DanielUK (Member, joined 2004-11-04, Schenectady, NY):

801 ISDN access list woes

I'm wondering why it is that I lose net access when I apply access list 101 to my Dialer1 interface:

access-list 101 deny icmp any any echo
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any unreachable
access-list 101 deny icmp any any
access-list 101 deny tcp any range 0 65535 any range 0 65535
access-list 101 deny udp any range 0 65535 any range 0 65535
access-list 101 deny ip any any log

As soon as I remove it, it operates fine. This is my running config at the moment:

Current configuration : 3112 bytes
!
! Last configuration change at 16:41:55 UTC Mon Apr 18 2005
! NVRAM config last updated at 07:41:35 UTC Mon Apr 18 2005
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$uOpf$emfDhaV0/UALCYwjF.iHf/
!
username Router password 7 110B1B171013070005382F2B
no aaa new-model
ip subnet-zero
no ip source-route
!
ip inspect name OUTBOUND cuseeme
ip inspect name OUTBOUND ftp
ip inspect name OUTBOUND h323
ip inspect name OUTBOUND netshow
ip inspect name OUTBOUND rcmd
ip inspect name OUTBOUND realaudio
ip inspect name OUTBOUND rtsp
ip inspect name OUTBOUND sqlnet
ip inspect name OUTBOUND tcp
ip inspect name OUTBOUND udp
ip inspect name OUTBOUND vdolive
ip inspect name OUTBOUND icmp
ip ssh break-string
isdn switch-type basic-net3
!
!
!
!
!
!
interface Ethernet0
ip address 192.168.0.16 255.255.255.0
ip access-group 121 in
no ip proxy-arp
ip nat inside
!
interface BRI0
no ip address
encapsulation ppp
dialer pool-member 1
isdn switch-type basic-net3
ppp authentication chap pap callin
!
interface Dialer1
description ISP
ip address negotiated
ip access-group 121 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
encapsulation ppp
no ip split-horizon
dialer pool 1
dialer remote-name Cisco1
dialer idle-timeout 360
dialer string 08089916001 class DialClass
dialer hold-queue 10
dialer load-threshold 20 either
dialer-group 1
no cdp enable
ppp authentication chap pap callin
ppp chap hostname host-username
ppp chap password 7 14131A5859513C38213B23272B07031E
ppp pap sent-username username-here password 7 070B291F1B5C0F161011B1E0D3E2F2C
!
ip nat inside source list 18 interface Dialer1 overload
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
no ip http server
no ip http secure-server
!
!
map-class dialer DialClass
access-list 18 permit 192.168.0.0 0.0.0.255
access-list 23 permit 192.168.0.0 0.0.0.255
access-list 101 deny icmp any any echo
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any unreachable
access-list 101 deny icmp any any
access-list 101 deny tcp any range 0 65535 any range 0 65535
access-list 101 deny udp any range 0 65535 any range 0 65535
access-list 101 deny ip any any log
access-list 121 deny udp any eq netbios-dgm any
access-list 121 deny udp any eq netbios-ns any
access-list 121 deny udp any eq netbios-ss any
access-list 121 deny tcp any eq 137 any
access-list 121 deny tcp any eq 138 any
access-list 121 deny tcp any eq 139 any
access-list 121 permit ip any any time-range TIME
dialer-list 1 protocol ip permit
!
!
line con 0
exec-timeout 0 0
transport preferred all
transport output all
stopbits 1
line vty 0 4
access-class 23 in
exec-timeout 0 0
login local
transport preferred all
transport input all
transport output all
!
no rcapi server
!
!
time-range TIME
periodic daily 0:00 to 23:59
!
!
end

Am I missing anything obvious? Or, can anyone recommend a better access list?

Thanks

Dan

se4b4ss (Member, joined 2004-12-09, Desoto, TX):

Your last statement is "deny ip any any". You should put a "permit tcp any any eq 80" in there.

Steve
»www.networking-forum.com

DanielUK (Member):

Thanks Steve, I'll give that a go when I've got a free minute. Just to recap, I should end up with:

access-list 101 deny icmp any any echo
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any unreachable
access-list 101 deny icmp any any
access-list 101 deny tcp any range 0 65535 any range 0 65535
access-list 101 deny udp any range 0 65535 any range 0 65535
access-list 101 permit tcp any any eq 80
access-list 101 deny ip any any log

I keep the '101 deny ip any any log', right?

Thanks again,

Dan

DanielUK (Member):

Hmmm, thinking about it, access-list 101 is for traffic coming in. Shouldn't permit tcp any any eq 80 be applied to outgoing traffic? And shouldn't port 443 also be on there for secure connections?

Thanks

Dan

se4b4ss (Member) to DanielUK:
You will only have to permit ip any any 80 outbound if you are implicitly denying that type of traffic... you are implicitly denying it inbound, so you must explicitly permit it.

Steve
»www.networking-forum.com

aryoba (MVM, joined 2002-08-22) to se4b4ss:
se4b4ss,

You said: "Your last statement is 'deny ip any any'. You should put a 'permit tcp any any eq 80' in there."

Actually, you are missing the point here, if I may say so. I can see from the configuration that DanielUK here is trying to use CBAC (the ip inspect command). The "deny ip any any" actually is a good thing and should be there for the CBAC implementation to employ a strong IOS-based firewall.

DanielUK,

Your original ACL 101 and 121 were already good to go with one little modification. Modify "access-list 121 permit ip any any time-range TIME" to be "access-list 121 permit ip any any".

2nd step, modify the ACL application so that the interface Dialer1 uses ACL 101 and interface Ethernet0 uses ACL 121. Therefore under interface Dialer1, modify "ip access-group 121 in" to be "ip access-group 101 in".

A little tip. You might want to add remarks to these two ACLs for future reference so that it is easier to distinguish between the two. Add remarks such as "access-list 121 remark Inside Interface Firewall" and "access-list 101 remark Outside Interface Firewall".

3rd step, add "ip inspect OUTBOUND out" under the interface Dialer1. This will activate the CBAC on the outside Internet-facing interface.

The 3rd step should be the final step. At the end of this step, your router should work with no problem. Btw, do you recall that I was the one back months ago who suggested your original configuration (with the CBAC usage)?
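An added illustration, not code from the thread or from Cisco, of why ACL 101 on its own kills the connection and why the 3rd step above restores it: a small Python model of IOS first-match ACL evaluation plus the return-traffic openings CBAC creates once it inspects an outbound session. The packet dicts, the session key (protocol and ports only) and the sample port numbers are constructed assumptions.

```python
# Added example, not from the thread: first-match evaluation of the poster's ACL 101
# inbound on Dialer1, with and without CBAC session openings. Assumed simplifications:
# packets are dicts, addresses are ignored ('any any'), sessions keyed on proto+ports.
ACL_101 = """
access-list 101 deny icmp any any echo
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any unreachable
access-list 101 deny icmp any any
access-list 101 deny tcp any range 0 65535 any range 0 65535
access-list 101 deny udp any range 0 65535 any range 0 65535
access-list 101 deny ip any any log
"""

def _ports(tok, i):  # 'any' [range A B] -> (low, high), index of next token
    if i + 1 < len(tok) and tok[i + 1] == "range":
        return (int(tok[i + 2]), int(tok[i + 3])), i + 4
    return (0, 65535), i + 1

def parse_acl(text):  # each line -> (action, proto, src_ports, dst_ports, icmp_type)
    rules = []
    for line in text.strip().splitlines():
        tok = line.split()
        sports, i = _ports(tok, 4)
        dports, i = _ports(tok, i)
        itype = tok[i] if i < len(tok) and tok[i] != "log" else None
        rules.append((tok[2], tok[3], sports, dports, itype))
    return rules

def acl_match(rules, pkt):  # first matching entry wins; IOS ends with an implicit deny
    for action, proto, sp, dp, itype in rules:
        if (proto in ("ip", pkt["proto"]) and itype in (None, pkt.get("icmp_type"))
                and sp[0] <= pkt.get("sport", 0) <= sp[1]
                and dp[0] <= pkt.get("dport", 0) <= dp[1]):
            return action
    return "deny"

def inbound_allowed(rules, sessions, pkt):  # CBAC return-traffic check precedes the ACL
    if (pkt["proto"], pkt.get("dport", 0), pkt.get("sport", 0)) in sessions:
        return True
    return acl_match(rules, pkt) == "permit"

def demo():  # (reply without CBAC, reply with CBAC, unsolicited inbound SYN with CBAC)
    rules = parse_acl(ACL_101)
    reply = {"proto": "tcp", "sport": 80, "dport": 40000}  # web server answering a LAN host
    sessions = {("tcp", 40000, 80)}  # entry CBAC adds after inspecting the outbound request
    return (inbound_allowed(rules, set(), reply), inbound_allowed(rules, sessions, reply),
            inbound_allowed(rules, sessions, {"proto": "tcp", "sport": 4444, "dport": 22}))
```

Without the inspection entry the web server's reply hits "deny tcp any range 0 65535 any range 0 65535" and is dropped, which is exactly the "lose net access" symptom; with it, only the inspected session's return traffic gets through while everything unsolicited still lands on the static denies.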

DanielUK (Member):

Thanks Aryoba,

No, I haven't forgotten that it was you who gave me the original configuration! I will try your suggestions, but a couple more things:

1. Going back to the original thread, I updated to IOS 12.3 but I still can't get the "ip cef" command to work and subsequently the "ip verify unicast reverse-path" (which tells me to run ip cef!) won't run. I asked this question before (I think you missed it!) and one of the replies was "You can't use CEF through a multilink interface." so I gather I can't use it?

2. The router has been in operation over the past week, but we've been finding that receiving a long list of emails will suddenly stop in the middle. This is usually resolved by stopping and restarting the download to receive only a small number of emails at a time, but I was wondering if there is some kind of size limit on the emails coming in?

Thanks again,

Dan

aryoba (MVM):

1. The "ip cef" command is only available on certain IOS images and certain routers. Frankly, I have never used 801 routers before, therefore I'm not certain about its unavailability on 801 routers. However, the unavailability should not affect your security level.

2. The email process itself has no relation whatsoever to your router's configuration or the ISP connection. However, my guess is that the problem may lie with the email servers themselves.

DanielUK (Member):

Thanks Aryoba, everything is stealthed now and working, email problem must have been an intermittent ISP problem. I basically recreated from scratch and made sure access list 101 was applied to dialer1 and access list 121 was applied to ethernet0.

The only thing I didn't change is removing the "time-range TIME" as you suggested. Does it make any difference whether it's there or not? Access list 121 is the default list the router generates when you go through FastStep.

Thanks

Dan

aryoba (MVM):

Since you set the TIME value of 0:00 to 23:59, there should be no difference between the "permit ip any any time-range" and "permit ip any any". To understand better, here's a Cisco link on the time range discussion:

Time-Based ISDN/Asynchronous (Legacy) DDR:
»www.cisco.com/en/US/tech ··· 89.shtml