Velocity Reviews - Computer Hardware Reviews

Access lists - can I safely clear them without losing communication?

 
 
HC
11-27-2003
Hi

I have a Cisco SOHO77 router. I'm trying to get my nameserver (Bind9) behind
the router to answer. Questions to the nameserver from the inside work a
treat and TCP requests work fine. UDP requests, on the other hand, give me a
time-out from outside but work a treat from the inside.

I am sitting ~1000km away from the router and I am configuring it from the
outside. It's pretty important to me that I do not lose communication with
the network since I do not have anyone there to intervene if I "**** up".

I think the problem is in the access-lists. My question is:

Can I safely delete the access-lists without losing communication through
the external ADSL interface, OR do I need to do something else?

There are of course other implications involved in letting through all types
of traffic, but that's another question.

Can I do:

!
configure terminal
interface [external interface, for example: Dialer1]
no ip access-group 1 in
no ip access-group 1 out
no ip access-group 100 in
no ip access-group 100 out
end
write
reload
!

The access lists are the ones the router came with.

without losing contact to the router from the outside.

Hans-Christian

*Current configuration*********************************

XXXXXXXX#sh startup-config
Using 3599 out of 131072 bytes
!
version 12.1
no service pad
service timestamps debug datetime localtime show-timezone
service timestamps log datetime localtime show-timezone
service password-encryption
!
hostname XXXXXXXX
!
logging buffered 8192 debugging
logging console warnings
enable DeletetForObviousReasons
!
clock timezone MET 1
clock summer-time MET-DST recurring last Sun Mar 2:00 last Sun Oct 3:00
ip subnet-zero
no ip finger
ip dhcp excluded-address 192.168.1.254
ip dhcp excluded-address 192.168.1.200 192.168.1.254
ip dhcp excluded-address 192.168.1.2 192.168.1.9
ip dhcp excluded-address 192.168.1.2
!
ip dhcp pool soho77
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
dns-server 212.54.64.170 212.54.64.171
lease 0 1
!
!
!
!
interface Loopback0
no ip address
!
interface Ethernet0
ip address 192.168.1.1 255.255.255.0
ip nat inside
no keepalive
!
interface ATM0
no ip address
no atm ilmi-keepalive
pvc 0/35
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
dsl operating-mode ansi-dmt
!
interface Dialer0
ip address negotiated
ip access-group 100 in
ip nat outside
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication pap callin
ppp pap sent-username XXXXXXXX password X XXXXXXXXXXXXXXXXXX
!
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source static tcp 192.168.1.2 53 interface Dialer0 53
ip nat inside source static udp 192.168.1.2 53 interface Dialer0 53
ip nat inside source static tcp 192.168.1.1 23 interface Dialer0 23
ip nat inside source static 192.168.1.2 213.237.88.166 extendable
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 192.168.0.0 255.255.0.0 192.168.1.254
no ip http server
!
access-list 1 permit 192.168.0.0 0.0.255.255
access-list 1 permit any
access-list 100 deny icmp any any redirect
access-list 100 permit ip any any
access-list 100 deny udp any any eq 19
access-list 100 deny tcp any any eq 31 syn
access-list 100 deny tcp any any eq 41 syn
access-list 100 deny tcp any any eq 58 syn
access-list 100 deny tcp any any eq 90 syn
access-list 100 deny tcp any any eq 121 syn
access-list 100 deny udp any any eq 135
access-list 100 deny tcp any any eq 135 syn
access-list 100 deny udp any any range 136 140
access-list 100 deny tcp any any range 136 140 syn
access-list 100 deny tcp any any eq 421 syn
access-list 100 deny tcp any any eq 456 syn
access-list 100 deny tcp any any eq 531 syn
access-list 100 deny tcp any any eq 555 syn
access-list 100 deny tcp any any eq 911 syn
access-list 100 deny tcp any any eq 999 syn
access-list 100 deny udp any any eq 1349
access-list 100 deny udp any any eq 6838
access-list 100 deny udp any any eq 8787
access-list 100 deny udp any any eq 8879
access-list 100 deny udp any any eq 9325
access-list 100 deny tcp any any eq 12345 syn
access-list 100 deny udp any any eq 31335
access-list 100 deny udp any any eq 31337
access-list 100 deny udp any any eq 31338
access-list 100 deny udp any any eq 54320
access-list 100 deny udp any any eq 54321
dialer-list 1 protocol ip permit
!
line con 0
exec-timeout 60 0
password X XXXXXXXXXXXXXXXXXX
login
transport input none
stopbits 1
line vty 0 4
exec-timeout 60 0
password X XXXXXXXXXXXXXXXXXX
login
!
scheduler max-task-time 5000
end



 
Walter Roberson
11-27-2003
In article <3fc5eaf1$0$64733$(E-Mail Removed)>, HC <(E-Mail Removed)> wrote:
:Can I safely delete the access-lists without losing communication through
:the external ADSL interface OR do I need to do something else?

:Can I do:
:no ip access-group 1 in
:no ip access-group 1 out
:no ip access-group 100 in
:no ip access-group 100 out

:without losing contact to the router from the outside.

:ip nat inside source list 1 interface Dialer0 overload

It looks to me that you don't have access-list 1 assigned as
an access-group. I can see, though, that you don't want to clear
access-list 1 (e.g., no access-list 1 ) as that defines your
NAT for your Dialer0. It should be fine, though, to get rid of the
access-group 100 entry or to clear the access-list 100.
--
"[...] it's all part of one's right to be publicly stupid." -- Dave Smey
 
HC
11-28-2003
Thanks Walter

My original problem is that UDP answers from my nameserver behind the router
do not seem to come out through the firewall, whereas it seems that they
come in perfectly.

Would, in your opinion, this problem go away if I remove access-group 100?



HC

hc(at)jehg(dot)dk

PES
11-28-2003
I can't see anything in your config that would keep udp from going back out.
Is the TCP working? If not, check the default gateway on your dns server.
Also, a side note. Your access-list 100 is permitting all ip. All the
lines below access-list 100 permit ip any any are useless.

chris@nospam.com
11-28-2003
On Fri, 28 Nov 2003 09:14:51 -0500, "PES"
<NO*SPAMpestewartREMOVE*(E-Mail Removed)*SUCK S> wrote:

>I can't see anything in your config that would keep udp from going back out.
>Is the TCP working? If not, check the default gateway on your dns server.
>Also, a side note. Your access-list 100 is permitting all ip. All the
>lines below access-list 100 permit ip any any are useless.



Will the ' access-list 100 deny icmp any any redirect' cause problems
by dropping valid icmp packets?

One very helpful trick is 'reload'. Before you start changing
anything, do a 'reload in 15'. That way if you dork it up and lose
connectivity, the router will reload in 15 minutes and return to the
saved config. Just remember not to save the config unless you're damn
sure all is working as intended.

Here's what I would do

- Copy all of the access-list statements into notepad.
- Edit as necessary, which includes putting the statements in the
proper order (recall that it stops checking as soon as a valid match
is made).
- Remove the access-list 100 from the interface
- Clear the access-list
- Recreate the access-list by pasting the lines back in.
- Re-add the access-list 100 to the interface

-Chris
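An added example, not from the thread or from Cisco: a small Python model of IOS first-match evaluation, run over a constructed subset of the access-list 100 posted above. It makes PES's point concrete (every entry after 'permit ip any any' is unreachable) and carries out Chris's reordering step, checking that the rebuilt list has no shadowed entries. The grammar and the packet model (protocol, destination port, trailing keywords such as 'syn' and 'redirect') are simplifications assumed here; source and destination wildcards are not modelled.

```python
import re
from typing import NamedTuple

# Constructed subset of the posted access-list 100, in the order it was posted.
ACL_100 = """\
access-list 100 deny icmp any any redirect
access-list 100 permit ip any any
access-list 100 deny udp any any eq 19
access-list 100 deny tcp any any eq 135 syn
access-list 100 deny udp any any eq 31337
"""

# Simplified grammar (an assumption of this example): source and destination
# are always "any any"; protocol, destination port and trailing keywords decide.
ENTRY_RE = re.compile(
    r"^access-list \d+ (permit|deny) (\w+) any any"
    r"(?: eq (\d+)| range (\d+) (\d+))?((?: \w+)*)$")

class Entry(NamedTuple):
    action: str       # "permit" or "deny"
    proto: str        # ip, tcp, udp or icmp
    ports: tuple      # (low, high) destination port range, or None for any port
    quals: frozenset  # trailing keywords such as "syn" or "redirect"
    text: str         # the original line, kept for reporting

def parse(acl):
    """Parse numbered-ACL lines; lines the grammar does not cover are skipped."""
    entries = []
    for raw in acl.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue
        action, proto, eq, lo, hi, rest = m.groups()
        ports = (int(eq), int(eq)) if eq else (int(lo), int(hi)) if lo else None
        entries.append(Entry(action, proto, ports, frozenset(rest.split()), line))
    return entries

def matches(e, proto, dport, flags):
    """One entry against one packet: protocol, destination port and keywords."""
    port_ok = e.ports is None or e.ports[0] <= dport <= e.ports[1]
    return e.proto in ("ip", proto) and port_ok and e.quals <= flags

def evaluate(entries, proto, dport, flags=frozenset()):
    """IOS semantics: the first matching entry wins; no match is an implicit deny."""
    for e in entries:
        if matches(e, proto, dport, flags):
            return e.action, e.text
    return "deny", "implicit deny"

def covers(a, b):
    """True when every packet that b could match is already matched by a."""
    port_ok = a.ports is None or (
        b.ports is not None and a.ports[0] <= b.ports[0] <= b.ports[1] <= a.ports[1])
    return a.proto in ("ip", b.proto) and port_ok and a.quals <= b.quals

def shadowed(entries):
    """Entries that can never be reached because an earlier entry covers them."""
    return [e.text for i, e in enumerate(entries)
            if any(covers(prev, e) for prev in entries[:i])]

def is_catch_all(e):
    return e.proto == "ip" and e.ports is None and not e.quals

def reorder(entries):
    """Chris's ordering step: specific entries first, catch-all entries last,
    each group keeping its original relative order."""
    return ([e for e in entries if not is_catch_all(e)]
            + [e for e in entries if is_catch_all(e)])
```

Running shadowed(parse(ACL_100)) lists the three deny entries after the permit; after reorder() the same UDP/31337 packet is denied instead of permitted and nothing is shadowed.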
 
HC
11-28-2003
Does this mean that the access list will take effect as soon as it is added
to the interface?

I ask this question because most other things seem to require a write,
reload cycle before taking effect (or am I wrong about that?)

Thanks for the tip about the Reload in 15. This will work if I do not do the
write, correct?

Sorry for all the seemingly stupid questions. I appreciate the help very
much.

Taking 100 away from the interface would be

!
no ip access-group 100 in
no ip access-group 100 out
!

Now I could just leave it out if I did not care about the security risk?

Possibly I would clear it (100)
Add some Deny ..... to the interface
Add a permit ip all all in the end
Add it to the interface again?

Hans-Christian


chris@nospam.com
11-29-2003
On Fri, 28 Nov 2003 20:55:46 -0000, "HC" <(E-Mail Removed)> wrote:

>Does this mean that the access list will take effect as soon as it is added
>to the interface?


Yes

>I ask this question because most other things seem to require a write,
>reload cycle before taking effect (or am I wrong about that?)


Most things should take effect immediately. Writing to the eeprom
just saves the config so that it gets reread during the next boot.

>Thanks for the tip about the Reload in 15. This will work if I do not do the
>write, correct?


Yup. When it reboots, it will simply read in the saved config.


>Sorry for all the seemingly stupid questions. I appreciate the help very
>much.
>
>Taking 100 away from the interface would be
>
>!
>no ip access-group 100 in
>no ip access-group 100 out
>!


Looks right.

>Now I could just leave it out if I did not care about the security risk?
>
>Possibly I would clear it (100)
>Add some Deny ..... to the interface
>Add a permit ip all all in the end
>Add it to the interface again?


Exactly. They get checked in the order entered. You also might want
to do a google search for some example access-lists for good ideas on
what to permit and deny.

-Chris
 
Martin Gallagher
11-29-2003
On Fri, 28 Nov 2003 20:55:46 +0000, HC wrote:

> Does this mean that the access list will take effect as soon as it is
> added to the interface?
>
> I ask this question because most other things seem to require a write,
> reload cycle before taking effect (or am I wrong about that?)

Yep, you are wrong about that. Most changes take effect as soon as you
hit the <enter> key at the end of the line. That's why it pays to be
careful, and why "reload in ..." is so handy. It can save you from that
sinking feeling when you hit <enter> and the prompt doesn't come back.

--
Martin
 
HC
11-29-2003
Reload in is really cool.

In the end, removing the access-list didn't help.

I made a new route outside 53 to inside 153, moved my nameserver to answer
at 153 and voila, it works.

It works (I can't believe it!). I still don't understand why it didn't work
before though, but...

I had to do the same thing (port 153) with my old 667box because it messed
up the DNS packets sent out (all answers became the IP of the router). I
have been told that my "new" SOHO77 shouldn't do the same thing, but there
you go... (Technically it wasn't the same...)

Anyway, case closed.

Thank you everybody for lots of help. Now I know a lot more about the
router.

Hans-Christian

hc(at)jehg(dot)dk
