More ACL fun

[McCisco]

If I apply any one of these ACL to my f0/0 interface - pointed toward the internet, I instantly can't ping past the router in or out.

I apply the ACL to the f0/0 interface - "in"
> ip access-group 102 in
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
access-list 102 deny tcp any any eq ftp
access-list 102 deny tcp any any eq ftp-data
access-list 102 deny tcp any any eq 23
access-list 102 deny tcp any any eq 25
access-list 102 deny tcp any any eq 22
access-list 102 deny tcp any any eq 110
access-list 102 deny tcp any any eq 143
access-list 102 deny udp any any eq 69
access-list 102 deny icmp any any echo
access-list 102 deny icmp any any fragments
access-list 102 permit icmp any any source-quench
access-list 102 permit icmp any any time-exceeded
access-list 102 permit icmp any any packet-too-big
access-list 102 permit icmp any any echo-reply
access-list 102 deny icmp any any
access-list 102 permit tcp any any established
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

[vipergg]

ACL runs in sequential order you are denying ping in the list before anything else so it won't work.

 

[McCisco]

ok, i sorta understand, so how would I order it , so it would work? Does Ping use a certain port that I an blocking?

 

[castlesmadeofsand]

access-list 102 deny icmp any any echo is screwing you up. Permit all of your icmp conditions before the deny statement mentioned.

Tim

 

[McCisco]

thanks Tim , I will give it a try

 

[McCisco]

thanks - This seemed to work. Is there anything else you can think of I should do before i put this guy online facing the internet as my firewall router. I am currently reading about the cbac stuff - it looks pretty good.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
access-list 102 deny tcp any any eq ftp
access-list 102 deny tcp any any eq ftp-data
access-list 102 deny tcp any any eq 23
access-list 102 deny tcp any any eq 25
access-list 102 deny tcp any any eq 22
access-list 102 deny tcp any any eq 110
access-list 102 deny tcp any any eq 143
access-list 102 deny udp any any eq 69
access-list 102 permit icmp any any source-quench
access-list 102 permit icmp any any time-exceeded
access-list 102 permit icmp any any packet-too-big
access-list 102 permit icmp any any echo-reply
access-list 102 deny icmp any any fragments
access-list 102 deny icmp any any echo
access-list 102 permit tcp any any established
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

[McCisco]

bet you knew this was coming. Ping now works but I can't browse the web.

ACL is going to kill me - I am going to pull out my hair

 

[vipergg]

No where are you allowing

http://WWW ,

if its not matched in the ACL it is explicitly denied at the end .

 

[castlesmadeofsand]

access-list 102 permit any any
Remember, once you build the list, it will permit what you have left after the deny statements. Then, after it goes thru the list, it implicitely denies everything else, which includes http since you did not include this in the permit statements. The permit any any will solve this.

Tim

 

[castlesmadeofsand]

Oh---the permit tcp any any and permit ip any any goes at the end.

Tim

 

[McCisco]

I want you to know, you saved a life today

Thanks

anything else for acl\firewall\router hardening before I turn this thing toward the internet

 

[McCisco]

so all the deny should go at the top and all the permit should go at the bottom

deny
deny
deny
permit
permit
permit

 

[vipergg]

Not knowing your setup its hard to say , hopefully if this is router is directly attached to your network you have like NAT setup .

 

[castlesmadeofsand]

firewall? You should Google some setups, because firewall statements usually begin with
ip inspect-name real-audio
and such.

http://www.akadia.com/services/cisco_router_firewall.html

http://www.cisco.com/en/US/tech/tk648/tk361/tech_configuration_examples_list.html

http://www.mtiweb.com/isp/ciscoacc.html

http://www.informit.com/bookstore/product.asp?isbn=1587131595&rl=1

 

[McCisco]

cool, i will check out hte links.

Also is there a way to log the traffic and look at it to see what is hitting the router

 

[McCisco]

Also, I am going to set up nat, I just haven't got to it yet.

 

[McCisco]

where can I download the Cisco IOS firewall feature set?

 

[castlesmadeofsand]

The ftp site I gave you.

 

[McCisco]

ok,I looked through the docs I could find, and never really saw anything that said it was the firewall feature set, unless it was the one, I tried to load before you gave me, that is to big

 

[castlesmadeofsand]

The bottom file inside each folder is a brief description of all the ios's in the folder. The ios feature set is fairly large.