Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

  • Congratulations strongm on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

More ACL fun

Status
Not open for further replies.

McCisco

Technical User
Oct 29, 2006
81
US
If I apply any one of these ACL to my f0/0 interface - pointed toward the internet, I instantly can't ping past the router in or out.

I apply the ACL to the f0/0 interface - "in"
> ip access-group 102 in
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
access-list 102 deny tcp any any eq ftp
access-list 102 deny tcp any any eq ftp-data
access-list 102 deny tcp any any eq 23
access-list 102 deny tcp any any eq 25
access-list 102 deny tcp any any eq 22
access-list 102 deny tcp any any eq 110
access-list 102 deny tcp any any eq 143
access-list 102 deny udp any any eq 69
access-list 102 deny icmp any any echo
access-list 102 deny icmp any any fragments
access-list 102 permit icmp any any source-quench
access-list 102 permit icmp any any time-exceeded
access-list 102 permit icmp any any packet-too-big
access-list 102 permit icmp any any echo-reply
access-list 102 deny icmp any any
access-list 102 permit tcp any any established
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
ACL runs in sequential order you are denying ping in the list before anything else so it won't work.
 
ok, i sorta understand, so how would I order it , so it would work? Does Ping use a certain port that I an blocking?
 
access-list 102 deny icmp any any echo is screwing you up. Permit all of your icmp conditions before the deny statement mentioned.

Tim
 
thanks Tim , I will give it a try
 
thanks - This seemed to work. Is there anything else you can think of I should do before i put this guy online facing the internet as my firewall router. I am currently reading about the cbac stuff - it looks pretty good.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
access-list 102 deny tcp any any eq ftp
access-list 102 deny tcp any any eq ftp-data
access-list 102 deny tcp any any eq 23
access-list 102 deny tcp any any eq 25
access-list 102 deny tcp any any eq 22
access-list 102 deny tcp any any eq 110
access-list 102 deny tcp any any eq 143
access-list 102 deny udp any any eq 69
access-list 102 permit icmp any any source-quench
access-list 102 permit icmp any any time-exceeded
access-list 102 permit icmp any any packet-too-big
access-list 102 permit icmp any any echo-reply
access-list 102 deny icmp any any fragments
access-list 102 deny icmp any any echo
access-list 102 permit tcp any any established
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
bet you knew this was coming. Ping now works but I can't browse the web.

ACL is going to kill me - I am going to pull out my hair
:)
 
access-list 102 permit any any
Remember, once you build the list, it will permit what you have left after the deny statements. Then, after it goes thru the list, it implicitely denies everything else, which includes http since you did not include this in the permit statements. The permit any any will solve this.

Tim
 
I want you to know, you saved a life today :)

Thanks

anything else for acl\firewall\router hardening before I turn this thing toward the internet
 
so all the deny should go at the top and all the permit should go at the bottom

deny
deny
deny
permit
permit
permit
 
Not knowing your setup its hard to say , hopefully if this is router is directly attached to your network you have like NAT setup .
 
cool, i will check out hte links.

Also is there a way to log the traffic and look at it to see what is hitting the router
 
Also, I am going to set up nat, I just haven't got to it yet.
 
where can I download the Cisco IOS firewall feature set?
 
ok,I looked through the docs I could find, and never really saw anything that said it was the firewall feature set, unless it was the one, I tried to load before you gave me, that is to big
 
The bottom file inside each folder is a brief description of all the ios's in the folder. The ios feature set is fairly large.
 
Status
Not open for further replies.

Part and Inventory Search

Sponsor

Back
Top