
Outside Interface Access-List


quickconnect (IS-IT--Management, US), May 5, 2003
This is a fairly new setup for me, aside from doing site-to-site VPNs. I have a router that is being used at one of our sites for internet access, DHCP and NAT. What I want to do is block internet traffic from my public network by applying an access-list on the outside (internet-facing) interface to block all incoming traffic except from a certain IP and port 1352.
What should my access-list look like?

I want to be able to send outbound traffic but block inbound internet traffic. Please help me with the access-list.
 
Well, you start out with gathering your IPs and ports that you want to allow, which you already seem to have. Then you make sure you are very careful and understand what you're applying before doing so, because if not you could shut down your whole network.

You create your access list in global config by typing:

ip access-list extended [number or name]

You'll then be in the acl config. You'll then issue permit/deny statements to allow/block whatever you want, like so:

permit tcp host xxx.xxx.xxx.xxx eq 1352 any

Just remember that access lists are processed in order from top to bottom and there is an implicit deny at the end. So, if you wanted to allow anything else, you would have to permit it as well, otherwise, this is the only thing that will get through.

To apply this to an interface, you go into your interface config and type:

ip access-group [number or name of acl] in
 
Can you give me a good access-list to add which blocks all inbound internet traffic? Then I can add my allows.
 
The implicit deny does what you want. If you just do your permit statements, anything else not specifically allowed will be blocked.
 
I am having a problem when I try to apply this access-list to my outside interface. When I apply the ACL that site can no longer get to the internet; when I remove the ACL they can. What is wrong with this ACL?

access-list 101 permit icmp host 65.x.x.x host 82.206.x.x echo
access-list 101 permit icmp host 82.206.x.x host 65.x.x.x echo
access-list 101 permit icmp host 82.206.x.x any echo
access-list 101 permit icmp host 65.x.x.x host 82.206.x.x echo-reply
access-list 101 permit icmp host 82.206.x.x host 65.x.x.x echo-reply
access-list 101 permit icmp any host 82.206.x.x echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any unreachable
access-list 101 permit tcp host 65.x.x.x host 82.206.x.x eq 22
access-list 101 deny ip any any
 
Here is my config for the serial interface and the outside interface

interface FastEthernet0/0
description connected to Internet
ip address 82.206.x.x 255.255.255.248
no ip proxy-arp
ip nat inside
ip inspect fw in
ip virtual-reassembly
no ip route-cache cef
no ip route-cache
no ip mroute-cache
speed auto
no cdp enable
!
interface Serial0/0
bandwidth 128
ip unnumbered FastEthernet0/0
no keepalive
ignore dcd
no fair-queue
no cdp enable
 
Which side of the serial interface are "they" on? Which side is the Internet on? Your access list looks like you're only allowing ICMP. IP is denied. TCP is denied.

Your access-list lines only allow this site to "icmp" or ping:
access-list 101 permit icmp host 65.x.x.x host 82.206.x.x echo
access-list 101 permit icmp host 82.206.x.x host 65.x.x.x echo
access-list 101 permit icmp host 82.206.x.x any echo
access-list 101 permit icmp host 65.x.x.x host 82.206.x.x echo-reply
access-list 101 permit icmp host 82.206.x.x host 65.x.x.x echo-reply
access-list 101 permit icmp any host 82.206.x.x echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any unreachable

This one allows host (1 host) 65.?.?.? to use TCP 22 to host (1 host) 82.206.?.?
access-list 101 permit tcp host 65.x.x.x host 82.206.x.x eq 22

This line is not necessary, as it is implicit in access lists. However, some people use them to make access lists easier to read. You can leave it.
access-list 101 deny ip any any
 
The way this is set up, my ISP is a satellite connection (VSAT). My interface Serial0/0 is plugged into the satellite modem via a serial cable.

So to answer your question: interface Serial0/0 is the interface that is directly connected to the modem, but
interface FastEthernet0/0 is the one that is addressed with the public address.


Any ideas what I'm doing wrong?
 
Add "permit tcp any any established" so that traffic for established sessions can get back in. You can alter it like any ACL if you only want web traffic, for example.

As a troubleshooting measure you can use "access-list 101 deny ip any any log" to log the hits.
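To see what the posted list actually does to each kind of packet, here is an added Python model of IOS extended-ACL matching. It is illustrative code written for this page, not IOS and not from the original thread: it parses the access-list 101 lines above, evaluates constructed inbound packets top down with first match and the implicit deny, and repeats the run with lgarner's `permit tcp any any established` line inserted ahead of the final deny. The public address (82.206.136.177) and the corporate host (65.221.183.30) are the ones given later in the thread; 203.0.113.10 and 198.51.100.7 are documentation-range placeholders for an internet web server and an unknown scanner.

```python
# Added example: Cisco IOS extended-ACL matching modelled in Python (top down, first
# match wins, implicit deny at the end), run against the access-list 101 in this thread.
import ipaddress
from collections import namedtuple

Packet = namedtuple("Packet", "proto src dst dport icmp_type flags", defaults=(0, "", frozenset()))
Ace = namedtuple("Ace", "action proto src dst dport opts")   # opts: icmp type, established, log
ICMP_TYPES = {"echo", "echo-reply", "time-exceeded", "unreachable"}

def _take_addr(tokens):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD' from the front of the token list."""
    if tokens[0] == "any":
        return "any", tokens[1:]
    if tokens[0] == "host":
        return f"host {tokens[1]}", tokens[2:]
    return f"{tokens[0]} {tokens[1]}", tokens[2:]

def _take_port(tokens):
    if tokens and tokens[0] == "eq":            # optional 'eq N' port qualifier
        return int(tokens[1]), tokens[2:]
    return None, tokens

def parse_acl(text):
    aces = []
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 5 or t[0] != "access-list":
            continue
        action, proto, rest = t[2], t[3], t[4:]
        src, rest = _take_addr(rest)
        _, rest = _take_port(rest)              # source-port qualifier, unused in this thread
        dst, rest = _take_addr(rest)
        dport, rest = _take_port(rest)
        aces.append(Ace(action, proto, src, dst, dport, set(rest)))
    return aces

def _addr_match(spec, ip):
    if spec == "any":
        return True
    a, b = spec.split()
    if a == "host":
        return ip == b
    mask = ~int(ipaddress.IPv4Address(b)) & 0xFFFFFFFF   # wildcard bit 1 = don't care
    return int(ipaddress.IPv4Address(ip)) & mask == int(ipaddress.IPv4Address(a)) & mask

def _matches(ace, pkt):
    if ace.proto not in ("ip", pkt.proto):
        return False
    if not (_addr_match(ace.src, pkt.src) and _addr_match(ace.dst, pkt.dst)):
        return False
    if ace.dport is not None and pkt.dport != ace.dport:
        return False
    wanted = ace.opts & ICMP_TYPES
    if wanted and pkt.icmp_type not in wanted:
        return False
    # 'established' is not stateful: it only requires ACK or RST to be set, which
    # excludes a fresh SYN but lets any crafted ACK segment through.
    if "established" in ace.opts and not (pkt.flags & {"ack", "rst"}):
        return False
    return True

def evaluate(aces, pkt):
    """Return (action, 1-based ACE number); ('deny', None) is the implicit deny."""
    for n, ace in enumerate(aces, 1):
        if _matches(ace, pkt):
            return ace.action, n
    return "deny", None

ACL_101 = """
access-list 101 permit icmp host 65.221.183.30 host 82.206.136.177 echo
access-list 101 permit icmp host 82.206.136.177 host 65.221.183.30 echo
access-list 101 permit icmp host 82.206.136.177 any echo
access-list 101 permit icmp host 65.221.183.30 host 82.206.136.177 echo-reply
access-list 101 permit icmp host 82.206.136.177 host 65.221.183.30 echo-reply
access-list 101 permit icmp any host 82.206.136.177 echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any unreachable
access-list 101 permit tcp host 65.221.183.30 host 82.206.136.177 eq 22
access-list 101 deny ip any any
"""
# lgarner's suggestion: the same list with 'established' inserted ahead of the final deny
ACL_101_ESTABLISHED = ACL_101.replace("access-list 101 deny ip any any",
    "access-list 101 permit tcp any any established\naccess-list 101 deny ip any any")

# Constructed traffic as it arrives inbound on FastEthernet0/0 (the inbound ACL runs before NAT).
TRAFFIC = {
    "return_web": Packet("tcp", "203.0.113.10", "82.206.136.177", 40001, flags=frozenset({"syn", "ack"})),
    "corp_ssh":   Packet("tcp", "65.221.183.30", "82.206.136.177", 22, flags=frozenset({"syn"})),
    "corp_notes": Packet("tcp", "65.221.183.30", "82.206.136.177", 1352, flags=frozenset({"syn"})),
    "random_ssh": Packet("tcp", "198.51.100.7", "82.206.136.177", 22, flags=frozenset({"syn"})),
    "ping_reply": Packet("icmp", "203.0.113.10", "82.206.136.177", icmp_type="echo-reply"),
}

def verdicts(acl_text):
    aces = parse_acl(acl_text)
    return {name: evaluate(aces, pkt)[0] for name, pkt in TRAFFIC.items()}

if __name__ == "__main__":
    for label, text in (("as posted", ACL_101), ("with established", ACL_101_ESTABLISHED)):
        print(label, verdicts(text))
```

Run as posted, the SYN/ACK coming back for an inside user's web session is dropped by line 10, which is why the site loses internet access the moment the list is applied; the Lotus Notes connection on 1352 is dropped as well. With `established` added, the return segments pass while a fresh inbound SYN from an unknown host still does not, but 1352 still needs its own permit ahead of the deny (something like `permit tcp host 65.221.183.30 host 82.206.136.177 eq 1352`, with the destination being whatever public address the static NAT uses). Note that `established` only inspects TCP flag bits; the stateful `ip inspect` (CBAC) rules already defined in the config are the more robust way to let return traffic back in.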
 
lgarner

So should my access-list 101 look like this

access-list 101 permit icmp host 65.x.x.x host 82.206.x.x echo
access-list 101 permit icmp host 82.206.x.x host 65.x.x.x echo
access-list 101 permit icmp host 82.206.x.x any echo
access-list 101 permit icmp host 65.x.x.x host 82.206.x.x echo-reply
access-list 101 permit icmp host 82.206.x.x host 65.x.x.x echo-reply
access-list 101 permit icmp any host 82.206.x.x echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any unreachable
access-list 101 permit tcp host 65.x.x.x host 82.206.x.x eq 22
access-list 101 permit tcp any any established
access-list 101 deny ip any any
 
A tip to get your acl correct is to use a
Code:
permit ip any any log
statement at the end, after you configure your ACL. Let it run for a couple of hours like this. Then do a
Code:
sh ip access-list
If you have any hits on your permit ip any any statement, do a
Code:
sh log
This will show you what traffic hit it, and enable you to make an informed decision on whether you will deny it.

I have to use this methodology because of the size of the ACLs we use (100s of lines).

UnaBomber
ccnp mcse2k
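As an added example (not part of UnaBomber's post), here is a Python summariser for the `show log` output that a trailing `permit ip any any log` line produces. It parses the IOS `%SEC-6-IPACCESSLOGP` / `IPACCESSLOGDP` message format, groups hits by direction and service, and totals packets and distinct sources, so each bucket can be turned into a specific permit or left to the deny. The log lines are constructed for this example, and the split between "reply" and "inbound" is a heuristic of this code, not an IOS feature: a well-known source port with an ephemeral destination port is taken to be a reply to a session the inside opened.

```python
# Added example: summarise hits on a trailing 'permit ip any any log' ACE from IOS
# 'show log' output so each flow can be turned into a specific permit or a deny.
import re
from collections import defaultdict

# IPACCESSLOGP: tcp/udp with ports. IPACCESSLOGDP: icmp with (type/code). IPACCESSLOGNP: other protocols.
LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOG(?:P|DP|NP): list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\S+) (?P<src>[\d.]+)(?:\((?P<sport>\d+)\))? -> "
    r"(?P<dst>[\d.]+)(?:\((?P<dport>\d+)\))?(?: \((?P<icmp>\d+/\d+)\))?, (?P<count>\d+) packets?"
)

# Constructed sample; IOS logs the first packet of a flow, then a count every five minutes.
SAMPLE_LOG = """\
May  5 10:01:02.101: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 203.0.113.10(80) -> 82.206.136.177(40001), 1 packet
May  5 10:01:12.414: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 203.0.113.10(443) -> 82.206.136.177(40002), 1 packet
May  5 10:03:55.009: %SEC-6-IPACCESSLOGP: list 101 permitted udp 203.0.113.53(53) -> 82.206.136.177(50123), 1 packet
May  5 10:04:40.777: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 65.221.183.30(50511) -> 82.206.136.177(1352), 1 packet
May  5 10:05:01.000: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 198.51.100.7(38291) -> 82.206.136.177(445), 1 packet
May  5 10:06:02.101: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 203.0.113.10(80) -> 82.206.136.177(40001), 17 packets
May  5 10:06:14.120: %SEC-6-IPACCESSLOGDP: list 101 permitted icmp 203.0.113.10 -> 82.206.136.177 (0/0), 1 packet
May  5 10:07:30.555: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 198.51.100.7(38292) -> 82.206.136.177(445), 3 packets
"""

def summarize(log_text, acl="101"):
    """Group hits by (kind, service) -> (packet total, frozenset of source addresses)."""
    buckets = defaultdict(lambda: [0, set()])
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m or m["acl"] != acl:
            continue
        if m["icmp"]:
            key = ("icmp", m["icmp"])                  # icmp type/code
        elif m["dport"] is None:
            key = ("other", m["proto"])                # protocol without ports (IPACCESSLOGNP)
        else:
            sport, dport = int(m["sport"] or 0), int(m["dport"])
            # Heuristic (assumption): well-known source port and ephemeral destination port
            # means a reply to a session the inside opened; anything else is a new inbound connection.
            if sport < 1024 <= dport:
                key = ("reply", f"{m['proto']}/{sport}")
            else:
                key = ("inbound", f"{m['proto']}/{dport}")
        buckets[key][0] += int(m["count"])
        buckets[key][1].add(m["src"])
    return {k: (n, frozenset(srcs)) for k, (n, srcs) in buckets.items()}

if __name__ == "__main__":
    for (kind, service), (packets, sources) in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{kind:8} {service:10} {packets:5d} packets from {', '.join(sorted(sources))}")
```

On the sample, the "reply" buckets (tcp/80, tcp/443, udp/53, and the echo-reply) are what `established` or `ip inspect` should be letting back in, the single inbound hit on tcp/1352 from 65.221.183.30 is the Lotus Notes replication that needs its own permit, and the inbound tcp/445 attempts from an unknown host are exactly what should fall through to the deny once the `permit ip any any log` line is removed.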
 
So how should my ACL look then? I thought that
access-list 101 permit tcp any any established allows connections from the inside to be returned.

Look at my ACL above; can you post what the ACL should look like?

Thanks
 
You could do this with NAT, AFAIK (but I haven't tested it):

Code:
fa0/0: 
ip nat inside
s0/0
ip nat outside
!
ip nat outside source static 65.x.x.x 192.168.111.10
ip route 192.168.111.10 255.255.255.255  65.x.x.x
ip route 0.0.0.0 0.0.0.0 s0/0

So (in theory) a packet coming from 65.x.x.x destined for 82.206.x.x will be translated on the outside int to 192.168.111.10.
It will then look for a route to 82.206.x.x, and will see it's directly connected.

The interface will reply to the ICMP request and send a packet towards 192.168.111.10 with a source of the fa0/0.
It will look in the routing table for a route to 192.168.111.10 and will see a static entry for 65.x.x.x.

Then the router will look for 65.x.x.x in its routing table and will use the gateway of last resort (you can omit this if you don't need it, or are already routing fine) and send the packet back to where it came from.

The only problem I can see is that the source on the way back will have been translated.

BTW:
My last post was a description of how you can troubleshoot ACL problems; it wasn't a solution to your problem.

UnaBomber
ccnp mcse2k
 
Actually the source won't be translated, the destination will be on the way out (will it?).

BTW, you won't need any ACL if you use this, and all inbound traffic will be stopped apart from established sessions or traffic that is specifically NATed outside to in. Just be careful you don't create a black hole.

:) Good luck

UnaBomber
ccnp mcse2k
 
I currently already have this

!
ip nat pool natpool-0 82.206.x.x 82.206.x.x netmask 255.255.255.248
ip nat inside source list 1 pool natpool-0 overload


ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/0
no ip http server
ip pim bidir-enable


Is this correct? If so, you're saying I don't need an ACL on my interface?

The reason I need some kind of ACL is because at corporate we are going to do port 1352 Lotus Notes replication to this site, so 65.221.x.x needs to access the Notes server internally, so my ACL on the outside interface needs to allow my server 65.221.x.x to access my internal server.

I will have a static translation to perform this, something like this:
ip nat inside source static 172.168.1.2 82.206.x.x

Thoughts? Sorry for all the questions.
 
Are your inside addresses routable?

Post your running config, removing passwords and full IPs, please.

UnaBomber
ccnp mcse2k
 
Here you go

Current configuration : 3838 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname RTR01
!
boot-start-marker
boot-end-marker
!
enable secret XXXXXXXXXXXXXXXXXXXXXXXXXXXXX
!
username admin password XXXXXXXXXXXXXXXXXXXXXXXXXXX
memory-size iomem 15
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
aaa new-model
!
!
aaa authentication login userauthen group tacacs+
aaa authorization network groupauthor local
aaa session-id common
ip subnet-zero
!
!
!
!
ip cef
ip domain name xxx.corp.com
no ip bootp server
ip inspect name fw cuseeme timeout 3600
ip inspect name fw ftp timeout 3600
ip inspect name fw h323 timeout 3600
ip inspect name fw http timeout 3600
ip inspect name fw rcmd timeout 3600
ip inspect name fw realaudio timeout 3600
ip inspect name fw smtp timeout 3600
ip inspect name fw sqlnet timeout 3600
ip inspect name fw streamworks timeout 3600
ip inspect name fw tcp timeout 3600
ip inspect name fw tftp timeout 30
ip inspect name fw udp timeout 15
ip inspect name fw vdolive timeout 3600
ip ips po max-events 100
ip ssh time-out 30
no ftp-server write-enable
password encryption aes
!
!
!
!
!
!
!
!
interface FastEthernet0/0
description Connected To The Internet
ip address 82.206.136.177 255.255.255.248
no ip proxy-arp
ip nat outside
ip virtual-reassembly
no ip route-cache cef
no ip route-cache
no ip mroute-cache
speed auto
no cdp enable
!
interface Serial0/0
bandwidth 128
ip unnumbered FastEthernet0/0
no keepalive
ignore dcd
no fair-queue
no cdp enable
!
interface Ethernet1/0
description Connected To The Inside
ip address 172.16.1.1 255.255.255.0
ip access-group 102 in
no ip proxy-arp
ip nat inside
ip inspect fw in
ip virtual-reassembly
no ip route-cache cef
no ip route-cache
no ip mroute-cache
half-duplex
no cdp enable
!
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/0
no ip http server
no ip http secure-server
!
ip nat pool natpool-0 82.206.136.177 82.206.136.177 netmask 255.255.255.248
ip nat inside source list 1 pool natpool-0 overload
!
!
access-list 1 permit 172.16.0.0 0.0.255.255
access-list 101 permit icmp host 65.221.183.30 host 82.206.136.177 echo
access-list 101 permit icmp host 82.206.136.177 host 65.221.183.30 echo
access-list 101 permit icmp host 82.206.136.177 any echo
access-list 101 permit icmp host 65.221.183.30 host 82.206.136.177 echo-reply
access-list 101 permit icmp host 82.206.136.177 host 65.221.183.30 echo-reply
access-list 101 permit icmp any host 82.206.136.177 echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any unreachable
access-list 101 permit tcp host 65.221.183.30 host 82.206.136.177 eq 22
access-list 101 deny ip any any
access-list 102 permit ip 172.16.0.0 0.0.255.255 any
access-list 102 deny icmp any any redirect
access-list 102 deny ip host 127.0.0.0 any
access-list 102 deny ip 224.0.0.0 31.255.255.255 any
access-list 102 deny ip host 0.0.0.0 any
access-list 102 deny ip any any log
no cdp run
!
!
control-plane
!
banner motd ^CCC
**********************************************************
This system is to be used only by specifically authorized
personnel. Any unauthorized use of the system is unlawful,
and may be subject to civil and/or criminal penalties. Any
use of this system may be logged or monitored without
further notice, and that the resulting logs may be used as
evidence in court.
**********************************************************
^C
!
line con 0
line aux 0
exec-timeout 5 0
password XXXXXXXXXXXXXX
modem InOut
modem autoconfigure type usr_sportster
transport input all
stopbits 1
speed 115200
flowcontrol hardware
line vty 0 4
exec-timeout 5 0
password XXXXXXXXXXXXXXX
logging synchronous
transport input ssh
!
scheduler allocate 30000 2000
end

RTR01#
 
OK, your inside network is not routable from the outside, so you don't need to prevent access from outside to inside; it is already done for you.

Anyway I think this is what you need to do:

Code:
ip nat outside source static 65.221.183.30 192.168.1.2
ip nat inside source static 192.168.1.1 82.206.36.172

ip route 192.168.1.1 255.255.255.255 172.16.1.2
ip route 192.168.1.2 255.255.255.255 65.221.183.30

Test it before you go live, because I haven't...

What this does is: if a packet with SA 65.221.183.30 hits the outside int with DA of 82.206.36.172, the SA is translated to 192.168.1.2 and the DA is translated to 192.168.1.1. The router will see a route for 192.168.1.1 and send it to 172.16.1.2. On the way back the Notes server will send a packet to 192.168.1.2 (the SA on the way in); the router will see a route for that to 65.221.183.30 and send it there.

BTW

Your access-list 102 has 1 permit statement then lots of deny statements. This isn't needed, because at the end of every ACL is a deny ip any any. That being said, you can remove:

Code:
access-list 102 deny   icmp any any redirect
access-list 102 deny   ip host 127.0.0.0 any
access-list 102 deny   ip 224.0.0.0 31.255.255.255 any
access-list 102 deny   ip host 0.0.0.0 any
access-list 102 deny   ip any any log

Also, your access-group command is "in", so you are allowing anything from 172.16.0.0 0.0.255.255 to anywhere. Why?

UnaBomber
ccnp mcse2k
 
Now I have a headache. You should read up on CBAC, or Context-Based Access Control.

Tim
 