Problems blocking ports using ACLs

Status
Not open for further replies.

chatridge (MIS), joined Nov 14, 2002, 30 messages, location US
I am trying to implement our firewall using ACLs. I want to allow inbound traffic to LAN on certain ports to certain IPs and block all other inbound traffic. I want to allow our internal users to ftp, web browse, etc to outside sources on the internet with no problem. Just want to filter inbound traffic based on port/IP. I have applied the following extended named access-list inbound on our serial interface:

no ip access-list extended InboundToLAN
ip access-list extended InboundToLAN

permit tcp any host 192.168.0.2 eq 80
permit tcp any host 192.168.0.2 eq 443
permit tcp any host 192.168.0.3 eq 80
permit tcp any host 192.168.0.3 eq 443
permit tcp any host 192.168.0.4 eq 80
permit tcp any host 192.168.0.4 eq 443
permit tcp any host 192.168.0.5 eq 1494
permit udp any host 192.168.0.5 eq 1604
permit tcp any host 192.168.0.6 eq 1494
permit udp any host 192.168.0.6 eq 1604
permit tcp any host 192.168.0.7 range 20 21
permit tcp any host 192.168.0.8 eq 25
permit tcp host 206.183.224.11 host 192.168.0.2
permit tcp any host 192.168.0.9 eq 8100
permit tcp any host 192.168.0.9 eq 80

I want to allow ONLY the above traffic InBound. When I apply this to my serial interface using the following command:
ip access-group InBoundToLAN in

After I apply the access-list I run a port scan on my IPs and they show more ports open than I have allowed, TCP and UDP. I know there is an implicit deny all at the end of the list that doesn't need to be added. Is this correct? What am I doing wrong? Thanks!!
 
Could you show how you have applied this to the interface? If you are allowing your users to do everything going out of the LAN wouldn't this open those ports?
 
Where exactly did you run this port scan? If you ran it from your internal network, you would have bypassed the ACL. You will need to run the scan from the "public side" of the router's serial interface....
 
I am running the port scan from outside our network via a modem. I don't have any outbound access-lists, only this inbound one. The command I applied to the serial interface was

ip access-group inboundtolan in

This router is running a firewall feature set. I was able to get the access-list working properly after I added ip inspect statements to both the ethernet and serial interfaces. Any idea why the ip inspect statements were needed in order to get this working properly? This is the access list I used to get it working:

no ip access-list extended inboundtolan
ip access-list extended inboundtolan

permit tcp any host 192.168.0.2 eq 80
permit tcp any host 192.168.0.2 eq 443

permit tcp any host 192.168.0.3 eq 80
permit tcp any host 192.168.0.3 eq 443

permit tcp any host 192.168.0.4 eq 80
permit tcp any host 192.168.0.4 eq 443

permit tcp any host 192.168.0.5 eq 1494
permit udp any host 192.168.0.5 eq 1604

permit tcp any host 192.168.0.6 eq 1494
permit udp any host 192.168.0.6 eq 1604

permit tcp any host 192.168.0.7 range 20 21
permit tcp any host 192.168.0.7 gt 1023

permit tcp any host 192.168.0.8 eq 25

permit tcp any host 192.168.0.9 eq 25
permit tcp host 206.183.224.11 host 192.168.0.9

permit tcp any host 192.168.0.10 eq 8100
permit tcp any host 192.168.0.10 eq 80

permit esp host 65.241.249.242 any
permit ahp host 65.241.249.242 any

deny ip any any

This is the ip inspect statements I added:

ip inspect audit-trail
ip inspect max-incomplete high 1100
ip inspect one-minute high 1100
ip inspect dns-timeout 7
ip inspect name Ethernet_0_0 tcp
ip inspect name Ethernet_0_0 udp
ip inspect name Ethernet_0_0 cuseeme
ip inspect name Ethernet_0_0 ftp
ip inspect name Ethernet_0_0 h323
ip inspect name Ethernet_0_0 rcmd
ip inspect name Ethernet_0_0 realaudio
ip inspect name Ethernet_0_0 smtp
ip inspect name Ethernet_0_0 streamworks
ip inspect name Ethernet_0_0 vdolive
ip inspect name Ethernet_0_0 sqlnet
ip inspect name Ethernet_0_0 tftp
ip inspect name Serial_0_0 tcp
ip inspect name Serial_0_0 udp
ip audit notify log
ip audit po max-events 100

I applied the ip inspect statements like this:

int e0/0
ip inspect Ethernet_0_0 in

int s0/0
ip inspect Serial_0_0 in

We were running ip finger and ip cef; I removed these statements before applying the ip inspect. Any ideas or explanations on why the ip inspect needed to be added in order for my access-list to work? We added ip cef as a performance booster, but obviously it broke something.
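The following is an added example, not code from the thread or from Cisco: a small Python model of how an IOS extended ACL applied inbound on serial0/0 decides packets. It parses the list from the first post, applies first-match-wins with the implicit deny at the end, and predicts which (host, port) pairs a scanner on the public side should be able to reach, so the result of an external scan can be compared against what the list is supposed to allow. It also models two things worth checking in this thread. First, IOS named ACL names are case-sensitive: the first post creates `InboundToLAN` but applies `InBoundToLAN`, and an `ip access-group` that refers to a list that does not exist filters nothing at all, which is exactly what a scan showing more open ports than the list allows looks like (the later, working configuration uses `inboundtolan` in both places). Second, why `ip inspect` matters: a static inbound list that ends in deny also drops the replies to internal users' own outbound sessions, and CBAC on e0/0 `in` records those sessions so their replies are let back through. The scanner address 203.0.113.9, the internal client 192.168.0.50 and the outside web server 198.51.100.7 are made up for the example.

```python
"""Added model of an IOS extended ACL applied inbound on serial0/0 (not router code).
Handles just the syntax the posted lists use: permit/deny, a protocol, 'any' or
'host X' for source and destination, and eq/gt/range on the destination port."""
from collections import namedtuple
from typing import Dict, List, Set, Tuple

# The first post's list, used here as constructed sample input.
INBOUND_TO_LAN = """\
permit tcp any host 192.168.0.2 eq 80
permit tcp any host 192.168.0.2 eq 443
permit tcp any host 192.168.0.3 eq 80
permit tcp any host 192.168.0.3 eq 443
permit tcp any host 192.168.0.4 eq 80
permit tcp any host 192.168.0.4 eq 443
permit tcp any host 192.168.0.5 eq 1494
permit udp any host 192.168.0.5 eq 1604
permit tcp any host 192.168.0.6 eq 1494
permit udp any host 192.168.0.6 eq 1604
permit tcp any host 192.168.0.7 range 20 21
permit tcp any host 192.168.0.8 eq 25
permit tcp host 206.183.224.11 host 192.168.0.2
permit tcp any host 192.168.0.9 eq 8100
permit tcp any host 192.168.0.9 eq 80
"""

Packet = namedtuple("Packet", "proto src dst sport dport", defaults=(None, None))
# src/dst None means "any"; dports is an inclusive (low, high) range, None means any port.
Entry = namedtuple("Entry", "permit proto src dst dports")

def _addr(tok: List[str], i: int):
    if tok[i] == "any":
        return None, i + 1
    if tok[i] == "host":
        return tok[i + 1], i + 2
    raise ValueError("only 'any' and 'host X' are handled: " + " ".join(tok))

def parse_acl(text: str) -> List[Entry]:
    entries = []
    for raw in text.splitlines():
        tok = raw.split()
        if not tok:
            continue
        src, i = _addr(tok, 2)
        dst, i = _addr(tok, i)
        ports = None
        if i < len(tok):
            op, n = tok[i], int(tok[i + 1])
            if op == "eq":
                ports = (n, n)
            elif op == "gt":
                ports = (n + 1, 65535)
            elif op == "range":
                ports = (n, int(tok[i + 2]))
            else:
                raise ValueError("unsupported port operator " + op)
        entries.append(Entry(tok[0] == "permit", tok[1], src, dst, ports))
    return entries

def _matches(e: Entry, p: Packet) -> bool:
    if e.proto != "ip" and e.proto != p.proto:
        return False
    if e.src is not None and e.src != p.src:
        return False
    if e.dst is not None and e.dst != p.dst:
        return False
    if e.dports is not None:
        return p.dport is not None and e.dports[0] <= p.dport <= e.dports[1]
    return True

def evaluate(acl: List[Entry], p: Packet) -> bool:
    """First match wins; running off the end is the implicit 'deny ip any any'."""
    for e in acl:
        if _matches(e, p):
            return e.permit
    return False

def interface_permits(defined: Dict[str, List[Entry]], applied: str, p: Packet) -> bool:
    """'ip access-group <applied> in'. IOS named ACLs are case-sensitive, and an
    access-group that refers to a list that does not exist filters nothing."""
    acl = defined.get(applied)
    return True if acl is None else evaluate(acl, p)

def tcp_scan(defined, applied, targets, ports, scanner="203.0.113.9"):
    """(target, port) pairs a scanner on the public side of serial0/0 can reach."""
    return [(t, port) for t in targets for port in ports
            if interface_permits(defined, applied, Packet("tcp", scanner, t, 40000, port))]

# CBAC session key: (proto, inside host, inside port, outside host, outside port).
Session = Tuple[str, str, int, str, int]

def inspect_outbound(sessions: Set[Session], p: Packet) -> None:
    """What 'ip inspect ... in' on e0/0 does for a packet leaving the LAN: remember it."""
    sessions.add((p.proto, p.src, p.sport, p.dst, p.dport))

def cbac_permits(acl: List[Entry], sessions: Set[Session], p: Packet) -> bool:
    """Inbound on serial0/0 with CBAC: a reply to a tracked session bypasses the static list."""
    if (p.proto, p.dst, p.dport, p.src, p.sport) in sessions:
        return True
    return evaluate(acl, p)

if __name__ == "__main__":
    defined = {"InboundToLAN": parse_acl(INBOUND_TO_LAN)}
    targets = ["192.168.0.%d" % n for n in range(2, 10)]
    print(tcp_scan(defined, "InboundToLAN", targets, [22, 25, 80, 443, 1494, 8100]))
    print(len(tcp_scan(defined, "InBoundToLAN", targets, [22, 25, 80, 443, 1494, 8100])), "reachable with the misspelt name")
```

On the router itself the equivalent checks are `show ip interface serial 0/0` (which reports the inbound access list actually bound to the interface), `show ip access-lists` (the lists that exist, with per-line hit counters) and `show ip inspect sessions` (the sessions CBAC has opened). Two things the model makes visible in the posted lists: `permit tcp host 206.183.224.11 host 192.168.0.2` has no port clause, so that one outside host reaches every TCP port on 192.168.0.2; and in the second list `permit tcp any host 192.168.0.7 gt 1023` exposes all high TCP ports on the FTP server to the whole Internet, which is not needed once `ip inspect name ... ftp` is in place, because CBAC opens the FTP data connections dynamically.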

 