13 Replies. Latest reply: Sep 3, 2012 5:56 AM by Derrick B, CCENT

    ACLs on cisco router

    Derrick B, CCENT

      I am doing a router config. I have 2 computers connected to the router, 192.168.2.2 and 1.2. Here are the configuration commands:

      En
      Conf t
      Hostname REDACTED
      Enable secret REDACTED
      Service password-encryption
      No cdp run
      No ip finger
      No ip http server
      No ip source-route
      No proxy-arp
      Aaa new-model
      Username REDACTED password 0 REDACTED
      Ip domain-name REDACTED
      Crypto key generate rsa
      1024
      Ip ssh authentication-retries 3
      Ip access-list extended External
      Permit tcp any 192.168.2.0 0.0.0.255 eq 80
      Permit tcp any 192.168.2.0 0.0.0.255 eq 25
      Permit tcp any 192.168.2.0 0.0.0.255 eq 53
      line con 0
      Logging syn
      Exec-timeout 0 0
      Password REDACTED
      Exit
      Line vty 0 4
      Password REDACTED
      Transport input ssh
      Exit
      Int fa0/0
      Ip add 192.168.2.1 255.255.255.0
      Desc ISP
      No ip unreachables
      No cdp enable
      Ip access-group External in
      No shut
      Exit
      Int fa1/0
      Ip add 192.168.1.1 255.255.255.0
      Desc router inside
      No ip directed-broadcast
      No ip unreachables
      No cdp enable
      No shut
      Exit
      Ip route 0.0.0.0 0.0.0.0 f0/0

      Unfortunately, I can still ping between the two networks, which shouldn't be allowed, right? Any ideas?

        • 1. Re: ACLs on cisco router
          Stuart

          You could ping 192.168.2.1 from 192.168.1.X but not 192.168.2.2-254.

          If you can, that's weird.

          If you add permit icmp any any to External, then do some pings, then do show ip access-list.

          Do you see hits on the icmp line? This will confirm that the ICMPs are going through the access list.

          Check the spelling of External; it is easy to apply a misspelt access list.

          Remember, if the ACL does not exist it defaults to permit all.

          • 2. Re: ACLs on cisco router
            Derrick B, CCENT

            Actually, I can ping both ways, from 192.168.1.0->2.0 and from 2.0->1.0.

            I added the ACL entry deny icmp any any to the list. The sh ip access-lists command shows:

            Extended IP access list External
            10 permit tcp any 192.168.2.0 0.0.0.255 eq smtp
            20 permit tcp any 192.168.2.0 0.0.0.255 eq domain
            30 permit tcp any 192.168.2.0 0.0.0.255 eq www
            40 deny icmp any any (1013 matches) - note this is after a few rounds of pings.

            Also, my understanding is that the default policy for any traffic that doesn't match an ACL is deny?

            http://www.cisco.com/en/US/tech/tk648/tk361/technologies_configuration_example09186a0080100548.shtml : "The first match determines whether the Cisco IOS® Software accepts or rejects the packet. Because the Cisco IOS Software stops testing conditions after the first match, the order of the conditions is critical. If no conditions match, the router rejects the packet because of an implicit deny all clause."

            • 3. Re: ACLs on cisco router
              Derrick B, CCENT

              Any ideas?

              • 4. Re: ACLs on cisco router
                just plain old Kev

                This is just off the top of my head, but the ICMP type field comes after the IP header...

                so I would put the deny icmp at the top of the list before the allow tcp - that should block it.

                Ignore that, I thought you were blocking TCP.

                Try it like this (example):

                interface Serial0/0/0
                ip address 192.168.1.1 255.255.255.0
                ip access-group DENY_ICMP1 in

                interface Serial0/0/1
                ip address 192.168.2.1 255.255.255.0
                ip access-group DENY_ICMP2 in

                ip access-list extended DENY_ICMP1
                deny icmp any 192.168.2.0 0.0.0.255
                deny icmp any 192.168.1.0 0.0.0.255
                permit tcp any 192.168.2.0 0.0.0.255 eq 80
                permit tcp any 192.168.2.0 0.0.0.255 eq 25
                permit tcp any 192.168.2.0 0.0.0.255 eq 53
                deny ip any any (so it shows in the counter list)

                ip access-list extended DENY_ICMP2
                deny icmp any 192.168.2.0 0.0.0.255
                deny icmp any 192.168.1.0 0.0.0.255
                permit tcp any 192.168.1.0 0.0.0.255 eq 80
                permit tcp any 192.168.1.0 0.0.0.255 eq 25
                permit tcp any 192.168.1.0 0.0.0.255 eq 53
                deny ip any any (so it shows in the counter list)

                 


                • 5. Re: ACLs on cisco router
                  Paul Stewart  -  CCIE Security

                  The default is to deny if there is no match. I have never seen it not behave as you explained. The fact that it got matches when you added the "deny" shows that it is definitely applied. The only thing that has ever surprised me working with ACLs is the fact that outbound packets are not checked by outbound ACLs when initiated by the router itself.

                  • 6. Re: ACLs on cisco router
                    Stuart

                    Just to be clear.

                    After you added the explicit deny, and it was getting hits, were you still able to ping?

                    • 7. Re: ACLs on cisco router
                      Derrick B, CCENT

                      Yes, I was able to ping the hosts on either end, as well as the router interfaces.

                      • 8. Re: ACLs on cisco router
                        Brian

                        First off, in the ACL you have, the source IP is "any" and the destination IP is the 192.168.2.0/24 network. See below:

                        Ip access-list extended External
                        Permit tcp any 192.168.2.0 0.0.0.255 eq 80
                        Permit tcp any 192.168.2.0 0.0.0.255 eq 25
                        Permit tcp any 192.168.2.0 0.0.0.255 eq 53

                        However, you applied this to the wrong interface. See below:

                        Int fa0/0
                        Ip add 192.168.2.1 255.255.255.0
                        Ip access-group External in

                        This ACL is applied "inbound"; this means traffic coming from the hosts that lie out this interface. The 192.168.2.0/24 network will never be the destination when applied "inbound". You need to set this as an "outbound" ACL on interface F0/0. However, the implicit "deny" at the end of the ACL should deny everything else.

                        Thirdly, apply the ACL as written to interface Fa1/0. See below:

                        Int fa1/0
                        Ip add 192.168.1.1 255.255.255.0
                        Ip access-group External in

                        Now, the "any" source to destination 192.168.2.0/24 will allow only these three TCP ports.

                        Lastly, show me the pings from a host on the 192.168.1.0/24 network to a host on the 192.168.2.0/24 network and vice versa.

                        Brian

                         

                         


                        • 9. Re: ACLs on cisco router
                          Derrick B, CCENT

                          I finally was able to make a screenshot of the config, as I couldn't copy it. Can you guys take a look?

                           

                          http://i2.photobucket.com/albums/y35/LordSephiroth/configcensored.png

                          • 10. Re: ACLs on cisco router
                            sambotech12

                            Hey Brian,

                             

                            I don't know about real cisco routers but Sa Sk's config worked in Packet Tracer.  Please refer to the attached jpeg.

                             

                            acl_cisco_router.jpg

                             

                            I believe the External ACL caught the echoes when pinging from 192.168.2.2 to 192.168.1.2. That's why the fa 0/0 interface replied with "Destination host unreachable". And then the ACL caught the echo-replies from 192.168.2.2 when pinging from 192.168.1.2 to 192.168.2.2. That's why the request timed out. I can verify this with a different, but functionally similar, ACL. Post to follow. The only thing is 192.168.1.2 can ping the fa 0/0 interface, 192.168.2.1.

                             

                            The Packet Tracer file is also attached.

                             

                            -sambotech12

                            • 11. Re: ACLs on cisco router
                              sambotech12

                              Here's the modified ACL:

                              ip access-list extended External
                              permit tcp any 192.168.2.0 0.0.0.255 eq smtp
                              permit tcp any 192.168.2.0 0.0.0.255 eq domain
                              permit tcp any 192.168.2.0 0.0.0.255 eq www
                              deny icmp any any echo
                              deny icmp any any echo-reply
                              permit ip any any
                              deny ip any any

                              The matched statements work as described in the previous post. Please refer to the following jpeg.

                              acl_cisco_router_2.jpg

                              I know Sa Sk's application of the ACL doesn't follow Cisco's best practice but I think it works. I wonder why the pings were successful on his real equipment?

                              -sambotech12
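
An added example (my own code, not from the thread or from Cisco): a small Python evaluator with IOS extended-ACL semantics (wildcard masks, first match wins, implicit deny at the end), run over the External list from the original post and the modified list in the post above, to show why the list applied inbound on fa0/0 can match nothing (post 8's point) while inbound on fa1/0 it passes only the three TCP ports. The Packet class, the port/ICMP-type name tables and the sample packets are constructed for the demo.

```python
import ipaddress
from dataclasses import dataclass

PORT_NAMES = {"smtp": 25, "domain": 53, "www": 80}  # names IOS shows in show ip access-lists
ICMP_TYPES = {"echo": 8, "echo-reply": 0}

@dataclass
class Packet:
    proto: str           # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: int = 0       # TCP/UDP destination port
    icmp_type: int = -1  # ICMP type: 8 = echo, 0 = echo-reply

def _take_addr(tok):
    """One IOS address spec: any | host A.B.C.D | A.B.C.D WILDCARD (wildcard 1-bits = don't care)."""
    if tok[0] == "any":
        return (lambda a: True), tok[1:]
    if tok[0] == "host":
        return (lambda a, h=tok[1]: a == h), tok[2:]
    net, wild = (int(ipaddress.IPv4Address(t)) for t in tok[:2])
    return (lambda a: (int(ipaddress.IPv4Address(a)) & ~wild) == (net & ~wild)), tok[2:]

def _entry_matches(entry, pkt):
    tok = entry.lower().split()
    proto, rest = tok[1], tok[2:]
    src_ok, rest = _take_addr(rest)
    dst_ok, rest = _take_addr(rest)
    if proto not in ("ip", pkt.proto) or not (src_ok(pkt.src) and dst_ok(pkt.dst)):
        return False
    if rest[:1] == ["eq"]:        # "eq 80" / "eq www": TCP/UDP destination port
        return pkt.dport == (PORT_NAMES.get(rest[1]) or int(rest[1]))
    if rest and proto == "icmp":  # optional ICMP type name such as "echo-reply"
        return pkt.icmp_type == ICMP_TYPES[rest[0]]
    return True

def evaluate(acl, pkt):
    """IOS semantics: the first matching entry decides; no match is the implicit deny."""
    for entry in acl:
        if _entry_matches(entry, pkt):
            return entry.split()[0].lower()
    return "deny"

EXTERNAL = ["permit tcp any 192.168.2.0 0.0.0.255 eq 80",
            "permit tcp any 192.168.2.0 0.0.0.255 eq 25",
            "permit tcp any 192.168.2.0 0.0.0.255 eq 53"]
# Constructed packets. Inbound on fa0/0, 192.168.2.0/24 is only ever the source: no entry matches.
ECHO_FROM_2 = Packet("icmp", "192.168.2.2", "192.168.1.2", icmp_type=8)
# Inbound on fa1/0 instead (post 8): only the three TCP ports toward 192.168.2.0/24 pass.
WEB_FROM_1 = Packet("tcp", "192.168.1.2", "192.168.2.2", dport=80)
ECHO_FROM_1 = Packet("icmp", "192.168.1.2", "192.168.2.2", icmp_type=8)
```

Feed it the modified list from the post above to see that the echo/echo-reply entries catch pings in either direction while permit ip any any lets everything else through.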

                              • 12. Re: ACLs on cisco router
                                sambotech12

                                Hey Sa Sk,

                                 

                                I tried this on GNS3 and the pings worked the same as you but that was because of a misconfiguration.  Are you doing this on GNS3?

                                 

                                Please do a tracert from the host 192.168.2.2 to 192.168.1.2 and post the results.

                                 

                                Thanks,

                                -sambotech12

                                • 13. Re: ACLs on cisco router
                                  Derrick B, CCENT

                                  I have totally forgotten about this; trying to remember where I had this lab set up...