
Extended ACL Help


skk391

Technical User
Mar 3, 2009
332
GB
Hi All,

I'm trying to write what I thought was a simple ACL, but it's all going very wrong in my head.

I have a router with an ATM interface providing an internet connection (static IP x.x.x.x) to a network on int fa 0/0 (192.168.0.0).

I have remoting software located on an external network address y.y.y.y trying to connect to a server on the internal network, 192.168.0.1.

I was a little unsure of the ACL, either ....

config t
ip access-list extended 102
permit ip host y.y.y.y host x.x.x.x

OR

config t
ip access-list extended 102
permit ip host y.y.y.y host 192.168.0.1

int fa 0/0
ip access-group 102 in

But neither allows the connection from y.y.y.y to the server 192.168.0.1 ???

I ran a couple of logging commands and, after a little playing, got it to connect using the following ACL:

config t
ip access-list extended 102
permit ip host 192.168.0.1 host y.y.y.y

int fa 0/0
ip access-group 102 in


Sorry, I'm just not getting this.


The above ACL is telling the router to accept any ip packets FROM 192.168.0.1 to y.y.y.y. But I am making my remote connection FROM y.y.y.y and applying the ACL to Int fa 0/0 inbound.

Hope this makes sense and that someone can help me understand it.


Many Thanks


 
1) Is there NAT involved? I'm assuming that the remote connection is coming through the ATM interface?
If yes, then ACL 102 should be applied to your ATM** interface as IN...

2)
ip access-group 102 in
will match traffic coming IN to the router from the 192.168.0.0/24 network; that's why your third try works, because it's allowing the response FROM 192.168.0.1 TO your y.y.y.y connection.
You should be applying the ACL to the ATM** interface.
Code:
ip access-list extended 102
permit ip host y.y.y.y host 192.168.0.1

interface atm0.1
ip access-group 102 in

**It's usually a dialer interface; however, it depends on your config. You might just have an ATM subinterface configured and not be using dialer interfaces...



We must go always forward, not backward
always up, not down and always twirling twirling towards infinity.
 
The packet flow for the connection will be as follows:

S: y.y.y.y D: 192.168.0.1 IN ATM
S: y.y.y.y D: 192.168.0.1 OUT F0

Now the return traffic

S: 192.168.0.1 D: y.y.y.y IN F0
S: 192.168.0.1 D: y.y.y.y OUT ATM

So to ACL the incoming traffic, the ACL should be applied on ATM in the in direction, but it could also be placed on F0 in the OUT direction.

For the return traffic, the reversed ACL could be placed on F0 in the in direction or on ATM in the out direction.

I hope that makes it easier to understand.
 
Thanks for the reply,

To answer your question, yes, I am using NAT, and I was applying the ACL to the wrong interface. I have made changes so that I now apply it to the Dialer1 int... But I am still having a few issues. I have posted my config; if you could take a look I would be very grateful.

The network is not a production network at the moment, but will be soon and I can carry out some testing etc.

I had a single user on 192.168.0.30 using the Internet, so I used ACL 102 and added an entry to allow that host all IP access out. But the user could not get out to the Internet; it was only when I entered line 5, permit ip any any, that the Internet started working.

I know that there is something wrong somewhere; my ACLs aren't getting processed correctly. Can you help??

Is my PAT config correct?

It's the first time that I have set up the ATM and dialer interfaces. After a little research on this forum and online I got it to work, but I am a little unsure of the logic. Could someone please give me a little background on the relationship between the ATM and Dialer1 int and what is going on?


Many thanks

----------------CONFIG------------------------------------
Router>enable
Router#show config
Using 2369 out of 57336 bytes
!
! Last configuration change at 10:15:59 UTC Wed Mar 16 2011
! NVRAM config last updated at 10:16:27 UTC Wed Mar 16 2011
!
version 12.4
service config
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
no logging console
!
no aaa new-model
!
resource policy
!
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.0.1 192.168.0.20
!
ip dhcp pool ********
network 192.168.0.0 255.255.255.192
domain-name ********
dns-server 208.67.222.222
default-router 192.168.0.5
lease 4
!
!
ip name-server 208.67.222.222
!
!
!
!
!
!
!
!
!
interface ATM0/0
mtu 1500
no ip address
no atm ilmi-keepalive
dsl operating-mode auto
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface FastEthernet0/0
ip address 192.168.0.5 255.255.255.192
ip accounting output-packets
ip accounting access-violations
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/1
duplex auto
speed auto
!
interface Dialer1
description **ADSL ON BT 12415454515155 **
ip address <45.45.45.45 255.255.255.254
ip access-group 102 in
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap callin
ppp chap hostname blahblah.btclick.com
ppp chap password 0 blahblah
!
ip route 0.0.0.0 0.0.0.0 Dialer1
!
!
ip http server
no ip http secure-server
ip nat inside source list 1 interface Dialer1 overload
ip nat inside source static tcp 192.168.0.1 8745 interface Dialer1 8745
ip nat inside source static tcp 192.168.0.10 25 45.45.45.45 25 extendable
!

!
logging source-interface Dialer1
access-list 1 permit 192.168.0.0 0.0.0.255


access-list 102 permit ip host 192.168.0.30 any log
access-list 102 permit ip any any log
access-list 102 permit tcp any any eq domain log
access-list 102 permit udp any any eq domain log

!
!
!
!
control-plane
!
!
!
!
line con 0
password
line aux 0
line vty 0 4
password
no login
!
!
end
 
2 things:

1) Set up a password for your enable.
2) When you use the 'log' attribute on your access-list it will considerably reduce performance, as CEF will not be working.
3) Your first ACL statement is in the wrong direction. When you are writing ACLs you have to keep in mind the direction of the packet, its source IP address, and its destination IP address.
interface Dialer1
description **ADSL ON BT 12415454515155 **
ip address <45.45.45.45 255.255.255.254
ip access-group 102 in
...
access-list 102 permit ip host 192.168.0.30 any log

A packet coming INTO the router will get rejected, as the source IP address is NOT 192.168.0.30. This ACL is really allowing an outside source to spoof an internal IP address and possibly launch attacks on your network.

See below; by no means am I suggesting this is the best way to go about it. I'm sure there are people on this forum that can find faults within my ACL; however, it should help you define your own a bit better.

Notice how I am denying all the private IP address ranges from coming in.

The established option basically tells the router that if the packet is in response to a request from inside the network (doesn't matter what port), let it in.
Code:
show access-list 101
Extended IP access list 101
    10 permit udp any any eq non500-isakmp (189233 matches)
    20 permit tcp any any eq 3784
    30 permit udp any any eq 3784
    40 permit ip host 207.6.146.72 any
    50 deny ip 10.254.0.0 0.0.255.255 any
    60 deny ip host 172.16.1.1 any
    70 deny ip host 255.255.255.255 any
    80 deny ip 127.0.0.0 0.255.255.255 any
    90 permit tcp any any eq 22 (53370 matches)
    100 permit tcp any any established (92145056 matches)
    110 permit tcp any any eq telnet (7 matches)
    120 permit tcp any any eq 2710
    130 permit tcp any any eq 1863
    140 permit tcp any any eq 2910
    150 permit tcp any any eq 57462
    160 permit tcp any any eq 57463 (8 matches)
    170 permit tcp any any eq 57464
    180 permit tcp any any eq 57465 (926673 matches)
    190 permit udp any any eq 5060
    200 permit udp any any eq 5004
    210 permit udp any any eq 10000
    220 permit udp any any eq 16348
    230 permit udp any any (82115996 matches)
    240 permit icmp any any unreachable (3625719 matches)
    250 permit 41 any any (234 matches)
    259 permit gre any any (296967 matches)
    260 deny ip any any (41774 matches)

4) Your NAT statement is fine. However, since you are defining 192.168.0.0/255.255.255.192 as your network, maybe you should keep the NAT statements within the same subnet:
Code:
access-list 1 permit 192.168.0.0 0.0.0.63

As for the ATM / Dialer thing, as I mentioned I've seen it done both ways, with all the configuration under an ATM subinterface. The Dialer I've seen being used when there is authentication required to connect to the ISP's network. So you are good on that.

Another thing - and I LOVE using CLI - you can download SDM, which will make your job considerably easier. There is also the wonderful Cisco command auto secure, which is run from privileged exec mode (that's when you are in enable).

//sorry if it's TLDR.


We must go always forward, not backward
always up, not down and always twirling twirling towards infinity.
 
Thank you very much for your help with this. Yes, I got it all muddled up in my head. I have got it working now. I am using an ACL to block incoming traffic and opening a couple of ports to use with my remote admin program.

One of the mistakes that I was making was that the remote admin program uses port 8745, so I was writing an ACL like .....

config t
ip access-list ext 105
permit tcp host <source> eq 8745 host <dest> eq 8745

This was not allowing my connection, because even though the destination port was 8745, the port used by the source to start the connection was a completely random one and thus didn't match the ACL.

permit tcp host <source> host <dest> eq 8745 sorted that out.

I am using IP inspection rules and have placed them on my external interface OUT.

Many Thanks for your help again.
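To make the two lessons of this thread checkable offline (the ACL on Dialer1 being written in the wrong direction, and the source-port `eq 8745` that never matches an ephemeral client port), here is an added example that is not part of the thread: a small evaluator for Cisco-style extended ACL entries. It assumes 203.0.113.9 as a stand-in for y.y.y.y, numeric ports only (no `domain`-style names), and models `established` as "ACK/RST flag already set".

```python
# Added example, not the thread's code: Cisco-style extended ACL evaluator (first match wins, implicit deny).
import ipaddress

def _addr(tok):
    # "any" | "host A" | "NET WILDCARD" -> (matcher, tokens consumed)
    if tok[0] == "any":
        return (lambda ip: True), 1
    if tok[0] == "host":
        return (lambda ip, h=tok[1]: ip == h), 2
    net = int(ipaddress.IPv4Address(tok[0]))
    keep = ~int(ipaddress.IPv4Address(tok[1])) & 0xFFFFFFFF  # wildcard bit 1 = ignore
    return (lambda ip: int(ipaddress.IPv4Address(ip)) & keep == net & keep), 2
def _port(tok):  # optional "eq PORT" -> (matcher, tokens consumed); numeric ports only
    if tok and tok[0] == "eq":
        return (lambda p, want=int(tok[1]): p == want), 2
    return (lambda p: True), 0
def parse_ace(line):
    t = line.split()  # action proto src [eq P] dst [eq P] [established]
    src, i = _addr(t[2:]);          sport, j = _port(t[2 + i:])
    dst, k = _addr(t[2 + i + j:]);  dport, m = _port(t[2 + i + j + k:])
    return dict(action=t[0], proto=t[1], src=src, sport=sport, dst=dst,
                dport=dport, est="established" in t[2 + i + j + k + m:])

def evaluate(acl, pkt):
    """pkt: dict(proto, src, sport, dst, dport, ack) -> 'permit' | 'deny'."""
    for a in map(parse_ace, acl):
        l4 = a["proto"] != "ip"  # tcp/udp entries also check protocol and ports
        if l4 and (a["proto"] != pkt["proto"] or not a["sport"](pkt["sport"])
                   or not a["dport"](pkt["dport"])):
            continue
        if not (a["src"](pkt["src"]) and a["dst"](pkt["dst"])):
            continue
        if a["est"] and not pkt["ack"]:  # established = ACK/RST already set
            continue
        return a["action"]
    return "deny"  # implicit deny ip any any
# Constructed sample: 203.0.113.9 stands in for the thread's y.y.y.y.
REMOTE, SERVER, USER = "203.0.113.9", "192.168.0.1", "192.168.0.30"
SYN_IN = dict(proto="tcp", src=REMOTE, sport=51234, dst=SERVER, dport=8745, ack=False)
def wrong_direction():
    # "permit ip host 192.168.0.30 any" inbound on Dialer1 drops the real remote
    # connection but lets a packet with a spoofed internal source straight in.
    acl = ["permit ip host 192.168.0.30 any"]
    return evaluate(acl, SYN_IN), evaluate(acl, dict(SYN_IN, src=USER))

def source_port_mistake():
    # "eq 8745" on the source never matches: the client picks an ephemeral port.
    bad = [f"permit tcp host {REMOTE} eq 8745 host {SERVER} eq 8745"]
    good = [f"permit tcp host {REMOTE} host {SERVER} eq 8745"]
    return evaluate(bad, SYN_IN), evaluate(good, SYN_IN)
```

Both helper functions return `('deny', 'permit')`: the first element is the entry as originally written, the second the corrected one.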

 
Glad to hear it's working.

Also, if you feel like having some fun, check out ZBF; zone based firewall ..

We must go always forward, not backward
always up, not down and always twirling twirling towards infinity.
 
Funny you say that, I'm just reading up about them.
Zones, c3pk & class maps!

Studying for my CCNA Security, so I'll probably have more questions later.
 