Setting up basic ACLs on Cisco 2600

t_ski

OK, I have a small project I'm working on. To start with, here's the basic network map:

[network map image: mapay0.gif]


I'm looking to set up some very basic access control lists for using the router as a firewall. (This is a requirement for the class I'm doing this for, so don't ask me why I'm not using a regular firewall.) Since we're only dealing with these three servers (web, email and FTP), we're only concerned with ports 80, 25, 20/21 and 110. However, Windows ephemeral ports 49151-65535 have to be considered as well.

Here's what I have so far:
Code:
!Access List #1
!Applied to e0/0
!
Router(config)# access-list 1 permit tcp any eq 80
Router(config)# access-list 1 permit tcp any eq 25
Router(config)# access-list 1 permit tcp any eq 110
Router(config)# access-list 1 permit tcp any eq 20
Router(config)# access-list 1 permit tcp any eq 21
Router(config)# access-list 1 permit tcp any range 49151-65535
Router(config)# access-list 1 deny ip any any
!
!
!end



!Access List #2
!Applied to e0/1
!
Router(config)# access-list 2 permit tcp any eq 80
Router(config)# access-list 2 permit tcp any eq 25
Router(config)# access-list 2 deny tcp any eq 110
Router(config)# access-list 2 permit tcp any eq 20
Router(config)# access-list 2 permit tcp any eq 21
Router(config)# access-list 2 permit tcp any range 49151-65535
Router(config)# access-list 2 permit icmp any any
Router(config)# access-list 2 deny ip any any
!
!
!end

Am I on the right track here? I don't want to be missing something huge. :confused:
 
Your syntax is wrong for an ACL.

Code:
RTI-VB(config)#access-list 2 permit tcp any eq 80
Translating "tcp"
                                    ^
% Invalid input detected at '^' marker.

RTI-VB(config)#access-list 2 permit ?
  Hostname or A.B.C.D  Address to match
  any                  Any source host
  host                 A single host address


There is usually no point in blocking at both interfaces.
 
I could be wrong, but I think you might want to specify internal hosts and their ports. It looks to me like all of those ports are open to any of the servers. Something like below maybe??

**********

!Access List #2
!Applied to e0/1
!
Router(config)# access-list 2 deny tcp any any eq 110
Router(config)# access-list 2 permit tcp any host 10.20.1.1 eq 80
Router(config)# access-list 2 permit tcp any host 10.20.1.2 eq 25
Router(config)# access-list 2 permit tcp any host 10.20.1.3 eq 20
Router(config)# access-list 2 permit tcp any host 10.20.1.3 eq 21
Router(config)# access-list 2 permit tcp any range 49151-65535
Router(config)# access-list 2 permit icmp any any
Router(config)# access-list 2 deny ip any any
!
!
!end

**********

Also, deny entries go before permits. I am definitely not an ACL expert however. Hope I have helped, but no guarantees :p
 
If you want to block explicit ports you have to use an extended access list which are numbered 100-199:

i.e.: access-list 100 permit tcp any any eq 80 permits all http traffic from any host to any host

Access lists 1-99 are standard access lists and allow/deny traffic based on a source host or network only

i.e.: access-list 1 permit 1.1.1.1 0.0.0.0 permits all traffic from the host 1.1.1.1
 
> There is usually no point in blocking at both interfaces.

I forgot to mention that these were being applied to the "in" side of each of the ports. Port e0/0 was traffic from the internet through the router to the DMZ/LAN. Port e0/1 was traffic from the DMZ/LAN through the router to the internet.

I think I need a statement to apply the access-group as well. Something like:

Code:
Router(config)# int e0/0
Router(config-if)# ip access-group 100 in
Router(config-if)# int e0/1
Router(config-if)# ip access-group 101 in

> I could be wrong, but I think you might want to specify internal hosts and their ports. It looks to me like all of those ports are open to any of the servers. Something like below maybe??
>
> !Access List #2
> !Applied to e0/1
> !
> Router(config)# access-list 2 deny tcp any any eq 110
> Router(config)# access-list 2 permit tcp any host 10.20.1.1 eq 80
> Router(config)# access-list 2 permit tcp any host 10.20.1.2 eq 25
> Router(config)# access-list 2 permit tcp any host 10.20.1.3 eq 20
> Router(config)# access-list 2 permit tcp any host 10.20.1.3 eq 21
> Router(config)# access-list 2 permit tcp any range 49151-65535
> Router(config)# access-list 2 permit icmp any any
> Router(config)# access-list 2 deny ip any any
> !
> !
> !end
>
> Also, deny entries go before permits. I am definitely not an ACL expert however. Hope I have helped, but no guarantees :p

Yes, that makes sense. That just gets applied to the e0/1 interface, or on both sides?

> If you want to block explicit ports you have to use an extended access list which are numbered 100-199:
>
> i.e.: access-list 100 permit tcp any any eq 80 permits all http traffic from any host to any host
>
> Access lists 1-99 are standard access lists and allow/deny traffic based on a source host or network only
>
> i.e.: access-list 1 permit 1.1.1.1 0.0.0.0 permits all traffic from the host 1.1.1.1

OK, that clears up the info I was reading. I didn't understand the difference between standard and extended access lists. So how about this for the new text:

Code:
!Access List #100
!Applied to e0/0 coming in from the internet
!
! extended entries take source, then destination, then the port qualifier;
! range uses two space-separated numbers
Router(config)# access-list 100 permit tcp any any eq 80
Router(config)# access-list 100 permit tcp any any eq 25
Router(config)# access-list 100 permit tcp any any eq 110
Router(config)# access-list 100 permit tcp any any eq 20
Router(config)# access-list 100 permit tcp any any eq 21
Router(config)# access-list 100 permit tcp any any range 49151 65535
Router(config)# access-list 100 deny ip any any
!
!
!end



!Access List #101
!Applied to e0/1 going out of the DMZ
!
Router(config)# access-list 101 deny tcp any any eq 110
Router(config)# access-list 101 permit tcp any host 10.20.1.1 eq 80
Router(config)# access-list 101 permit tcp any host 10.20.1.2 eq 25
Router(config)# access-list 101 permit tcp any host 10.20.1.3 eq 20
Router(config)# access-list 101 permit tcp any host 10.20.1.3 eq 21
Router(config)# access-list 101 permit tcp any any range 49151 65535
Router(config)# access-list 101 permit icmp any any
Router(config)# access-list 101 deny ip any any
!
!
!end

I know I'm supposed to deny a local ip address from accessing the network from the internet. Should I add the following to ACL #100:

Code:
! a network entry takes a wildcard mask (0.0.0.255), not a subnet mask, and no "host" keyword
Router(config)# access-list 100 deny ip 10.20.0.0 0.0.0.255 any
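The two things the thread keeps circling are that IOS evaluates an access list top-down and stops at the first match (so an anti-spoofing deny placed after a permit, or the POP3 deny placed after a broad permit, never fires), and that permitting the whole ephemeral range inbound opens every high port on every internal host. The following is an added example, not code from any of the posts: a small evaluator for the subset of extended-ACL syntax used in this thread, run against a corrected version of ACL 100 and ACL 101. It keeps the thread's server addresses (web 10.20.1.1, mail 10.20.1.2, FTP 10.20.1.3); treating 10.20.0.0/16 as the internal range and the 198.51.100.0/24, 203.0.113.0/24 sample clients are assumptions, since the network map is not on the page. Return traffic for sessions opened from inside is matched with `established` (ACK or RST bit set) instead of a port range.

```python
"""First-match evaluator for the subset of Cisco IOS extended-ACL syntax used in
this thread (permit/deny, ip/tcp/udp/icmp, any/host/wildcard, eq/range, established).
Added example; the ACL text below is a corrected version of the thread's lists."""
import ipaddress
from dataclasses import dataclass

# ACL 100, applied 'in' on e0/0 (Internet side). Servers per the thread: web
# 10.20.1.1, mail 10.20.1.2, FTP 10.20.1.3. Treating 10.20.0.0/16 as the whole
# internal range (LAN + DMZ) is an assumption; the network map is not on the page.
ACL_100 = [
    "access-list 100 deny   ip 10.20.0.0 0.0.255.255 any",  # anti-spoofing, must be first
    "access-list 100 permit tcp any host 10.20.1.1 eq 80",
    "access-list 100 permit tcp any host 10.20.1.2 eq 25",
    "access-list 100 permit tcp any host 10.20.1.2 eq 110",
    "access-list 100 permit tcp any host 10.20.1.3 eq 21",
    "access-list 100 permit tcp any any established",  # replies to sessions opened inside
    "access-list 100 deny   ip any any",
]
# ACL 101, applied 'in' on e0/1 (DMZ/LAN side): no POP3 leaves, and only packets
# with an internal source address leave at all.
ACL_101 = [
    "access-list 101 deny   tcp any any eq 110",
    "access-list 101 permit ip 10.20.0.0 0.0.255.255 any",
    "access-list 101 deny   ip any any",
]

@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    ack: bool = False   # TCP ACK (or RST) set, i.e. not the opening SYN

def _addr(tok, i):
    """Parse 'any' | 'host A' | 'A WILDCARD' at tok[i]; return (network, next index)."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    # IOS wildcard: a 1 bit means "don't care"; inverting it gives a netmask (contiguous only)
    mask = ".".join(str(255 - int(o)) for o in tok[i + 1].split("."))
    return ipaddress.ip_network(f"{tok[i]}/{mask}", strict=False), i + 2

def _ports(tok, i):
    """Parse an optional 'eq N' | 'range LO HI' at tok[i]; absent means any port."""
    if i < len(tok) and tok[i] == "eq":
        p = int(tok[i + 1])
        return (lambda x: x == p), i + 2
    if i < len(tok) and tok[i] == "range":
        lo, hi = int(tok[i + 1]), int(tok[i + 2])
        return (lambda x: lo <= x <= hi), i + 3
    return (lambda x: True), i

def parse_ace(line):
    """'access-list N action proto src [ports] dst [ports] [established]' -> tuple."""
    tok = line.split()
    action, proto = tok[2], tok[3]
    layer4 = proto in ("tcp", "udp")      # only these carry port qualifiers
    src, i = _addr(tok, 4)
    sport, i = _ports(tok, i) if layer4 else ((lambda x: True), i)
    dst, i = _addr(tok, i)
    dport, i = _ports(tok, i) if layer4 else ((lambda x: True), i)
    return action, proto, src, sport, dst, dport, "established" in tok[i:]

def matches(ace, pkt):
    action, proto, src, sport, dst, dport, established = ace
    if proto != "ip" and proto != pkt.proto:
        return False
    if ipaddress.ip_address(pkt.src) not in src or ipaddress.ip_address(pkt.dst) not in dst:
        return False
    if not (sport(pkt.sport) and dport(pkt.dport)):
        return False
    return pkt.ack or not established   # 'established' requires ACK/RST set

def evaluate(acl, pkt):
    """Top-down, first match wins; no match means the implicit 'deny ip any any'."""
    for line in acl:
        ace = parse_ace(line)
        if matches(ace, pkt):
            return ace[0]
    return "deny"

def order_matters():
    """Put ACL 101's POP3 deny below the broad permit and it never fires."""
    pop3 = Packet("tcp", "10.20.1.2", "203.0.113.9", 52000, 110)
    reordered = [ACL_101[1], ACL_101[0], ACL_101[2]]
    return evaluate(ACL_101, pop3), evaluate(reordered, pop3)

if __name__ == "__main__":
    samples = {  # constructed packets arriving on e0/0
        "web SYN": Packet("tcp", "198.51.100.7", "10.20.1.1", 50000, 80),
        "spoofed": Packet("tcp", "10.20.1.9", "10.20.1.1", 50000, 80),
        "reply": Packet("tcp", "203.0.113.5", "10.20.0.50", 80, 52000, ack=True),
        "probe": Packet("tcp", "203.0.113.5", "10.20.0.50", 80, 52000),
    }
    for name, p in samples.items():
        print(f"ACL 100 {name:8s} -> {evaluate(ACL_100, p)}")
    print("ACL 101 POP3, deny first vs last:", order_matters())
```

The lists bind exactly as in the post above (`ip access-group 100 in` on e0/0, `ip access-group 101 in` on e0/1). Port 20 is absent from ACL 100 because an active-mode FTP data connection is opened by the server, so on e0/0 only the client's ACK-flagged packets arrive and `established` already covers them; passive-mode FTP would need the server's passive port range permitted or real stateful inspection. `established` only inspects TCP flags, so any ACK-flagged packet gets through to any internal host; on the IOS Firewall feature set, reflexive ACLs or CBAC (`ip inspect`) are the stronger option. The parser handles numeric ports and contiguous wildcard masks only, which is all the thread's lists use.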
 