Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations strongm on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Need Help To Stop External IP's From Getting inside Network...

Status
Not open for further replies.
FastHackem

FastHackem

IS-IT--Management
Aug 16, 2001
19
US
Alright I will try to keep this as logical as I can. We have entered the following extended access-list on fa 0/0.100:

access-list 120 permit ip any any
access-list 120 deny ip 12.0.0.0 0.255.255.255 any log
access-list 120 deny ip 24.0.0.0 0.255.255.255 any log
access-list 120 deny ip 63.0.0.0 0.255.255.255 any log
access-list 120 deny ip 64.0.0.0 0.255.255.255 any log
access-list 120 deny ip 192.215.0.0 0.0.255.255 any log
access-list 120 deny ip 140.0.0.0 0.255.255.255 any log
access-list 120 deny ip 204.0.0.0 0.255.255.255 any log
access-list 120 deny ip 205.0.0.0 0.255.255.255 any log
access-list 120 deny ip 206.0.0.0 0.255.255.255 any log
access-list 120 deny ip 208.0.0.0 0.255.255.255 any log
access-list 120 deny ip 209.0.0.0 0.255.255.255 any log
access-list 120 deny ip 213.0.0.0 0.255.255.255 any log
access-list 120 deny ip 216.0.0.0 0.255.255.255 any log
access-list 120 deny ip 217.0.0.0 0.255.255.255 any log

Our problem is:

We are getting hit from various external IP's. We have a router on the outside of our internal school network. Somehow packets are passing thru our IP's deisgnated for NAT/PAT use something to the effect of (one example entry):

192.140.100.10 ----> 1xx.blah.blah.blah(our external network designated for NAT/PAT use) 1 packet

We are getting hit by hundreds of these, from different IP's. The above access-list seems to deny them from passing into us, but it also blocks us from getting out anywhere on the net. What is going on??? We are not blocking TCP, only IP. Help please!!

-Eric, CCNA, Net+, A+, APS, BrainBench
 
Sort by date Sort by votes
I also found out from logs that not only are they coming in, they are also exiting through our email back out of the NAT/PAT's. This is crazy!! Any thoughts???
 
Upvote 0 Downvote
access-list 120 deny ip 12.0.0.0 0.255.255.255 any log
access-list 120 deny ip 24.0.0.0 0.255.255.255 any log
access-list 120 deny ip 63.0.0.0 0.255.255.255 any log
access-list 120 deny ip 64.0.0.0 0.255.255.255 any log
access-list 120 deny ip 192.215.0.0 0.0.255.255 any log
access-list 120 deny ip 140.0.0.0 0.255.255.255 any log
access-list 120 deny ip 204.0.0.0 0.255.255.255 any log
access-list 120 deny ip 205.0.0.0 0.255.255.255 any log
access-list 120 deny ip 206.0.0.0 0.255.255.255 any log
access-list 120 deny ip 208.0.0.0 0.255.255.255 any log
access-list 120 deny ip 209.0.0.0 0.255.255.255 any log
access-list 120 deny ip 213.0.0.0 0.255.255.255 any log
access-list 120 deny ip 216.0.0.0 0.255.255.255 any log
access-list 120 deny ip 217.0.0.0 0.255.255.255 any log
access-list 120 permit ip any any

Router see your ACL from UP to DOWN
 
Upvote 0 Downvote
We have tried both ways, with same results, it seems to block them, but also blocks us. I am not sure if these are the symptoms of a virus gone awry. The hits seem to be using others sites to hit us. Any ideas??
 
Upvote 0 Downvote
Another option that Cisco offers that works in conjunction with ACLs is Context-Based Access Control (CBAC). This link describes it an how to configure it.


It may or may not be available for your router but it is worth looking into. I am using it as perimeter security and it seems to work pretty well.

Bluecrack
 
Upvote 0 Downvote
Make sure the access list is applied to the INBOUND side of the interface facing the outside world. You want to stop it at the interface before anything else.

It DOES make a difference up down... the last line should be your permit(s) since there is a deny all even if it's not said. The access list is processed one line at a time, once a match occurs, it drops out of the list so put the commonly matches at the top.. this will ease the processing time for each packet.

access-list 107 deny ip 10.0.0.0 0.255.255.255 any log
access-list 107 deny ip 172.0.0.0 0.255.255.255 any log
access-list 107 deny ip 127.0.0.0 0.255.255.255 any log
access-list 107 deny ip 255.0.0.0 0.255.255.255 any log
access-list 107 deny ip 224.0.0.0 0.255.255.255 any log
access-list 107 deny ip 192.168.50.0 0.0.0.255 any log
access-list 107 deny icmp any any echo log
access-list 107 deny tcp any any eq finger
access-list 107 permit ip any any

This is a list I run and it works fine.. INBOUND on the interface

MikeS "Diplomacy; the art of saying 'nice doggie' till you can find a rock" Wynn Catlin
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

Luzbel
  • Locked
  • Question
Connecting HVAC controller to network
Replies
0
Views
146
Luzbel
Luzbel
Jared R
  • Locked
  • Question
Cisco UC320W Paging Help
Replies
0
Views
206
Jared R
Jared R
Skip Rango
  • Locked
  • Question
how to backup cisco sg500-52p switch
Replies
1
Views
204
madwok
madwok
WinstonCH
  • Locked
  • Helpful tip
What is wrong with the diagram, there are people who will help to fix it? How do i do the configurat
Replies
1
Views
148
BIS
BIS
DTGMI
  • Locked
  • Question
Moving from Juniper SRX-240 to Cisco ??
Replies
0
Views
115
DTGMI
DTGMI

Part and Inventory Search

Sponsor

Back
Top