DOH! I need some ACL basic help!

Discussion in 'Cisco' started by David Hodgson, Aug 18, 2004.

    Folks I appreciate everyone's help here but I have major questions about
    ACL's that need verified before all my hair falls out, and believe me
    there's not much left :). I can't really do any debugging as guys are using
    this router 24/7 and I keep getting complaints that they're getting
    disconnected etc. while I work on ACL's, not surprising really :)

    I have


    Host 1.1.1.2---HUB---e1/1, 1.1.1.1-Router-e1/2, 2.2.2.2---HUB---Host 2.2.2.3

    I want to only allow port 80 from any source to 2.2.2.3
    I also want to only allow port 22 from only 1.1.1.2 to 2.2.2.3
    I also want 2.2.2.3 allowed to access everything and anything (including
    ICMP)

    I've tried setting this up with the help of this newsgroup but I'm at a
    loss, can someone please tell me what commands I need to put in?

    I originally put in the following but this stops 2.2.2.3 going out

    e1/2
    ip access-group 100 out

    access-list 100 permit tcp any host 2.2.2.3 eq www
    access-list 100 permit tcp host 1.1.1.2 host 2.2.2.3 eq 22
    access-list 100 deny ip any any

    Should the ip group be "in" instead of "out"?

    What does this mean "One access list per interface, per protocol, per
    direction is allowed" Does that mean I cannot have 2 different protocols on
    one access list (TCP and IP)?

    When you have an "in" access-list should you also always have an "out"
    access-list? Does this encroach on the above restriction?

    I come from a windows background so be kind :)

    As said earlier, any help answering these questions would be great.

    cheers
    Dave
     
    David Hodgson, Aug 18, 2004
    #1

  2. Hello,
    see inline answer(s)
    David Hodgson wrote:

    > Folks I appreciate everyone's help here but I have major questions about
    > ACL's that need verified before all my hair falls out, and believe me
    > there's not much left :). I can't really do any debugging as guys are using
    > this router 24/7 and I keep getting complaints that they're getting
    > disconnected etc. while I work on ACL's, not surprising really :)
    >
    > I have
    >
    >
    > Host 1.1.1.2---HUB---e1/1, 1.1.1.1-Router-e1/2, 2.2.2.2---HUB---Host 2.2.2.3
    >
    > I want to only allow port 80 from any source to 2.2.2.3
    > I also want to only allow port 22 from only 1.1.1.2 to 2.2.2.3
    > I also want 2.2.2.3 allowed to access everything and anything (including
    > ICMP)
    >

    So far, so good. But you must extend this description with the following:
    permit all tcp/udp-traffic that is returned! to 2.2.2.3 on behalf of a
    connection being originated by 2.2.2.3.
    > I've tried setting this up with the help of this newsgroup but I'm at a
    > loss, can someone please tell me what commands I need to put in?
    >
    > I originally put in the following but this stops 2.2.2.3 going out
    >
    > e1/2
    > ip access-group 100 out
    >
    > access-list 100 permit tcp any host 2.2.2.3 eq www
    > access-list 100 permit tcp host 1.1.1.2 host 2.2.2.3 eq 22
    > access-list 100 deny ip any any
    >

    This access-list allows only traffic from any to port 80 and from
    1.1.1.2 to 2.2.2.3 with ssh. BUT, you want to allow all traffic from
    2.2.2.3 to everywhere, right?
    Now, "traffic" normally means a duplex connection, that means some
    packets need to come back to the originator.
    So, you need to add an appropriate entry to the access-list 100
    permitting this.
    Now, there're several methods of doing that, some more secure or elegant
    than others. I suggest that you read the Configuration guides for IOS
    Security and Traffic filtering.

    But, a simple approach might be three more lines:
    access-list 100 permit tcp any host 2.2.2.3 established
    access-list 100 permit icmp any host 2.2.2.3
    access-list 100 permit udp any host 2.2.2.3 gt 1023

    These three lines will allow any TCP-traffic to 2.2.2.3 with the ACK
    and/or RST-Bit set (normal packet during a tcp-conversation, NOT during
    setup),
    all ICMP (i.e. an echo from 2.2.2.3 will want to have an echo-response
    back) to 2.2.2.3 and
    all udp-traffic with portnumber >1023, which is an INDICATION (not a
    fact) that this packet is an answer.
    Now, this still doesn't solve a ftp-issue. Dig for yourself :)


    > Should the ip group be "in" instead of "out"?

    Well, reversing the direction of a packetfilter does change the rules
    required but not the problem.

    >
    > What does this mean "One access list per interface, per protocol, per
    > direction is allowed" Does that mean I cannot have 2 different protocols on
    > one access list (TCP and IP)?

    That means, that you could have
    ONE access-list for protocol IP in INCOMING and ONE for IP in OUTGOING
    direction
    AND
    ONE access-list for protocol IPX in INCOMING and ONE for IPX in OUTGOING
    direction
    and so forth. TCP/UDP certainly do not qualify as "protocols" in regards
    of OSI layer 3, which is synonymous here for "protocol".

    >
    > When you have an "in" access-list should you also always have an "out"
    > access-list? Does this encroach on the above restriction?

    Not required. But have a look at "reflective access-lists". THEN you
    need in and out.
    >


    Mathias

    --
    CCIE #11220
    Everything written is MY opinion only, not the one of my company or
    employer unless otherwise noted

    The early bird gets the worm, but the second mouse gets the cheese

    My signature is certified by Fraunhofer Society.
    The root-ca IS trusted but the browser-manufacturers want big $ to have
    it included
     
    Mathias Gaertner, Aug 18, 2004
    #2

  3. Hi Mathias Gaertner,

    Thankyou for your help, your explanations are great and your example worked
    a treat. You're the man!

    Dave

    "Mathias Gaertner" <> wrote in message
    news:cfvfus$1oe$-darmstadt.de...
    > Hello,
    > see inline answer(s)
    > David Hodgson wrote:
    >
    > > Folks I appreciate everyone's help here but I have major questions about
    > > ACL's that need verified before all my hair falls out, and believe me
    > > there's not much left :). I can't really do any debugging as guys are using
    > > this router 24/7 and I keep getting complaints that they're getting
    > > disconnected etc. while I work on ACL's, not surprising really :)
    > >
    > > I have
    > >
    > >
    > > Host 1.1.1.2---HUB---e1/1, 1.1.1.1-Router-e1/2, 2.2.2.2---HUB---Host 2.2.2.3
    > >
    > > I want to only allow port 80 from any source to 2.2.2.3
    > > I also want to only allow port 22 from only 1.1.1.2 to 2.2.2.3
    > > I also want 2.2.2.3 allowed to access everything and anything (including
    > > ICMP)
    > >

    > So far, so good. But you must extend this description with the following:
    > permit all tcp/udp-traffic that is returned! to 2.2.2.3 on behalf of a
    > connection being originated by 2.2.2.3.
    > > I've tried setting this up with the help of this newsgroup but I'm at a
    > > loss, can someone please tell me what commands I need to put in?
    > >
    > > I originally put in the following but this stops 2.2.2.3 going out
    > >
    > > e1/2
    > > ip access-group 100 out
    > >
    > > access-list 100 permit tcp any host 2.2.2.3 eq www
    > > access-list 100 permit tcp host 1.1.1.2 host 2.2.2.3 eq 22
    > > access-list 100 deny ip any any
    > >

    > This access-list allows only traffic from any to port 80 and from
    > 1.1.1.2 to 2.2.2.3 with ssh. BUT, you want to allow all traffic from
    > 2.2.2.3 to everywhere, right?
    > Now, "traffic" normally means a duplex connection, that means some
    > packets need to come back to the originator.
    > So, you need to add an appropriate entry to the access-list 100
    > permitting this.
    > Now, there're several methods of doing that, some more secure or elegant
    > than others. I suggest that you read the Configuration guides for IOS
    > Security and Traffic filtering.
    >
    > But, a simple approach might be three more lines:
    > access-list 100 permit tcp any host 2.2.2.3 established
    > access-list 100 permit icmp any host 2.2.2.3
    > access-list 100 permit udp any host 2.2.2.3 gt 1023
    >
    > These three lines will allow any TCP-traffic to 2.2.2.3 with the ACK
    > and/or RST-Bit set (normal packet during a tcp-conversation, NOT during
    > setup),
    > all ICMP (i.e. an echo from 2.2.2.3 will want to have an echo-response
    > back) to 2.2.2.3 and
    > all udp-traffic with portnumber >1023, which is an INDICATION (not a
    > fact) that this packet is an answer.
    > Now, this still doesn't solve a ftp-issue. Dig for yourself :)
    >
    >
    > > Should the ip group be "in" instead of "out"?

    > Well, reversing the direction of a packetfilter does change the rules
    > required but not the problem.
    >
    > >
    > > What does this mean "One access list per interface, per protocol, per
    > > direction is allowed" Does that mean I cannot have 2 different protocols on
    > > one access list (TCP and IP)?

    > That means, that you could have
    > ONE access-list for protocol IP in INCOMING and ONE for IP in OUTGOING
    > direction
    > AND
    > ONE access-list for protocol IPX in INCOMING and ONE for IPX in OUTGOING
    > direction
    > and so forth. TCP/UDP certainly do not qualify as "protocols" in regards
    > of OSI layer 3, which is synonymous here for "protocol".
    >
    > >
    > > When you have an "in" access-list should you also always have an "out"
    > > access-list? Does this encroach on the above restriction?

    > Not required. But have a look at "reflective access-lists". THEN you
    > need in and out.
    > >

    >
    > Mathias
    >
    > --
    > CCIE #11220
    > Everything written is MY opinion only, not the one of my company or
    > employer unless otherwise noted
    >
    > The early bird gets the worm, but the second mouse gets the cheese
    >
    > My signature is certified by Fraunhofer Society.
    > The root-ca IS trusted but the browser-manufacturers want big $ to have
    > it included
     
    David Hodgson, Aug 18, 2004
    #3
  4. Hi David, try something like this:

    interface Ethernet0/0
    ip address 10.1.19.1 255.255.255.0
    !
    interface Ethernet1/0
    ip address 10.1.20.1 255.255.255.0

    *** traffic exiting the interface ***
    ip access-group 100 out
    !
    *** allows any tcp connection to port 80 ***
    access-list 100 permit tcp any host 10.1.20.2 eq www

    *** allows 10.1.19.2 to connect to 10.1.20.2 via port 22 ***
    access-list 100 permit tcp host 10.1.19.2 host 10.1.20.2 eq 22

    *** permits ip connectivity (you can set this up to be only your
    subnets) ***
    access-list 100 permit ip any any

    !

    Your access list denies ip connectivity for all traffic leaving the
    interface, that is why people were being disconnected.

    Thanks
    Anthony


    "David Hodgson" <> wrote in message news:<cfvb20$lfq$1$>...
    > Folks I appreciate everyone's help here but I have major questions about
    > ACL's that need verified before all my hair falls out, and believe me
    > there's not much left :). I can't really do any debugging as guys are using
    > this router 24/7 and I keep getting complaints that they're getting
    > disconnected etc. while I work on ACL's, not surprising really :)
    >
    > I have
    >
    >
    > Host 1.1.1.2---HUB---e1/1, 1.1.1.1-Router-e1/2, 2.2.2.2---HUB---Host 2.2.2.3
    >
    > I want to only allow port 80 from any source to 2.2.2.3
    > I also want to only allow port 22 from only 1.1.1.2 to 2.2.2.3
    > I also want 2.2.2.3 allowed to access everything and anything (including
    > ICMP)
    >
    > I've tried setting this up with the help of this newsgroup but I'm at a
    > loss, can someone please tell me what commands I need to put in?
    >
    > I originally put in the following but this stops 2.2.2.3 going out
    >
    > e1/2
    > ip access-group 100 out
    >
    > access-list 100 permit tcp any host 2.2.2.3 eq www
    > access-list 100 permit tcp host 1.1.1.2 host 2.2.2.3 eq 22
    > access-list 100 deny ip any any
    >
    > Should the ip group be "in" instead of "out"?
    >
    > What does this mean "One access list per interface, per protocol, per
    > direction is allowed" Does that mean I cannot have 2 different protocols on
    > one access list (TCP and IP)?
    >
    > When you have an "in" access-list should you also always have an "out"
    > access-list? Does this encroach on the above restriction?
    >
    > I come from a windows background so be kind :)
    >
    > As said earlier, any help answering these questions would be great.
    >
    > cheers
    > Dave
     
    Anthony Swanson, Aug 18, 2004
    #4
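To make the first-match behaviour discussed in this thread concrete, here is an added Python model of how the router walks list 100 (written for this thread, not Cisco's matching code): it runs Dave's original list, the list with Mathias' three return-traffic lines, and Anthony's version that ends in `permit ip any any` against constructed packets. The web server 203.0.113.5 and the host 1.1.1.9 are placeholders, and the model matches exact addresses only, ignoring wildcard masks.

```python
from dataclasses import dataclass

@dataclass
class Pkt:
    proto: str                 # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: int = 0
    ack_or_rst: bool = False   # TCP ACK or RST bit set, which is what "established" tests

@dataclass
class Ace:
    action: str                # "permit" or "deny"
    proto: str                 # "ip" matches every protocol, as in "deny ip any any"
    src: str = "any"
    dst: str = "any"
    op: str = ""               # "", "eq" or "gt", applied to the destination port
    port: int = 0
    established: bool = False

def matches(ace, p):
    return ((ace.proto == "ip" or ace.proto == p.proto)
            and ace.src in ("any", p.src)
            and ace.dst in ("any", p.dst)
            and (ace.op != "eq" or p.dport == ace.port)
            and (ace.op != "gt" or p.dport > ace.port)
            and (not ace.established or (p.proto == "tcp" and p.ack_or_rst)))
def evaluate(acl, p):
    """First matching entry wins; anything unmatched hits the implicit deny."""
    for ace in acl:
        if matches(ace, p):
            return ace.action
    return "deny"

# Dave's original list 100, applied "out" on e1/2, i.e. to packets heading to 2.2.2.3
ORIGINAL = [
    Ace("permit", "tcp", "any", "2.2.2.3", "eq", 80),
    Ace("permit", "tcp", "1.1.1.2", "2.2.2.3", "eq", 22),
    Ace("deny", "ip"),
]
# Mathias' three extra lines, placed before the final deny
WITH_RETURN = ORIGINAL[:2] + [
    Ace("permit", "tcp", "any", "2.2.2.3", established=True),
    Ace("permit", "icmp", "any", "2.2.2.3"),
    Ace("permit", "udp", "any", "2.2.2.3", "gt", 1023),
] + ORIGINAL[2:]
# Anthony's variant, which ends with "permit ip any any" instead of a deny
ANY_ANY = ORIGINAL[:2] + [Ace("permit", "ip")]
WEB_REPLY = Pkt("tcp", "203.0.113.5", "2.2.2.3", 40000, ack_or_rst=True)  # constructed: SYN/ACK back to 2.2.2.3
SSH_OTHER = Pkt("tcp", "1.1.1.9", "2.2.2.3", 22)                          # constructed: SSH from a host that is not 1.1.1.2
```

The original list drops the SYN/ACK coming back to 2.2.2.3, the `established` line lets it through while still refusing a fresh SSH connection from 1.1.1.9, and the `permit ip any any` ending admits that SSH connection as well. Because `established` only inspects the ACK/RST flags rather than tracking connection state, a segment to port 22 that merely carries ACK also passes it, which is the gap the reflexive ("reflective" above) access lists Mathias points to are meant to close.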
