Cisco 1003 - NAT - ISDN and extended ACLs

Discussion in 'Cisco' started by Matthias Fischer, Jan 26, 2004.

  1. Hello!

    Sorry for this long one, but I'm stuck at some place and can't see
    exactly where...head is spinning...

First my "running-config", Cisco1003, dialing my ISP, originally built
    with ConfigMaker 2.6 to get things started - *plus* a self-written
    config-file.

    Cisco1003#sh running-conf
    Building configuration...

    Current configuration : 1846 bytes
    !
    version 12.1
    no service single-slot-reload-enable
    service timestamps debug uptime
    service timestamps log uptime
    service password-encryption
    service hide-telnet-addresses
    !
    hostname Cisco1003
    !
    enable secret <password>
    !
    ip subnet-zero
    no ip source-route
    no ip domain-lookup
    !
    no ip bootp server
    isdn switch-type basic-net3
    !
    interface Ethernet0
    description connected to EthernetLAN
    ip address 192.168.100.254 255.255.255.0
    ip access-group 12 in
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip nat inside
    !
    interface BRI0
    description connected to <my ISP>
    no ip address
    ip nat outside
    encapsulation ppp
    dialer rotary-group 1
    isdn switch-type basic-net3
    no cdp enable
    !
    interface Dialer1
    description connected to <my ISP>
    ip address negotiated
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip nat outside
    encapsulation ppp
    no ip split-horizon
    dialer in-band
    dialer idle-timeout 60
    dialer string <ISP-Tel.-No.>
    dialer hold-queue 10
    dialer-group 1
    no cdp enable
    ppp authentication chap pap callin
    ppp chap hostname
    ppp chap password <password>
    ppp pap sent-username <> password <password>
    !
    router rip
    version 2
    passive-interface Dialer1
    network 192.168.100.0
    no auto-summary
    !
    ip nat inside source list 1 interface Dialer1 overload
    no ip classless
    ip route 0.0.0.0 0.0.0.0 Dialer1
    no ip http server
    !
    access-list 1 permit 192.168.100.0 0.0.0.255
    access-list 12 deny 192.168.100.4
    access-list 12 deny 192.168.100.5
    access-list 12 deny 192.168.100.6
    access-list 12 permit 192.168.100.0 0.0.0.255
    dialer-list 1 protocol ip permit
    no cdp run
    !
    line con 0
    exec-timeout 0 0
    password <password>
    login
    line vty 0
    password <password>
    login
    transport input none
    line vty 1 4
    login
    transport input none
    !
    end

Important: the above listing is the "running-config" *plus* the
    following config-file. I'm sending the initial configuration with
    ConfigMaker 2.6 through Console 0 - the following goes into the router
    using "copy tftp: running-config" and 3COM's "3CDaemon".

    CONFIG-TFTP.CFG
    ****************SNIP**************
    !
    service hide-telnet-addresses
    no service finger
    no service tcp-small-servers
    no service udp-small-servers
    no ip source-route
    no ip bootp server
    no ip http server
    no snmp-server
    no cdp run
    !
    interface ethernet 0
    ip access-group 12 in
    no ip unreachables
    no ip proxy-arp
    no ip redirects
    !
    interface dialer 1
    no ip unreachables
    no ip proxy-arp
    no ip redirects
    ! ip access-group filterin in <- can't get this working...
    ! ip access-group filterout out <- something is wrong, but I don't
    ! get the clue...
    !
    ! only with multilink enabled...
    ! load-interval 300
    ! dialer load-threshold 200 either
    !
    ! Standard-ACLs...
    !
    no access-list 12
    access-list 12 remark ethernet0/in
    ! denying all coming in from ethernet - i need this sometimes
    ! access-list 12 deny 192.168.100.0 0.0.0.255
    !
    ! These are only enabled when needed...
    ! Home-PC (Kid No.1)
    access-list 12 deny host 192.168.100.4
    !
    ! Home-PC (Kid No.2)
    access-list 12 deny host 192.168.100.5
    !
    ! Home-PC for testing
    access-list 12 deny host 192.168.100.6
    !
    ! all others are allowed...
    access-list 12 permit 192.168.100.0 0.0.0.255
    !

    This is working up to this point - basically - and I think I understand
    what I'm doing...hopefully...

    But next I thought it would be a good idea to start using
    access-lists to "harden my router"...
    Ok, I use NAT, but...

The following two lists are the ones I wrote after reading Scott D.
    Winter's article "Securing the perimeter with Cisco IOS 12 Routers".

    no ip access-list extended filterin
    ip access-list extended filterin
    deny ip 192.168.100.0 0.0.0.255 any
    deny ip 10.0.0.0 0.255.255.255 any
    deny ip 127.0.0.0 0.255.255.255 any
    deny ip 169.254.0.0 0.0.255.255 any
    deny ip 172.16.0.0 0.15.255.255 any
    deny ip 192.168.0.0 0.0.255.255 any
    deny ip 192.0.2.0 0.0.0.255 any
    deny ip 224.0.0.0 15.255.255.255 any
    deny ip 224.0.0.0 31.255.255.255 any
    deny ip 0.0.0.0 0.255.255.255 any
    deny ip host 0.0.0.0 any
    deny icmp any any redirect
    permit icmp any any packet-too-big
    ! permit ip any any established <- does this make sense here?
    evaluate packets
    !
    no ip access-list extended filterout
    ip access-list extended filterout
    ! ftp
    permit tcp any any eq 21 reflect packets
    ! SSH
    permit tcp any any eq 22 reflect packets
    ! telnet
    permit tcp any any eq 23 reflect packets
    ! smtp
    permit tcp any any eq 25 reflect packets
    ! domain
    permit tcp any any eq 53 reflect packets
    ! http
    permit tcp any any eq 80 reflect packets
    ! pop
    permit tcp any any eq 110 reflect packets
    ! nntp
    permit tcp any any eq 119 reflect packets
    ! imap
    permit tcp any any eq 143 reflect packets
    ! ssl
    permit tcp any any eq 443 reflect packets
    ! dns
    permit udp any any eq 53 reflect packets
    ! icmp packet-too-big
    permit icmp any any packet-too-big
    !

But now my knowledge is at its end - *how* and *where* do I integrate
    these two lists (after all, do I *really need* them?) in my
    running-config?
    To put it in a nutshell: Are they making any sense and where should I
    place them?
    Does it make sense using these "extended" lists while dialing to an ISP
    with ISDN using NAT?

When I bind both "filterin" and "filterout" to "Dialer 1", the router is
    blocked.
    Activating "filterin in" and pinging my ISP-DNS-Servers: dials, but
    nothing comes in.
    Activating "filterout out": Timeout, does not dial...
    Deactivating both: dials, everything seems to be ok...

    Binding both to BRI0 gives no errors, but "sh ip interface bri0" tells
    me:

    ....
    BRI0 is up, line protocol is up
    Internet protocol processing disabled
    ....

    Ok, that's it...any tips would be fine - thanks for reading this...

    Regards

    Matthias
     
    Matthias Fischer, Jan 26, 2004
    #1

  2. In article <bv2sbt$nfule$-berlin.de>,
    Matthias Fischer <> wrote:

> When I bind both "filterin" and "filterout" to "Dialer 1", the router is
    > blocked.
    > Activating "filterin in" and pinging my ISP-DNS-Servers: dials, but
    > nothing comes in.
    > Activating "filterout out": Timeout, does not dial...
    > Deactivating both: dials, everything seems to be ok...


    Your access lists don't permit ICMP Echo packets out, and don't permit
    ICMP Echo Reply packets in, so you're blocking all pinging.

    --
    Barry Margolin,
    Arlington, MA
    *** PLEASE post questions in newsgroups, not directly to me ***
     
    Barry Margolin, Jan 26, 2004
    #2

  3. Barry Margolin <> wrote:

[incredibly fast answer]
    >...
    >so you're blocking all pinging


    Ok - I see it now, working on it - thanks! - anything else... ?

    Regards
    Matthias
     
    Matthias Fischer, Jan 26, 2004
    #3
  4. Barry Margolin <> wrote:

    >...
    >Your access lists don't permit ICMP Echo packets out, and don't permit
    >ICMP Echo Reply packets in, so you're blocking all pinging.


    Ok - I changed to:

    !
    interface dialer 1
    no ip unreachables
    no ip proxy-arp
    no ip redirects
    ip access-group filterin in
    ip access-group filterout out
    !
    !...
    !
    no ip access-list extended filterin
    ip access-list extended filterin
    deny ip 192.168.100.0 0.0.0.255 any
    deny ip 10.0.0.0 0.255.255.255 any
    deny ip 127.0.0.0 0.255.255.255 any
    deny ip 169.254.0.0 0.0.255.255 any
    deny ip 172.16.0.0 0.15.255.255 any
    deny ip 192.168.0.0 0.0.255.255 any
    deny ip 192.0.2.0 0.0.0.255 any
    deny ip 224.0.0.0 15.255.255.255 any
    deny ip 224.0.0.0 31.255.255.255 any
    deny ip 0.0.0.0 0.255.255.255 any
    deny ip host 0.0.0.0 any
    !
    ! DEACTIVATED !
    ! deny icmp any any redirect
    ! permit icmp any any packet-too-big
    !
    ! new: "I like icmp..."
    permit icmp any any
    evaluate packets
    !
    !
    no ip access-list extended filterout
    ip access-list extended filterout
    ! ftp
    permit tcp any any eq 21 reflect packets
    ! SSH
    permit tcp any any eq 22 reflect packets
    ! telnet
    permit tcp any any eq 23 reflect packets
    ! smtp
    permit tcp any any eq 25 reflect packets
    ! domain
    permit tcp any any eq 53 reflect packets
    ! http
    permit tcp any any eq 80 reflect packets
    ! pop
    permit tcp any any eq 110 reflect packets
    ! nntp
    permit tcp any any eq 119 reflect packets
    ! imap
    permit tcp any any eq 143 reflect packets
    ! ssl
    permit tcp any any eq 443 reflect packets
    ! dns
    permit udp any any eq 53 reflect packets
    !
    ! NEW !
    deny icmp any any time-exceeded
    ! NEW !
    permit icmp any any reflect packets

    And he's doing it... :)

Simple fault it seems - perhaps I shouldn't write such lists at 3
    o'clock in the morning...:)

    Anything else I can/should do...? Any comments welcome!

    Regards

    Matthias
     
    Matthias Fischer, Jan 26, 2004
    #4
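As an added illustration (not from the thread, and not Cisco code), here is a small Python model of how IOS walks an extended ACL top-down and how `reflect` and `evaluate` build the return-path entries. It replays Barry's diagnosis against the lists from post #1 and the corrected lists from post #4; the negotiated Dialer1 address and the ISP resolver are constructed placeholders, and the parser covers only the syntax these two lists use.

```python
import ipaddress

def parse(line):
    """Parse the IOS extended-ACL subset the thread uses into a rule dict."""
    t = line.split()
    if t[0] == "evaluate":
        return {"action": "evaluate", "name": t[1]}
    r, i = {"action": t[0], "proto": t[1], "port": None, "icmp": None, "reflect": None}, 2
    for key in ("src", "dst"):  # "any", "host A" or "A WILDCARD" (ipaddress reads a wildcard as a hostmask)
        if t[i] == "any":
            r[key], i = ipaddress.ip_network("0.0.0.0/0"), i + 1
        else:
            spec = t[i + 1] if t[i] == "host" else f"{t[i]}/{t[i + 1]}"
            r[key], i = ipaddress.ip_network(spec, strict=False), i + 2
    while i < len(t):  # trailing "eq PORT", "reflect NAME" or an ICMP type name
        if t[i] in ("eq", "reflect"):
            r["port" if t[i] == "eq" else "reflect"], i = t[i + 1], i + 2
        else:
            r["icmp"], i = t[i], i + 1
    return r

def verdict(lines, pkt, sessions):
    """First match wins for pkt = (proto, src, sport, dst, dport, icmp_type); 'reflect' stores the mirrored flow, 'evaluate' looks it up."""
    proto, src, sport, dst, dport, icmp = pkt
    for r in map(parse, lines):
        if r["action"] == "evaluate":
            if (proto, src, sport, dst, dport) in sessions.get(r["name"], ()):
                return "permit (reflexive)"
        elif (r["proto"] in ("ip", proto) and ipaddress.ip_address(src) in r["src"]
              and ipaddress.ip_address(dst) in r["dst"]
              and r["port"] in (None, str(dport)) and r["icmp"] in (None, icmp)):
            if r["reflect"]:  # remember the return direction of this permitted flow
                sessions.setdefault(r["reflect"], set()).add((proto, dst, dport, src, sport))
            return r["action"]
    return "deny (implicit)"  # every IOS ACL ends with an implicit deny

WAN, DNS = "198.51.100.7", "203.0.113.53"  # constructed: negotiated Dialer1 address, ISP resolver
BOGONS = ["deny ip 192.168.100.0 0.0.0.255 any", "deny ip 10.0.0.0 0.255.255.255 any"]
POST1_IN = BOGONS + ["deny icmp any any redirect", "permit icmp any any packet-too-big", "evaluate packets"]
POST1_OUT = ["permit udp any any eq 53 reflect packets", "permit icmp any any packet-too-big"]
POST4_IN = BOGONS + ["permit icmp any any", "evaluate packets"]
POST4_OUT = POST1_OUT[:1] + ["deny icmp any any time-exceeded", "permit icmp any any reflect packets"]

def ping(filterout, filterin):  # echo out to the ISP resolver, then its echo-reply back in
    sessions = {}
    return (verdict(filterout, ("icmp", WAN, 0, DNS, 0, "echo"), sessions),
            verdict(filterin, ("icmp", DNS, 0, WAN, 0, "echo-reply"), sessions))

def dns_query_vs_unsolicited(filterout, filterin):  # DNS reply rides the reflexive entry; a stray SYN to 22 has none
    sessions = {}
    verdict(filterout, ("udp", WAN, 40000, DNS, 53, None), sessions)
    return (verdict(filterin, ("udp", DNS, 53, WAN, 40000, None), sessions),
            verdict(filterin, ("tcp", "203.0.113.9", 44444, WAN, 22, None), sessions))
```

With the post #1 lists the echo never leaves (implicit deny on filterout) and nothing is reflected, which is exactly the "dials, but nothing comes in" symptom; with the post #4 lists the echo is permitted and reflected, while unsolicited inbound connections still hit the implicit deny.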