.40.184.35 65.82.34.26 1 48 100
68.40.184.35 65.82.34.27 1 48 100
68.40.184.35 65.82.34.24 1 48 100
68.40.184.35 65.82.34.25 1 48 100
 
If 68.40.184.35 is the DNS server you may try to use the following statement:
access-list 101 permit udp host 68.40.184.35 any
(you may be more restrictive later).

Please, double check the command syntax. I am not accessing a router right now.

Why is the ACL 100? Shouldn't it be 101?

 
Well, that fixed the browsing problem. How can I figure out what ports they are coming in on so I can be more restrictive?

I was so frustrated with access-list 101 that I just threw it out and changed everything to 100.

 
Good to know!
Please, include a "log" clause in that statement only and send me two or three log messages.
I am going out for lunch but I will be back in one hour.

 
Thanks again for your help -

I put the 'log' clause in but I am unsure of the command to show the log.

 
Well, what device are you logging it to? Usually a UNIX-based SYSLOG server.

I'm the Fanciest of the Fancy...INDEED
 
Well, that could be the problem. This is a Windows 2000 environment, no Unix server.

Any suggestions?
 
How are you accessing the router? Telnet or a console directly connected to the router? If using Telnet you must enter the "terminal monitor" command. Log should be automatically displayed in your terminal.
 
That worked:

6w1d: %SEC-6-IPACCESSLOGP: list 100 permitted udp 207.69.188.187(53) -> 65.82.34.10(1104), 6 packets
1700#
6w1d: %SEC-6-IPACCESSLOGP: list 100 permitted udp 207.69.188.185(53) -> 65.82.34.10(1104), 83 packets
 
You see, 53 is the port. I do not understand why our first filter did not work. So, to permit only this access from that router you should modify our command as follows:
access-list 101 permit udp host 68.40.184.35 eq 53 any
By the way, your access-list is too permissive. Is that what you really want to do?
With the first statement you permit only established connections, then you permit "any" access to www, and "any" access to Telnet. Perhaps you should be more restrictive in allowing access to your router.

 
Thanks for all your help -

I opened up port 1104 and that enabled browsing. I don't know why it's going out on port 53 and coming in on 1104?

fonegirl
 
This is how it works. It opens a connection to a well-known port (53 in this case). The destination host responds with its own port as source and to a user port as destination (1104). The user port (the 1104) could change from user to user. It is better to filter on the well-known port (the low-order port numbers: ftp(21), telnet(23)...).
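The source-port versus destination-port point made in this thread (that "any any eq <port>" matches the destination port, that a DNS reply arrives from source port 53 to a changing user port, and that the narrowed "host X eq 53 any" form is the one to filter on), worked through in an added example that is not code from the thread or from Cisco. It is a small Python evaluator for the subset of IOS extended-ACL syntax used here: first match wins, an implicit deny ends every list, "established" matches TCP with ACK or RST set, and "eq"/"gt" apply to whichever port position they follow. The packets are constructed from the log lines above (the reply 207.69.188.185(53) -> 65.82.34.10(1104)); 198.51.100.7 is a documentation address standing in for an outside host. It evaluates three short lists: one that permits only "udp any any eq 53", the narrowed source-port form suggested above, and four of the entries as originally posted. Read literally, the posted "permit udp any any gt 1023" line already matches a reply to port 1104; the accounting output in the thread attributes the drops to list 100, whose contents are never shown, so the example cannot say why the original list blocked them.

```python
"""Evaluate packets against a subset of Cisco IOS extended ACL syntax.

Constructed example for this thread, not code from the thread or from Cisco.
Models first-match, the implicit deny, 'established' (TCP with ACK or RST set)
and 'eq'/'gt' port operators in the source or destination position.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

PORT_NAMES = {"telnet": 23, "smtp": 25, "www": 80, "pop3": 110}  # IOS keywords seen in the thread


@dataclass
class Packet:
    proto: str              # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    ack_or_rst: bool = False  # TCP only: ACK or RST bit set, which is what 'established' tests


@dataclass
class Rule:
    action: str
    proto: str
    src: Optional[object]   # ip_network, or None for 'any'
    sop: Optional[tuple]    # ("eq"|"gt", port) applied to the SOURCE port
    dst: Optional[object]
    dop: Optional[tuple]    # same operator, applied to the DESTINATION port
    established: bool
    text: str


def _addr(t, i):
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D wildcard' starting at token i."""
    if t[i] == "any":
        return None, i + 1
    if t[i] == "host":
        return ip_network(t[i + 1]), i + 2
    return ip_network(f"{t[i]}/{t[i + 1]}", strict=False), i + 2  # IOS wildcard == hostmask


def _port(t, i):
    if i < len(t) and t[i] in ("eq", "gt"):
        name = t[i + 1]
        return (t[i], PORT_NAMES.get(name) or int(name)), i + 2
    return None, i


def parse_rule(line):
    t = line.split()  # access-list N action proto src [op] dst [op] [flags]
    src, i = _addr(t, 4)
    sop, i = _port(t, i)
    dst, i = _addr(t, i)
    dop, i = _port(t, i)
    return Rule(t[2], t[3], src, sop, dst, dop, "established" in t[i:], line)


def parse_acl(text):
    return [parse_rule(line) for line in text.strip().splitlines()]


def _port_ok(op, port):
    return op is None or (port == op[1] if op[0] == "eq" else port > op[1])


def matches(rule, p):
    if rule.proto not in ("ip", p.proto):
        return False
    if rule.src is not None and ip_address(p.src) not in rule.src:
        return False
    if rule.dst is not None and ip_address(p.dst) not in rule.dst:
        return False
    if not (_port_ok(rule.sop, p.sport) and _port_ok(rule.dop, p.dport)):
        return False
    return not rule.established or (p.proto == "tcp" and p.ack_or_rst)


def evaluate(acl, p):
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for rule in acl:
        if matches(rule, p):
            return rule.action, rule.text
    return "deny", "implicit deny ip any any"


# Inbound packets on the Internet-facing interface (constructed from the thread's log;
# 198.51.100.7 is a documentation address standing in for an outside host).
DNS_REPLY = Packet("udp", "207.69.188.185", 53, "65.82.34.10", 1104)
WEB_REPLY = Packet("tcp", "198.51.100.7", 80, "65.82.34.10", 1105, ack_or_rst=True)
TELNET_IN = Packet("tcp", "198.51.100.7", 40000, "65.82.34.10", 23)  # unsolicited inbound SYN

# 'eq 53' after the destination matches packets sent TO port 53 (queries), not replies FROM it.
ACL_DEST_PORT = """
access-list 101 permit tcp any any established
access-list 101 permit udp any any eq 53
"""
# Source-port form suggested in the thread, narrowed to the forwarder seen in the log.
ACL_SOURCE_PORT = """
access-list 101 permit tcp any any established
access-list 101 permit udp host 207.69.188.185 eq 53 any log
"""
# Four of the entries exactly as posted at the top of the thread.
ACL_AS_POSTED = """
access-list 101 permit tcp any any established
access-list 101 permit tcp any any eq telnet
access-list 101 permit tcp any any eq www
access-list 101 permit udp any any gt 1023
"""


def demo():
    """Return {(acl_name, packet_name): action} for every combination."""
    acls = {"dest_port": parse_acl(ACL_DEST_PORT),
            "source_port": parse_acl(ACL_SOURCE_PORT),
            "as_posted": parse_acl(ACL_AS_POSTED)}
    pkts = {"dns_reply": DNS_REPLY, "web_reply": WEB_REPLY, "telnet_in": TELNET_IN}
    return {(a, p): evaluate(acl, pkt)[0] for a, acl in acls.items() for p, pkt in pkts.items()}


if __name__ == "__main__":
    for (a, p), action in sorted(demo().items()):
        print(f"{a:12} {p:10} {action}")
```

Running it shows the DNS reply denied by the destination-port list and permitted by the source-port list, and shows that the posted entries admit an unsolicited inbound connection to telnet, which is the "too permissive" point above. Evaluating a candidate list this way against the packets from a "log"-tagged entry is a cheap check to do before applying it to the live interface.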
 