#21  02-19-2009, 06:43 PM
thecoldone06

Quote: Originally Posted by Flyingbull
access-list 1 is my interface for outside access,
When I put in this:
access-list 1 permit ip 192.168.10.0 0.0.0.255 any
it fails with a "translating ip...." then it goes invalid input at marker, at ip.
Any idea as to why?
The reason that that won't work is because access-list 1 is a standard access list. Access-list 1 - 99 are standard and 100 - 199 are extended. Standard access lists are made up as below:

access-list 1 permit/deny <ip address> <wildcard> <log> #wildcard and log are optional commands.

When you get into extended access lists, you can start adding a destination and a port. So in my example:

access-list 101 permit ip 192.168.10.0 0.0.0.255 any

This is allowing your 192.168.10.0 network to get to any destination. This is why it is attempting to translate: because a standard access-list can't have a destination, I believe. I haven't tried it; I'll have to give it a shot on a test router I have here. That's my only thought as to why that wouldn't work, though.
#22  02-19-2009, 06:47 PM
Flyingbull

Quote: Originally Posted by thecoldone06 (post #21 above)
So it doesn't matter that the access-list is set up like this then:
access-list 1 permit 192.168.10.0 0.0.0.255
That is why they can't get out, because I need to set up a new list, access 102, with the parameters described then? I can then remove the established line on the other list maybe?
__________________
Michael L.White Consulting (919) 285-8313
michael@flyingbullsoftware.com
#23  02-19-2009, 06:55 PM
thecoldone06

Quote: Originally Posted by Flyingbull (post #22 above)
From my understanding (it has been a while since I've set up access-lists, especially standard ones), if you got rid of access-list 1 and replaced it with the one I provided, this would allow all IP (TCP and UDP) out of the network. Because you allowed it out, the reply would be allowed to come back in. If you then got rid of all access-lists coming in, then you would essentially be shutting everything down coming in from the outside. However, on a router, if there is not an access-list applied, it by default allows everything.

I tested the standard access-list with the Protocol (another option not allowed with standard) and a destination and it attempted a translation as well.

Code:
Router#config t
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#access-list 1 permit ip 192.168.10.0 0.0.0.255 any
Translating "ip"...domain server (255.255.255.255)
                                    ^
% Invalid input detected at '^' marker.

Router(config)#

#24  02-19-2009, 07:16 PM
Flyingbull

Quote: Originally Posted by thecoldone06 (post #23 above)
Looks like there is more in this mix than I realized. I deleted access list 1 and added in the other one. Didn't make a difference, but then I realized I forgot to put access list 1 back in; that didn't even make a difference either.
As long as I put in those two lines, access-list 101 tcp 192.168.2.0 0.0.0.255 established
and udp any any,
everyone is happy as a lark.
#25  02-19-2009, 07:54 PM
thecoldone06

Quote: Originally Posted by Flyingbull (post #24 above)
When you put in the access-list 101 command, unless you change the

ip nat inside source list 1 pool natpool overload

command to reflect the 101 access list then I don't think it would mean anything to the router.

EDIT: Try this

change these two lines:
Code:
ip nat inside source list 1 pool natpool overload
access-list 1 permit 192.168.10.0 0.0.0.255
to reflect:
Code:
ip nat inside source list 102 pool natpool overload
access-list 102 permit ip 192.168.10.0 0.0.0.255 any

#26  02-23-2009, 04:02 PM
thecoldone06

You get a chance to test that out?
#27  02-23-2009, 06:09 PM
Flyingbull

Quote: Originally Posted by thecoldone06 (post #26 above)
Sorry, I forgot to come back and say "Well, sort of eureka."
It didn't work the way I expected. While the line of code did work, it didn't do what I wanted it to do. It makes me think that maybe the interfaces need to be set up differently.
On the code where I went "udp any any", I thought that would be a serious security violation, but I got a UDP port scanner, and it didn't find any of the ports.
#28  02-23-2009, 06:34 PM
thecoldone06

Could you post your current running configuration, as it has changed quite a bit since you posted it on the first page?
#29  02-23-2009, 08:15 PM
Flyingbull

My next step is now to disable the services, http for one. I'm looking at different templates on IOS to guide me in understanding what is good, bad and ugly on this crap.
Code:
Using 2360 out of 245752 bytes
!
version 12.4
service config
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname !!!!!!!!!!!!!!!!!!!!!1
!
boot-start-marker
boot-end-marker
!
no logging buffered
enable password %%%%%%%%%
!
no aaa new-model
!
resource policy
!
ip subnet-zero
!
!
ip cef
!
!
ip name-server 1XX.0.XXX.XX
!
!
!
!
interface FastEthernet0/0
 description ttt Local Area Network
 ip address 192.168.10.254 255.255.255.0 secondary
 ip address 1xx.1.1xx.xx 255.255.255.192
 ip nat inside
 duplex auto
 speed auto
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial0/0/0
 description T1 line #1
 ip address 1xx.xxx.198.xxx 255.255.255.252
 ip access-group 101 in
 ip nat outside
!
interface Serial0/1/0
 description T1 line #2
 ip address 1xx.xxx.198.xxx 255.255.255.252
 ip access-group 101 in
 ip nat outside
!
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/0/0
ip route 0.0.0.0 0.0.0.0 Serial0/1/0
!
ip http server
ip nat pool natpool ##.1.196.## ##.1.196.75 netmask 255.255.255.192
ip nat inside source list 100 pool natpool overload
ip nat inside source static 192.168.10.201 xx.x.196.70
ip nat inside source static 192.168.10.1 xx.x.196.71
ip nat inside source static 192.168.10.7 xx.x.196.72
ip nat inside source static 192.168.10.5 xx.x.196.73
ip nat inside source static 192.168.10.16 xx.x.196.74
ip nat inside source static 192.168.10.17 xx.x.196.76
ip nat inside source static 192.168.10.15 xx.x.196.77
!
access-list 100 permit ip 192.168.10.0 0.0.0.255 any
access-list 101 permit tcp any any established  #with out this
access-list 101 permit udp any any		#and this, can't do anything
access-list 101 permit tcp any any eq telnet    #need this for my access
access-list 101 permit tcp any eq ftp-data any  #Active FTP
access-list 101 permit tcp any any eq ftp       #FTP
access-list 101 permit udp any any eq 23	#Active FTP	
access-list 101 permit tcp any any eq pop3
access-list 101 permit tcp any any eq 143	
access-list 101 permit tcp any any eq 587	#smtp
access-list 101 permit tcp any any eq 3000	#Web-e-mail
access-list 101 permit tcp any any eq 3389	#RDP
access-list 101 permit udp any any eq 3389	#RDP
access-list 101 permit tcp any any eq 5631	#PCA
access-list 101 permit udp any any eq 5632	#PCA
access-list 101 deny   ip any any
!
control-plane
!
!
line con 0
 password xxxx
 login
line aux 0
 password cxxxx
 login
line vty 0 4
 password xxxxx
 login
!
scheduler allocate 20000 1000
!
end
#30  02-23-2009, 09:53 PM
thecoldone06

Check out this site:

http://www.networkclue.com/routing/C...sts/index.aspx

Very nice explanation of ACLs. Also at the bottom is a continuation on applying them. According to that article, check out the below and see what you think.

Code:
access-list 100 permit ip 192.168.10.0 0.0.0.255 any 
            #allows all internal network traffic out of router

access-list 101 permit tcp any 192.168.10.0 0.0.0.255 established
           #Allows established connections from outside back in (originated internally)

access-list 101 permit tcp any any eq telnet    #need this for my access
access-list 101 permit udp any any eq 23	        #Active FTP
access-list 101 permit tcp any eq ftp-data any  #Active FTP
access-list 101 permit tcp any any eq ftp       #FTP
access-list 101 permit tcp any any eq pop3
access-list 101 permit tcp any any eq 143	
access-list 101 permit tcp any any eq 587	#smtp
access-list 101 permit tcp any any eq 3000	#Web-e-mail
access-list 101 permit tcp any any eq 3389	#RDP
access-list 101 permit udp any any eq 3389	#RDP
access-list 101 permit tcp any any eq 5631	#PCA
access-list 101 permit udp any any eq 5632	#PCA
access-list 101 deny   ip any any

interface Serial0/0/0
 description T1 line #1
 ip address 1xx.xxx.198.xxx 255.255.255.252
 ip access-group 101 in
 ip access-group 100 out
 ip nat outside
!
interface Serial0/1/0
 description T1 line #2
 ip address 1xx.xxx.198.xxx 255.255.255.252
 ip access-group 101 in
 ip access-group 100 out
 ip nat outside
!
I took out the following:

access-list 101 permit udp any any
#shouldn't need this

Then on the serial interfaces I've made access group 100 outbound. I'm not a NAT guru, so I'm not positive list 100 is even being applied. That'll for sure allow the traffic out. What do ya think?
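As an added example (not code from this thread, Cisco, or the poster's router), here is a small Python model of the numbered-ACL behaviour the thread turns on: a list numbered 1-99 is standard and takes only a source address, which is why the router rejected `access-list 1 permit ip ... any` in post #23, while a 100-199 list matches protocol, source, destination, `eq` ports and `established` (TCP segments with ACK or RST set), with the implicit deny at the end. The sample list and the packets are constructed; one caveat a practitioner should keep in mind when reading post #30 is that IOS checks an inbound ACL on the outside interface before it undoes the NAT translation, so the destination the ACL sees is the public address, not the 192.168.10.x host.

```python
import ipaddress
PORTS = {"telnet": 23, "ftp": 21, "ftp-data": 20, "pop3": 110}
ANY = ("0.0.0.0", "255.255.255.255")  # 'any' is 0.0.0.0 with an all-ones wildcard
# Constructed sample modelled on the inbound list in post #29 (not the poster's actual config).
INBOUND_101 = """access-list 101 permit tcp any any established  #replies to inside-originated TCP
access-list 101 permit udp any any                              #the line post #30 removes
access-list 101 permit tcp any any eq 3389                      #RDP"""

def _addr(tok):  # consume 'any' | 'host A.B.C.D' | 'A.B.C.D wildcard'
    t = tok.pop(0)
    return ANY if t == "any" else (tok.pop(0), "0.0.0.0") if t == "host" else (t, tok.pop(0))
def _port(tok):  # consume optional 'eq <number|name>'; None means any port
    if tok[:1] != ["eq"]:
        return None
    p = tok[1]; del tok[:2]
    return int(PORTS.get(p, p))
def _match(ip, net, wildcard):  # Cisco wildcard mask: a 1 bit means "don't care"
    i, n, w = (int(ipaddress.IPv4Address(x)) for x in (ip, net, wildcard))
    return (i & ~w) == (n & ~w)

def parse_acl(config):
    """Parse 'access-list N ...' lines into {N: [ace, ...]}; '#' annotations are ignored."""
    acls = {}
    for line in config.splitlines():
        tok = line.split("#")[0].split()
        if tok[:1] != ["access-list"]:
            continue
        num, rest = int(tok[1]), tok[3:]
        ace = {"action": tok[2], "proto": "ip", "sport": None, "dport": None, "dst": ANY}
        if num < 100:  # standard (1-99): source only; 'ip ... any' here is what the router rejected
            if rest[0] in ("ip", "tcp", "udp", "icmp"):
                raise ValueError(f"list {num} is standard: no protocol or destination allowed")
            ace["src"], ace["established"] = _addr(rest), False
        else:  # extended (100-199): proto src [eq port] dst [eq port] [established]
            ace["proto"], ace["established"] = rest.pop(0), "established" in rest
            ace["src"], ace["sport"] = _addr(rest), _port(rest)
            ace["dst"], ace["dport"] = _addr(rest), _port(rest)
        acls.setdefault(num, []).append(ace)
    return acls

def evaluate(aces, pkt):
    """First match wins; Cisco's implicit 'deny ip any any' applies if nothing matches."""
    for a in aces:
        if (a["proto"] in ("ip", pkt["proto"]) and _match(pkt["src"], *a["src"])
                and _match(pkt["dst"], *a["dst"]) and a["sport"] in (None, pkt.get("sport"))
                and a["dport"] in (None, pkt.get("dport"))
                # 'established' matches only TCP segments with ACK or RST set, i.e. reply traffic
                and (not a["established"] or (pkt["proto"] == "tcp" and pkt.get("ack")))):
            return a["action"]
    return "deny"
```

Run against the constructed list, a new inbound TCP connection to port 445 is dropped by the implicit deny while a reply with ACK set is let through by `established`, and any UDP datagram is permitted until the blanket `permit udp any any` line is removed, which is the exposure post #27 noticed and post #30 closes.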