Internet Router Access-List Problem

[DionBr]

AS SOON AS I APPLY THIS TO MY INCOMING SERIAL INTERFACE I CANNOT SURF THE INTERNET ANYMORE. CAN SOMEONE PLEASE HELP ME.

ASSUMING THAT 197.20.115.137/29 IS MY PUBLIC ADDRESS ON MY ROUTER

I HAVE APPLIED THIS ACCESS LIST TO ALL TRAFFIC COMING IN FROM THE INTERNET INTO MY SERIAL INTERFACE
AT THIS STAGE NO ACCESS LIST HAS BEEN APPLIED TO THE ETHERNET INTERFACE RESTRICTING MY INTERNAL USERS.

access-list 100 deny ip 197.20.115.136 0.0.0.7 any log
access-list 100 deny ip host 197.20.115.137 host 197.20.115.137 log
access-list 100 deny ip 127.0.0.0 0.255.255.255 any log
access-list 100 deny ip 10.0.0.0 0.255.255.255 any log
access-list 100 deny ip 172.16.0.0 0.15.255.255 any log
access-list 100 deny ip 192.0.2.0 0.0.255.255 any log
access-list 100 deny ip 192.168.0.0 0.0.255.255 any log
access-list 100 deny ip 169.254.0.0 0.0.255.255 any log
access-list 100 deny ip 224.0.0.0 15.255.255.255 any log
access-list 100 deny ip 240.0.0.0 7.255.255.255 any log
access-list 100 deny ip 248.0.0.0 7.255.255.255 any log
access-list 100 deny ip 255.0.0.0 0.255.255.255 any log
access-list 100 deny ip host 0.0.0.0 any log
access-list 100 deny ip host 255.255.255.255 any log
access-list 100 deny ip 0.0.0.0 0.255.255.255 any log
access-list 100 deny ip any host 197.20.115.255 log
access-list 100 deny ip any host 197.20.115.0 log
access-list 100 deny icmp any any echo log
access-list 100 deny icmp any any redirect log
access-list 100 deny icmp any any mask-request log
access-list 100 permit icmp any 197.20.115.137 0.0.0.7
access-list 100 permit tcp any any established
access-list 100 permit tcp any any eq 80 log
access-list 100 permit tcp any any eq 53 log
access-list 100 permit udp any any eq 53 log
access-list 100 permit tcp any any eq 25 log
access-list 100 permit tcp any any eq 110 log
access-list 100 permit tcp any any eq 113 log
access-list 100 permit tcp any any eq 443 log
access-list 100 permit tcp any any eq 5631 log
access-list 100 permit tcp any any eq 5632 log
access-list 100 permit tcp any any eq 1352 log
access-list 100 permit tcp any any eq 1863 log
access-list 100 deny ip any any log

 

[marsd]

Advice:
Put your access list together one rule at a time.
Then test it.

 

[DionBr]

HI MARSD

EVEN IF I APPLY ONLY THE FOLLOWING I CANNOT BROWSE:-

access-list 100 permit tcp any any eq 80 log
access-list 100 permit tcp any any eq 53 log
access-list 100 permit udp any any eq 53 log
access-list 100 permit tcp any any eq 25 log
access-list 100 permit tcp any any eq 110 log

 

[sunyasee]

What access-group command are you using? You should apply the access-list to the serial interface as follows...


interface serial0
ip access-group 100 in

also what is showing up in the log?
----

Sunyasee B-)

 

[ChrisAC]

Your original ACL had the line ..

access-list 100 deny ip 0.0.0.0 0.255.255.255 any log

.. which blocks all ip traffic for a class A mask before anything is permitted.

On your second attempt, you're allowing ports 80, 53, 110 and 25 in and denyed everything else, therefore your outgoing connection will be blocked, or should I say the reply traffic will be blocked.

"EVEN IF I APPLY ONLY THE FOLLOWING I CANNOT BROWSE:-

access-list 100 permit tcp any any eq 80 log
access-list 100 permit tcp any any eq 53 log
access-list 100 permit udp any any eq 53 log
access-list 100 permit tcp any any eq 25 log
access-list 100 permit tcp any any eq 110 log"

Your outgoing traffic will have a source port greater than 1023, so if you connect to a web server for example the destination port will be 80 and the source port (your PC) will be say 1024. When the web server replies to your request it will send the traffic to your address on port 1024, which in this case is blocked by your ACL.

Chris.

************************
Chris Andrew, CCNA
chris@iproute.co.uk
************************

 

[OCiTiLLO]

instead of using command:
access-list 100 permit tcp any any eq 80 log


try the following:
access-list 100 permit tcp any any eq 80 established

 

[marsd]

iproute is correct here.
Allow unprivileged high ports inbound:
tcp/udp 1024-5900, 30000+ for starters, excepting
the high ports you have filtered in your
original list and others that cause you trouble.

 

[DionBr]

THANKS FOR THE RESPONSES

I HAVE APPLIED THE FOLLOWING ACCESS LIST TO MY SERIAL INTERFACE:-

access-list 100 permit tcp any any eq 80 established
access-list 100 permit tcp any any eq 53 log
access-list 100 permit udp any any eq 53 log
access-list 100 permit tcp any any eq 25 log
access-list 100 permit tcp any any eq 110 log
access-list 100 permit tcp any range 1024 5900 any range 1024 5900
access-list 100 permit tcp any range 30000 65000 any range 30000 65000

THIS STILL PREVENTS ME FROM BROWSING THE INTERNET. MY MAIN INTENTION IS TO SET THIS INTERNET CONNECTION TO BE AS SECURE AS POSSIBLE, PERHAPS SOMEONE HAS A GOOD INTERNET ACCESS LIST SAMPLE FOR INCOMING TRAFFIC

 

[OCiTiLLO]

I tried a portion of your ACL on my home lab and found that in order for this to work you must allow port ranges above 1023 like iproute suggested. I had 2 hangups, dns lookups and www. Try adding the following:

access-list 100 permit udp any any gt 1023

If that doesn't work, the best thing to do is remove all log statements in your ACL and add:

access-list 100 deny ip any any log

this will tell you what ip and port is being rejected and go from there

good luck

 

[DionBr]

HI OCTILLO,

HI OCTILLO THANKS FOR COMING BACK TO ME. I STILL DIDN'T HAVE ANY JOY BUT I HAVE INSTALLED THE FIREWALL FEATURE SET ON THE ROUTER. I HAVE CONFIGURED IT TO USE CBAC DYNAMIC ACCESS LISTS AND IT'S WORKING LIKE A BOMB.

THANKS FOR THE EFFORT ANYWAY GUYS, MUCH APPRECIATED!!