
Cisco Router Help

Netopia

Diamond Member
Greetings all!

I recently ran into a problem with a Cisco 1700 router that I can't seem to get around. Please understand that I've NEVER even touched one of these before, so it could be a simple thing, but something that I just don't know or understand. Here's the situation:

A subnet of 8 public IP's. For the moment I'll just list the important ones:

x.x.x.32 = Broadcast
x.x.x.33 = The Router
x.x.x.34 = Web Server
x.x.x.35 = Windows Web Server
x.x.x.36-38 unused
x.x.x.39 = Network

Anyway... here's the thing....

I go into the router and it has NO access lists for incoming or outgoing. BUT... .35 is wide open to the internet (using its own firewall to block all but needed ports) and everything works for that machine... but NOT FOR ANY OTHER IP!

If I try to add an access-list for any IP address, .35 becomes totally blocked! If I remove all access-lists (and the group) then .35 works fine again. They want to run a web server on .34, but I can't get anything open to it without .35 going dead on me.

I've also tried to write an access list that includes both .34 and .35, but when I do, .35 still suddenly becomes totally blocked!

Here's a copy of the current config:

cisco1760>show ip interface
FastEthernet0/0 is up, line protocol is up
Internet address is x.x.x.33/29
Broadcast address is 255.255.255.255
Address determined by non-volatile memory
MTU is 1500 bytes
Helper address is not set
Directed broadcast forwarding is disabled
Outgoing access list is not set
Inbound access list is not set
Proxy ARP is enabled
Local Proxy ARP is disabled
Security level is default
Split horizon is enabled
ICMP redirects are always sent
ICMP unreachables are always sent
ICMP mask replies are never sent
IP fast switching is enabled
IP fast switching on the same interface is disabled
IP CEF switching is disabled
IP Fast switching turbo vector
IP multicast fast switching is disabled
IP multicast distributed fast switching is disabled
IP route-cache flags are Fast
Router Discovery is disabled
IP output packet accounting is disabled
IP access violation accounting is disabled
TCP/IP header compression is disabled
RTP/IP header compression is disabled
Probe proxy name replies are disabled
Policy routing is disabled
Network address translation is disabled
WCCP Redirect outbound is disabled
WCCP Redirect inbound is disabled
WCCP Redirect exclude is disabled
BGP Policy Mapping is disabled
Serial0/0 is up, line protocol is up
Internet protocol processing disabled
Interface is unnumbered. Using address of FastEthernet0/0 (x.x.x.33)
Broadcast address is 255.255.255.255
MTU is 1500 bytes
Helper address is not set
Directed broadcast forwarding is disabled
Outgoing access list is not set
Inbound access list is not set
Proxy ARP is enabled
Local Proxy ARP is disabled
Security level is default
Split horizon is enabled
ICMP redirects are always sent
ICMP unreachables are always sent
ICMP mask replies are never sent
IP fast switching is enabled
IP fast switching on the same interface is enabled
IP CEF switching is disabled
IP Fast switching turbo vector
IP multicast fast switching is disabled
IP multicast distributed fast switching is disabled
IP route-cache flags are Fast
Router Discovery is disabled
IP output packet accounting is disabled
IP access violation accounting is disabled
TCP/IP header compression is disabled
RTP/IP header compression is disabled
Probe proxy name replies are disabled
Policy routing is disabled
Network address translation is disabled
WCCP Redirect outbound is disabled
WCCP Redirect inbound is disabled
WCCP Redirect exclude is disabled
BGP Policy Mapping is disabled

This is my try at an access list:

access-list 105 permit tcp any host x.x.x.34 eq www
access-list 105 permit tcp any host x.x.x.34 eq 1843
access-list 105 permit icmp any host x.x.x.34

and then

interface FastEthernet 0/0
ip access-group 105 in

But after that... no traffic that I could tell to any IP.

HELP!

I don't know what I'm doing wrong.

Here's what I want to do,

Port 80 Open for any hosts to .34
ICMP Open for any host to .34
ALL PORTS Open for any hosts to .35 (not my choice...)
ICMP Open for any hosts to .35

ANY help is MUCH appreciated!

Joe
 
Here's what I want to do,

Port 80 Open for any host to .34
ICMP Open for any host to .34
ALL PORTS Open for any host to .35 (not my choice...)
ICMP Open for any host to .35


!
conf t
!
! numbered extended ACL; "ip access-list" is only for named lists
access-list 120 permit tcp any host x.x.x.34 eq 80
access-list 120 permit tcp any host x.x.x.35
access-list 120 permit icmp any host x.x.x.34
access-list 120 permit icmp any host x.x.x.35
!
int fa0/0
!
ip access-group 120 out
!

--

Major Problems - you'll want to apply your inbound access-lists to your external interface, or as close to the source of the traffic as possible. Your fa0/0 is attached to your LAN, you would want to apply the inbound access-list to your WAN interface, aka serial/T1/DSL/whatever. If you don't, remember that the direction of traffic flow changes as it passes through the router. Traffic IN on your WAN link turns into OUTbound traffic on Fa0/0. INBOUND traffic on Fa0/0 is OUTBound traffic on your WAN link.
 
Well said randal. The command to show the config is
#show run or #show start in privileged mode and post the config here.

Of course, it gets a little complicated when you have involve NAT.



 
OK... I'm going to get a copy of what you've asked for. I have to admit, I didn't think about the serial interface to the WAN as being the "in", since I figured that the router accepted everything and then applied rules based on the internal interface. No particular reason I thought that way, just ignorance of the config.

Joe
 
Here is the "show run". Obviously some things have been changed because this is a public board, like passwords, things that specifically identify the company and the first three octets of IP addresses... but other than that, it's just like out of the router:

cisco1760#show run
Building configuration...

Current configuration : 930 bytes
!
version 12.2
service config
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname cisco1760
!
enable secret 5 "hash"
enable password "password"
!
ip subnet-zero
ip domain name ALTER.NET
ip name-server 198.6.1.195
!
!
!
!
!
interface FastEthernet0/0
description To Office FastEthernet
ip address x.x.x.33 255.255.255.248
speed auto
full-duplex
no cdp enable
!
interface Serial0/0
description To Worldcom (wcomw0k98532)
bandwidth 1536
no ip address
encapsulation frame-relay IETF
no fair-queue
frame-relay lmi-type ansi
!
interface Serial0/0.1 point-to-point
bandwidth 1536
ip unnumbered FastEthernet0/0
frame-relay interface-dlci 500 IETF
!
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/0.1
no ip http server
!
!
!
line con 0
exec-timeout 0 0
line aux 0
line vty 0 4
password "password"
login
!
no scheduler allocate
end

Guys... thanks, I really appreciate the helping hands!

Joe
 
One other thought....

Suppose I had three different ethernet ports (internal) on the router. For access lists (in), does that mean that I have to configure access lists for the serial interface (frame relay in this case) to each of the IP addresses? I've tried to read what I could find on the web about this stuff, but everything seems to indicate writing the lists for the ethernet connection, so I'm a little confused.

Joe
 
You can write access-lists, both inbound and outbound, and apply them to every interface. If you have 3x FastEthernet + 1x Serial, you could apply 8 access-lists total. Apply the security & rulesets as granularly as you'd like, or don't, your choice.

In your situation, I would apply one access-list to your inbound Serial interface. This ACL will cover everything inbound, to include all of the networks on every internal LAN interface. I would apply an outbound ACL to the Serial Interface to prevent crazy things from happening too. I would then proceed to apply an access-list to every internal interface with similar rulesets to what is on your Serial interface -- stopping the traffic at the FastEthernet interface before it crosses the router is better.

ACLs are a HUGE part of becoming a Cisco Certified Network Associate, as they are a critical foundation skill for any network person. I would highly recommend getting a book from your local book store and becoming very familiar with them; they can make or break your network with surprising ease.
 
I'm not sure how much work I'm going to be doing with Cisco routers, but I certainly agree that it is in my best interest to get as much knowledge in the area as I can. I tend to do side jobs that cover everything for smaller companies, so I don't really spend much time on routers, but on desktops and servers. Still... a situation like this can make me feel like a retard when I don't know what I'm doing.

In the "show run" output I posted, which is the interface for which I should write the ACL (inbound)? Is it the Serial0/0 or the Serial0/0.1?

Joe
 
You apply ACLs on IP interfaces.

Frame relay primarily uses separate sub-interfaces to represent the individual IP interfaces for each PVC.

So in your case you apply it on the S0/0.1 interface.

Another good tool is "show ip access-list" as it will show you how many hits on the ACL and each line.

Also don't forget that at the end of every ACL is an implied "deny any any" which means if traffic doesn't match your permit statements it will be dropped. In your case I think this is what you want. Another trick is to put a "deny any any" at the end of the ACL, that way you can see the hits on your final "drop everything else" rule.

One other thing to keep in mind about ACLs - traffic is bi-directional. Meaning client talks to server on destination port 80, and server speaks to client with a source port of 80. It's sometimes easy to forget the return traffic when messing with ACLs. If you use an inbound or outbound connection use the "established" key word to permit return traffic that is part of an existing connection.

something like this.
INBOUND
access-list 110 permit tcp any any eq 80
access-list 110 permit tcp any any eq 443
access-list 110 deny ip any any log

OUTBOUND
access-list 120 permit tcp any eq 80 any established
access-list 120 deny ip any any log

careful with the log keyword if the circuit is very busy or the router is underpowered.

decent doc...
http://www.cisco.com/en/US/products/sw/...oducts_tech_note09186a00800a5b9a.shtml
 
For your rules:

something like this.
INBOUND
access-list 110 permit tcp any any eq 80
access-list 110 permit tcp any any eq 443
access-list 110 deny ip any any log

OUTBOUND
access-list 120 permit tcp any eq 80 any established
access-list 120 deny ip any any log

Can I interpret them as:

Inbound:
ACL# permit protocol external-host internal-host = port#
ACL# deny external-host internal-host send.output.to.log

Outbound:
ACL# permit protocol internal-host = port# any.already.established.external.host
ACL# deny internal-host external-host send.output.to.log

If I'm right, then does that mean on incoming rules you put external hosts first and then internal, and on outbound rules you put internal hosts first followed by the port and then external?

Thanks for the info, the link and any answers!

Joe
 
well there really is no differentiation between internal and external hosts. An acl just permits or denies traffic.

The key is understanding source and destination IP address and how it appears to the router.

Take a basic example A web server runs a HTTP server on port 80.

When a client starts to contact the server a packet will be sent by the client that looks like this.
<IP src addy><IP dst addy><TCP src port><TCP dst port=80>

of note is the TCP dst port will be 80. This packet is destined for the HTTP open port on the server. src port is immaterial and is random.

Next packet will be the server answering...
<IP src addy><IP dst addy><TCP src port=80><TCP dst port>

Key here is the packet is sourced from the server with a source port of 80.

Finally client will send another packet..
<IP src addy><IP dst addy><TCP src port><TCP dst port=80>

The connection between client and server is now open and the client will request data/web pages.

It's just important when working with ACLs to understand this fundamental concept.

Hard to explain on a forum, but there is a ton of information on ACLs at cisco.com. It's almost more important than IP addressing itself.
 
This is VERY eye opening!

In the case of my initial question, how does one permit ALL ports to a specific IP address? Is there an (eq "range") sort of syntax?

Joe
 
access-list 101 permit tcp any host 10.10.10.10 range 1 65535

"permit tcp with source host of any, source port of any, to host 10.3.2.33 destination port range 1 - 65535"

kinda ugly. That restricts it to TCP ports only. Another way would be...

permit ip any host 10.10.10.10

That works on the IP address alone and would allow any IP packets to the host.
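The posts above describe first-match evaluation, the implicit deny at the end of every list, the "established" keyword for return traffic, the per-line hit counters that "show ip access-list" prints, and the two ways of opening every port on one host (a TCP "range 1 65535" versus "permit ip"). The Python below is an added illustration, not code from this thread or from Cisco: a toy evaluator for numbered extended ACL lines in the syntax used here. The addresses (203.0.113.33-.35 standing in for the x.x.x subnet, 198.51.100.7 as an internet client) and the packets are constructed; only "any"/"host" addresses, "eq"/"range" ports and the "established" flag are modelled, and the inbound list is the one that would sit "in" on the WAN sub-interface.

```python
"""Toy evaluator for Cisco IOS numbered extended ACLs (added example; not code
from this thread or from Cisco). It models what the posts above describe: the
first matching line wins, an invisible "deny ip any any" ends every list,
"established" only matches TCP segments carrying ACK (the server's replies),
and a host is fully opened with "range 1 65535" (TCP only) or "permit ip".
Addresses and packets are constructed sample values."""
from collections import namedtuple
from dataclasses import dataclass
from typing import List, Optional, Tuple

PORT_NAMES = {"www": 80, "https": 443, "telnet": 23, "ssh": 22}
Ports = Optional[Tuple[int, int]]       # inclusive port range; None = any port
# ack is the TCP ACK flag; that is what "established" looks for
Packet = namedtuple("Packet", "proto src dst sport dport ack", defaults=(0, 0, False))


@dataclass
class Rule:                             # one parsed access-list line
    text: str
    action: str                         # "permit" or "deny"
    proto: str                          # "ip" matches every protocol
    src: Optional[str]                  # None stands for "any"
    sports: Ports
    dst: Optional[str]
    dports: Ports
    established: bool = False
    hits: int = 0                       # the counter "show ip access-list" prints


def _take_addr(tok: List[str]) -> Optional[str]:
    """'any' -> None; 'host X' -> X (wildcard masks are not modelled)."""
    kw = tok.pop(0)
    if kw not in ("any", "host"):
        raise ValueError("expected 'any' or 'host X', got " + kw)
    return tok.pop(0) if kw == "host" else None


def _take_ports(tok: List[str]) -> Ports:
    """Optional 'eq N' or 'range A B'; N may be a name such as www."""
    if not tok or tok[0] not in ("eq", "range"):
        return None
    kw, a = tok.pop(0), tok.pop(0)
    lo = PORT_NAMES.get(a) or int(a)
    hi = int(tok.pop(0)) if kw == "range" else lo
    return (lo, hi)


def parse_rule(line: str) -> Rule:
    """access-list N permit|deny proto src [ports] dst [ports] [established] [log]"""
    tok = line.split()[2:]                          # drop keyword and list number
    action, proto = tok.pop(0), tok.pop(0).lower()
    src = _take_addr(tok)
    sports = _take_ports(tok) if proto in ("tcp", "udp") else None
    dst = _take_addr(tok)
    dports = _take_ports(tok) if proto in ("tcp", "udp") else None
    return Rule(line, action, proto, src, sports, dst, dports, "established" in tok)


def parse_acl(text: str) -> List[Rule]:
    lines = [l.strip() for l in text.strip().splitlines()]
    return [parse_rule(l) for l in lines if l and not l.startswith("!")]


def matches(r: Rule, p: Packet) -> bool:
    def ok(port, rng): return rng is None or rng[0] <= port <= rng[1]
    return ((r.proto == "ip" or r.proto == p.proto)
            and r.src in (None, p.src) and r.dst in (None, p.dst)
            and ok(p.sport, r.sports) and ok(p.dport, r.dports)
            and (not r.established or (p.proto == "tcp" and p.ack)))


def evaluate(acl: List[Rule], p: Packet) -> Tuple[str, str]:
    """Return (action, matching line); the implicit deny has no visible line."""
    for rule in acl:
        if matches(rule, p):
            rule.hits += 1
            return rule.action, rule.text
    return "deny", "implicit deny ip any any"


# Constructed lists in the shape of the advice above: INBOUND goes "in" on the WAN
# sub-interface, OUTBOUND "out" on it. .34 is the web server, .35 the open host.
INBOUND = """
access-list 110 permit tcp any host 203.0.113.34 eq www
access-list 110 permit icmp any host 203.0.113.34
access-list 110 permit ip any host 203.0.113.35
access-list 110 deny ip any any log
"""
OUTBOUND = """
access-list 120 permit tcp host 203.0.113.34 eq www any established
access-list 120 permit ip host 203.0.113.35 any
access-list 120 deny ip any any log
"""
FIRST_TRY = "access-list 105 permit tcp any host 203.0.113.34 eq www"  # .35 never named


def demo() -> dict:
    inbound, outbound, first = parse_acl(INBOUND), parse_acl(OUTBOUND), parse_acl(FIRST_TRY)
    client, web, win = "198.51.100.7", "203.0.113.34", "203.0.113.35"
    return {
        "first try, client->.35:443": evaluate(first, Packet("tcp", client, win, 40000, 443)),
        "client->web:80": evaluate(inbound, Packet("tcp", client, web, 40001, 80))[0],
        "client->web:22": evaluate(inbound, Packet("tcp", client, web, 40002, 22)),
        "client->win:3389": evaluate(inbound, Packet("tcp", client, win, 40003, 3389))[0],
        "web:80->client reply": evaluate(outbound, Packet("tcp", web, client, 80, 40001, True))[0],
        "web:80->client new": evaluate(outbound, Packet("tcp", web, client, 80, 40001))[0],
        "inbound hits": [r.hits for r in inbound],
    }
```

Calling demo() shows the original symptom (a list that names only .34 drops .35 through the implicit deny, with no visible line to blame), the fully open host passing on an arbitrary port, the web server's SYN/ACK passing the "established" line while a new connection sourced from port 80 does not, and the hit counters that a final explicit "deny ip any any log" makes visible.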
 
Hey... I was just reading the link you gave me to Cisco, and I think I've had something backward.

I was thinking that "in" when applied to "fastethernet0/0" meant from the router INTO that port. That's backwards, isn't it? I think I just realized (if I'm understanding correctly) that "IN" is always spoken of with the router as the central location.

If I'm right, then "IN" for serial0/0.1 means traffic coming from the frame relay into the router, and "IN" from fastethernet0/0 means traffic coming from the LAN into the router. Am I reading this right? If so, it makes sense why everything I did put a halt to traffic... it would mean that I was applying everything backwards!

Joe
 
One other important thing....

I'm doing much of this work remotely. You suggested that I apply the ACL's to serial0/0.1.... but since that's the router's external interface, if I mess something up, will I be blocked from telnetting into the router and have to go to their site and have to hook up via serial cable? I just want to know if there's a possibility that I'm going to lock myself out before I go goofing around.

Joe
 
Originally posted by: Netopia
Hey... I was just reading the link you gave me to Cisco, and I think I've had something backward.

I was thinking that "in" when applied to "fastethernet0/0" meant from the router INTO that port. That's backwards, isn't it? I think I just realized (if I'm understanding correctly) that "IN" is always spoken of with the router as the central location.

If I'm right, then "IN" for serial0/0.1 means traffic coming from the frame relay into the router, and "IN" from fastethernet0/0 means traffic coming from the LAN into the router. Am I reading this right? If so, it makes sense why everything I did put a halt to traffic... it would mean that I was applying everything backwards!

Joe

That is correct.

inbound is "inbound to the router" and is only locally significant. It doesn't matter where the packet came from (internet, dmz, internal network, buddies wireless, japan), just that it is coming "IN" to an interface.

-edit- try not to do ACLs remotely if you are not very comfortable with them. You can very easily lock yourself out of the router so that you cannot get to it anymore and will have to reboot to get the config loaded. As soon as you apply that ACL it is in effect.

Another tip (and this is for others that may be reading)...

Don't modify an ACL if it is applied to an interface. Remove it first, modify it and then re-apply. What can happen is when modifying ACLs you use a "copy/paste" kind of configuration with a text editor. As you are pasting in the ACL you could lock yourself out because not all of the ACL is pasted (remember there is a default deny all all, so the second you "paste" the ACL you have a single line with a deny all all at the end of it - locked out of router).
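As an added illustration of the lockout warning above (not code from this thread or from Cisco), the Python below is a pre-flight check that walks an ACL line by line the way a paste into an already-applied list is enforced, and compares it with the remove/modify/re-apply sequence the post recommends. It models two IOS behaviours: an access-group that points at a list with no lines yet permits everything, and from the first line onward the list ends in the implicit "deny ip any any". The addresses, the management session (the editor's own SSH connection to the router) and the sample lists are constructed.

```python
"""Pre-flight check for pasting an ACL onto a live interface (added example;
not code from this thread or from Cisco). Two IOS behaviours are modelled:
an access-group that points at an ACL with no lines yet permits everything,
and from the first line onward the list ends in an implicit "deny ip any any".
Pasting into a list that is already applied therefore enforces every partial
list along the way. Addresses are constructed sample values; the management
packet stands for the editor's own SSH/telnet session to the router."""
from typing import Callable, Dict, List, Optional, Tuple

Packet = Dict[str, object]                           # proto, src, dst, dport, ack
AclLine = Tuple[str, str, Callable[[Packet], bool]]  # action, text, matcher


def permit_tcp_to(dst: str, dport: int, text: str) -> AclLine:
    return ("permit", text, lambda p: p["proto"] == "tcp" and p["dst"] == dst and p["dport"] == dport)


def permit_established(text: str) -> AclLine:
    return ("permit", text, lambda p: p["proto"] == "tcp" and bool(p["ack"]))


def permit_mgmt_from(src: str, text: str) -> AclLine:
    return ("permit", text, lambda p: p["src"] == src and p["dport"] in (22, 23))


def deny_all(text: str) -> AclLine:
    return ("deny", text, lambda p: True)


def permits(acl: List[AclLine], pkt: Packet) -> bool:
    """First match wins; an empty (not yet created) list permits everything."""
    if not acl:
        return True
    for action, _text, match in acl:
        if match(pkt):
            return action == "permit"
    return False                                     # implicit deny ip any any


def paste_live(acl: List[AclLine], mgmt: Packet) -> Optional[int]:
    """Paste line by line into an ACL that is already applied to the interface.
    Returns the 1-based line after which the management session is first
    dropped, or None if it survives the whole paste."""
    for n in range(1, len(acl) + 1):
        if not permits(acl[:n], mgmt):
            return n
    return None


def paste_detached(acl: List[AclLine], mgmt: Packet) -> Optional[int]:
    """Remove the ACL from the interface, paste it all, then re-apply: only the
    finished list is ever enforced, so only the final result matters."""
    return None if permits(acl, mgmt) else len(acl)


ADMIN, ROUTER, WEB = "198.51.100.7", "203.0.113.33", "203.0.113.34"
# a new management connection attempt (no ACK yet, so "established" cannot help)
MGMT_SESSION: Packet = {"proto": "tcp", "src": ADMIN, "dst": ROUTER, "dport": 22, "ack": False}

RULES_MGMT_LAST = [
    permit_tcp_to(WEB, 80, "access-list 110 permit tcp any host 203.0.113.34 eq www"),
    permit_established("access-list 110 permit tcp any any established"),
    permit_mgmt_from(ADMIN, "access-list 110 permit tcp host 198.51.100.7 host 203.0.113.33 eq 22"),
    deny_all("access-list 110 deny ip any any log"),
]
RULES_MGMT_FIRST = [RULES_MGMT_LAST[2]] + RULES_MGMT_LAST[:2] + RULES_MGMT_LAST[3:]
```

paste_live(RULES_MGMT_LAST, MGMT_SESSION) returns 1: the very first pasted line creates the list, the implicit deny arrives with it, and the management session is gone before the line that would have permitted it is ever entered. The same list pasted with the interface detached, or with the management permit as its first line, never drops the session.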
 
When you talk about locked out of the router, are you talking about locked out from telnetting or locked out PERIOD (as in not even a cable to the console port)?

Joe
 
locked out in that you inadvertently disallow access to the router (by dropping telnet or SSH)

I was working on a router with about 800 interfaces that had a single security ACL applied to all interfaces. Yeah, I really screwed that one up LOL.
 
WOW! 800 INTERFACES!

I am but an egg!

The router I'm working on has all of 2! (not counting the console), Serial0/0 and FastEthernet0/0

So that one ACL covered ALL the IP addresses for all 800 interfaces!?! How big can an ACL get? Was something like that hundreds of lines long?

Joe
 
This one was just base security rules to block the normal internet worm ports.

It wasn't that big, maybe 50 lines.

How big can an ACL be? As big as the router memory will allow and some routers are approaching 1GB of memory. The biggest I remember was about 30,000 lines.
 
Ok.... I know now that the correct thing for me to do is to write ACL's and apply them to the Serial0/0.1 interface.

For the time being though, would it work for me to temporarily apply rules for Serial0/0.1 that say everything is allowed in and out (since I'm working remotely) and then write and apply rules to the fastethernet0/0 interface, since it is the only other interface?

If so, would these rules be right, assuming that I wanted to allow all traffic into and out of the serial interface, and on the fastethernet allow all ports on .35 and only ports 80, 443 and ICMP on .34 and nothing else, would the following be right?


======================
for the serial0/0.1 interface

access-list 101 permit tcp any host x.x.x.33 range 1 65535
access-list 101 permit tcp any host x.x.x.34 range 1 65535
access-list 101 permit tcp any host x.x.x.35 range 1 65535
access-list 101 permit tcp any host x.x.x.36 range 1 65535
access-list 101 permit tcp any host x.x.x.37 range 1 65535
access-list 101 permit tcp any host x.x.x.38 range 1 65535
^z

and then apply that to the interface via:

interface serial0/0.1
ip access-group 101 in
ip access-group 101 out


and then for the fastethernet0/0 interface:

access-list 102 permit tcp any host x.x.x.35 range 1 65535
access-list 102 permit tcp any host x.x.x.34 eq 80
access-list 102 permit tcp any host x.x.x.34 eq 443
access-list 102 permit icmp any host x.x.x.34

interface fastethernet0/0
ip access-group 102 out

access-list 103 permit tcp host x.x.x.35 range 1 65535 any established
access-list 103 permit tcp host x.x.x.34 eq 80 any established
access-list 103 permit tcp host x.x.x.34 eq 443 any established
access-list 103 permit icmp host x.x.x.34 any

interface fastethernet0/0
ip access-group 103 in

========================

Is this at least close? I'm hoping I'm understanding more and not just digging my brain deeper in the muck and only fooling myself!

Joe
 