Help with ACL

matt95gsr (MIS, US), Jul 1, 2002
I have a 2610 with the E1/0 port connected to the dsl modem.
Following is the acl that I need applied as a firewall, where x.x.x.x is my mail server, and y.y.y.y is my router's public ip. I need to block all incoming traffic other than that which is defined in the acl, and allow the internal networks 10.0.0.0 and 192.168.1.0 full access to the outside world. With the acl applied via the ip access-group 105 in command on the e1/0 interface, I can ping to the outside of the router by IP, but not by name. I have even tried adding permit statements to the acl specifying the IPs of my external dns servers as permitted to all internal hosts, but cannot seem to get any name resolution to work. What am I missing?!?!?


Extended IP access list 105
permit esp any any
permit udp any any eq isakmp (16 matches)
permit tcp any any established (34 matches)
permit ip any 10.0.0.0 0.255.255.255
permit ip any 192.168.1.0 0.0.0.255
permit tcp any host x.x.x.x eq smtp
permit icmp any any echo-reply
permit icmp any any packet-too-big
permit icmp any any traceroute
permit icmp any any time-exceeded
permit icmp any any net-unreachable
permit tcp any any eq 389
permit tcp any any eq 522
permit tcp any any eq 1503
permit tcp any any eq 1720
permit tcp any any eq 1731
permit tcp any host y.y.y.y eq telnet

Thanks,
Matt.



 
I would have to say that if the problem is with name resolution, and the name servers are on the outside of the network, then the problem is with the name resolution, not with the ACL. Are you sure that there is an entry for the name that you are trying to ping?

Erik Rudnick, CCIE No. 9545
mailto:erik@kuriosity.com
 
Dolt!

I'm not sure what was going on, but if I add any/any permit statements for port 53:
access-list 105 permit tcp any any eq 53
access-list 105 permit udp any any eq 53
it works. Sometimes, you've gotta just step back and take another look I guess. Erik, thanks for your thoughts.

Matt.
 
I am pretty sure it is because you are applying the access-list in the inbound direction, which is basically telling the router to filter all packets coming in from the ethernet segment. Packets coming from a host destined to the DNS server will not have been established yet; therefore, they must have a specific permit statement. At least, that is what it looks like... let me know what you think...

Erik Rudnick, CCIE No. 9545
mailto:erik@kuriosity.com
 
Matt,
I believe you do NAT at your 2610. There is no way you should allow your private addresses coming in from the internet.
Also, you should not telnet to your router from the internet. Telnet is not a secure protocol.
For domain name resolution, if you are not doing zone transfers, do not let tcp/53 come in.
Also, you should put some blocking entries at the top of your ACL:
remark Preventive protection of private addresses and bad addresses coming from internet
deny ip 192.168.0.0 0.0.255.255 any log
deny ip 172.16.0.0 0.15.255.255 any log
deny ip 10.0.0.0 0.255.255.255 any log
deny ip 127.0.0.0 0.255.255.255 any log
deny ip 224.0.0.0 31.255.255.255 any log
deny ip host 0.0.0.0 any log

Kyaw Moe
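Added example, not code from the thread or any of its posters: a small Python model of the inbound list with Kyaw Moe's denies placed first and Matt's udp/53 entry at the end, evaluated against constructed packets to show which entry each one hits. It assumes documentation-range placeholders for x.x.x.x and y.y.y.y, and that the internal forwarder queries from source port 53 so the reply's destination port is 53; a reply to an ephemeral port is included to show it falls through to the implicit deny.

```python
from ipaddress import ip_address, ip_network

# Constructed stand-in for access-list 105 on E1/0 (inbound) with Kyaw Moe's
# anti-spoofing denies first; x.x.x.x / y.y.y.y become documentation-range placeholders.
MAIL, ROUTER = "198.51.100.25", "198.51.100.1"
# Entry = (action, proto, src, dst, dst_port, flags). "est" stands for the TCP
# 'established' keyword (ACK or RST set), which IOS accepts on tcp entries only.
ACL_105 = [
    ("deny",   "ip",  "10.0.0.0/8",     "any",        None, None),
    ("deny",   "ip",  "192.168.0.0/16", "any",        None, None),
    ("permit", "tcp", "any",            "any",        None, "est"),
    ("permit", "ip",  "any",            "10.0.0.0/8", None, None),
    ("permit", "tcp", "any",            MAIL,         25,   None),
    ("permit", "udp", "any",            "any",        53,   None),  # Matt's DNS fix
]

def _match_addr(addr, spec):
    return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)

def evaluate(acl, pkt):
    """Walk the list top-down and return (action, index); index len(acl)
    is the implicit 'deny ip any any' that ends every IOS access list."""
    for i, (action, proto, src, dst, dport, flags) in enumerate(acl):
        if proto != "ip" and proto != pkt["proto"]:
            continue
        if not (_match_addr(pkt["src"], src) and _match_addr(pkt["dst"], dst)):
            continue
        if dport is not None and pkt["dport"] != dport:
            continue
        if flags == "est" and not pkt.get("ack", False):
            continue
        return action, i
    return "deny", len(acl)

# Constructed inbound packets. The inbound ACL is checked before outside-to-inside
# NAT, so returning traffic still carries the router's public address as dst.
SAMPLES = {
    # reply from an outside resolver to a forwarder that queried from port 53
    "dns_reply_port53": {"proto": "udp", "src": "203.0.113.53", "dst": ROUTER, "dport": 53},
    # same reply to a resolver that used an ephemeral source port (3077 assumed)
    "dns_reply_ephem":  {"proto": "udp", "src": "203.0.113.53", "dst": ROUTER, "dport": 3077},
    # packet arriving from the DSL side with a forged private source address
    "spoofed_private":  {"proto": "tcp", "src": "10.9.9.9", "dst": "10.0.0.5", "dport": 445},
    # return half of an outbound web session, ACK set
    "tcp_return":       {"proto": "tcp", "src": "203.0.113.80", "dst": ROUTER, "dport": 40000, "ack": True},
}

def classify_all(acl=ACL_105):
    return {name: evaluate(acl, pkt) for name, pkt in SAMPLES.items()}
```

classify_all() maps each sample to its verdict and the index of the matching entry; passing ACL_105[2:] shows the spoofed packet reaching the permit for 10.0.0.0/8 once the leading denies are removed.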
 
haha... I definitely didn't get enough sleep... I misread and thought that the ethernet0/1 interface was connecting to the internal network, not to the DSL router... oops... disregard most of what I said... and the reason that the DNS didn't work is because of UDP; if you put a permit udp established, the DNS should work fine without opening port 53... try it out...

Erik Rudnick, CCIE No. 9545
mailto:erik@kuriosity.com
 
I'll try that here shortly, Erik. Thanks. Now that I think about it, that does make sense.
 