ACL not working, any clues?

Delirious Member Posts: 79
I applied the "incoming" ACL to the f4 port on my 871 (advanced IP) and now

can't:
1. FTP directory listing fails (it connects but fails to retrieve the directory listing, FileZilla)
2. get to an external web site
3. torrent works on port 65500

can:
1. telnet into router from another network
2. RDP into my machine on port 63389
3. get to my website hosted on an internal machine

So it's partially working; I just can't figure out why FTP and internet access aren't working.

Can someone please help me? I know it's probably something simple, but I'm not seeing it.

version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname r1
!
boot-start-marker
boot-end-marker
!
logging buffered 4096
enable secret ******
!
no aaa new-model
clock timezone EST -4
!
!
!
!
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.0.100 192.168.0.101
ip dhcp excluded-address 192.168.0.1 192.168.0.5
!
ip dhcp pool lan1
network 192.168.0.0 255.255.255.0
dns-server 24.92.226.9 24.92.226.102
default-router 192.168.0.1
!
!
vlan ifdescr detail
!
multilink bundle-name authenticated
!
!
username ******* privilege 15 password ********
archive
log config
hidekeys
!
!
!
!
!
interface FastEthernet0
spanning-tree portfast
!
interface FastEthernet1
spanning-tree portfast
!
interface FastEthernet2
spanning-tree portfast
!
interface FastEthernet3
spanning-tree portfast
!
interface FastEthernet4
ip address dhcp
ip access-group incoming in
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface Vlan1
ip address 192.168.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
!
!
no ip http server
no ip http secure-server
ip nat inside source list lan-nat interface FastEthernet4 overload
ip nat inside source static tcp 192.168.0.3 21 interface FastEthernet4 21
ip nat inside source static tcp 192.168.0.2 65500 interface FastEthernet4 65500
ip nat inside source static tcp 192.168.0.101 63389 interface FastEthernet4 63389
ip nat inside source static tcp 192.168.0.3 80 interface FastEthernet4 80
!
ip access-list standard lan-nat
permit 192.168.0.0 0.0.0.255
!
ip access-list extended incoming
permit tcp any any established
permit tcp any host 74.75.113.20 eq ftp-data
permit tcp any host 74.75.113.20 eq 63389
permit tcp any host 74.75.113.20 eq 65500
permit tcp any host 74.75.113.20 eq www
permit tcp any host 74.75.113.20 eq ftp
permit tcp any host 74.75.113.20 eq telnet
remark IP address spoof protection
deny ip 10.0.0.0 0.255.255.255 any log
deny ip 0.0.0.0 0.255.255.255 any log
deny ip 172.16.0.0 0.15.255.255 any log
deny ip 192.168.0.0 0.0.255.255 any log
deny ip 192.0.2.0 0.0.0.255 any log
deny ip 169.254.0.0 0.0.255.255 any log
deny ip host 255.255.255.255 any log
deny ip host 0.0.0.0 any log
remark ICMP filters
deny icmp any any redirect log
deny icmp any any echo log
deny icmp any any mask-request log
permit icmp any any echo
permit icmp any any echo-reply
permit icmp any any source-quench
permit icmp any any packet-too-big
permit icmp any any time-exceeded
deny icmp any any
deny ip any any log
!
!
!
!
!
control-plane
!
banner motd ^C
********************************************
*Unauthorized access prohibited
********************************************
^C
!
line con 0
password 7 002E43551
logging synchronous
login local
no modem enable
transport preferred none
line aux 0
password 7 002E43551
logging synchronous
login local
transport preferred none
line vty 0 4
exec-timeout 30 0
password 7 002E43551
logging synchronous
login local
transport preferred none
!
scheduler max-task-time 5000

!
webvpn cef
end

Comments

  • Netstudent Member Posts: 1,693
    Your fa4 port is getting an IP from the DHCP, right? It looks like the DHCP is leasing out private addresses. Then you are NAT overloading that interface. So are you overloading to a private IP?
    There is no place like 127.0.0.1 BUT 209.62.5.3 is my 127.0.0.1 away from 127.0.0.1!
  • Delirious Member Posts: 79
    Netstudent wrote:
    Your fa4 port is getting an IP from the DHCP, right? It looks like the DHCP is leasing out private addresses. Then you are NAT overloading that interface. So are you overloading to a private IP?

    Actually, this is my personal home router, so it's hooked up to Road Runner and receives a dynamic IP from them, which is something like 74.75.113.20.

    The DHCP is for the LAN only.
  • tech-airman Member Posts: 953
    Delirious wrote:
    I applied the "incoming" ACL to the f4 port on my 871 (advanced IP) and now

    can't:
    1. FTP directory listing fails (it connects but fails to retrieve the directory listing, FileZilla)
    2. get to an external web site
    3. torrent works on port 65500

    can:
    1. telnet into router from another network
    2. RDP into my machine on port 63389
    3. get to my website hosted on an internal machine

    So it's partially working; I just can't figure out why FTP and internet access aren't working.

    Can someone please help me? I know it's probably something simple, but I'm not seeing it.
    <snip>

    Delirious,

    In plain English, what is the purpose(s) of the ACL?
  • dtlokee Member Posts: 2,378
    Delirious wrote:
    I applied the "incoming" ACL to the f4 port on my 871 (advanced IP) and now

    can't:
    1. FTP directory listing fails (it connects but fails to retrieve the directory listing, FileZilla)
    2. get to an external web site
    3. torrent works on port 65500

    can:
    1. telnet into router from another network
    2. RDP into my machine on port 63389
    3. get to my website hosted on an internal machine

    So it's partially working; I just can't figure out why FTP and internet access aren't working.

    You have a PAT rule for port 21 (FTP control) but not 20 (ftp-data). FTP is a difficult protocol to secure with access lists because it uses secondary ports that are negotiated in the data stream. This can be configured using IP inspection. I also don't see any entries for DNS (UDP 53) in your ACL; this may prevent DNS queries from returning, thereby breaking your web connections. Try using nslookup to troubleshoot this.
    The only easy day was yesterday!
  • Delirious Member Posts: 79
    These are the suggestions I got from the Cisco forum on dslreports.com. Both open up holes, so for now I'm going to be using CBAC.

    For FTP
    Again, this is for FTP client sessions initiated from your inside network.

    - Passive FTP uses data ports gt 1023
    permit tcp any eq ftp host 74.75.113.20 gt 1023
    permit tcp any gt 1023 host 74.75.113.20 gt 1023

    - Active FTP uses ftp-data port 20
    permit tcp any eq ftp host 74.75.113.20 gt 1023
    permit tcp any eq ftp-data host 74.75.113.20 gt 1023

    This will work, but from this you can see the vulnerabilities opened when using stateless ACLs.

    For web traffic
    permit tcp any host 74.75.113.20 eq www

    The above entry will work for traffic initiated from outside to inside, but to allow return traffic for connections initiated from inside you will need to allow this.

    permit tcp any eq www host 74.75.113.20 gt 1023

    As for FTP from inside to outside, it's a bit more complicated and depends on whether your client is doing active or passive mode FTP.
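Why the posted ACL breaks DNS replies and active-mode FTP data while web and RDP traffic still pass can be checked with the model below, added here as an example and not code from the thread or from Cisco: it evaluates the "incoming" ACL first-match against constructed packets, illustrating both dtlokee's diagnosis and the stateless-ACL caveat in the dslreports suggestions. It assumes the wildcard masks rewritten as CIDR, the ICMP lines omitted, and remote addresses that are invented for illustration.

```python
from ipaddress import ip_address, ip_network

ROUTER = "74.75.113.20"  # WAN address named in the thread

def ace(action, proto, src="any", dst="any", sport=None, dport=None, established=False):
    """One access-list entry; ports are exact matches, networks are CIDR strings."""
    return dict(action=action, proto=proto, src=src, dst=dst,
                sport=sport, dport=dport, established=established)

# Spoof-protection sources from the posted ACL, wildcard masks rewritten as CIDR.
SPOOF_SOURCES = ["10.0.0.0/8", "0.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                 "192.0.2.0/24", "169.254.0.0/16", "255.255.255.255/32", "0.0.0.0/32"]

# The "incoming" ACL from the original post in its posted order (ICMP lines omitted).
INCOMING = [
    ace("permit", "tcp", established=True),
    *[ace("permit", "tcp", dst=ROUTER, dport=p) for p in (20, 63389, 65500, 80, 21, 23)],
    *[ace("deny", "ip", src=net) for net in SPOOF_SOURCES],
    ace("deny", "ip"),  # the explicit "deny ip any any log" at the end
]

def packet(proto, src, dst, sport=None, dport=None, ack=False):
    """A constructed packet header; ack=True marks a TCP segment with ACK (or RST) set."""
    return dict(proto=proto, src=src, dst=dst, sport=sport, dport=dport, ack=ack)

def matches(a, pkt):
    """Cisco-style match: protocol, source/destination network, exact ports, ACK bit."""
    in_net = lambda addr, net: net == "any" or ip_address(addr) in ip_network(net)
    return (a["proto"] in ("ip", pkt["proto"])
            and in_net(pkt["src"], a["src"]) and in_net(pkt["dst"], a["dst"])
            and a["sport"] in (None, pkt["sport"]) and a["dport"] in (None, pkt["dport"])
            and (not a["established"] or pkt["ack"]))  # "established" only looks at ACK/RST

def evaluate(acl, pkt):
    """First match wins, as on IOS; returns (action, index) or the implicit deny."""
    for index, a in enumerate(acl):
        if matches(a, pkt):
            return a["action"], index
    return "deny", None

# Constructed traffic for the symptoms in the thread (remote addresses are examples).
DNS_REPLY = packet("udp", "24.92.226.9", ROUTER, sport=53, dport=51000)          # UDP has no ACK bit
WEB_REPLY = packet("tcp", "203.0.113.10", ROUTER, sport=80, dport=51001, ack=True)
ACTIVE_FTP_DATA = packet("tcp", "203.0.113.10", ROUTER, sport=20, dport=51002)   # server-sent SYN
PASSIVE_FTP_DATA = packet("tcp", "203.0.113.10", ROUTER, sport=50123, dport=51003, ack=True)
INBOUND_RDP = packet("tcp", "198.51.100.7", ROUTER, sport=40000, dport=63389)
PRIVATE_SRC_TO_RDP = packet("tcp", "192.168.77.5", ROUTER, sport=40000, dport=63389)  # ordering check
```

The DNS reply and the server-initiated active FTP data connection fall through to the final deny, while replies that carry the ACK bit match `established`; the last packet shows that the spoof-protection denies only take effect for ports that no earlier permit already covers.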