Cisco ios

[thecoldone06]

Quote:

Originally Posted by Flyingbull

access-list 1 is my interface for outside access,
When I put in this:
access-list 1 permit ip 192.168.10.0 0.0.0.255 any
it fails with a "tranlsating ip...." then it goes invalid input at marker. at ip.
Any idea as to why?

The reason that that won't work is because access-list 1 is a standard access list. Access-list 1 - 99 are standard and 100 - 199 are extended. Standard access lists are made up as below:

access-list 1 permit/deny <ip address> <wildcard> <log> #wildcard and log are optional commands.

When you get into extended access lists, you can start adding a destination and a port. So in my example:

access-list 101 permit ip 192.168.10.0 0.0.0.255 any

This is allowing your 192.168.10.0 network to get to any destination. This is why it is attempting to translate because a standard access-list can't have a destination. I believe. I haven't tried it, i'll have to give it a shot on a test router I have here. Thats my only thought as to why that wouldn't work though.

[Flyingbull]

Quote:

Originally Posted by thecoldone06

The reason that that won't work is because access-list 1 is a standard access list. Access-list 1 - 99 are standard and 100 - 199 are extended. Standard access lists are made up as below:

access-list 1 permit/deny <ip address> <wildcard> <log> #wildcard and log are optional commands.

When you get into extended access lists, you can start adding a destination and a port. So in my example:

access-list 101 permit ip 192.168.10.0 0.0.0.255 any

This is allowing your 192.168.10.0 network to get to any destination. This is why it is attempting to translate because a standard access-list can't have a destination. I believe. I haven't tried it, i'll have to give it a shot on a test router I have here. Thats my only thought as to why that wouldn't work though.

So it doesn't matter that access-list is setup like this then:
access-list 1 permit 192.168.10.0 0.0.0.255
that is why they can't get out because I need to setup a new list, access 102 with the paramters described then? I can then remove the established line on the other list maybe?

[thecoldone06]

Quote:

Originally Posted by Flyingbull

So it doesn't matter that access-list is setup like this then:
access-list 1 permit 192.168.10.0 0.0.0.255
that is why they can't get out because I need to setup a new list, access 102 with the paramters described then? I can then remove the established line on the other list maybe?

From my understanding, it has been a while since I've setup access-lists (especially standard) that if you got rid of the access-list 1 and replaced it with the one i provided, this would allow all IP (TCP and UDP) out of the network. Because you allowed it out, the reply would be allowed to come back in. If you then got rid of all access-list coming in then you would be essentially shutting everything down comeing in from the outside. However, on a router, if there is not an access-list applied, it by default allows everything.

I tested the standard access-list with the Protocol (another option not allowed with standard) and a destination and it attempted a translation as well.

Code:

Router#config t
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#access-list 1 permit ip 192.168.10.0 0.0.0.255 any
Translating "ip"...domain server (255.255.255.255)
                                    ^
% Invalid input detected at '^' marker.

Router(config)#

[Flyingbull]

Quote:

Originally Posted by thecoldone06

From my understanding, it has been a while since I've setup access-lists (especially standard) that if you got rid of the access-list 1 and replaced it with the one i provided, this would allow all IP (TCP and UDP) out of the network. Because you allowed it out, the reply would be allowed to come back in. If you then got rid of all access-list coming in then you would be essentially shutting everything down comeing in from the outside. However, on a router, if there is not an access-list applied, it by default allows everything.

I tested the standard access-list with the Protocol (another option not allowed with standard) and a destination and it attempted a translation as well.

Code:

Router#config t
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#access-list 1 permit ip 192.168.10.0 0.0.0.255 any
Translating "ip"...domain server (255.255.255.255)
                                    ^
% Invalid input detected at '^' marker.

Router(config)#

Looks like there is more in this mix then I realized, I deleted the access list 1, and added in the other one. Didn't make a differn't, but then I realized I forgot to put access list 1 back in, didn't even make a difference.
as long as I put those two lines Access-list 101 tcp 192.168.2.0 0.0.0.255 etablished
and udp any any
everyone is happy as a lark.

[thecoldone06]

Quote:

Originally Posted by Flyingbull

Looks like there is more in this mix then I realized, I deleted the access list 1, and added in the other one. Didn't make a differn't, but then I realized I forgot to put access list 1 back in, didn't even make a difference.
as long as I put those two lines Access-list 101 tcp 192.168.2.0 0.0.0.255 etablished
and udp any any
everyone is happy as a lark.

When you put in the access-list 101 command, unless you change the

ip nat inside source list 1 pool natpool overload

command to reflect the 101 access list then I don't think it would mean anything to the router.

EDIT: Try this

change these two lines:

Code:

ip nat inside source list 1 pool natpool overload
access-list 1 permit 192.168.10.0 0.0.0.255

to reflect:

Code:

ip nat inside source list 102 pool natpool overload
access-list 102 permit ip 192.168.10.0 0.0.0.255 any

[thecoldone06]

You get a chance to test that out?

[Flyingbull]

Quote:

Originally Posted by thecoldone06

You get a chance to test that out?

