Cisco 1003 - NAT - ISDN and extended ACLs

Matthias Fischer, 01-26-2004
Hello!

Sorry for this long one, but I'm stuck at some place and can't see
exactly where...head is spinning...

First my "running-config", Cisco1003, dialing my ISP, originally built
with ConfigMaker 2.6 to get things started - *plus* a self-written
config-file.

Cisco1003#sh running-conf
Building configuration...

Current configuration : 1846 bytes
!
version 12.1
no service single-slot-reload-enable
service timestamps debug uptime
service timestamps log uptime
service password-encryption
service hide-telnet-addresses
!
hostname Cisco1003
!
enable secret <password>
!
ip subnet-zero
no ip source-route
no ip domain-lookup
!
no ip bootp server
isdn switch-type basic-net3
!
interface Ethernet0
description connected to EthernetLAN
ip address 192.168.100.254 255.255.255.0
ip access-group 12 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
!
interface BRI0
description connected to <my ISP>
no ip address
ip nat outside
encapsulation ppp
dialer rotary-group 1
isdn switch-type basic-net3
no cdp enable
!
interface Dialer1
description connected to <my ISP>
ip address negotiated
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
encapsulation ppp
no ip split-horizon
dialer in-band
dialer idle-timeout 60
dialer string <ISP-Tel.-No.>
dialer hold-queue 10
dialer-group 1
no cdp enable
ppp authentication chap pap callin
ppp chap hostname (E-Mail Removed)
ppp chap password <password>
ppp pap sent-username <(E-Mail Removed)> password <password>
!
router rip
version 2
passive-interface Dialer1
network 192.168.100.0
no auto-summary
!
ip nat inside source list 1 interface Dialer1 overload
no ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
no ip http server
!
access-list 1 permit 192.168.100.0 0.0.0.255
access-list 12 deny 192.168.100.4
access-list 12 deny 192.168.100.5
access-list 12 deny 192.168.100.6
access-list 12 permit 192.168.100.0 0.0.0.255
dialer-list 1 protocol ip permit
no cdp run
!
line con 0
exec-timeout 0 0
password <password>
login
line vty 0
password <password>
login
transport input none
line vty 1 4
login
transport input none
!
end

Important: the above listing is the "running-config" *plus* the
following config-file. I'm sending the initial configuration with
ConfigMaker 2.6 through Console 0 - the following goes into the router
using "copy tftp: running-config" and 3Com's "3CDaemon".

CONFIG-TFTP.CFG
****************SNIP**************
!
service hide-telnet-addresses
no service finger
no service tcp-small-servers
no service udp-small-servers
no ip source-route
no ip bootp server
no ip http server
no snmp-server
no cdp run
!
interface ethernet 0
ip access-group 12 in
no ip unreachables
no ip proxy-arp
no ip redirects
!
interface dialer 1
no ip unreachables
no ip proxy-arp
no ip redirects
! ip access-group filterin in <- can't get this working...
! ip access-group filterout out <- something is wrong, but I don't
! get the clue...
!
! only with multilink enabled...
! load-interval 300
! dialer load-threshold 200 either
!
! Standard-ACLs...
!
no access-list 12
access-list 12 remark ethernet0/in
! denying all coming in from ethernet - i need this sometimes
! access-list 12 deny 192.168.100.0 0.0.0.255
!
! These are only enabled when needed...
! Home-PC (Kid No.1)
access-list 12 deny host 192.168.100.4
!
! Home-PC (Kid No.2)
access-list 12 deny host 192.168.100.5
!
! Home-PC for testing
access-list 12 deny host 192.168.100.6
!
! all others are allowed...
access-list 12 permit 192.168.100.0 0.0.0.255
!

This is working up to this point - basically - and I think I understand
what I'm doing...hopefully...

But next I thought it would be a good idea to start using
access-lists to "harden my router"...
Ok, I use NAT, but...

The following two lists are the ones I wrote after reading Scott D.
Winter's article "Securing the perimeter with Cisco IOS 12 Routers".

no ip access-list extended filterin
ip access-list extended filterin
deny ip 192.168.100.0 0.0.0.255 any
deny ip 10.0.0.0 0.255.255.255 any
deny ip 127.0.0.0 0.255.255.255 any
deny ip 169.254.0.0 0.0.255.255 any
deny ip 172.16.0.0 0.15.255.255 any
deny ip 192.168.0.0 0.0.255.255 any
deny ip 192.0.2.0 0.0.0.255 any
deny ip 224.0.0.0 15.255.255.255 any
deny ip 224.0.0.0 31.255.255.255 any
deny ip 0.0.0.0 0.255.255.255 any
deny ip host 0.0.0.0 any
deny icmp any any redirect
permit icmp any any packet-too-big
! permit ip any any established <- does this make sense here?
evaluate packets
!
no ip access-list extended filterout
ip access-list extended filterout
! ftp
permit tcp any any eq 21 reflect packets
! SSH
permit tcp any any eq 22 reflect packets
! telnet
permit tcp any any eq 23 reflect packets
! smtp
permit tcp any any eq 25 reflect packets
! domain
permit tcp any any eq 53 reflect packets
! http
permit tcp any any eq 80 reflect packets
! pop
permit tcp any any eq 110 reflect packets
! nntp
permit tcp any any eq 119 reflect packets
! imap
permit tcp any any eq 143 reflect packets
! ssl
permit tcp any any eq 443 reflect packets
! dns
permit udp any any eq 53 reflect packets
! icmp packet-too-big
permit icmp any any packet-too-big
!

But now my knowledge is at its end - *how* and *where* do I integrate
these two lists (after all, do I *really need* them?) in my
running-config?
To put it in a nutshell: Are they making any sense, and where should I
place them?
Does it make sense to use these "extended" lists while dialing to an ISP
with ISDN using NAT?

When I bind both "filterin" and "filterout" to "Dialer 1", the router is
blocked.
Activating "filterin in" and pinging my ISP DNS servers: dials, but
nothing comes in.
Activating "filterout out": timeout, does not dial...
Deactivating both: dials, everything seems to be ok...

Binding both to BRI0 gives no errors, but "sh ip interface bri0" tells
me:

....
BRI0 is up, line protocol is up
Internet protocol processing disabled
....

Ok, that's it...any tips would be fine - thanks for reading this...

Regards

Matthias
Barry Margolin, 01-26-2004
In article <bv2sbt$nfule$(E-Mail Removed)-berlin.de>,
Matthias Fischer <(E-Mail Removed)> wrote:

> When I bind both "filterin" and "filterout" to "Dialer 1", the router is
> blocked.
> Activating "filterin in" and pinging my ISP DNS servers: dials, but
> nothing comes in.
> Activating "filterout out": timeout, does not dial...
> Deactivating both: dials, everything seems to be ok...


Your access lists don't permit ICMP Echo packets out, and don't permit
ICMP Echo Reply packets in, so you're blocking all pinging.

--
Barry Margolin, (E-Mail Removed)
Arlington, MA
*** PLEASE post questions in newsgroups, not directly to me ***
Matthias Fischer, 01-26-2004
Barry Margolin <(E-Mail Removed)> wrote:

[incredibly fast answer]
>...
>so you're blocking all pinging


Ok - I see it now, working on it - thanks! - anything else... ?

Regards
Matthias
Matthias Fischer, 01-26-2004
Barry Margolin <(E-Mail Removed)> wrote:

>...
>Your access lists don't permit ICMP Echo packets out, and don't permit
>ICMP Echo Reply packets in, so you're blocking all pinging.


Ok - I changed to:

!
interface dialer 1
no ip unreachables
no ip proxy-arp
no ip redirects
ip access-group filterin in
ip access-group filterout out
!
!...
!
no ip access-list extended filterin
ip access-list extended filterin
deny ip 192.168.100.0 0.0.0.255 any
deny ip 10.0.0.0 0.255.255.255 any
deny ip 127.0.0.0 0.255.255.255 any
deny ip 169.254.0.0 0.0.255.255 any
deny ip 172.16.0.0 0.15.255.255 any
deny ip 192.168.0.0 0.0.255.255 any
deny ip 192.0.2.0 0.0.0.255 any
deny ip 224.0.0.0 15.255.255.255 any
deny ip 224.0.0.0 31.255.255.255 any
deny ip 0.0.0.0 0.255.255.255 any
deny ip host 0.0.0.0 any
!
! DEACTIVATED !
! deny icmp any any redirect
! permit icmp any any packet-too-big
!
! new: "I like icmp..."
permit icmp any any
evaluate packets
!
!
no ip access-list extended filterout
ip access-list extended filterout
! ftp
permit tcp any any eq 21 reflect packets
! SSH
permit tcp any any eq 22 reflect packets
! telnet
permit tcp any any eq 23 reflect packets
! smtp
permit tcp any any eq 25 reflect packets
! domain
permit tcp any any eq 53 reflect packets
! http
permit tcp any any eq 80 reflect packets
! pop
permit tcp any any eq 110 reflect packets
! nntp
permit tcp any any eq 119 reflect packets
! imap
permit tcp any any eq 143 reflect packets
! ssl
permit tcp any any eq 443 reflect packets
! dns
permit udp any any eq 53 reflect packets
!
! NEW !
deny icmp any any time-exceeded
! NEW !
permit icmp any any reflect packets

And he's doing it...

Simple fault it seems - perhaps I shouldn't write such lists at 3
o'clock in the morning...

Anything else I can/should do...? Any comments welcome!

Regards

Matthias
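Barry's diagnosis and the corrected lists above, traced with an added example (it is not from the thread and not Cisco IOS code): a small Python model of how an IOS extended ACL is searched top-down with an implicit deny, and how `reflect`/`evaluate` share reflexive entries between the outbound and inbound lists. It assumes a constructed negotiated Dialer1 address (203.0.113.7) and ISP DNS server (198.51.100.53), models NAT only in that the outbound list sees the already-translated source, and trims the lists to the entries that matter for the ping and one HTTP flow.

```python
import ipaddress

def addr_match(spec, addr):  # 'any' | 'host A' | 'A WILDCARD' -> (matched, tokens consumed)
    if spec[0] == "any":
        return True, 1
    if spec[0] == "host":
        return spec[1] == addr, 2
    net, wild = (int(ipaddress.IPv4Address(t)) for t in spec[:2])
    return (int(ipaddress.IPv4Address(addr)) | wild) == (net | wild), 2  # wildcard 1-bit = don't care

class Acl:
    def __init__(self, text, state):
        self.rules = [l.split() for l in text.splitlines() if l.strip() and not l.lstrip().startswith("!")]
        self.state = state  # reflexive entries, shared by the inbound and outbound lists

    def check(self, p):
        for r in self.rules:  # first matching line wins, exactly like IOS
            if r[0] == "evaluate":  # consult the entries that 'reflect' created on the other list
                if (p["proto"], p["src"], p["dst"], p.get("dport")) in self.state:
                    return "permit"
                continue
            action, proto, rest = r[0], r[1], r[2:]
            if proto != "ip" and proto != p["proto"]:
                continue
            ok, n = addr_match(rest, p["src"]); rest = rest[n:]
            ok2, n = addr_match(rest, p["dst"]); rest = rest[n:]
            if not (ok and ok2):
                continue
            if rest[:1] == ["eq"] and int(rest[1]) != p.get("dport"):  # 'eq 80' = destination port
                continue
            if proto == "icmp" and rest[:1] not in ([], ["reflect"]) and rest[0] != p.get("type"):
                continue  # an ICMP type keyword such as packet-too-big did not match
            if action == "permit" and "reflect" in rest:  # mirror the flow for the return path
                self.state.add((p["proto"], p["dst"], p["src"], p.get("sport")))
            return action
        return "deny"  # the implicit deny at the end of every IOS ACL

# Trimmed copies of the thread's lists: V1 as first posted, V2 after the ICMP fix.
OUT_V1 = "permit tcp any any eq 80 reflect packets\npermit icmp any any packet-too-big"
IN_V1 = "deny ip 192.168.100.0 0.0.0.255 any\npermit icmp any any packet-too-big\nevaluate packets"
OUT_V2 = "permit tcp any any eq 80 reflect packets\ndeny icmp any any time-exceeded\npermit icmp any any reflect packets"
IN_V2 = "deny ip 192.168.100.0 0.0.0.255 any\npermit icmp any any\nevaluate packets"
WAN, DNS = "203.0.113.7", "198.51.100.53"  # constructed: negotiated Dialer1 address, ISP DNS server

def exchange(out_text, in_text, proto, sport=None, dport=None, req=None, rep=None):
    state = set()  # one reflexive table for both directions
    out_acl, in_acl = Acl(out_text, state), Acl(in_text, state)
    request = {"proto": proto, "src": WAN, "dst": DNS, "sport": sport, "dport": dport, "type": req}  # post-NAT
    reply = {"proto": proto, "src": DNS, "dst": WAN, "sport": dport, "dport": sport, "type": rep}
    return out_acl.check(request), in_acl.check(reply)  # (outbound verdict, inbound verdict)
```

The first-posted lists give (deny, deny) for an echo/echo-reply pair, which is the timeout and "nothing comes in" behaviour described in the thread; the corrected lists give (permit, permit), while an unsolicited inbound TCP connection and a packet with a spoofed 192.168.100.x source still fall to the deny lines.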