DanielUK
join:2004-11-04 Schenectady, NY
801 ISDN access list woes
I'm wondering why it is that I lose net access when I apply access list 101 to my Dialler1 interface:
access-list 101 deny icmp any any echo
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any unreachable
access-list 101 deny icmp any any
access-list 101 deny tcp any range 0 65535 any range 0 65535
access-list 101 deny udp any range 0 65535 any range 0 65535
access-list 101 deny ip any any log

As soon as I remove it, it operates fine. This is my running config at the moment:

Current configuration : 3112 bytes
!
! Last configuration change at 16:41:55 UTC Mon Apr 18 2005
! NVRAM config last updated at 07:41:35 UTC Mon Apr 18 2005
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$uOpf$emfDhaV0/UALCYwjF.iHf/
!
username Router password 7 110B1B171013070005382F2B
no aaa new-model
ip subnet-zero
no ip source-route
!
ip inspect name OUTBOUND cuseeme
ip inspect name OUTBOUND ftp
ip inspect name OUTBOUND h323
ip inspect name OUTBOUND netshow
ip inspect name OUTBOUND rcmd
ip inspect name OUTBOUND realaudio
ip inspect name OUTBOUND rtsp
ip inspect name OUTBOUND sqlnet
ip inspect name OUTBOUND tcp
ip inspect name OUTBOUND udp
ip inspect name OUTBOUND vdolive
ip inspect name OUTBOUND icmp
ip ssh break-string
isdn switch-type basic-net3
!
!
!
!
!
!
interface Ethernet0
 ip address 192.168.0.16 255.255.255.0
 ip access-group 121 in
 no ip proxy-arp
 ip nat inside
!
interface BRI0
 no ip address
 encapsulation ppp
 dialer pool-member 1
 isdn switch-type basic-net3
 ppp authentication chap pap callin
!
interface Dialer1
 description ISP
 ip address negotiated
 ip access-group 121 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 encapsulation ppp
 no ip split-horizon
 dialer pool 1
 dialer remote-name Cisco1
 dialer idle-timeout 360
 dialer string 08089916001 class DialClass
 dialer hold-queue 10
 dialer load-threshold 20 either
 dialer-group 1
 no cdp enable
 ppp authentication chap pap callin
 ppp chap hostname host-username
 ppp chap password 7 14131A5859513C38213B23272B07031E
 ppp pap sent-username username-here password 7 070B291F1B5C0F161 011B1E0D3E2F2C
!
ip nat inside source list 18 interface Dialer1 overload
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
no ip http server
no ip http secure-server
!
!
map-class dialer DialClass
access-list 18 permit 192.168.0.0 0.0.0.255
access-list 23 permit 192.168.0.0 0.0.0.255
access-list 101 deny icmp any any echo
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any unreachable
access-list 101 deny icmp any any
access-list 101 deny tcp any range 0 65535 any range 0 65535
access-list 101 deny udp any range 0 65535 any range 0 65535
access-list 101 deny ip any any log
access-list 121 deny udp any eq netbios-dgm any
access-list 121 deny udp any eq netbios-ns any
access-list 121 deny udp any eq netbios-ss any
access-list 121 deny tcp any eq 137 any
access-list 121 deny tcp any eq 138 any
access-list 121 deny tcp any eq 139 any
access-list 121 permit ip any any time-range TIME
dialer-list 1 protocol ip permit
!
!
line con 0
 exec-timeout 0 0
 transport preferred all
 transport output all
 stopbits 1
line vty 0 4
 access-class 23 in
 exec-timeout 0 0
 login local
 transport preferred all
 transport input all
 transport output all
!
no rcapi server
!
!
time-range TIME
 periodic daily 0:00 to 23:59
!
!
end

Am I missing anything obvious? Or, can anyone recommend a better access list?
Thanks
Dan

 se4b4ss
join:2004-12-09 Desoto, TX
Your last statement is "deny ip any any". You should put a "permit tcp any any eq 80" in there.
Steve »www.networking-forum.com

 DanielUK
join:2004-11-04 Schenectady, NY
Thanks Steve, I'll give that a go when I've got a free minute. Just to recap, I should end up with:
access-list 101 deny icmp any any echo
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any unreachable
access-list 101 deny icmp any any
access-list 101 deny tcp any range 0 65535 any range 0 65535
access-list 101 deny udp any range 0 65535 any range 0 65535
access-list 101 permit tcp any any eq 80
access-list 101 deny ip any any log
I keep the '101 deny ip any any log', right?
Thanks again,
Dan

 DanielUK
join:2004-11-04 Schenectady, NY
reply to DanielUK
Hmmm, thinking about it, access-list 101 is for traffic coming in. Shouldn't "permit tcp any any eq 80" be applied to outgoing traffic? And shouldn't port 443 also be on there for secure connections?
Thanks
Dan

 se4b4ss
join:2004-12-09 Desoto, TX
reply to DanielUK
You will only have to permit ip any any 80 outbound if you are implicitly denying that type of traffic... you are implicitly denying it inbound, so you must explicitly permit it.
Steve »www.networking-forum.com

 aryoba Premium,MVM join:2002-08-22
reply to se4b4ss
se4b4ss,
You said "Your last statement is 'deny ip any any'. You should put a 'permit tcp any any eq 80' in there."
Actually you are missing the point here, if I may say so. I can see from the configuration that DanielUK here is trying to use CBAC (the ip inspect command). The "deny ip any any" actually is a good thing and should be there for the CBAC implementation to employ a strong IOS-based firewall.
DanielUK,
Your original ACL 101 and 121 were already good to go with one little modification. Modify "access-list 121 permit ip any any time-range TIME" to be "access-list 121 permit ip any any".
2nd step, modify the ACL application so that the interface Dialer1 uses ACL 101 and interface Ethernet0 uses ACL 121. Therefore under interface Dialer1, modify "ip access-group 121 in" to be "ip access-group 101 in".
A little tip. You might want to add a remark on these two ACLs for future reference so that it is easier to distinguish between the two. Add remarks such as "access-list 121 remark Inside Interface Firewall" and "access-list 101 remark Outside Interface Firewall".
3rd step, add "ip inspect OUTBOUND out" under the interface Dialer1. This will activate the CBAC on the outside Internet-facing interface.
The 3rd step should be the final step. At the end of this step, your router should work with no problem. Btw, do you recall that I was the one back months ago who suggested your original configuration (with the CBAC usage)?

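As an added illustration (not code from the thread or from anyone posting in it), here is a small Python model of first-match IOS ACL evaluation plus a CBAC-style session table, run against ACL 101 exactly as posted and against the recap list with "permit tcp any any eq 80" added. The Packet type, the Inspect class, acl_verdict and all port numbers are constructed for the example; they are not IOS APIs.

```python
# Added example (not from the thread): a toy first-match model of IOS ACL evaluation
# plus a CBAC-style session table, run against ACL 101 exactly as posted above.
from typing import NamedTuple
# proto is "tcp"/"udp"/"icmp"; for icmp, dport carries the ICMP type and sport is 0
Packet = NamedTuple("Packet", [("proto", str), ("sport", int), ("dport", int)])
ICMP_TYPES = {"echo": 8, "echo-reply": 0, "time-exceeded": 11, "unreachable": 3}

ACL_101 = """deny icmp any any echo
permit icmp any any echo-reply
permit icmp any any time-exceeded
permit icmp any any unreachable
deny icmp any any
deny tcp any range 0 65535 any range 0 65535
deny udp any range 0 65535 any range 0 65535
deny ip any any log"""
ACL_101_RECAP = ACL_101.replace("deny ip", "permit tcp any any eq 80\ndeny ip")  # the later recap

def _port_spec(t, i):  # consume an optional 'eq N' / 'range A B' after a host -> (matcher, next index)
    if i < len(t) and t[i] == "eq":
        n = int(t[i + 1]); return (lambda p: p == n), i + 2
    if i < len(t) and t[i] == "range":
        lo, hi = int(t[i + 1]), int(t[i + 2]); return (lambda p: lo <= p <= hi), i + 3
    return (lambda p: True), i

def parse_ace(line):
    """Parse one entry into (action, matcher); only 'any' hosts, which is all ACL 101 uses."""
    t = line.split(); action, proto = t[0], t[1]
    smatch, i = _port_spec(t, 3)       # t[2] is the source 'any'
    dmatch, i = _port_spec(t, i + 1)   # t[i] is the destination 'any'
    icmp_type = ICMP_TYPES.get(t[i]) if proto == "icmp" and i < len(t) else None
    def matches(pkt):
        if proto not in ("ip", pkt.proto): return False
        if proto == "icmp": return icmp_type is None or pkt.dport == icmp_type
        return smatch(pkt.sport) and dmatch(pkt.dport)
    return action, matches

def acl_verdict(acl_text, pkt):
    """First matching entry wins; anything unmatched falls to the implicit deny."""
    for line in acl_text.splitlines():
        action, matches = parse_ace(line)
        if matches(pkt): return action
    return "deny"

class Inspect:
    """CBAC-style state: a TCP/UDP session seen leaving opens its return path before the inbound ACL."""
    def __init__(self): self.sessions = set()
    def outbound(self, pkt):
        if pkt.proto in ("tcp", "udp"): self.sessions.add((pkt.proto, pkt.sport, pkt.dport))
    def inbound(self, acl_text, pkt):
        if (pkt.proto, pkt.dport, pkt.sport) in self.sessions: return "permit"
        return acl_verdict(acl_text, pkt)
```

Without the session table the reply to an outbound web request is dropped by the tcp range deny, which is why the connection dies when ACL 101 is applied alone; with the outbound session recorded first, the same reply is permitted while unsolicited inbound packets still fall through to the deny entries.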
 DanielUK
join:2004-11-04 Schenectady, NY
reply to DanielUK
Thanks Aryoba,
No I haven't forgotten that it was you who gave me the original configuration! I will try your suggestions but a couple more things.
1. Going back to the original thread, I updated to IOS 12.3 but I still can't get the "ip cef" command to work and subsequently the "ip verify unicast reverse-path" (which tells me to run ip cef!) won't run. I asked this question before (I think you missed it!) and one of the replies was "You can't use CEF through a multilink interface." so I gather I can't use it?
2. The router has been in operation over the past week but we've been finding that the receiving of a long list of emails will suddenly stop in the middle. This is usually resolved by stop/starting the receiving to receive only a small number of emails at a time, but I was wondering if there was some kind of size limit on the emails coming in?
Thanks again,
Dan

 aryoba Premium,MVM join:2002-08-22
1. The "ip cef" command is only available on certain IOS images and certain routers. Frankly, I have never used 801 routers before, so I'm not certain about its unavailability on 801 routers. However, the unavailability should not affect your security level.
2. The email process itself has nothing to do with your router's configuration or the ISP connection. My guess is that the problem may lie with the email servers themselves.

 DanielUK
join:2004-11-04 Schenectady, NY
reply to DanielUK
Thanks Aryoba, everything is stealthed now and working; the email problem must have been an intermittent ISP problem. I basically recreated it from scratch and made sure access list 101 was applied to Dialer1 and access list 121 was applied to Ethernet0.
The only thing I didn't change is removing the "time-range TIME" as you suggested. Does it make any difference if it's there or not? Access list 121 is the default list the router generates when you go through faststep.
Thanks
Dan

 aryoba Premium,MVM join:2002-08-22
Since you set the TIME value to 0:00 to 23:59, there should be no difference between "permit ip any any time-range" and "permit ip any any". To understand this better, here's a Cisco link on the time-range discussion:
Time-Based ISDN/Asynchronous (Legacy) DDR: »www.cisco.com/en/US/tech/tk801/t···89.shtml