Sorry, I forgot to come back and say "Well sort of eurkeka"
it didn't work the way I expected. While the line of code did work, it didn't do what I wanted to do. It makes me think that maybe the interfaces need to be setup differn'tly.
On the code where I went "udp any any" I thought that would be a serious security violation, but I got a UDP port scanner, and it didn't find any of the ports.

[thecoldone06]

Could you post your current running configuration as it has changed quite a bit since you posted it on the first page.

[Flyingbull]

My next step is now to disable the services http for one, I'm looking at differn't templates on IOS to guide me in understanding what is good bad and ugly on this crap

Code:

Using 2360 out of 245752 bytes
!
version 12.4
service config
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname !!!!!!!!!!!!!!!!!!!!!1
!
boot-start-marker
boot-end-marker
!
no logging buffered
enable password %%%%%%%%%
!
no aaa new-model
!
resource policy
!
ip subnet-zero
!
!
ip cef
!
!
ip name-server 1XX.0.XXX.XX
!
!
!
!
interface FastEthernet0/0
 description ttt Local Area Network
 ip address 192.168.10.254 255.255.255.0 secondary
 ip address 1xx.1.1xx.xx 255.255.255.192
 ip nat inside
 duplex auto
 speed auto
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial0/0/0
 description T1 line #1
 ip address 1xx.xxx.198.xxx 255.255.255.252
 ip access-group 101 in
 ip nat outside
!
interface Serial0/1/0
 description T1 line #2
 ip address 1xx.xxx.198.xxx 255.255.255.252
 ip access-group 101 in
 ip nat outside
!
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/0/0
ip route 0.0.0.0 0.0.0.0 Serial0/1/0
!
ip http server
ip nat pool natpool ##.1.196.## ##.1.196.75 netmask 255.255.255.192
ip nat inside source list 100 pool natpool overload
ip nat inside source static 192.168.10.201 xx.x.196.70
ip nat inside source static 192.168.10.1 xx.x.196.71
ip nat inside source static 192.168.10.7 xx.x.196.72
ip nat inside source static 192.168.10.5 xx.x.196.73
ip nat inside source static 192.168.10.16 xx.x.196.74
ip nat inside source static 192.168.10.17 xx.x.196.76
ip nat inside source static 192.168.10.15 xx.x.196.77
!
access-list 100 permit ip 192.168.10.0 0.0.0.255 any
access-list 101 permit tcp any any established  #with out this
access-list 101 permit udp any any		#and this, can't do anything
access-list 101 permit tcp any any eq telnet    #need this for my access
access-list 101 permit tcp any eq ftp-data any  #Active FTP
access-list 101 permit tcp any any eq ftp       #FTP
access-list 101 permit udp any any eq 23	#Active FTP	
access-list 101 permit tcp any any eq pop3
access-list 101 permit tcp any any eq 143	
access-list 101 permit tcp any any eq 587	#smtp
access-list 101 permit tcp any any eq 3000	#Web-e-mail
access-list 101 permit tcp any any eq 3389	#RDP
access-list 101 permit udp any any eq 3389	#RDP
access-list 101 permit tcp any any eq 5631	#PCA
access-list 101 permit udp any any eq 5632	#PCA
access-list 101 deny   ip any any
!
control-plane
!
!
line con 0
 password xxxx
 login
line aux 0
 password cxxxx
 login
line vty 0 4
 password xxxxx
 login
!
scheduler allocate 20000 1000
!
end

[thecoldone06]

Check out this site:

http://www.networkclue.com/routing/C...sts/index.aspx

Very nice explanation of ACL's. Also at the bottom is a continuation on applying them. According to that article, check out the below and see what you think.

Code:

access-list 100 permit ip 192.168.10.0 0.0.0.255 any 
            #allows all internal network traffic out of router

access-list 101 permit tcp any 192.168.10.0 0.0.0.255 established
           #Allows established connections from outside back in     
             (originated internally)

access-list 101 permit tcp any any eq telnet    #need this for my access
access-list 101 permit udp any any eq 23	        #Active FTP
access-list 101 permit tcp any eq ftp-data any  #Active FTP
access-list 101 permit tcp any any eq ftp       #FTP
access-list 101 permit tcp any any eq pop3
access-list 101 permit tcp any any eq 143	
access-list 101 permit tcp any any eq 587	#smtp
access-list 101 permit tcp any any eq 3000	#Web-e-mail
access-list 101 permit tcp any any eq 3389	#RDP
access-list 101 permit udp any any eq 3389	#RDP
access-list 101 permit tcp any any eq 5631	#PCA
access-list 101 permit udp any any eq 5632	#PCA
access-list 101 deny   ip any any

interface Serial0/0/0
 description T1 line #1
 ip address 1xx.xxx.198.xxx 255.255.255.252
 ip access-group 101 in
 ip access-group 100 out
 ip nat outside
!
interface Serial0/1/0
 description T1 line #2
 ip address 1xx.xxx.198.xxx 255.255.255.252
 ip access-group 101 in
 ip access-group 100 out
 ip nat outside
!

I took out the following:

access-list 101 permit udp any any
#shouldn't need this

Then on the serial interfaces iv made the access group 100 outbound. I'm not a NAT guru so im not positive list 100 is even being applied. Thill for sure allow the traffic out. What do ya think?