
Walk me through something simple please...


GeneralDzur (Technical User, joined Jan 10, 2005, 204 messages, US)
Alright guys, I'm still pretty new to Cisco routers, but I do have an understanding of ACL's, static routes and other basic stuff. What I want is to close off certain ports (0 and 23 for starters) on the WAN side of our gateway router to prevent any incoming connections to them. I've been reading up on the router, but I'd appreciate a quick answer.

 
I assume you mean TCP in this instance (port 23?).

access-list 101 deny tcp any any eq 23
access-list 101 deny tcp any any eq 0
access-list 101 permit ip any any

interface serial0
ip access-group 101 in


There is always an implicit deny at the end of an ACL so you need to allow other traffic or else it all gets dropped.

Andy
 
Port 23 is Telnet, according to Shields UP!! ports probe listing.

Question - why does the access-list say "deny tcp any any eq 23"? Why the "deny tcp" part? I've never understood what the 'eq [xx]' part meant in relation to the 'deny [whatever]' thing.

thanks again
 
Yes TCP port 23 is Telnet, hence why I said 'I assume you mean TCP' as it could also be UDP or any other IP Protocol....

This is an extended IP access list; you have the option of specifying either the source and destination IP addresses, or the source and destination IP addresses plus the source and destination layer-4 port numbers. You can also specify things like DSCP or IP Precedence values etc.

The logic is as follows:

access-list 101 - this is the ACL number; 1-99 are standard IP ACLs, where you can only specify the source IP address, and 100-199 are extended IP ACLs, which allow you to specify source & destination IP addresses as well as layer-4 information

deny - you want to block access so you must use the keyword deny

tcp - the layer-4 protocol you want to deny is a TCP based one (telnet)

any - this is the source IP address; any literally means that - any. You can optionally add a layer-4 port number here, this would be the source port number, with none specified it means any port number

any - this is the destination IP address; you could set this to be a host or a subnet, it depends on your requirements

eq 23 - this is the destination port number


Normally you would have much more listed in an ACL, especially an internet facing router such as:

access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 169.254.0.0 0.0.255.255 any
access-list 101 deny udp any any range 135 139
access-list 101 deny tcp any any range 135 139
access-list 101 deny tcp any any eq 23
access-list 101 deny tcp any any eq 445
access-list 101 deny tcp any any range 0 1
access-list 101 deny tcp any any eq 389
access-list 101 deny tcp any any eq 1080



Andy
 
Here is the configuration. I'm a little concerned because Shields UP!!'s port scan still shows 0 and 23 as being open.

nipr_gateway#show access-lists
Standard IP access list 4
deny 63.250.215.0, wildcard bits 0.0.0.255 log
permit any
Standard IP access list 7
permit 192.168.7.0, wildcard bits 0.0.0.255
Extended IP access list 101
deny tcp any any eq telnet
deny tcp any any eq 0
permit ip any any (14766 matches)
Extended IP access list 125
deny tcp any any eq 135 (197 matches)
deny udp any any eq 135 (14 matches)
permit ip any any (144639528 matches)
Extended IP access list 150
permit ip 192.168.7.0 0.0.0.255 any
deny ip any any
 
What interface have you got this applied to?

Andy
 
It is applied to Ethernet1/0 in. FastEthernet0/0 is the LAN connection.


 
Looking at the counters for the ACL it is showing none have matched telnet & TCP port 0. The ACL looks OK though?

It may be worth listing your config (remove or change the addressing etc)

Andy
 
Building configuration...

Current configuration:
!
version 12.0
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname xxxxx_gateway
!
enable secret 5 $1$i/RX$5rHfrz6JBvoOqP3Nxh7bk1
enable password xxx
!
!
!
!
!
memory-size iomem 15
ip subnet-zero
ip name-server x.x.x.x
!
!
!
!
!
!
interface FastEthernet0/0
description Internal LAN
ip address 192.168.7.1 255.255.255.0
no ip directed-broadcast
ip nat inside
duplex auto
speed auto
!
interface Ethernet1/0
description Tachyon
ip address 81.xxx.xxx.xxx 255.xxx.xxx.xxx
ip access-group 2 in
ip access-group 125 out
no ip unreachables
no ip directed-broadcast
ip nat outside
!
ip nat pool warheroes 81.xx.xxx.xxx 81.xx.xxx.xxx prefix-length 29
ip nat inside source list 7 pool warheroes overload
ip classless
ip route 0.0.0.0 0.0.0.0 81.31.xxx.xxx
no ip http server
!
access-list 2 deny 63.250.215.0 0.0.0.255
access-list 2 permit any
access-list 7 permit 192.168.7.0 0.0.0.255
access-list 101 deny tcp any any eq telnet
access-list 101 deny tcp any any eq 0
access-list 101 permit ip any any
access-list 125 deny tcp any any eq 135
access-list 125 deny udp any any eq 135
access-list 125 permit ip any any
access-list 150 permit ip 192.168.7.0 0.0.0.255 any
access-list 150 deny ip any any
!
line con 0
access-class 150 in
transport input none
line aux 0
line vty 0 4
password xxx
absolute-timeout 10000
login
!
end

- The ACL 2 blocks any Yahoo! LaunchCast music streaming servers. Question: What does the (200 matches) thing mean? Also, we are falling in on this setup from someone else, and I have no idea what an IP NAT pool is
 
Looking at your configuration you are only denying the Yahoo! stuff (63.250.215.0/24) from entering your Ethernet1/0 interface, everything else is allowed.
You also have ACL 125 applied outbound on your Ethernet1/0 interface - this ACL just blocks TCP & UDP ports 135, and allows everything else....

If you want to combine your current inbound ACL with the one I suggested to block telnet and TCP port 0 as well as the Yahoo stuff then you should change ACL 101 as follows:

access-list 101 deny ip 63.250.215.0 0.0.0.255 any
access-list 101 deny tcp any any eq 0
access-list 101 deny tcp any any eq 23
access-list 101 permit ip any any

interface Ethernet1/0
ip access-group 101 in



You are performing NAT on traffic from your Ethernet0/0 interface (ip nat inside) going through your Ethernet1/0 interface (ip nat outside). The IP addresses your sources get translated to are from the pool 'warheroes 81.xx.xxx.xxx 81.xx.xxx.xxx'


You also have an Access Class applied to your console port that only allows access from source IP's 192.168.7.0/24; although this is pretty pointless unless you are using reverse telnet.....


Andy
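Below is an added example, written for this thread rather than taken from it, that models in Python the matching rules Andy explains above: source and destination wildcard masks, the eq/range port tests, first match wins, and the implicit deny at the end. It replays the thread's own ACL 2 and the combined ACL 101 against a constructed probe to TCP port 23 (198.51.100.7 and 203.0.113.9 are documentation addresses chosen for the example), showing why the scan still saw 23 open while only ACL 2 was applied inbound on Ethernet1/0.

```python
import ipaddress
PORT_NAMES = {"telnet": 23}       # 'show access-lists' prints port 23 as 'telnet'
ANY = (0, 0xFFFFFFFF, 0, 65535)   # any address, any port

def _ip(s):
    return int(ipaddress.IPv4Address(s))

def _addr(tok, i):  # consume 'any' | 'host A' | 'A WILDCARD', then an optional eq/range port test
    if tok[i] == "any":
        net, wild, i = 0, 0xFFFFFFFF, i + 1
    elif tok[i] == "host":
        net, wild, i = _ip(tok[i + 1]), 0, i + 2
    else:
        net, wild, i = _ip(tok[i]), _ip(tok[i + 1]), i + 2
    lo, hi = 0, 65535             # no port keyword means any port
    if i < len(tok) and tok[i] == "eq":
        lo = hi = PORT_NAMES.get(tok[i + 1]) or int(tok[i + 1])
        i += 2
    elif i < len(tok) and tok[i] == "range":
        lo, hi, i = int(tok[i + 1]), int(tok[i + 2]), i + 3
    return (net, wild, lo, hi), i

def parse_ace(line):  # one config-style 'access-list N permit|deny ...' line -> dict
    tok = line.split()
    num, action = int(tok[1]), tok[2]
    if num <= 99:                 # standard ACL (1-99): source address only
        return {"action": action, "proto": "ip", "src": _addr(tok, 3)[0], "dst": ANY}
    src, i = _addr(tok, 4)        # extended ACL (100-199): proto src [port] dst [port]
    return {"action": action, "proto": tok[3], "src": src, "dst": _addr(tok, i)[0]}

def _match(spec, addr, port):
    net, wild, lo, hi = spec
    care = ~wild & 0xFFFFFFFF     # wildcard 1-bits are "don't care"
    return (_ip(addr) & care) == (net & care) and lo <= port <= hi

def evaluate(acl_lines, proto, src, sport, dst, dport):
    # First matching entry decides; no match at all falls through to the implicit deny.
    for ace in map(parse_ace, acl_lines):
        if ace["proto"] in ("ip", proto) and _match(ace["src"], src, sport) \
                and _match(ace["dst"], dst, dport):
            return ace["action"]
    return "deny"

ACL_2 = ["access-list 2 deny 63.250.215.0 0.0.0.255", "access-list 2 permit any"]  # applied on Ethernet1/0
ACL_101 = ["access-list 101 deny ip 63.250.215.0 0.0.0.255 any",  # Andy's combined ACL
           "access-list 101 deny tcp any any eq 0",
           "access-list 101 deny tcp any any eq 23",
           "access-list 101 permit ip any any"]
SCAN = dict(proto="tcp", src="198.51.100.7", sport=40000, dst="203.0.113.9", dport=23)  # constructed probe
print(evaluate(ACL_2, **SCAN), evaluate(ACL_101, **SCAN))   # permit deny
```

Note that with ACL 101 in place a UDP datagram to port 23 is still permitted, which is why Andy asked whether TCP was meant.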
 
wow...you know your stuff. Please keep it coming.

The console port's AC uses .0-.24 because those are our 'trusted' server/network infrastructure internal IP's.

Here is the most recent updated ACL.

router#sho access-list

Standard IP access list 7
permit 192.168.7.0, wildcard bits 0.0.0.255
Extended IP access list 101
deny ip 63.250.215.0 0.0.0.255 any
deny ip 205.188.234.0 0.0.0.255 any
deny tcp any any eq 0
deny tcp any any eq telnet
permit ip any any (301 matches)
Extended IP access list 125
deny tcp any any eq 135 (270 matches)
deny udp any any eq 135 (14 matches)
permit ip any any (145186393 matches)
Extended IP access list 150
permit ip 192.168.7.0 0.0.0.255 any
deny ip any any

So as for NAT, what you're saying is that when our internal systems/computers need net access, they get assigned a routable IP address from the 'warheroes' pool?

 
I mentioned the stuff regarding the Console ACL because the console is the physical port on the router; applying an access-class to this is only relevant for reverse telnet connections, hence won't stop anyone telnet'ing to the router. You must apply the access-class to the VTY lines for this to be effective; in reality you only need a standard ACL for this function:

access-list 10 permit 192.168.7.0 0.0.0.255
!
line vty 0 4
access-class 10 in


Yes on the NAT question. If you type 'show ip nat translations' you should see the internal IP addresses and the relevant NAT'd address.

Andy
 
Hey, thanks a lot for your help...I've really learned a lot from your posts.

One last question (promise): would it be advisable to apply an ACL to the VTY lines to prevent external Telnet, since I have all telnet blocked on the interface that connects to the Internet anyway?

- stephan
 
It's a Belt & Braces approach but won't harm anything - go for it.....

In the Enterprise you would generally have many IP networks/subnets making up your network but you would only have certain 'trusted' networks who you would want to be telnet'ing to routers & switches etc (Network Management?). This is why you would apply an access-class to your VTY lines; you wouldn't want 'normal' users potentially changing router configs would you?

Andy
 
Well, obviously the router has passwords assigned, but I still see what you're saying. Thanks again for all your help.
 