3044 Views 13 Replies Latest reply: Sep 3, 2012 5:56 AM by Derrick B, CCENT


ACLs on cisco router

Mar 22, 2012 8:15 PM

Derrick B, CCENT 86 posts since
Sep 27, 2009

I am doing a router config. I have 2 computers connected to the router, 192.168.2.2 and 192.168.1.2. Here are the configuration commands:

en
conf t
hostname REDACTED
enable secret REDACTED
service password-encryption
no cdp run
no ip finger
no ip http server
no ip source-route
no proxy-arp
aaa new-model
username REDACTED password 0 REDACTED
ip domain-name REDACTED
crypto key generate rsa
1024
! 1024 is the modulus size answered at the key-generation prompt
ip ssh authentication-retries 3
ip access-list extended External
 permit tcp any 192.168.2.0 0.0.0.255 eq 80
 permit tcp any 192.168.2.0 0.0.0.255 eq 25
 permit tcp any 192.168.2.0 0.0.0.255 eq 53
line con 0
 logging synchronous
 exec-timeout 0 0
 password REDACTED
 exit
line vty 0 4
 password REDACTED
 transport input ssh
 exit
int fa0/0
 ip add 192.168.2.1 255.255.255.0
 desc ISP
 no ip unreachables
 no cdp enable
 ip access-group External in
 no shut
 exit
int fa1/0
 ip add 192.168.1.1 255.255.255.0
 desc router inside
 no ip directed-broadcast
 no ip unreachables
 no cdp enable
 no shut
 exit
ip route 0.0.0.0 0.0.0.0 f0/0

Unfortunately, I can still ping between the two networks, which shouldn't be allowed, right? Any ideas?

  • Stuart 33 posts since
    Feb 13, 2012
    1. Mar 23, 2012 4:46 AM (in response to Derrick B, CCENT)
    Re: ACLs on cisco router

    You could ping 192.168.2.1 from 192.168.1.X but not 192.168.2.2-254.

    If you can, that's weird.

    If you add permit icmp any any to External, then do some pings, then do show ip access-list.

    Do you see hits on the icmp line? This will confirm that the ICMPs are going through the access list.

    Check the spelling of External; it is easy to apply a misspelt access list.

    Remember, if the ACL does not exist it defaults to permit all.

  • 4. Mar 25, 2012 5:58 PM (in response to Derrick B, CCENT)
    Re: ACLs on cisco router

    This is just off the top of my head, but the ICMP type field comes after the IP header...

    so I would put the deny icmp at the top of the list before the allow tcp - that should block it.

    Ignore that, I thought you were blocking TCP.

    Try it like this (example):

    interface Serial0/0/0
     ip address 192.168.1.1 255.255.255.0
     ip access-group DENY_ICMP1 in

    interface Serial0/0/1
     ip address 192.168.2.1 255.255.255.0
     ip access-group DENY_ICMP2 in

    ip access-list extended DENY_ICMP1
     deny icmp any 192.168.2.0 0.0.0.255
     deny icmp any 192.168.1.0 0.0.0.255
     permit tcp any 192.168.2.0 0.0.0.255 eq 80
     permit tcp any 192.168.2.0 0.0.0.255 eq 25
     permit tcp any 192.168.2.0 0.0.0.255 eq 53
     deny ip any any
    ! explicit deny so it shows in the counter list

    ip access-list extended DENY_ICMP2
     deny icmp any 192.168.2.0 0.0.0.255
     deny icmp any 192.168.1.0 0.0.0.255
     permit tcp any 192.168.1.0 0.0.0.255 eq 80
     permit tcp any 192.168.1.0 0.0.0.255 eq 25
     permit tcp any 192.168.1.0 0.0.0.255 eq 53
     deny ip any any
    ! explicit deny so it shows in the counter list

    Message was edited by: ciscodaze

  • Paul Stewart  -  CCIE Security, CCSI 6,993 posts since
    Jul 18, 2008
    5. Mar 25, 2012 6:33 PM (in response to Derrick B, CCENT)
    Re: ACLs on cisco router

    The default is to deny if there is no match. I have never seen it not behave as you explained. The fact that when you added the "deny" shows that it is definitely applied. The only thing that has ever surprised me working with ACLs is the fact that outbound packets are not checked by outbound ACLs when initiated by the router itself.

  • Stuart 33 posts since
    Feb 13, 2012
    6. Mar 26, 2012 9:21 AM (in response to Derrick B, CCENT)
    Re: ACLs on cisco router

    Just to be clear.

    After you added the explicit deny, and it was getting hits,

    were you still able to ping?

  • Brian 2,968 posts since
    Aug 17, 2009
    8. Mar 26, 2012 10:51 AM (in response to Derrick B, CCENT)
    Re: ACLs on cisco router

    First off, in the ACL you have, the source IP is "any" and the destination IP is the 192.168.2.0/24 network. See below:

    ip access-list extended External
     permit tcp any 192.168.2.0 0.0.0.255 eq 80
     permit tcp any 192.168.2.0 0.0.0.255 eq 25
     permit tcp any 192.168.2.0 0.0.0.255 eq 53

    However, you applied this to the wrong interface. See below:

    int fa0/0
     ip add 192.168.2.1 255.255.255.0
     ip access-group External in

    This ACL is applied "inbound"; this means coming from the hosts that lie out this interface. The 192.168.2.0/24 network will never be the destination when applied "inbound". You need to set this as an "outbound" ACL on interface F0/0. However, the implicit "deny" at the end of the ACL should deny everything else.

    Thirdly, apply the ACL as written to interface Fa1/0. See below:

    int fa1/0
     ip add 192.168.1.1 255.255.255.0
     ip access-group External in

    Now, the "any" source to destination 192.168.2.0/24 will allow only these three TCP ports.

    Lastly, show me the pings from a host on the 192.168.1.0/24 network to a host on the 192.168.2.0/24 network and vice versa.

    Brian

    Message was edited by: Brian
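As an added illustration of Brian's point about ACL direction (example code written for this page, not from the thread or from Cisco), here is a small Python model of the posted two-interface router: the interface names, addresses and the External ACL come from the posted config, while the stateless first-match evaluation, the ephemeral client port 51000 and the two ACL placements are constructed assumptions. It shows that with the ACL inbound on fa0/0 every packet arriving from 192.168.2.x, including ping replies and HTTP return traffic, hits the implicit deny, and that moving it inbound to fa1/0 permits the three TCP services while pings still fail in both directions.

```python
import ipaddress
# Constructed model of the thread's router (example code, not from the post): fa0/0 faces
# 192.168.2.0/24, fa1/0 faces 192.168.1.0/24; an ACL bound "in" only sees arriving packets.
IFACES = {"fa0/0": ipaddress.ip_network("192.168.2.0/24"),
          "fa1/0": ipaddress.ip_network("192.168.1.0/24")}

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard mask: a 0 bit in the mask means that address bit must match."""
    a, b, w = (int(ipaddress.ip_address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)

def entry_matches(entry, pkt):
    _action, proto, src, dst, dport = entry
    if proto != "ip" and proto != pkt["proto"]:
        return False
    if src != "any" and not wildcard_match(pkt["src"], *src):
        return False
    if dst != "any" and not wildcard_match(pkt["dst"], *dst):
        return False
    return dport is None or pkt.get("dport") == dport

def evaluate(acl, pkt):
    """First match wins; anything unmatched hits the implicit deny at the end."""
    return next((e[0] for e in acl if entry_matches(e, pkt)), "deny")

def route(bindings, pkt):
    """Apply the ingress interface's 'in' ACL, then the egress interface's 'out' ACL."""
    ingress = next(n for n, net in IFACES.items() if ipaddress.ip_address(pkt["src"]) in net)
    egress = next(n for n, net in IFACES.items() if ipaddress.ip_address(pkt["dst"]) in net)
    for key in ((ingress, "in"), (egress, "out")):
        if key in bindings and evaluate(bindings[key], pkt) == "deny":
            return "dropped"
    return "forwarded"

def ping_ok(bindings, src, dst):
    """A ping needs both the echo and the echo-reply forwarded; ACLs are stateless."""
    echo = {"proto": "icmp", "src": src, "dst": dst}
    reply = {"proto": "icmp", "src": dst, "dst": src}
    return route(bindings, echo) == route(bindings, reply) == "forwarded"

def tcp_ok(bindings, src, dst, port):
    """Same for TCP: the SYN towards the service and the SYN-ACK coming back."""
    syn = {"proto": "tcp", "src": src, "dst": dst, "dport": port}
    synack = {"proto": "tcp", "src": dst, "dst": src, "dport": 51000}  # ephemeral client port
    return route(bindings, syn) == route(bindings, synack) == "forwarded"

# The ACL exactly as posted: three TCP ports towards 192.168.2.0/24, nothing else.
EXTERNAL = [("permit", "tcp", "any", ("192.168.2.0", "0.0.0.255"), p) for p in (80, 25, 53)]
AS_POSTED = {("fa0/0", "in"): EXTERNAL}  # the original config
AS_BRIAN = {("fa1/0", "in"): EXTERNAL}   # Brian's suggestion: inbound on fa1/0
```

Call ping_ok() and tcp_ok() with either binding to compare the two placements; the difference only shows up once the return packet of each flow is checked.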

  • sambotech12 727 posts since
    Apr 3, 2012
    10. May 28, 2012 8:10 PM (in response to Brian)
    Re: ACLs on cisco router

    Hey Brian,

    I don't know about real Cisco routers, but Sa Sk's config worked in Packet Tracer. Please refer to the attached jpeg.

    acl_cisco_router.jpg

    I believe the External ACL caught the echoes when pinging from 192.168.2.2 to 192.168.1.2. That's why the fa 0/0 interface replied with "Destination host unreachable". And then the ACL caught the echo-replies from 192.168.2.2 when pinging from 192.168.1.2 to 192.168.2.2. That's why the reply was "Request timed out". I can verify this with a different, but functionally similar, ACL. Post to follow. The only thing is 192.168.1.2 can ping the fa 0/0 interface, 192.168.2.1.

    The Packet Tracer file is also attached.

    -sambotech12
  • sambotech12 727 posts since
    Apr 3, 2012
    11. May 28, 2012 8:30 PM (in response to sambotech12)
    Re: ACLs on cisco router

    Here's the modified ACL:

    ip access-list extended External
     permit tcp any 192.168.2.0 0.0.0.255 eq smtp
     permit tcp any 192.168.2.0 0.0.0.255 eq domain
     permit tcp any 192.168.2.0 0.0.0.255 eq www
     deny icmp any any echo
     deny icmp any any echo-reply
     permit ip any any
     deny ip any any

    The matched statements work as described in the previous post. Please refer to the following jpeg.

    acl_cisco_router_2.jpg

    I know Sa Sk's application of the ACL doesn't follow Cisco's best practice, but I think it works. I wonder why the pings were successful on his real equipment?

    -sambotech12

  • sambotech12 727 posts since
    Apr 3, 2012
    12. May 29, 2012 1:18 PM (in response to Derrick B, CCENT)
    Re: ACLs on cisco router

    Hey Sa Sk,

    I tried this on GNS3 and the pings worked the same as yours, but that was because of a misconfiguration. Are you doing this on GNS3?

    Please do a tracert from the host 192.168.2.2 to 192.168.1.2 and post the results.

    Thanks,

    -sambotech12
