
cisco 831 and acl's

Delirious Member Posts: 79
It seems like no matter what ACL I apply to the incoming port (the one that's connected to the modem), it results in me not being able to access the internet. I've read about a dozen different online guides and even used their ACLs (modified with the appropriate address), and those don't work.

I really need some help in a bad way.

Here's my config:

Building configuration...

Current configuration : 3684 bytes
!
version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname HomeR1
!
boot-start-marker
boot-end-marker
!
enable secret
!
clock timezone EST -4
no aaa new-model
ip subnet-zero
!
!
!
ip dhcp pool Home1
network 192.168.0.0 255.255.255.0
dns-server 24.92.226.9 24.92.226.102
default-router 192.168.0.1
lease 7
!
!
ip domain name maine.rr.com
ip ips po max-events 100
ip ssh time-out 60
no ftp-server write-enable
!
!
username privilege 15 password 0
!
!
no crypto isakmp ccm
!
!
!
interface Ethernet0
ip address 192.168.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly
no cdp enable
!
interface Ethernet1
ip address dhcp
ip nat outside
ip virtual-reassembly
duplex auto
no cdp enable
!
interface FastEthernet1
duplex auto
speed auto
!
interface FastEthernet2
duplex auto
speed auto
!
interface FastEthernet3
duplex auto
speed auto
!
interface FastEthernet4
duplex auto
speed auto
!
ip classless
!
no ip http server
no ip http secure-server
!
ip nat inside source list 1 interface Ethernet1 overload
ip nat inside source static tcp 192.168.0.10 23389 interface Ethernet1 23389
ip nat inside source static tcp 192.168.0.9 5900 interface Ethernet1 5900
ip nat inside source static tcp 192.168.0.9 65050 interface Ethernet1 65050
!
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 1 deny any
access-list 100 permit tcp any any established
access-list 100 deny ip 192.168.0.0 0.0.0.255 any log-input
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip any 192.168.0.0 0.0.0.255 log-input
access-list 100 permit icmp any host 81.88.156.99 time-exceeded
access-list 100 permit icmp any host 81.88.156.99 packet-too-big
access-list 100 permit icmp any host 81.88.156.99 unreachable
access-list 100 permit icmp any host 81.88.156.99 traceroute
access-list 100 permit icmp any host 81.88.156.99 echo-reply
access-list 100 permit icmp any host 81.88.156.99 echo log-input
access-list 100 deny icmp any any redirect
access-list 100 deny icmp any any timestamp-request
access-list 100 deny icmp any any information-request
access-list 100 permit tcp any host 81.88.156.99 eq ftp-data
access-list 100 permit tcp any host 81.88.156.99 eq ftp
access-list 100 permit tcp any host 81.88.156.99 eq 22
access-list 100 permit tcp any host 81.88.156.99 eq smtp
access-list 100 permit tcp any host 81.88.156.99 eq www
access-list 100 permit tcp any host 81.88.156.99 eq 5900
access-list 100 permit tcp any host 81.88.156.99 eq 65050
access-list 100 permit tcp any host 81.88.156.99 eq 23389
access-list 100 permit tcp any host 81.88.156.99 eq 3389
access-list 100 remark block telnet
access-list 100 deny tcp any host 81.88.156.99 eq telnet
access-list 100 remark 445 is Sasser
access-list 100 deny tcp any any eq 445 log-input
access-list 100 remark 135 is MSBlaster
access-list 100 deny tcp any any eq 135 log-input
access-list 100 remark 1433 is MS-SQL Hello Buffer overflow
access-list 100 deny tcp any any eq 1433 log-input
access-list 100 deny ip any any log-input
access-list 101 remark incoming
no cdp run
!
!
control-plane
!
banner motd ^C

UNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED.
You must have explicit permission to access this device.
All activities performed on this device are logged.


^C
!
line con 0
password
logging synchronous
login local
no modem enable
line aux 0
password
logging synchronous
login local
line vty 0 4
password
logging synchronous
login local
transport input ssh
!
scheduler max-task-time 5000
end

Comments

    dtlokee Member Posts: 2,378
    You have the outside interface set for DHCP and you're creating an access list that has hard-coded addresses in it. If the address from your ISP changes, it will break the ACL. In this case I'm assuming the outside interface has the IP address 81.88.156.9. You may want to change that to an entry using the subnet address/wildcard mask. Not sure if that's the problem, but I would look into it.
    The only easy day was yesterday!
    mikej412 Member Posts: 10,086
    I don't see any routing protocol or default static route configured in your config. How does the router know where to send internet traffic?

    I also don't see the ACL applied to your "external interface"... but NAT should take care of some of the stuff. If you want traffic to come in on some ports (like web server) -- then you'd map those ports to your internal (nat'ed) hosts.
    :mike: Cisco Certifications -- Collect the Entire Set!
    Delirious Member Posts: 79
    mikej412 wrote:
    I don't see any routing protocol or default static route configured in your config. How does the router know where to send internet traffic?

    I set up NAT; I didn't realize I have to set up a default static route? Everything has been working fine: I get internet access, all the static mappings work, DHCP works, and I can SSH into the router from work.

    mikej412 wrote:
    I also don't see the ACL applied to your "external interface"... but NAT should take care of some of the stuff. If you want traffic to come in on some ports (like web server) -- then you'd map those ports to your internal (nat'ed) hosts.

    I didn't apply the ACL to the e1 (in) interface because when I do I get no internet access. The same goes for any ACL I try.

    Even one like this doesn't work:

    access-list 101 permit icmp any any echo
    access-list 101 permit icmp any any echo-reply
    access-list 101 permit icmp any any packet-too-big
    access-list 101 permit icmp any any time-exceeded
    access-list 101 permit icmp any any traceroute
    access-list 101 permit icmp any any unreachable
    access-list 101 permit ip any host 81.88.156.99 eq 65000
    access-list 101 permit ip any host 81.88.156.99 eq 65051
    access-list 101 permit ip any host 81.88.156.99 eq 63389
    access-list 101 permit ip any host 81.88.156.99 eq 23
    access-list 101 permit ip any host 81.88.156.99 eq 22
    access-list 101 permit ip any host 81.88.156.99 eq 5900
    access-list 101 permit ip any host 81.88.156.99 eq 80
    access-list 101 permit ip any host 81.88.156.99 eq 443
    access-list 101 deny ip any any log
    dtlokee Member Posts: 2,378
    Well, in the second example you've removed the "permit tcp any any established"; that would break most of your TCP protocols.
    access-list 101 permit ip any host 81.88.156.99 eq 23
    access-list 101 permit ip any host 81.88.156.99 eq 22
    access-list 101 permit ip any host 81.88.156.99 eq 5900
    access-list 101 permit ip any host 81.88.156.99 eq 80
    access-list 101 permit ip any host 81.88.156.99 eq 443

    If the intent here was to allow Telnet, SSH, HTTP and SSL inbound, remember the protocol is TCP, not IP, and the port number that the traffic is going to is a random number above 1023.

    Try something like this:

    access-list 101 permit tcp any eq 80 host 81.88.156.99

    That would allow traffic from a web server to the client. I would add the permit tcp any any established back to take care of the TCP protocols, instead of creating an entry for each one. Or perhaps create a reflexive ACL (not sure if the 831 supports them).
    The only easy day was yesterday!
    Delirious Member Posts: 79
    My intent was to filter incoming ports.

    I tried "access-list 101 permit tcp any any established" as the only entry in the ACL and applied it to the e1 interface for incoming, and lost the internet connection; removed it and it worked again.

    Tried:
    access-list 101 permit tcp any any established
    access-list 101 permit tcp any eq 80 host 81.88.156.99

    Those were the only two entries, applied to the e1 interface as incoming, and still no internet connection.

    This is really irritating.
    dtlokee wrote:
    Well, in the second example you've removed the "permit tcp any any established"; that would break most of your TCP protocols.
    access-list 101 permit ip any host 81.88.156.99 eq 23
    access-list 101 permit ip any host 81.88.156.99 eq 22
    access-list 101 permit ip any host 81.88.156.99 eq 5900
    access-list 101 permit ip any host 81.88.156.99 eq 80
    access-list 101 permit ip any host 81.88.156.99 eq 443

    If the intent here was to allow Telnet, SSH, HTTP and SSL inbound, remember the protocol is TCP, not IP, and the port number that the traffic is going to is a random number above 1023.

    Try something like this:

    access-list 101 permit tcp any eq 80 host 81.88.156.99

    That would allow traffic from a web server to the client. I would add the permit tcp any any established back to take care of the TCP protocols, instead of creating an entry for each one. Or perhaps create a reflexive ACL (not sure if the 831 supports them).
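An inbound filter for Ethernet1 that keeps the connectivity the thread kept losing, as an added example rather than anyone's posted config: `established` matches only TCP segments with ACK or RST set, so an ACL made of that line alone drops the UDP DNS answers from the pool's DNS servers and the UDP DHCP lease replies that Ethernet1 itself depends on, and the implicit deny does the rest. Addresses come from the posted config; the public address 81.88.156.99 staying fixed and the ACL name OUTSIDE-IN are assumptions.

```cisco
! Assumed name; applied inbound on the ISP-facing interface. The inbound ACL is
! evaluated before outside-to-inside NAT, so destinations are still the public
! address (assumed to remain 81.88.156.99; "ip address dhcp" can change it).
ip access-list extended OUTSIDE-IN
 remark Return traffic for TCP sessions opened from the inside (ACK/RST set)
 permit tcp any any established
 remark DHCP lease and renewals for Ethernet1 (UDP, not covered by established)
 permit udp any eq bootps any eq bootpc
 remark DNS answers from the servers handed out by pool Home1 (UDP 53)
 permit udp host 24.92.226.9 eq domain any
 permit udp host 24.92.226.102 eq domain any
 remark ICMP needed for path MTU discovery, ping replies and traceroute
 permit icmp any host 81.88.156.99 echo-reply
 permit icmp any host 81.88.156.99 time-exceeded
 permit icmp any host 81.88.156.99 packet-too-big
 permit icmp any host 81.88.156.99 unreachable
 remark Published services, matching the static NAT entries, plus SSH to the router
 permit tcp any host 81.88.156.99 eq 22
 permit tcp any host 81.88.156.99 eq 5900
 permit tcp any host 81.88.156.99 eq 65050
 permit tcp any host 81.88.156.99 eq 23389
 remark Anti-spoofing: the inside prefix must never arrive from the ISP side
 deny ip 192.168.0.0 0.0.0.255 any log-input
 deny ip any any log-input
!
interface Ethernet1
 ip access-group OUTSIDE-IN in
```

After applying it, `show access-lists OUTSIDE-IN` shows per-entry hit counts, so a service that stops working can be traced to the line that is dropping it instead of guessing.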