Access-List: Blocking all access by mistake

Discussion in 'Cisco' started by Sarah, Nov 29, 2004.

  1. Sarah

    I want to block only web protocols to our web servers. It needs http
    and ssl only and I want to use access-lists. I changed the real IP
    addresses. This is what I tried:

    webserver address is 10.0.0.59

    access-list 101 permit tcp 0.0.0.0 255.255.255.255 10.0.0.59 0.0.0.0
    eq 80
    access-list 101 permit tcp 0.0.0.0 255.255.255.255 10.0.0.59 0.0.0.0
    eq 443
    access-list 101 deny ip 0.0.0.0 255.255.255.255 10.0.0.59 0.0.0.0

    Then I applied it to interface Ethernet 0
    ip access-group 101 out

    I have other servers on that segment, ie. Exchanges, Proxy Server,
    etc. Once I made the change, no machine could hit internet in or out.
    Any help will be graciously appreciated, as my boss wants this issue
    resolved by yesterday.


    ------------------------------------------------------------------------------


    Using 584 out of 32762 bytes
    !
    version 10.3
    service password-encryption
    service udp-small-servers
    service tcp-small-servers
    !
    hostname
    !
    enable secret
    enable password
    !
    ip subnet-zero
    !
    interface Ethernet0
    ip address 10.0.0.57 255.255.255.0
    bandwidth 10000
    !
    interface Serial0
    ip address 64.0.0.22 255.255.255.0
    bandwidth 1544
    keepalive 9
    !
    interface Serial1
    no ip address
    shutdown
    !
    ip classless
    ip route 0.0.0.0 0.0.0.0 10.0.0.21
    logging buffered
    !
    line con 0
    line aux 0
    transport input all
    line vty 0 4
    password
    login
    !
    end
    Sarah, Nov 29, 2004
    #1

  2. In article <>,
    Sarah <> wrote:
    :I want to block only web protocols to our web servers. It needs http
    :and ssl only and I want to use access-lists. I changed the real IP
    :addresses. This is what I tried:

    :webserver address is 10.0.0.59

    :access-list 101 permit tcp 0.0.0.0 255.255.255.255 10.0.0.59 0.0.0.0 eq 80
    :access-list 101 permit tcp 0.0.0.0 255.255.255.255 10.0.0.59 0.0.0.0 eq 443
    :access-list 101 deny ip 0.0.0.0 255.255.255.255 10.0.0.59 0.0.0.0

    :Then I applied it to interface Ethernet 0
    :ip access-group 101 out

    First off, you probably want to apply this 'in' your WAN interface
    rather than 'out' your LAN interface. When you apply it 'out' your
    LAN interface, it permits your inside systems to www and ssl to
    10.0.0.59... except that those are already inside so it doesn't do
    you any good.

    Secondly, you never need a 'deny' statement at the end of an access list,
    as the default is to deny.


    Thirdly, as a matter of form, use 'any' and 'host', and use symbolic
    names for ports where applicable:

    access-list 101 permit tcp any host 10.0.0.59 eq www
    access-list 101 permit tcp any host 10.0.0.59 eq 443


    Fourthly, you need to permit return traffic for all your other systems.
    If you don't have the firewall feature set, that can be a bit tricky
    particularly if your systems might use udp to connect to other systems.


    access-list 101 remark allow returning tcp traffic
    access-list 101 permit tcp any any established
    access-list 101 remark allow returning DNS traffic
    access-list 101 permit udp any eq 53 any
    access-list 101 remark allow new connections to www and ssl
    access-list 101 permit tcp any host 10.0.0.59 eq www
    access-list 101 permit tcp any host 10.0.0.59 eq 443
    access-list 101 remark remember to allow for unreachables
    access-list 101 permit icmp any any ttl-exceeded
    access-list 101 permit icmp any any unreachable
    --
    IEA408I: GETMAIN cannot provide buffer for WATLIB.
    Walter Roberson, Nov 29, 2004
    #2

  3. Rod Dorman

    In article <cog60s$g4h$>,
    Walter Roberson <-cnrc.gc.ca> wrote:
    > ...
    >Secondly, you never need a 'deny' statement at the end of an access list,
    >as the default is to deny.


    Minor nitpick, it's handy when you want to log the occurrence.

    --
    -- Rod --
    rodd(at)polylogics(dot)com
    Rod Dorman, Nov 30, 2004
    #3
  4. In article <coihfp$oa3$>, Rod Dorman <> wrote:
    :In article <cog60s$g4h$>,
    :Walter Roberson <-cnrc.gc.ca> wrote:

    :>Secondly, you never need a 'deny' statement at the end of an access list,
    :>as the default is to deny.

    :Minor nitpick, it's handy when you want to log the occurrence.

    True, but the OP had no logging of any sort defined, so putting
    in a deny ACL with a 'log' keyword wouldn't have had any useful
    effect.
    --
    Warhol's Second Law of Usenet: "In the future, everyone will troll
    for 15 minutes."
    Walter Roberson, Nov 30, 2004
    #4
  5. Erik Freitag

    On Tue, 30 Nov 2004 21:19:10 +0000, Walter Roberson wrote:

    > In article <coihfp$oa3$>, Rod Dorman <> wrote:
    > :In article <cog60s$g4h$>,
    > :Walter Roberson <-cnrc.gc.ca> wrote:
    >
    > :>Secondly, you never need a 'deny' statement at the end of an access list,
    > :>as the default is to deny.
    >
    > :Minor nitpick, it's handy when you want to log the occurrence.
    >
    > True, but the OP had no logging of any sort defined, so putting
    > in a deny ACL with a 'log' keyword wouldn't have had any useful
    > effect.


    Sure it would - you still get match counts (as shown below)

    Extended IP access list border-inbound
    170 deny ip any any log (76290 matches)
    Erik Freitag, Nov 30, 2004
    #5
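The following Python script is an added illustration, not code from any post in this thread. It models how IOS evaluates an extended access list: top to bottom, first match wins, and anything that reaches the end hits the implicit deny, which has no counter. Fed the list from post #1 and the rewrite from post #2 (with the explicit "deny ip any any log" from posts #3 and #5 appended), it shows why the original list drops return traffic for every other host on the segment, why "established" fixes that, and that only an explicit deny entry accumulates the match count Erik shows. The Internet addresses 203.0.113.x and the proxy address 10.0.0.60 are constructed for the example, and interfaces are not modelled: every packet is treated as arriving from the Internet and heading for the LAN, which is the traffic both the "out Ethernet0" and the "in Serial0" placement see.

```python
"""
Cisco-style extended ACL evaluator: first match wins, implicit deny at the
end, per-entry hit counters. Written for this thread as an illustration;
it is not IOS code and supports only the keywords used in the posts.
"""
from __future__ import annotations
from dataclasses import dataclass
import ipaddress

PORT_NAMES = {"www": 80, "domain": 53, "smtp": 25, "ftp": 21, "telnet": 23}
ICMP_TYPES = {"unreachable": 3, "ttl-exceeded": 11, "echo": 8, "echo-reply": 0}


@dataclass
class Packet:
    proto: str                  # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    ack: bool = False           # TCP ACK or RST set: what 'established' tests
    icmp_type: int | None = None


@dataclass
class Entry:
    action: str                 # "permit" or "deny"
    proto: str                  # "ip" matches every protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    sport: int | None = None
    dport: int | None = None
    established: bool = False
    icmp_type: int | None = None
    log: bool = False
    matches: int = 0            # the "(N matches)" counter IOS shows


def _net(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """Wildcard mask -> network. In a wildcard, 0 bits must match and 1 bits
    are don't-care, so invert it into a netmask (contiguous wildcards only)."""
    mask = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF
    return ipaddress.IPv4Network((addr, str(ipaddress.IPv4Address(mask))), strict=False)


def _addr(t: list[str], i: int):
    """Parse 'any' | 'host A' | 'A WILDCARD' starting at token i."""
    if t[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.IPv4Network(t[i + 1] + "/32"), i + 2
    return _net(t[i], t[i + 1]), i + 2


def _port(t: list[str], i: int):
    """Parse an optional 'eq PORT' (number or symbolic name) at token i."""
    if i < len(t) and t[i] == "eq":
        name = t[i + 1]
        return (PORT_NAMES[name] if name in PORT_NAMES else int(name)), i + 2
    return None, i


def parse_acl(lines: list[str]) -> list[Entry]:
    """Parse 'access-list N permit|deny PROTO SRC [eq P] DST [eq P] [flags]'.
    Remarks are skipped. The implicit deny is NOT an entry, so it has no counter."""
    acl = []
    for line in lines:
        t = line.split()
        if len(t) < 4 or t[0] != "access-list" or t[2] == "remark":
            continue
        src, i = _addr(t, 4)
        sport, i = _port(t, i)
        dst, i = _addr(t, i)
        dport, i = _port(t, i)
        e = Entry(t[2], t[3], src, dst, sport, dport)
        for kw in t[i:]:
            if kw == "established":
                e.established = True
            elif kw == "log":
                e.log = True
            elif kw in ICMP_TYPES:
                e.icmp_type = ICMP_TYPES[kw]
            else:
                raise ValueError(f"unsupported keyword {kw!r}: {line}")
        acl.append(e)
    return acl


def _match(e: Entry, p: Packet) -> bool:
    if e.proto != "ip" and e.proto != p.proto:
        return False
    if ipaddress.IPv4Address(p.src) not in e.src or ipaddress.IPv4Address(p.dst) not in e.dst:
        return False
    if e.sport is not None and p.sport != e.sport:
        return False
    if e.dport is not None and p.dport != e.dport:
        return False
    if e.established and not (p.proto == "tcp" and p.ack):
        return False
    if e.icmp_type is not None and p.icmp_type != e.icmp_type:
        return False
    return True


def evaluate(acl: list[Entry], p: Packet) -> str:
    """First matching entry decides; anything unmatched hits the implicit deny."""
    for e in acl:
        if _match(e, p):
            e.matches += 1
            return e.action
    return "deny"


# Sarah's original list (post #1), applied 'out' on Ethernet0, i.e. to every
# packet the router forwards toward the LAN segment.
ORIGINAL = [
    "access-list 101 permit tcp 0.0.0.0 255.255.255.255 10.0.0.59 0.0.0.0 eq 80",
    "access-list 101 permit tcp 0.0.0.0 255.255.255.255 10.0.0.59 0.0.0.0 eq 443",
    "access-list 101 deny ip 0.0.0.0 255.255.255.255 10.0.0.59 0.0.0.0",
]

# Walter's rewrite (post #2) for 'in' on Serial0, plus the explicit logged deny
# from posts #3 and #5 so that dropped packets get a counter.
CORRECTED = [
    "access-list 101 permit tcp any any established",
    "access-list 101 permit udp any eq 53 any",
    "access-list 101 permit tcp any host 10.0.0.59 eq www",
    "access-list 101 permit tcp any host 10.0.0.59 eq 443",
    "access-list 101 permit icmp any any ttl-exceeded",
    "access-list 101 permit icmp any any unreachable",
    "access-list 101 deny ip any any log",
]

# Constructed traffic: 203.0.113.x are made-up Internet hosts, 10.0.0.60 a
# made-up proxy on the same segment as the web server.
WEB_SYN   = Packet("tcp", "203.0.113.10", "10.0.0.59", sport=40000, dport=80)
SSH_SYN   = Packet("tcp", "203.0.113.10", "10.0.0.59", sport=40001, dport=22)
PROXY_RET = Packet("tcp", "203.0.113.10", "10.0.0.60", sport=80, dport=51234, ack=True)
PROXY_SYN = Packet("tcp", "203.0.113.10", "10.0.0.60", sport=40002, dport=25)
DNS_REPLY = Packet("udp", "203.0.113.53", "10.0.0.60", sport=53, dport=33000)
ICMP_UNR  = Packet("icmp", "203.0.113.1", "10.0.0.60", icmp_type=3)
PING      = Packet("icmp", "203.0.113.1", "10.0.0.60", icmp_type=8)
SAMPLE    = [WEB_SYN, SSH_SYN, PROXY_RET, PROXY_SYN, DNS_REPLY, ICMP_UNR, PING]


def run(lines: list[str], packets: list[Packet]):
    """Evaluate packets against a fresh parse of the list; return the verdicts
    in order and the per-entry hit counters."""
    acl = parse_acl(lines)
    verdicts = [evaluate(acl, p) for p in packets]
    return verdicts, [e.matches for e in acl]


if __name__ == "__main__":
    for name, lines in (("original", ORIGINAL), ("corrected", CORRECTED)):
        verdicts, hits = run(lines, SAMPLE)
        print(f"{name:9} verdicts={verdicts} hits={hits}")
```

Run directly, it prints the verdict for each sample packet under both lists. The original list permits only the two web ports to 10.0.0.59 and sends everything else, including the proxy's ACK packets and the DNS reply, to the implicit deny, which is exactly the "no machine could hit internet" symptom; the corrected list lets those replies through on "established" and the source-port-53 entry, still refuses a new SSH connection to the web server, and its final logged deny is the only entry whose counter rises for the dropped packets.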