alt.certification.cisco, December 2003

Question about access lists
Naamloos

2003-12-23, 10:25 am

Hi,

I recently bought a Cisco SOHO 91 router for my home so I could get some
hands-on experience with IOS.
It comes with a stateful firewall that protects you from the internet.

When I look at the access lists, it doesn't seem like it's protecting much,
this is the output of the show ip access-lists:

nixon#show ip access-lists
Standard IP access list 23
10 permit 10.10.10.0, wildcard bits 0.0.0.255 (4 matches)
Extended IP access list 102
10 permit ip 10.10.10.0 0.0.0.255 any (25 matches)
Extended IP access list 111
permit udp host 195.130.130.5 eq domain host 213.118.79.152 eq 1023 (2 matches)
10 permit icmp any any administratively-prohibited
20 permit icmp any any echo (4 matches)
30 permit icmp any any echo-reply
40 permit icmp any any packet-too-big
50 permit icmp any any time-exceeded
60 permit icmp any any traceroute
70 permit icmp any any unreachable
80 permit udp any eq bootps any eq bootpc (4 matches)
90 permit udp any eq bootps any eq bootps
100 permit udp any eq domain any
110 permit esp any any
120 permit udp any any eq isakmp
130 permit udp any any eq 10000
140 permit tcp any any eq 1723
150 permit tcp any any eq 139
160 permit udp any any eq netbios-ns
170 permit udp any any eq netbios-dgm
180 permit gre any any
190 deny ip any any (6 matches)
nixon#

So if I'm correct, netbios is allowed to the LAN from the internet; that can't
be really secure now, can it?
How would I go about removing entries 150, 160 and 170 from the ACL?

I would also like it that the router doesn't reply to ping requests.
How would I do that?

The router comes with the Cisco Router Web Setup and telnet access, now
these two are enabled on both interfaces (the one on the lan, but that's
normal I guess, and the one on the internet).
How would I stop the CRWS on the WAN interface?

Thank You.


SD

2003-12-23, 2:25 pm

how is this applied to the interfaces...post a sh ip int
"Naamloos" <naamloos@msn.com> wrote in message
news:TkYFb.92921$B34.3933290@phobos.telenet-ops.be...
> Hi,
>
> I recently bought a Cisco SOHO 91 router for my home so I could get some
> hands on experience with IOS.
> It comes with a stateful firewall that protects you from the internet.
>
> When I look at the access lists, it doesn't seem like it's protecting much,
> this is the output of the show ip access-lists:
>
> nixon#show ip access-lists
> Standard IP access list 23
> 10 permit 10.10.10.0, wildcard bits 0.0.0.255 (4 matches)
> Extended IP access list 102
> 10 permit ip 10.10.10.0 0.0.0.255 any (25 matches)
> Extended IP access list 111
> permit udp host 195.130.130.5 eq domain host 213.118.79.152 eq 1023 (2 matches)
> 10 permit icmp any any administratively-prohibited
> 20 permit icmp any any echo (4 matches)
> 30 permit icmp any any echo-reply
> 40 permit icmp any any packet-too-big
> 50 permit icmp any any time-exceeded
> 60 permit icmp any any traceroute
> 70 permit icmp any any unreachable
> 80 permit udp any eq bootps any eq bootpc (4 matches)
> 90 permit udp any eq bootps any eq bootps
> 100 permit udp any eq domain any
> 110 permit esp any any
> 120 permit udp any any eq isakmp
> 130 permit udp any any eq 10000
> 140 permit tcp any any eq 1723
> 150 permit tcp any any eq 139
> 160 permit udp any any eq netbios-ns
> 170 permit udp any any eq netbios-dgm
> 180 permit gre any any
> 190 deny ip any any (6 matches)
> nixon#
>
> So if I'm correct, netbios is allowed to the LAN from the internet; that can't
> be really secure now, can it?
> How would I go about removing entries 150, 160 and 170 from the ACL?
>
> I would also like it that the router doesn't reply to ping requests.
> How would I do that?
>
> The router comes with the Cisco Router Web Setup and telnet access, now
> these two are enabled on both interfaces (the one on the lan, but that's
> normal I guess, and the one on the internet).
> How would I stop the CRWS on the WAN interface?
>
> Thank You.
>
>



Naamloos

2003-12-23, 6:24 pm


"SD" <diesel7108@NOSPAM.sympatico.ca> wrote in message
news:An%Fb.6881$d%1.1501231@news20.bellglobal.com...
> how is this applied to the interfaces...post a sh ip int


Ethernet0 is up, line protocol is up
Internet address is 10.10.10.1/24
Broadcast address is 255.255.255.255
Address determined by non-volatile memory
MTU is 1500 bytes
Helper address is not set
Directed broadcast forwarding is disabled
Outgoing access list is not set
Inbound access list is not set
Proxy ARP is enabled
Local Proxy ARP is disabled
Security level is default
Split horizon is enabled
ICMP redirects are always sent
ICMP unreachables are always sent
ICMP mask replies are never sent
IP fast switching is enabled
IP fast switching on the same interface is disabled
IP Flow switching is disabled
IP CEF switching is disabled
IP Feature Fast switching turbo vector
IP multicast fast switching is enabled
IP multicast distributed fast switching is disabled
IP route-cache flags are Fast
Router Discovery is disabled
IP output packet accounting is disabled
IP access violation accounting is disabled
TCP/IP header compression is disabled
RTP/IP header compression is disabled
Policy routing is disabled
Network address translation is enabled, interface in domain inside
WCCP Redirect outbound is disabled
WCCP Redirect inbound is disabled
WCCP Redirect exclude is disabled
BGP Policy Mapping is disabled
Ethernet1 is up, line protocol is up
Internet address is 213.118.79.152/24
Broadcast address is 255.255.255.255
Address determined by DHCP
MTU is 1500 bytes
Helper address is not set
Directed broadcast forwarding is disabled
Outgoing access list is not set
Inbound access list is 111
Proxy ARP is enabled
Local Proxy ARP is disabled
Security level is default
Split horizon is enabled
ICMP redirects are always sent
ICMP unreachables are always sent
ICMP mask replies are never sent
IP fast switching is enabled
IP fast switching on the same interface is disabled
IP Flow switching is disabled
IP CEF switching is disabled
IP Feature Fast switching turbo vector
IP multicast fast switching is enabled
IP multicast distributed fast switching is disabled
IP route-cache flags are Fast
Router Discovery is disabled
IP output packet accounting is disabled
IP access violation accounting is disabled
TCP/IP header compression is disabled
RTP/IP header compression is disabled
Policy routing is disabled
Network address translation is enabled, interface in domain outside
WCCP Redirect outbound is disabled
WCCP Redirect inbound is disabled
WCCP Redirect exclude is disabled
BGP Policy Mapping is disabled
Outgoing inspection rule is myfw


SD

2003-12-23, 7:25 pm

Your statements are correct. The way the ACL is applied is permitting
everything in ACL 111 on incoming traffic from the net. ACL 111 is the
only one in use in this case, unless you have something applied to the
vty/con interfaces, but I can't see that from what is posted here.

access-list 111 deny icmp any any would be used to block ping. But do you
want it blocked everywhere?
I would redo the ACL altogether, as it's not really practical
to remove only the lines you specified; you could specify that line, but in
your case, just remove everything and rewrite it.

Reply with what you want here and myself or another reader could write out
the script you need. Or you could search cisco.com and learn ACL's.

or post a sho run, and mask your personal information.





"Naamloos" <naamloos@msn.com> wrote in message
news:TkYFb.92921$B34.3933290@phobos.telenet-ops.be...
> Hi,
>
> I recently bought a Cisco SOHO 91 router for my home so I could get some
> hands on experience with IOS.
> It comes with a stateful firewall that protects you from the internet.
>
> When I look at the access lists, it doesn't seem like it's protecting much,
> this is the output of the show ip access-lists:
>
> nixon#show ip access-lists
> Standard IP access list 23
> 10 permit 10.10.10.0, wildcard bits 0.0.0.255 (4 matches)
> Extended IP access list 102
> 10 permit ip 10.10.10.0 0.0.0.255 any (25 matches)
> Extended IP access list 111
> permit udp host 195.130.130.5 eq domain host 213.118.79.152 eq 1023 (2 matches)
> 10 permit icmp any any administratively-prohibited
> 20 permit icmp any any echo (4 matches)
> 30 permit icmp any any echo-reply
> 40 permit icmp any any packet-too-big
> 50 permit icmp any any time-exceeded
> 60 permit icmp any any traceroute
> 70 permit icmp any any unreachable
> 80 permit udp any eq bootps any eq bootpc (4 matches)
> 90 permit udp any eq bootps any eq bootps
> 100 permit udp any eq domain any
> 110 permit esp any any
> 120 permit udp any any eq isakmp
> 130 permit udp any any eq 10000
> 140 permit tcp any any eq 1723
> 150 permit tcp any any eq 139
> 160 permit udp any any eq netbios-ns
> 170 permit udp any any eq netbios-dgm
> 180 permit gre any any
> 190 deny ip any any (6 matches)
> nixon#
>
> So if I'm correct, netbios is allowed to the LAN from the internet; that can't
> be really secure now, can it?
> How would I go about removing entries 150, 160 and 170 from the ACL?
>
> I would also like it that the router doesn't reply to ping requests.
> How would I do that?
>
> The router comes with the Cisco Router Web Setup and telnet access, now
> these two are enabled on both interfaces (the one on the lan, but that's
> normal I guess, and the one on the internet).
> How would I stop the CRWS on the WAN interface?
>
> Thank You.
>
>



Naamloos

2003-12-24, 4:25 am

First of all, thank you for helping me out here!

"SD" <diesel7108@NOSPAM.sympatico.ca> wrote in message
news:W94Gb.7554$d%1.1672599@news20.bellglobal.com...
> Your statements are correct. The way the ACL is applied is permitting
> everything in ACL 111 on incoming traffic from the net. ACL 111 is the
> only one in use in this case, unless you have something applied to the
> vty/con interfaces, but I can't see that from what is posted here.
>
> access-list 111 deny icmp any any would be used to block ping. But do you
> want it blocked everywhere?


I would like it blocked on the WAN interface only (ie coming from the
internet to the router), not on the LAN.


> Reply with what you want here and myself or another reader could write out
> the script you need. Or you could search cisco.com and learn ACL's.
>


I guess the learning curve for creating ACL's could be a bit steep at the
moment.

I would like to do the following:
Deny everything from the WAN (ping, netbios, telnet, http, ...), only allow
stateful traffic to pass back in and allow for the router to obtain its IP
address via DHCP.
Allow everything from the LAN to the WAN (could it be possible to setup a
vpn connection with a remote site using this setup?)

As for the moment port 23 and 80 (CRWS) are accessible from the WAN side
(nmap said so), I would like them only accessible from the LAN side.

> or post a sho run, and mask your personal information.
>


How do I edit ACL's? (any link to a document on cisco.com)
Do I just tftp them to a server and edit them by hand there, uploading them
again, or can I do it directly?

Current configuration : 2865 bytes
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname nixon
!
logging queue-limit 100
no logging buffered
enable secret 5 ***************************
!
username ********** password 7 ******************
username CRWS_Santhosh privilege 15 password 7 ****************************
ip subnet-zero
ip name-server 195.130.130.5
ip name-server 195.130.130.133
ip dhcp excluded-address 10.10.10.1
ip dhcp excluded-address 10.10.10.1 10.10.10.99
ip dhcp excluded-address 10.10.10.200 10.10.10.254
!
ip dhcp pool CLIENT
import all
network 10.10.10.0 255.255.255.0
default-router 10.10.10.1
domain-name *****************
lease 0 2
!
!
ip inspect name myfw cuseeme timeout 3600
ip inspect name myfw ftp timeout 3600
ip inspect name myfw rcmd timeout 3600
ip inspect name myfw realaudio timeout 3600
ip inspect name myfw smtp timeout 3600
ip inspect name myfw tftp timeout 30
ip inspect name myfw udp timeout 15
ip inspect name myfw tcp timeout 3600
ip inspect name myfw h323 timeout 3600
!
!
!
interface Ethernet0
ip address 10.10.10.1 255.255.255.0
ip nat inside
no cdp enable
hold-queue 32 in
hold-queue 100 out
!
interface Ethernet1
ip address dhcp client-id Ethernet1
ip access-group 111 in
ip nat outside
ip inspect myfw out
duplex auto
no cdp enable
!
ip nat inside source list 102 interface Ethernet1 overload
ip classless
ip http server
no ip http secure-server
!
access-list 23 permit 10.10.10.0 0.0.0.255
access-list 102 permit ip 10.10.10.0 0.0.0.255 any
access-list 111 permit icmp any any administratively-prohibited
access-list 111 permit icmp any any echo
access-list 111 permit icmp any any echo-reply
access-list 111 permit icmp any any packet-too-big
access-list 111 permit icmp any any time-exceeded
access-list 111 permit icmp any any traceroute
access-list 111 permit icmp any any unreachable
access-list 111 permit udp any eq bootps any eq bootpc
access-list 111 permit udp any eq bootps any eq bootps
access-list 111 permit udp any eq domain any
access-list 111 permit esp any any
access-list 111 permit udp any any eq isakmp
access-list 111 permit udp any any eq 10000
access-list 111 permit tcp any any eq 1723
access-list 111 permit tcp any any eq 139
access-list 111 permit udp any any eq netbios-ns
access-list 111 permit udp any any eq netbios-dgm
access-list 111 permit gre any any
access-list 111 deny ip any any
no cdp run
!
line con 0
exec-timeout 120 0
no modem enable
stopbits 1
line aux 0
stopbits 1
line vty 0 4
access-class 23 in
exec-timeout 120 0
login local
length 0
!
scheduler max-task-time 5000
!
end





SD

2003-12-24, 2:24 pm

K, below is a basic extended access list denying what you specified. As far
as allowing everything from the LAN to the WAN, this is accomplished based
on the ip access-group command and how it is implemented. We are going to
apply this to the Ethernet1 *INcoming* interface. Thus, anything coming IN
from the net hitting the Ethernet1 (inbound) interface is filtered based on
the ruleset 111. With the below access list, this can be done the other way
around, thus permitting ONLY what you want and then denying everything else,
as in the original ACL. Again though, there are so many protocols, you
should know what you want to permit and what you want to deny. Some ppl
prefer to permit 1 or 2 ports and deny everything else, some prefer to deny
traffic from the start and permit everything else; it really depends on the
needs and security required.

!
conf t
no access-list 111
access-list 111 deny icmp any any
access-list 111 deny udp any any eq netbios-ns
access-list 111 deny udp any any eq netbios-dgm
access-list 111 deny udp any any eq netbios-ss
access-list 111 deny tcp any any eq telnet
access-list 111 deny tcp any any eq www
access-list 111 permit ip any any
interface ethernet1
ip access-group 111 in
end
!


OR
your original ACL slightly modified.

!
conf t
no access-list 111
access-list 111 permit udp any eq bootps any eq bootpc
access-list 111 permit udp any eq bootps any eq bootps
access-list 111 permit esp any any
access-list 111 permit udp any any eq isakmp
access-list 111 permit udp any any eq 10000
access-list 111 permit tcp any any eq 1723
access-list 111 permit gre any any
access-list 111 deny udp any any eq netbios-ns
access-list 111 deny udp any any eq netbios-dgm
access-list 111 deny udp any any eq netbios-ss
access-list 111 deny tcp any any eq www
access-list 111 deny tcp any any eq telnet
access-list 111 deny icmp any any
access-list 111 deny ip any any
interface ethernet1
ip access-group 111 in
end
!

to apply these ACLs just get to your router in enable mode and copy/paste
them in from the top exclamation mark (!) to the bottom one.

in the above ACL, I've added the deny statements manually so you could see
the hits if any when doing a sho ip access-list, but technically, your deny
ip any any should deny all other traffic, be it tcp/udp
etc. Generally, ACLs are something you play with until you hit the right
cocktail, especially if you are implementing them for multiple protocols at
once.

ACLs can be modified directly in the router. Just copy the current ACL to a
notepad or something and edit. Don't forget to remove the old ACL with the
no access-list 111 command before implementing the new one. I'm assuming
with everything I've done above that you have enable access on your router
and that you have proper rights to make changes.

let me know how this works out.


"Naamloos" <naamloos@msn.com> wrote in message
news:creGb.94178$%s5.4192284@phobos.telenet-ops.be...
> First of all, thank you for helping me out here!
>
> "SD" <diesel7108@NOSPAM.sympatico.ca> wrote in message
> news:W94Gb.7554$d%1.1672599@news20.bellglobal.com...
>
> I would like it blocked on the WAN interface only (ie coming from the
> internet to the router), not on the LAN.
>
>
>
> I guess the learning curve for creating ACL's could be a bit steep at the
> moment.
>
> I would like to do the following:
> Deny everything from the WAN (ping, netbios, telnet, http, ...) only allow
> stateful traffic to pass back in and allow for the router to obtain its IP
> address via DHCP.
> Allow everything from the LAN to the WAN (could it be possible to setup a
> vpn connection with a remote site using this setup?)
>
> As for the moment port 23 and 80 (CRWS) are accessible from the WAN side
> (nmap said so), I would like them only accessible from the LAN side.
>
>
> How do I edit ACL's? (any link to a document on cisco.com)
> Do I just tftp them to a server and edit them by hand there, uploading them
> again, or can I do it directly?
>
> Current configuration : 2865 bytes
> !
> version 12.2
> no service pad
> service timestamps debug uptime
> service timestamps log uptime
> service password-encryption
> !
> hostname nixon
> !
> logging queue-limit 100
> no logging buffered
> enable secret 5 ***************************
> !
> username ********** password 7 ******************
> username CRWS_Santhosh privilege 15 password 7 ****************************
> ip subnet-zero
> ip name-server 195.130.130.5
> ip name-server 195.130.130.133
> ip dhcp excluded-address 10.10.10.1
> ip dhcp excluded-address 10.10.10.1 10.10.10.99
> ip dhcp excluded-address 10.10.10.200 10.10.10.254
> !
> ip dhcp pool CLIENT
> import all
> network 10.10.10.0 255.255.255.0
> default-router 10.10.10.1
> domain-name *****************
> lease 0 2
> !
> !
> ip inspect name myfw cuseeme timeout 3600
> ip inspect name myfw ftp timeout 3600
> ip inspect name myfw rcmd timeout 3600
> ip inspect name myfw realaudio timeout 3600
> ip inspect name myfw smtp timeout 3600
> ip inspect name myfw tftp timeout 30
> ip inspect name myfw udp timeout 15
> ip inspect name myfw tcp timeout 3600
> ip inspect name myfw h323 timeout 3600
> !
> !
> !
> interface Ethernet0
> ip address 10.10.10.1 255.255.255.0
> ip nat inside
> no cdp enable
> hold-queue 32 in
> hold-queue 100 out
> !
> interface Ethernet1
> ip address dhcp client-id Ethernet1
> ip access-group 111 in
> ip nat outside
> ip inspect myfw out
> duplex auto
> no cdp enable
> !
> ip nat inside source list 102 interface Ethernet1 overload
> ip classless
> ip http server
> no ip http secure-server
> !
> access-list 23 permit 10.10.10.0 0.0.0.255
> access-list 102 permit ip 10.10.10.0 0.0.0.255 any
> access-list 111 permit icmp any any administratively-prohibited
> access-list 111 permit icmp any any echo
> access-list 111 permit icmp any any echo-reply
> access-list 111 permit icmp any any packet-too-big
> access-list 111 permit icmp any any time-exceeded
> access-list 111 permit icmp any any traceroute
> access-list 111 permit icmp any any unreachable
> access-list 111 permit udp any eq bootps any eq bootpc
> access-list 111 permit udp any eq bootps any eq bootps
> access-list 111 permit udp any eq domain any
> access-list 111 permit esp any any
> access-list 111 permit udp any any eq isakmp
> access-list 111 permit udp any any eq 10000
> access-list 111 permit tcp any any eq 1723
> access-list 111 permit tcp any any eq 139
> access-list 111 permit udp any any eq netbios-ns
> access-list 111 permit udp any any eq netbios-dgm
> access-list 111 permit gre any any
> access-list 111 deny ip any any
> no cdp run
> !
> line con 0
> exec-timeout 120 0
> no modem enable
> stopbits 1
> line aux 0
> stopbits 1
> line vty 0 4
> access-class 23 in
> exec-timeout 120 0
> login local
> length 0
> !
> scheduler max-task-time 5000
> !
> end
>
>
>



Naamloos

2003-12-25, 7:24 pm

access-list 111 permit udp any eq bootps any eq bootpc
access-list 111 permit udp any eq bootps any eq bootps
access-list 111 permit esp any any
access-list 111 permit udp any any eq isakmp
access-list 111 permit udp any any eq 10000
access-list 111 deny icmp any any
access-list 111 deny tcp any any
access-list 111 deny udp any any
access-list 111 deny ip any any

I changed it a bit to this: only allow DHCP to get a lease (with the first
two statements I believe).
Allow for clients behind the router to set up a VPN connection with a remote
site (lines 3 through 5).
Deny everything else.

It still doesn't seem to do its job, however: I can still ping the router
(despite the deny icmp any any rule), and I can still telnet and browse to the
router from the WAN (tested from a friend's Linux box).
I got the same result using your two access lists and my example.

Then I searched the sh run output for answers, could it be this:
interface Ethernet1
ip address dhcp client-id Ethernet1
ip access-group 111 in
ip nat outside
ip inspect myfw out
duplex auto
no cdp enable
!
ip nat inside source list 102 interface Ethernet1 overload
ip classless
ip http server
no ip http secure-server


What's the ip inspect myfw out rule about?
What are the last four lines about?

Could this be the reason why 23 and 80 are still accessible from the web?

When I do an sh access-lists I get this:
Standard IP access list 23
10 permit 10.10.10.0, wildcard bits 0.0.0.255 (2 matches)
Extended IP access list 102
10 permit ip 10.10.10.0 0.0.0.255 any (24 matches)
Extended IP access list 111
10 permit udp any eq bootps any eq bootpc (4 matches)
20 permit udp any eq bootps any eq bootps
30 permit esp any any
40 permit udp any any eq isakmp
50 permit udp any any eq 10000
60 deny icmp any any (2 matches)
70 deny tcp any any
80 deny udp any any
90 deny ip any any

What are the (x matches) about?



Season's greetings from Belgium ;-)



"SD" <diesel7108@NOSPAM.sympatico.ca> wrote in message
news:gVkGb.10453$d%1.2137060@news20.bellglobal.com...
> K, below is a basic extended access list denying what you specified. As far
> as allowing everything from the LAN to the WAN, this is accomplished based
> on the ip access-group command and how it is implemented. We are going to
> apply this to the Ethernet1 *INcoming* interface. Thus, anything coming IN
> from the net hitting the Ethernet1 (inbound) interface is filtered based on
> the ruleset 111. With the below access list, this can be done the other way
> around, thus permitting ONLY what you want and then denying everything else,
> as in the original ACL. Again though, there are so many protocols, you
> should know what you want to permit and what you want to deny. Some ppl
> prefer to permit 1 or 2 ports and deny everything else, some prefer to deny
> traffic from the start and permit everything else; it really depends on the
> needs and security required.
>
> !
> conf t
> no access-list 111
> access-list 111 deny icmp any any
> access-list 111 deny udp any any eq netbios-ns
> access-list 111 deny udp any any eq netbios-dgm
> access-list 111 deny udp any any eq netbios-ss
> access-list 111 deny tcp any any eq telnet
> access-list 111 deny tcp any any eq www
> access-list 111 permit ip any any
> interface ethernet1
> ip access-group 111 in
> end
> !
>
>
> OR
> your original ACL slightly modified.
>
> !
> conf t
> no access-list 111
> access-list 111 permit udp any eq bootps any eq bootpc
> access-list 111 permit udp any eq bootps any eq bootps
> access-list 111 permit esp any any
> access-list 111 permit udp any any eq isakmp
> access-list 111 permit udp any any eq 10000
> access-list 111 permit tcp any any eq 1723
> access-list 111 permit gre any any
> access-list 111 deny udp any any eq netbios-ns
> access-list 111 deny udp any any eq netbios-dgm
> access-list 111 deny udp any any eq netbios-ss
> access-list 111 deny tcp any any eq www
> access-list 111 deny tcp any any eq telnet
> access-list 111 deny icmp any any
> access-list 111 deny ip any any
> interface ethernet1
> ip access-group 111 in
> end
> !
>
> to apply these acl's just get to your router in enable mode and copy/paste
> them in from to top exclamation mark(!) to the below one
>
> in the above ACL, I've added the deny statements manually so you could see
> the hits if any when doing a sho ip access-list, but technically, your deny
> ip any any should deny all other traffic, be it tcp/udp
> etc. Generally, ACLs are something you play with until you hit the right
> cocktail, especially if you are implementing them for multiple protocols at
> once.
>
> ACLs can be modified directly in the router. Just copy the current ACL to a
> notepad or something and edit. Don't forget to remove the old ACL with the
> no access-list 111 command before implementing the new one. I'm assuming
> with everything I've done above that you have enable access on your router
> and that you have proper rights to make changes.
>
> let me know how this works out.
>
>
> "Naamloos" <naamloos@msn.com> wrote in message
> news:creGb.94178$%s5.4192284@phobos.telenet-ops.be...
>
>
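The match counters asked about in this post, and the first post's question of what ACL 111 lets in from the internet (and how to get rid of entries 150, 160 and 170), can both be checked offline with the following simulator. It is an added example for this thread, not code from either poster or from Cisco: it parses numbered extended ACL entries in the syntax shown above, evaluates packets the way IOS does (top-down, first match wins, implicit deny at the end) and keeps the per-entry hit counters that show ip access-lists prints as "(n matches)". The probe packets and the source address 198.51.100.7 are constructed for the example; only the ACL lines come from the thread.

```python
# Added example, not from the thread: evaluate a numbered IOS extended ACL the way the
# router does (top-down, first match wins, implicit deny) and keep the hit counters.
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Names IOS prints instead of port numbers (only those that occur in the thread).
PORT_NAMES = {"bootps": 67, "bootpc": 68, "domain": 53, "isakmp": 500, "telnet": 23,
              "www": 80, "netbios-ns": 137, "netbios-dgm": 138, "netbios-ss": 139}

def _ip(text): return int(ipaddress.IPv4Address(text))
def _port(text): return PORT_NAMES.get(text) or int(text)

def _take_addr(tok):
    """Consume 'any' | 'host A' | 'A WILDCARD'; return (addr, wildcard, rest)."""
    if tok[0] == "any": return 0, 0xFFFFFFFF, tok[1:]
    if tok[0] == "host": return _ip(tok[1]), 0, tok[2:]
    return _ip(tok[0]), _ip(tok[1]), tok[2:]

def _take_port(tok):
    """Consume an optional 'eq PORT' qualifier; return (port or None, rest)."""
    return (_port(tok[1]), tok[2:]) if tok and tok[0] == "eq" else (None, tok)

@dataclass
class Packet:
    proto: str                        # icmp | tcp | udp | gre | esp
    src: str
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None
    icmp_type: Optional[str] = None   # echo, echo-reply, ... as IOS names them

class Entry:
    def __init__(self, seq, line):
        self.seq, self.line, self.matches = seq, line, 0
        # Accept both config syntax ("access-list 111 permit ...") and show output.
        tok = line.split()[2:] if line.startswith("access-list") else line.split()
        self.action, self.proto = tok[0], tok[1]
        self.src, self.src_wild, tok = _take_addr(tok[2:])
        self.sport, tok = _take_port(tok)
        self.dst, self.dst_wild, tok = _take_addr(tok)
        self.dport, tok = _take_port(tok)
        self.icmp_type = tok[0] if self.proto == "icmp" and tok else None

    def hit(self, p):
        # Wildcard bit 1 means "don't care": only the 0 bits of the mask are compared.
        def addr_ok(addr, wild, pkt): return (_ip(pkt) ^ addr) & ~wild & 0xFFFFFFFF == 0
        return (self.proto in ("ip", p.proto)
                and addr_ok(self.src, self.src_wild, p.src)
                and addr_ok(self.dst, self.dst_wild, p.dst)
                and self.sport in (None, p.sport) and self.dport in (None, p.dport)
                and self.icmp_type in (None, p.icmp_type))

class Acl:
    """One numbered ACL: entries get sequence numbers 10, 20, ... in config order."""
    def __init__(self, lines):
        self.entries = [Entry(10 * (i + 1), l) for i, l in enumerate(lines)]

    def evaluate(self, p):
        """Return (action, seq) of the first matching entry and bump its counter,
        which is the "(n matches)" figure that show ip access-lists prints."""
        for e in self.entries:
            if e.hit(p):
                e.matches += 1
                return e.action, e.seq
        return "deny", None           # implicit deny: neither shown nor counted

def rewrite_without(number, lines, drop_seqs):
    """Script that redoes a numbered ACL minus some entries: single lines cannot be
    removed from a numbered list on 12.2, so the list is deleted and re-entered."""
    keep = [l for i, l in enumerate(lines) if 10 * (i + 1) not in drop_seqs]
    return [f"no access-list {number}"] + [f"access-list {number} {l}" for l in keep]

# ACL 111 exactly as configured in the thread (config order, so seq 10..190).
ORIGINAL_111 = """permit icmp any any administratively-prohibited
permit icmp any any echo
permit icmp any any echo-reply
permit icmp any any packet-too-big
permit icmp any any time-exceeded
permit icmp any any traceroute
permit icmp any any unreachable
permit udp any eq bootps any eq bootpc
permit udp any eq bootps any eq bootps
permit udp any eq domain any
permit esp any any
permit udp any any eq isakmp
permit udp any any eq 10000
permit tcp any any eq 1723
permit tcp any any eq 139
permit udp any any eq netbios-ns
permit udp any any eq netbios-dgm
permit gre any any
deny ip any any""".splitlines()

if __name__ == "__main__":
    acl = Acl(ORIGINAL_111)
    probe = Packet("tcp", "198.51.100.7", "213.118.79.152", 40000, 139)  # constructed
    print(acl.evaluate(probe), acl.entries[14].matches)
    print("\n".join(rewrite_without(111, ORIGINAL_111, {150, 160, 170})))
```

Running it shows the NetBIOS session probe being permitted by entry 150 with that entry's counter going to 1, which is exactly what the "(x matches)" column records on the router; a telnet probe falls through to the explicit deny at 190 and is counted there, while nothing is ever counted against the implicit deny, which is why SD added explicit deny lines. rewrite_without() produces the same "no access-list 111" followed by the re-entered lines that SD recommends, since a single entry cannot be pulled out of a numbered ACL on this IOS.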



SD

2003-12-26, 1:24 am

ok, well for icmp and telnet, try this *can't go wrong*

conf t
no access-list 111
access-list 111 deny icmp any any
access-list 111 deny tcp any any eq www
access-list 111 permit ip any any
int ethernet1
ip access-group 111 in
ip access-group 111 out
end

try that on for size; from my understanding Ethernet1 is the WAN interface,
right?
With this access list you may not be able to surf the net either, as it's
blocking incoming AND outgoing traffic, but it's just to prove a point.
I have to run, but I'll check back in tomorrow.


"Naamloos" <naamloos@msn.com> wrote in message
news:iyKGb.96565$s46.4272217@phobos.telenet-ops.be...
> access-list 111 permit udp any eq bootps any eq bootpc
> access-list 111 permit udp any eq bootps any eq bootps
> access-list 111 permit esp any any
> access-list 111 permit udp any any eq isakmp
> access-list 111 permit udp any any eq 10000
> access-list 111 deny icmp any any
> access-list 111 deny tcp any any
> access-list 111 deny udp any any
> access-list 111 deny ip any any
>
> I changed it a bit to this: only allow dhcp to get a lease (with the first
> two statements I believe).
> Allow for clients behind the router to set up a VPN connection with a remote
> site (lines 3 through 5).
> Deny everything else.
>
> It still doesn't seem to do its job however, I can still ping the router
> (despite the deny icmp any any rule), I can still telnet and browse to the
> router from the WAN (tested from a friend's linux box).
> I got the same result using your two access lists and my example.
>
> Then I searched the sh run output for answers, could it be this:
> interface Ethernet1
> ip address dhcp client-id Ethernet1
> ip access-group 111 in
> ip nat outside
> ip inspect myfw out
> duplex auto
> no cdp enable
> !
> ip nat inside source list 102 interface Ethernet1 overload
> ip classless
> ip http server
> no ip http secure-server
>
>
> What's the ip inspect myfw out rule about?
> What are the last four lines about?
>
> Could this be the reason why 23 and 80 are still accessible from the web?
>
> When I do an sh access-lists I get this:
> Standard IP access list 23
> 10 permit 10.10.10.0, wildcard bits 0.0.0.255 (2 matches)
> Extended IP access list 102
> 10 permit ip 10.10.10.0 0.0.0.255 any (24 matches)
> Extended IP access list 111
> 10 permit udp any eq bootps any eq bootpc (4 matches)
> 20 permit udp any eq bootps any eq bootps
> 30 permit esp any any
> 40 permit udp any any eq isakmp
> 50 permit udp any any eq 10000
> 60 deny icmp any any (2 matches)
> 70 deny tcp any any
> 80 deny udp any any
> 90 deny ip any any
>
> What are the (x matches) about?
>
>
>
> Season's greetings from Belgium ;-)
>
>
>
> "SD" <diesel7108@NOSPAM.sympatico.ca> wrote in message
> news:gVkGb.10453$d%1.2137060@news20.bellglobal.com...



Naamloos

2003-12-26, 6:24 am

Oh yeah, with that last setup you provided me, I couldn't access the net ;-)
eth1 is my WAN interface indeed.

The weirdest thing has happened (Christmas miracle ;-)): I left the router
running overnight with the default deny config I used earlier.
When I changed back from your config below to my config this morning and
logged in to my friend's box, all of a sudden I couldn't ping the router any
more, nor log in via telnet or http.

This is sh ip access-lists (isn't there a short form for access-lists? I hate
pressing tab):
Standard IP access list 23
10 permit 10.10.10.0, wildcard bits 0.0.0.255 (6 matches)
Extended IP access list 102
10 permit ip 10.10.10.0 0.0.0.255 any (113 matches)
Extended IP access list 111
10 permit udp any eq bootps any eq bootpc (4 matches)
20 permit udp any eq bootps any eq bootps
30 permit esp any any
40 permit udp any any eq isakmp
50 permit udp any any eq 10000
60 deny icmp any any (18 matches)
70 deny tcp any any (4 matches)
80 deny udp any any
90 deny ip any any

So everything is running smooth now!

Thank you very much, if you're ever in belgium, I'll buy you a few beers ;-)



"SD" <diesel7108@NOSPAM.sympatico.ca> wrote in message
news:VRPGb.14330$d%1.2978777@news20.bellglobal.com...
> ok, well for icmp and telnet, try this *can't go wrong*
>
> conf t
> no access-list 111
> access-list 111 deny icmp any any
> access-list 111 deny tcp any any eq www
> access-list 111 permit ip any any
> int ethernet1
> ip access-group 111 in
> ip access-group 111 out
> end
>
> try that on for size, from my understanding ethernet1 is the WAN interface
> right?
> with this access list you may not be able to surf the net either, as it's
> blocking incoming AND outgoing traffic, but it's just to prove a point
> I have to run, but i'll check back in tomorrow
>
>
> "Naamloos" <naamloos@msn.com> wrote in message
> news:iyKGb.96565$s46.4272217@phobos.telenet-ops.be...




Copyright 2003 - 2008 examnotes.net