Access lists - can I safely clear them without losing communication?

Discussion in 'Cisco' started by HC, Nov 27, 2003.

  1. HC

    HC Guest

    Hi

    I have a Cisco SOHO77 router. I'm trying to get my nameserver (Bind9) behind
    the router to answer. Queries to the nameserver from the inside work a
    treat and TCP requests work fine. UDP requests, on the other hand, give me a
    time-out from outside but work a treat from the inside.

    I am sitting ~1000km away from the router and I am configuring it from the
    outside. It's pretty important to me that I do not lose communication with
    the network since I do not have anyone there to intervene if I "**** up" :)

    I think the problem is in the access-lists. My question is:

    Can I safely delete the access-lists without losing communication through
    the external ADSL interface OR do I need to do something else?

    There are of course other implications involved in letting through all types
    of traffic but that's another question.

    Can I do:

    !
    configure terminal
    interface [external interface, for example: Dialer1]
    no ip access-group 1 in
    no ip access-group 1 out
    no ip access-group 100 in
    no ip access-group 100 out
    end
    write
    reload
    !

    The access lists are the ones the router came with.

    without losing contact to the router from the outside.

    Hans-Christian

    *Current configuration*********************************

    XXXXXXXX#sh startup-config
    Using 3599 out of 131072 bytes
    !
    version 12.1
    no service pad
    service timestamps debug datetime localtime show-timezone
    service timestamps log datetime localtime show-timezone
    service password-encryption
    !
    hostname XXXXXXXX
    !
    logging buffered 8192 debugging
    logging console warnings
    enable DeletetForObviousReasons :)
    !
    clock timezone MET 1
    clock summer-time MET-DST recurring last Sun Mar 2:00 last Sun Oct 3:00
    ip subnet-zero
    no ip finger
    ip dhcp excluded-address 192.168.1.254
    ip dhcp excluded-address 192.168.1.200 192.168.1.254
    ip dhcp excluded-address 192.168.1.2 192.168.1.9
    ip dhcp excluded-address 192.168.1.2
    !
    ip dhcp pool soho77
    network 192.168.1.0 255.255.255.0
    default-router 192.168.1.1
    dns-server 212.54.64.170 212.54.64.171
    lease 0 1
    !
    !
    !
    !
    interface Loopback0
    no ip address
    !
    interface Ethernet0
    ip address 192.168.1.1 255.255.255.0
    ip nat inside
    no keepalive
    !
    interface ATM0
    no ip address
    no atm ilmi-keepalive
    pvc 0/35
    encapsulation aal5mux ppp dialer
    dialer pool-member 1
    !
    dsl operating-mode ansi-dmt
    !
    interface Dialer0
    ip address negotiated
    ip access-group 100 in
    ip nat outside
    encapsulation ppp
    dialer pool 1
    dialer-group 1
    ppp authentication pap callin
    ppp pap sent-username XXXXXXXX password X XXXXXXXXXXXXXXXXXX
    !
    ip nat inside source list 1 interface Dialer0 overload
    ip nat inside source static tcp 192.168.1.2 53 interface Dialer0 53
    ip nat inside source static udp 192.168.1.2 53 interface Dialer0 53
    ip nat inside source static tcp 192.168.1.1 23 interface Dialer0 23
    ip nat inside source static 192.168.1.2 213.237.88.166 extendable
    ip classless
    ip route 0.0.0.0 0.0.0.0 Dialer0
    ip route 192.168.0.0 255.255.0.0 192.168.1.254
    no ip http server
    !
    access-list 1 permit 192.168.0.0 0.0.255.255
    access-list 1 permit any
    access-list 100 deny icmp any any redirect
    access-list 100 permit ip any any
    access-list 100 deny udp any any eq 19
    access-list 100 deny tcp any any eq 31 syn
    access-list 100 deny tcp any any eq 41 syn
    access-list 100 deny tcp any any eq 58 syn
    access-list 100 deny tcp any any eq 90 syn
    access-list 100 deny tcp any any eq 121 syn
    access-list 100 deny udp any any eq 135
    access-list 100 deny tcp any any eq 135 syn
    access-list 100 deny udp any any range 136 140
    access-list 100 deny tcp any any range 136 140 syn
    access-list 100 deny tcp any any eq 421 syn
    access-list 100 deny tcp any any eq 456 syn
    access-list 100 deny tcp any any eq 531 syn
    access-list 100 deny tcp any any eq 555 syn
    access-list 100 deny tcp any any eq 911 syn
    access-list 100 deny tcp any any eq 999 syn
    access-list 100 deny udp any any eq 1349
    access-list 100 deny udp any any eq 6838
    access-list 100 deny udp any any eq 8787
    access-list 100 deny udp any any eq 8879
    access-list 100 deny udp any any eq 9325
    access-list 100 deny tcp any any eq 12345 syn
    access-list 100 deny udp any any eq 31335
    access-list 100 deny udp any any eq 31337
    access-list 100 deny udp any any eq 31338
    access-list 100 deny udp any any eq 54320
    access-list 100 deny udp any any eq 54321
    dialer-list 1 protocol ip permit
    !
    line con 0
    exec-timeout 60 0
    password X XXXXXXXXXXXXXXXXXX
    login
    transport input none
    stopbits 1
    line vty 0 4
    exec-timeout 60 0
    password X XXXXXXXXXXXXXXXXXX
    login
    !
    scheduler max-task-time 5000
    end
    HC, Nov 27, 2003
    #1

  2. In article <3fc5eaf1$0$64733$>, HC <> wrote:
    :Can I safely delete the access-lists without loosing communication through
    :the external ADSL interface OR do I need to do something else?

    :Can I do:
    :no ip access-group 1 in
    :no ip access-group 1 out
    :no ip access-group 100 in
    :no ip access-group 100 out

    :without loosing contact to the router from the outside.

    :ip nat inside source list 1 interface Dialer0 overload

    It looks to me that you don't have access-list 1 assigned as
    an access-group. I can see, though, that you don't want to clear
    access-list 1 (e.g., no access-list 1 ) as that defines your
    NAT for your Dialer0. It should be fine, though, to get rid of the
    access-group 100 entry or to clear the access-list 100.
    --
    "[...] it's all part of one's right to be publicly stupid." -- Dave Smey
    Walter Roberson, Nov 27, 2003
    #2

  3. HC

    HC Guest

    Thanks Walter

    My original problem is that UDP answers from my nameserver behind the router
    do not seem to come out through the firewall, whereas it seems that they
    come in perfectly.

    Would, in your opinion, this problem go away if I remove access-group 100?

    :)

    HC

    hc(at)jehg(dot)dk

    HC, Nov 28, 2003
    #3
  4. PES

    PES Guest

    I can't see anything in your config that would keep udp from going back out.
    Is the TCP working? If not, check the default gateway on your dns server.
    Also, a side note. Your access-list 100 is permitting all ip. All the
    lines below access-list 100 permit ip any any are useless.

    PES, Nov 28, 2003
    #4
  5. Chris

    Guest

    On Fri, 28 Nov 2003 09:14:51 -0500, "PES"
    <NO*SPAMpestewartREMOVE**SUCKS> wrote:

    >I can't see anything in your config that would keep udp from going back out.
    >Is the TCP working? If not, check the default gateway on your dns server.
    >Also, a side note. Your access-list 100 is permitting all ip. All the
    >lines below access-list 100 permit ip any any are useless.



    Will the ' access-list 100 deny icmp any any redirect' cause problems
    by dropping valid icmp packets?

    One very helpful trick is 'reload'. Before you start changing
    anything, do a 'reload in 15'. That way if you dork it up and lose
    connectivity, the router will reload in 15 minutes and return to the
    saved config. Just remember not to save the config unless you're damn
    sure all is working as intended.

    Here's what I would do

    - Copy all of the access-list statements into notepad.
    - Edit as necessary, which includes putting the statements in the
    proper order (recall that it stops checking as soon as a valid match
    is made).
    - Remove the access-list 100 from the interface
    - Clear the access-list
    - Recreate the access-list by pasting the lines back in.
    - Re-add the access-list 100 to the interface

    -Chris
    , Nov 28, 2003
    #5
  6. HC

    HC Guest

    Does this mean that the access list will take effect as soon as it is added
    to the interface?

    I ask this question because most other things seem to require a write,
    reload cycle before taking effect (or am I wrong about that?)

    Thanks for the tip about the Reload in 15. This will work if I do not do the
    write, correct?

    Sorry for all the seemingly stupid questions. I appreciate the help very
    much.

    Taking 100 away from the interface would be

    !
    no ip access-group 100 in
    no ip access-group 100 out
    !

    Now I could just leave it out if I did not care about the security risk?

    Possibly I would clear it (100)
    Add some Deny ..... to the interface
    Add a permit ip all all in the end
    Add it to the interface again?

    Hans-Christian


    HC, Nov 28, 2003
    #6
  7. Chris

    Guest

    On Fri, 28 Nov 2003 20:55:46 -0000, "HC" <> wrote:

    >Does this mean that the access list will take effect as soon as it is added
    >to the interface?


    Yes

    >I ask this question because most other things seems to require a write,
    >reload cycle before taking effect (or am I wrong about that?)


    Most things should take effect immediately. Writing to the eeprom
    just saves the config so that it gets reread during the next boot.

    >Thanks for the tip about the Reload in 15. This will work if I do not do the
    >write, correct?


    Yup. When it reboots, it will simply read in the saved config.


    >Sorry for all the seemingly stupid questions. I appreciate the help very
    >much.
    >
    >Taking 100 away from the interface would be
    >
    >!
    >no ip access-group 100 in
    >no ip access-group 100 out
    >!


    Looks right.

    >Now I could just leave it out if I did not care about the security risk?
    >
    >Possibly I would clear it (100)
    >Add some Deny ..... to the interface
    >Add a permit ip all all in the end
    >Add it to the interface again?


    Exactly. They get checked in the order entered. You also might want
    to do a google search for some example access-lists for good ideas on
    what to permit and deny.

    -Chris
    , Nov 29, 2003
    #7
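As an added example (not code from the thread or from Cisco), here is a small Python first-match evaluator over the posted access-list 100. It makes PES's observation and Chris's "checked in the order entered" point mechanical: once `permit ip any any` has matched, every later line is unreachable, and moving that permit to the end brings the deny lines to life. The ACL text is a constructed subset of the posted list, and source/destination matching is omitted because every entry uses `any any`.

```python
"""First-match analysis of an IOS numbered extended ACL (constructed example).

Entries are modelled on the thread's access-list 100.  Only protocol,
destination port and the 'syn'/'redirect' qualifiers are compared, since all
posted entries use 'any any'; a real IOS ACL also matches on addresses.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Subset of the posted access-list 100, in the posted order.
ACL_TEXT = """\
access-list 100 deny icmp any any redirect
access-list 100 permit ip any any
access-list 100 deny udp any any eq 19
access-list 100 deny tcp any any eq 31 syn
access-list 100 deny udp any any range 136 140
access-list 100 deny tcp any any eq 12345 syn
access-list 100 deny udp any any eq 31337
"""

@dataclass(frozen=True)
class Entry:
    line: int
    action: str                        # 'permit' or 'deny'
    proto: str                         # 'ip', 'tcp', 'udp' or 'icmp'
    ports: Optional[Tuple[int, int]]   # inclusive dst-port range; None = any
    qualifier: Optional[str]           # 'syn', 'redirect' or None

LINE_RE = re.compile(
    r"access-list\s+\d+\s+(permit|deny)\s+(\w+)\s+any\s+any"
    r"(?:\s+eq\s+(\d+)|\s+range\s+(\d+)\s+(\d+))?(?:\s+(syn|redirect))?\s*$")

def parse_acl(text: str) -> List[Entry]:
    """Parse 'access-list N ... any any [eq P|range A B] [syn|redirect]' lines."""
    entries = []
    for n, raw in enumerate(text.strip().splitlines(), 1):
        m = LINE_RE.match(raw.strip())
        if not m:
            raise ValueError(f"unsupported line {n}: {raw}")
        action, proto, eq, lo, hi, qual = m.groups()
        ports = (int(eq), int(eq)) if eq else ((int(lo), int(hi)) if lo else None)
        entries.append(Entry(n, action, proto, ports, qual))
    return entries

def matches(e: Entry, proto: str, dport: int, syn: bool, redirect: bool) -> bool:
    if e.proto != "ip" and e.proto != proto:
        return False
    if e.ports and not (e.ports[0] <= dport <= e.ports[1]):
        return False
    if e.qualifier == "syn" and not syn:
        return False
    if e.qualifier == "redirect" and not redirect:
        return False
    return True

def evaluate(acl: List[Entry], proto: str, dport: int = 0,
             syn: bool = False, redirect: bool = False) -> Tuple[str, Optional[int]]:
    """IOS semantics: the first matching entry wins; implicit deny at the end."""
    for e in acl:
        if matches(e, proto, dport, syn, redirect):
            return e.action, e.line
    return "deny", None

def covers(a: Entry, b: Entry) -> bool:
    """True if every packet matching b would already have matched a."""
    if a.proto not in ("ip", b.proto):
        return False
    if a.ports is not None and (b.ports is None or
                                not (a.ports[0] <= b.ports[0] and b.ports[1] <= a.ports[1])):
        return False
    # A qualifier on `a` narrows it, so `b` must carry the same qualifier.
    return a.qualifier is None or a.qualifier == b.qualifier

def shadowed(acl: List[Entry]) -> List[int]:
    """Line numbers of entries that can never be reached (dead rules)."""
    return [e.line for i, e in enumerate(acl) if any(covers(p, e) for p in acl[:i])]

if __name__ == "__main__":
    acl = parse_acl(ACL_TEXT)
    print("dead entries:", shadowed(acl))            # every line after the permit
    print("udp/31337 ->", evaluate(acl, "udp", 31337))
```

Running `shadowed` on the full posted list reports every line after `permit ip any any`, which is exactly the set PES called useless.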
  8. On Fri, 28 Nov 2003 20:55:46 +0000, HC wrote:

    > Does this mean that the access list will take effect as soon as it is
    > added to the interface?
    >
    > I ask this question because most other things seems to require a write,
    > reload cycle before taking effect (or am I wrong about that?)
    >
    >

    Yep, you are wrong about that. Most changes take effect as soon as you
    hit the <enter> key at the end of the line. That's why it pays to be
    careful, and why "reload in ..." is so handy. It can save you from that
    sinking feeling when you hit <enter> and the prompt doesn't come back.

    --
    Martin
    Martin Gallagher, Nov 29, 2003
    #8
  9. HC

    HC Guest

    Reload in is really cool.

    In the end removing the access list didn't help :-(

    I made a new route outside 53 to inside 153, moved my nameserver to answer
    at 153 and voila it works.

    It works (I can't believe it!). I still don't understand why it didn't work
    before though, but...

    I had to do the same thing (port 153) with my old 667box because it messed
    up the DNS packets sent out (all answers became the IP of the router). I
    have been told that my "new" SOHO77 shouldn't do the same thing, but there
    you go... (Technically it wasn't the same... :)

    Anyway case closed.

    Thank You everybody for lots of help :) Now I know a lot more about the
    router.

    Hans-Christian

    hc(at)jehg(dot)dk

    HC, Nov 29, 2003
    #9