Help with configuring access list 1


pgaliardo (MIS), Nov 30, 2004
I am pretty inexperienced with creating and modifying access lists, and would appreciate, in as much detail as possible, how to modify an existing list. Here is our current setup:

interface FastEthernet0/0
description connected to EthernetLAN
ip address 10.0.0.1 255.255.255.0
ip access-group 100 in
ip nat inside
ip inspect Internal in
duplex auto
speed auto

access-list 100 permit tcp host 10.0.0.10 any eq www
access-list 100 permit tcp host 10.0.0.10 any eq 443
access-list 100 permit udp host 10.0.0.10 any eq 443
access-list 100 deny tcp any any eq www
access-list 100 deny tcp any any eq 443
access-list 100 deny udp any any eq 443
access-list 100 permit ip any any

10.0.0.10 is our proxy server and is the only server allowed out to the Internet. I need to add another proxy server, 10.0.0.19, out to the Internet.

I basically need the steps and the commands. I think I need to remove the access list from the interface first? I'm looking for as detailed info as possible.

Thanks in advance.
 
Ok, don't worry, this is real easy.


At the prompt:

Router# config t
Router(config)#access-list 100 permit tcp host 10.0.0.19 any eq www

Hit enter; you get back to the same prompt, then type the following:

Router(config)#access-list 100 permit tcp host 10.0.0.19 any eq 443

Hit enter, then type the following for UDP:

Router(config)#access-list 100 permit udp host 10.0.0.19 any eq 443

All this is doing is adding the new server to the access-list that's already there and configured on the Ethernet 0/0 interface.

Done.


 
If you want to remove the previous 10.0.0.10 entries from the access-list, use the same commands, only you would put no before them:

Router(config)#no access-list 100 permit tcp host 10.0.0.10 any eq www

Router(config)#no access-list 100 permit tcp host 10.0.0.10 any eq 443

Router(config)#no access-list 100 permit udp host 10.0.0.10 any eq 443

You could also remove the entire access-list from the interface and create a different one, but that isn't necessary so I didn't include info on that.
 
Keep in mind that once you enter a no access-list command it removes the entire access-list and not just one line. The best method for editing access-lists is to copy and paste them into Notepad. Insert a new first line to read no access-list ###. When finished editing, copy and paste the new list back in. Remember that these access lists are order specific, and if you put an allow after a deny any any your rule will not work. One further tip is to remove the access-group statement from the interface to avoid losing connection when editing the access-list, and replace the statement after you have the new access-list in place. If you leave the access-group on the interface and start to enter a new access-list, what will happen after you enter the first permit is that the automatic last line is deny ip any any and you will kill all traffic inbound.
 
You might try copying the following if it looks good to you:


conf t
interface FastEthernet0/0
no ip access-group 100 in
ex
no access-list 100
access-list 100 permit tcp host 10.0.0.10 any eq www
access-list 100 permit tcp host 10.0.0.19 any eq www
access-list 100 permit tcp host 10.0.0.10 any eq 443
access-list 100 permit tcp host 10.0.0.19 any eq 443
access-list 100 permit udp host 10.0.0.10 any eq 443
access-list 100 permit udp host 10.0.0.19 any eq 443
access-list 100 deny tcp any any eq www
access-list 100 deny tcp any any eq 443
access-list 100 deny udp any any eq 443
access-list 100 permit ip any any
interface FastEthernet0/0
ip access-group 100 in
ex



Remember to write config when finished
 
Thanks for everyone's help. I have scheduled downtime tomorrow which will give me an opportunity to try this.

Thanks,
Phil
 
Thanks guys. I tried what JOAMON suggested but am still having problems accessing the Internet. I think the problem now lies on the WAN interface, which also has an access list and is using NAT. If I am reading it correctly, it looks like traffic is only allowed back in on 1 public IP address, which has NAT to 10.0.0.10.
Take a look at the config and please advise. What can I do short of removing the access list from the WAN interface, which I can't do because it opens our network up from the outside?

ip nat inside source static 10.0.0.20 141.150.147.88
ip nat inside source static 10.0.0.11 141.150.147.87
ip nat inside source static 10.0.0.10 141.150.147.86
ip nat inside source static 10.0.0.40 141.150.147.85
ip classless
ip route 0.0.0.0 0.0.0.0 141.150.5.89

access-list 1 permit any
access-list 100 permit tcp host 10.0.0.10 any eq www
access-list 100 permit tcp host 10.0.0.10 any eq 443
access-list 100 permit udp host 10.0.0.10 any eq 443
access-list 100 deny tcp any any eq www
access-list 100 deny tcp any any eq 443
access-list 100 deny udp any any eq 443
access-list 100 permit ip any any
access-list 102 permit tcp any host 141.150.147.86 eq www
access-list 102 permit tcp any host 141.150.147.86 eq smtp
access-list 102 permit tcp any host 141.150.147.87 eq 1494
access-list 102 permit tcp any host 141.150.147.88 eq nntp
snmp-server community public RO

Our WAN interface has access list 102 assigned to it.

Thanks.
 
Should you have the following statement in your router?
ip nat inside source list 102 interface FastEthernet0/1 overload

It would be helpful to see the entire config if possible with passwords erased.

Also to add the second proxy looks like you would also need
ip nat inside source static 10.0.0.19 141.150.147.86
as well as
access-list 100 permit tcp host 10.0.0.10 any eq www
access-list 100 permit tcp host 10.0.0.19 any eq www
access-list 100 permit tcp host 10.0.0.10 any eq 443
access-list 100 permit tcp host 10.0.0.19 any eq 443
access-list 100 permit udp host 10.0.0.10 any eq 443
access-list 100 permit udp host 10.0.0.19 any eq 443
access-list 100 deny tcp any any eq www
access-list 100 deny tcp any any eq 443
access-list 100 deny udp any any eq 443
access-list 100 permit ip any any
 
Here is the whole config:

Current configuration : 4363 bytes
!
version 12.1
no service single-slot-reload-enable
service timestamps debug datetime
service timestamps log datetime
service password-encryption
!
hostname HACKENSACK_2620
!
logging rate-limit console 10 except errors
no logging console
!
ip subnet-zero
!
!
no ip finger
no ip domain-lookup
ip host medford 172.16.1.2
ip host wcald 172.16.1.6
ip host prospect 172.16.1.10
ip host franklin 172.16.1.18
ip host regent 172.16.1.14
!
ip inspect max-incomplete high 1100
ip inspect one-minute high 1100
ip inspect name Internal tcp
ip inspect name Internal udp
ip inspect name Internal cuseeme
ip inspect name Internal ftp
ip inspect name Internal h323
ip inspect name Internal rcmd
ip inspect name Internal realaudio
ip inspect name Internal smtp
ip inspect name Internal streamworks
ip inspect name Internal vdolive
ip inspect name Internal sqlnet
ip inspect name Internal tftp
ip inspect name Internet smtp
ip inspect name Internet tcp
ip audit notify log
ip audit po max-events 100
!
!
controller T1 0/0
framing esf
linecode b8zs
channel-group 2 timeslots 1-24 speed 64
!
controller T1 0/1
framing esf
clock source internal
linecode b8zs
channel-group 0 timeslots 1-24 speed 64
!
controller T1 0/2
framing esf
linecode b8zs
cablelength short 133
channel-group 1 timeslots 1-12 speed 64
!
controller T1 0/3
!
!
interface Loopback0
no ip address
shutdown
!
interface FastEthernet0/0
description connected to EthernetLAN
ip address 10.0.0.1 255.255.255.0
ip access-group 100 in
ip nat inside
ip inspect Internal in
duplex auto
speed auto
!
interface Serial0/0:2
no ip address
encapsulation frame-relay
no fair-queue
frame-relay lmi-type ansi
!
interface Serial0/0:2.1 point-to-point
description connected to Franklin_1720
ip address 172.16.1.17 255.255.255.252
ip nat inside
frame-relay interface-dlci 100
!
interface Serial0/0:2.2 point-to-point
description connected to W_Caldwell_1720
ip address 172.16.1.5 255.255.255.252
ip nat inside
ip inspect Internal in
frame-relay interface-dlci 103
!
interface Serial0/0:2.3 point-to-point
description connected to Regent
ip address 172.16.1.13 255.255.255.252
ip nat inside
ip inspect Internal in
frame-relay interface-dlci 102
!
interface Serial0/0:2.4 point-to-point
description connected to Prospect_1720
ip address 172.16.1.9 255.255.255.252
ip nat inside
ip inspect Internal in
frame-relay interface-dlci 101
!
interface Serial0/0:2.5 point-to-point
description connected to Medford
ip address 172.16.1.1 255.255.255.252
ip nat inside
ip inspect Internal in
frame-relay interface-dlci 104
!
interface Serial0/1:0
description connected to warehouse
ip address 10.0.7.2 255.255.255.0
!
interface Serial0/2:1
bandwidth 768
ip address 141.150.5.90 255.255.255.252
ip access-group 102 in
ip nat outside
ip inspect Internet in
!
ip nat inside source static 10.0.0.20 141.150.147.88
ip nat inside source static 10.0.0.11 141.150.147.87
ip nat inside source static 10.0.0.10 141.150.147.86
ip nat inside source static 10.0.0.40 141.150.147.85
ip classless
ip route 0.0.0.0 0.0.0.0 141.150.5.89
ip route 10.0.1.0 255.255.255.0 172.16.1.2
ip route 10.0.2.0 255.255.255.0 172.16.1.18
ip route 10.0.3.0 255.255.255.0 172.16.1.6
ip route 10.0.4.0 255.255.255.0 172.16.1.10
ip route 10.0.5.0 255.255.255.0 172.16.1.14
ip route 10.0.6.0 255.255.255.0 10.0.7.1
no ip http server
!
access-list 1 permit any
access-list 100 permit tcp host 10.0.0.10 any eq www
access-list 100 permit tcp host 10.0.0.10 any eq 443
access-list 100 permit udp host 10.0.0.10 any eq 443
access-list 100 deny tcp any any eq www
access-list 100 deny tcp any any eq 443
access-list 100 deny udp any any eq 443
access-list 100 permit ip any any
access-list 100 permit tcp host 10.0.0.62 eq access-list 100 permit tcp host 10.0.0.62 any
access-list 102 permit tcp any host 141.150.147.86 eq www
access-list 102 permit tcp any host 141.150.147.86 eq smtp
access-list 102 permit tcp any host 141.150.147.87 eq 1494
access-list 102 permit tcp any host 141.150.147.88 eq nntp
snmp-server community public RO
!
line con 0
exec-timeout 0 0
logging synchronous
login
transport input none
line aux 0
password 7 01100F175804
login
line vty 0 4
login
!
no scheduler allocate
end

HACKENSACK_2620#
 
Hmmm...

Noticed one thing right off...

access-list 100 permit tcp host 10.0.0.10 any eq www
access-list 100 permit tcp host 10.0.0.10 any eq 443
access-list 100 permit udp host 10.0.0.10 any eq 443
access-list 100 deny tcp any any eq www
access-list 100 deny tcp any any eq 443
access-list 100 deny udp any any eq 443
access-list 100 permit ip any any
access-list 100 permit tcp host 10.0.0.62 eq access-list 100 permit tcp host 10.0.0.62 any

Anyone else agree with this?


This extended access-list is order specific and I believe the last two lines are invalid because they fall after a deny rule. Might work better as follows:

access-list 100 permit tcp host 10.0.0.10 any eq www
access-list 100 permit tcp host 10.0.0.10 any eq 443
access-list 100 permit udp host 10.0.0.10 any eq 443
access-list 100 permit tcp host 10.0.0.62 any
access-list 100 deny tcp any any eq www
access-list 100 deny tcp any any eq 443
access-list 100 deny udp any any eq 443
access-list 100 permit ip any any
 
You're right, but I don't think that is the issue. That was a test that was put in there. 10.0.0.62 has been taken out of the access list. There is no need for that address to access the Internet.

Thanks.
 
Hello.....

Need some help here.....

Access-list 102 is an incoming rule
access-list 102 reads:
access-list 102 permit tcp any host 141.150.147.86 eq www
access-list 102 permit tcp any host 141.150.147.86 eq smtp
access-list 102 permit tcp any host 141.150.147.87 eq 1494
access-list 102 permit tcp any host 141.150.147.88 eq nntp

Extended access-lists (if memory serves) list the source first and then the destination. If this is true then should access-list 102 read as:

access-list 102 permit tcp host 141.150.147.86 eq www any eq www
access-list 102 permit tcp host 141.150.147.86 eq smtp any eq smtp
access-list 102 permit tcp host 141.150.147.87 eq 1494 any eq 1494
access-list 102 permit tcp host 141.150.147.88 eq nntp any eq nntp

outside in.....
 
Is this a new question?

Assuming so, you are correct. Extended ACLs are:

<src_addr> <src_port> <dst_addr> <dst_port>

For an incoming ACL, your first example is usually correct. This allows any internet host to contact 171.150.147.86 for web, e-mail, news, and whatever listens on 1494.

Your second example almost certainly won't work for you. Rarely are incoming and outbound communication via the same port. NTP is an exception. In this case, you're allowing web traffic, but only if the source port is 80, and the same idea for the others.
 
Take a look at pgaliardo's configuration post. I still think that list 102 has source and destination in the wrong order.
 
I agree with JOAMON unless those ips belong to a mail and a web server on the inside of the network which pgaliardo wants the whole world to access, then ACL 102 makes no sense.
 
Just to clarify, each of these public addresses do NAT to an internal address. One is a mail server, one is a Citrix server (port 1494). We don't have a web server, it was in there when I took over this network. It may have been in anticipation of adding a web server later.

Everything is working fine, except that I can't access the Internet without going through our 1 proxy server. I would like to add a second, and nothing seems to work.

Thanks.
 
Take a look at this....

ADD:

ip nat inside source static 10.0.0.19 141.150.147.86

Modify to read :

access-list 100 permit tcp host 10.0.0.10 any eq www
access-list 100 permit tcp host 10.0.0.19 any eq www
access-list 100 permit tcp host 10.0.0.10 any eq 443
access-list 100 permit tcp host 10.0.0.19 any eq 443
access-list 100 permit udp host 10.0.0.10 any eq 443
access-list 100 permit udp host 10.0.0.19 any eq 443
access-list 100 deny tcp any any eq www
access-list 100 deny tcp any any eq 443
access-list 100 deny udp any any eq 443
access-list 100 permit ip any any
 
Remember that extended access-lists are order specific, so it should read in the order as posted. First remove the access list from the interface, then remove the access-list with the "no access-list 100" command, then copy and paste the new list in and replace it on the interface. If you just enter those new lines in place they will go to the bottom of the list, after the deny rule, which will come first and therefore your proxy will not work. Hope this helps.
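To see the two points that keep coming up in this thread (first-match order in ACL 100, and source-before-destination in the inbound ACL 102) in runnable form, here is an added Python example. It is not IOS code and not from anyone in the thread; it models only the ACL syntax used here (permit/deny, tcp/udp/ip, any, host A.B.C.D, optional eq port) with an implicit deny at the end. The packet addresses 198.51.100.7 and the ports 40000 and 51234 are constructed sample values.

```python
# Added example (not IOS code, not from this thread): first-match evaluation of
# numbered extended ACLs covering the syntax used here (permit/deny, tcp/udp/ip,
# 'any', 'host A.B.C.D', optional 'eq <port>' after each address).
from dataclasses import dataclass
from typing import List, Optional, Tuple
import ipaddress

NAMED_PORTS = {"www": 80, "smtp": 25, "nntp": 119}

@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    src: str
    dst: str
    sport: int
    dport: int

@dataclass(frozen=True)
class Entry:
    action: str  # "permit" or "deny"
    proto: str   # "tcp", "udp" or "ip" ("ip" matches every protocol)
    src: ipaddress.IPv4Network
    sport: Optional[int]  # None = any port
    dst: ipaddress.IPv4Network
    dport: Optional[int]

def _addr(t: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    return ipaddress.ip_network(t[i + 1] + "/32"), i + 2   # "host A.B.C.D"

def _opt_port(t: List[str], i: int) -> Tuple[Optional[int], int]:
    if i < len(t) and t[i] == "eq":
        p = t[i + 1]
        return (NAMED_PORTS[p] if p in NAMED_PORTS else int(p)), i + 2
    return None, i

def parse_entry(line: str) -> Entry:
    # access-list <n> <action> <proto> <src> [eq <port>] <dst> [eq <port>]
    t = line.split()
    src, i = _addr(t, 4)
    sport, i = _opt_port(t, i)
    dst, i = _addr(t, i)
    dport, _ = _opt_port(t, i)
    return Entry(t[2], t[3], src, sport, dst, dport)

def parse_acl(text: str) -> List[Entry]:
    return [parse_entry(line) for line in text.strip().splitlines()]

def evaluate(acl: List[Entry], pkt: Packet) -> Tuple[str, Optional[int]]:
    """First matching entry wins; returns (action, index). Index None = implicit deny."""
    s, d = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    for idx, e in enumerate(acl):
        if e.proto != "ip" and e.proto != pkt.proto:
            continue
        if s not in e.src or d not in e.dst:
            continue
        if e.sport is not None and e.sport != pkt.sport:
            continue
        if e.dport is not None and e.dport != pkt.dport:
            continue
        return e.action, idx
    return "deny", None

BASE = parse_acl("""
access-list 100 permit tcp host 10.0.0.10 any eq www
access-list 100 permit tcp host 10.0.0.10 any eq 443
access-list 100 permit udp host 10.0.0.10 any eq 443
access-list 100 deny tcp any any eq www
access-list 100 deny tcp any any eq 443
access-list 100 deny udp any any eq 443
access-list 100 permit ip any any
""")
NEW_PROXY = parse_acl("""
access-list 100 permit tcp host 10.0.0.19 any eq www
access-list 100 permit tcp host 10.0.0.19 any eq 443
access-list 100 permit udp host 10.0.0.19 any eq 443
""")
ACL_100_APPENDED = BASE + NEW_PROXY                  # typed into the live list: lands after the denies
ACL_100_REORDERED = BASE[:3] + NEW_PROXY + BASE[3:]  # rebuilt with both proxies ahead of the denies

ACL_102_INBOUND = parse_acl("""
access-list 102 permit tcp any host 141.150.147.86 eq www
access-list 102 permit tcp any host 141.150.147.86 eq smtp
access-list 102 permit tcp any host 141.150.147.87 eq 1494
access-list 102 permit tcp any host 141.150.147.88 eq nntp
""")
ACL_102_REVERSED = parse_acl("""
access-list 102 permit tcp host 141.150.147.86 eq www any eq www
access-list 102 permit tcp host 141.150.147.86 eq smtp any eq smtp
""")  # public host and port as the *source*: only packets sent by the server match

# Constructed sample packets; 198.51.100.7 is a documentation address.
NEW_PROXY_WEB = Packet("tcp", "10.0.0.19", "198.51.100.7", 40000, 80)
INBOUND_SMTP = Packet("tcp", "198.51.100.7", "141.150.147.86", 51234, 25)

if __name__ == "__main__":
    print("ACL 100 appended:", evaluate(ACL_100_APPENDED, NEW_PROXY_WEB))   # ('deny', 3)
    print("ACL 100 rebuilt :", evaluate(ACL_100_REORDERED, NEW_PROXY_WEB))  # ('permit', 3)
    print("ACL 102 inbound :", evaluate(ACL_102_INBOUND, INBOUND_SMTP))     # ('permit', 1)
    print("ACL 102 reversed:", evaluate(ACL_102_REVERSED, INBOUND_SMTP))    # ('deny', None)
```

The appended list stops the new proxy at the deny tcp any any eq www entry (index 3) and never reaches the permit typed in afterwards, which is exactly why the list has to be removed and rebuilt rather than extended in place. For ACL 102, an inbound SMTP connection is permitted by the list as configured but falls through to the implicit deny in the reversed form, because its source is an Internet host, not 141.150.147.86.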
 
Thanks Joaman. I will try that. One thing I am curious about. Using this config, I will have 1 outside address (141.150.147.86) that NATs to 2 internal addresses (10.0.0.10 and 10.0.0.19). Is that OK? I was under the impression that NAT can only be one to one. Thanks for the help.
 
Think you are right....
Is there another address in the 141.150.147.XX block available? If so, then could you not add:
ip nat inside source static 10.0.0.19 141.150.147.89 (for example)
Add to access-list 102
access-list 102 permit tcp any host 141.150.147.89 eq www
access-list 102 permit tcp any host 141.150.147.89 eq smtp
And modify access-list 100 so it reads as follows:
access-list 100 permit tcp host 10.0.0.10 any eq www
access-list 100 permit tcp host 10.0.0.19 any eq www
access-list 100 permit tcp host 10.0.0.10 any eq 443
access-list 100 permit tcp host 10.0.0.19 any eq 443
access-list 100 permit udp host 10.0.0.10 any eq 443
access-list 100 permit udp host 10.0.0.19 any eq 443
access-list 100 deny tcp any any eq www
access-list 100 deny tcp any any eq 443
access-list 100 deny udp any any eq 443
access-list 100 permit ip any any
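As an added example (not from the thread and not IOS code), here is a Python check for the one-to-one point raised above: it flags a static translation whose public address is already used by another inside host, which is what mapping 10.0.0.19 to 141.150.147.86 would do, and passes the alternative of a free public address. It also lists ACL 102 destinations that have no static translation. The NAT and ACL 102 lines are the ones posted in the thread plus the two proposals; 141.150.147.89 is the thread's own "for example" address.

```python
# Added example (not IOS code, not from this thread): sanity-check the static NAT
# table for one-to-one conflicts and for inbound ACL destinations that have no
# translation. Parses only 'ip nat inside source static' and extended ACL lines.
from collections import defaultdict
from typing import List, Tuple


def parse_static_nat(config: str) -> List[Tuple[str, str]]:
    """(inside, outside) pairs from 'ip nat inside source static <in> <out>' lines."""
    pairs = []
    for line in config.splitlines():
        t = line.split()
        if t[:5] == ["ip", "nat", "inside", "source", "static"] and len(t) >= 7:
            pairs.append((t[5], t[6]))
    return pairs


def acl_destination_hosts(config: str, number: str) -> List[str]:
    """Destination 'host X' addresses from extended access-list <number> lines."""
    hosts = []
    for line in config.splitlines():
        t = line.split()
        if t[:2] != ["access-list", number]:
            continue
        i = 4                            # first token after the protocol
        i += 1 if t[i] == "any" else 2   # skip the source (any | host X | addr wildcard)
        if t[i] == "eq":
            i += 2                       # skip an optional source port
        if t[i] == "host":
            hosts.append(t[i + 1])
    return hosts


def check_static_nat(pairs: List[Tuple[str, str]]) -> List[str]:
    """Static NAT is one-to-one: flag any address that appears in two mappings."""
    by_outside, by_inside = defaultdict(list), defaultdict(list)
    for inside, outside in pairs:
        by_outside[outside].append(inside)
        by_inside[inside].append(outside)
    problems = []
    for outside, insides in by_outside.items():
        if len(insides) > 1:
            problems.append(f"outside {outside} mapped to {len(insides)} inside hosts: {', '.join(insides)}")
    for inside, outsides in by_inside.items():
        if len(outsides) > 1:
            problems.append(f"inside {inside} mapped to {len(outsides)} outside addresses: {', '.join(outsides)}")
    return problems


def unmapped_acl_hosts(pairs: List[Tuple[str, str]], hosts: List[str]) -> List[str]:
    """Inbound ACL destinations that have no static translation behind them."""
    mapped = {outside for _, outside in pairs}
    return sorted({h for h in hosts if h not in mapped})


# NAT and ACL 102 lines as posted in the thread.
CURRENT = """
ip nat inside source static 10.0.0.20 141.150.147.88
ip nat inside source static 10.0.0.11 141.150.147.87
ip nat inside source static 10.0.0.10 141.150.147.86
ip nat inside source static 10.0.0.40 141.150.147.85
access-list 102 permit tcp any host 141.150.147.86 eq www
access-list 102 permit tcp any host 141.150.147.86 eq smtp
access-list 102 permit tcp any host 141.150.147.87 eq 1494
access-list 102 permit tcp any host 141.150.147.88 eq nntp
"""
# First proposal: a second inside host on the public address already used by 10.0.0.10.
SHARED_PUBLIC = CURRENT + "ip nat inside source static 10.0.0.19 141.150.147.86\n"
# Second proposal: a free public address for the new proxy, plus its ACL 102 entries.
NEW_PUBLIC = CURRENT + """ip nat inside source static 10.0.0.19 141.150.147.89
access-list 102 permit tcp any host 141.150.147.89 eq www
access-list 102 permit tcp any host 141.150.147.89 eq smtp
"""

if __name__ == "__main__":
    for name, cfg in [("current", CURRENT), ("shared", SHARED_PUBLIC), ("new", NEW_PUBLIC)]:
        pairs = parse_static_nat(cfg)
        print(name, check_static_nat(pairs),
              unmapped_acl_hosts(pairs, acl_destination_hosts(cfg, "102")))
```

Run against the shared-address proposal the check reports 141.150.147.86 mapped to two inside hosts; against the free-address proposal it reports nothing, and the unmapped-host check is useful the other way round, catching an ACL 102 entry for 141.150.147.89 added before its static translation.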
 