08.29.2008 at 03:13PM PDT, ID: 23690281 | Points: 250
Cisco 2800 access lists

Asked by UptimeSystems in Network Routers

Hello;
I am managing a Cisco 2800 router that performs a few functions for a small network:
1. It is the edge device, and connects this network to the Internet.
2. It is effectively the firewall (CBAC).
3. It is also a VPN endpoint to another satellite office.
4. It ties in with their Cisco phone system.

I have attached a copy of the running-config in the code snippet portion (below). Public IP addresses have been changed. In trying to create and apply a new access-list I've found that I see no "access-group" commands in the config that actually apply any access list to an interface. They have several different access lists, including some basic ones (for internal port forwards) as well as some used by NAT bypass and VPN traffic. But I cannot see where they are applied. Is my limited Cisco IOS knowledge out of date, and some other command is used to apply an ACL to an int? I even tried various iterations of 'sh int' and 'sh ip int brief' to try to see some assignment, but could not.

Ultimately, what I want to accomplish is simple--create a new ACL that inspects traffic coming INTO the INSIDE interface (i.e. ultimately destined for the Internet) and allows all outbound except port 25 outbound (with the exception of the internal mail server).

So...

1. What am I missing--where are these ACLs applied?
2. Can someone list a few commands to accomplish the SMTP control I've requested? Something like:

! corrected: IP extended ACLs are numbered 100-199 (or 2000-2699), not 300,
! and take wildcard masks (0.0.0.255) rather than subnet masks (255.255.255.0)
access-list 120 permit tcp host 192.168.1.10 any eq 25
! 192.168.1.10 is the internal mail server
access-list 120 deny tcp 192.168.1.0 0.0.0.255 any eq 25
access-list 120 permit ip 192.168.1.0 0.0.0.255 any

Thanks! PS--I inherited this Cisco router, so please forgive the messy config.
!
! Last configuration change at 17:17:46 CDT Thu Aug 28 2008 by admin
! NVRAM config last updated at 17:17:49 CDT Thu Aug 28 2008 by admin
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname BSG_Edina_Router
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
logging console warnings
logging monitor warnings
enable secret 5 $1$8NFd$oJar8FoaBoCz.XzReiD2T0
!
no aaa new-model
!
resource policy
!
clock timezone CST -6
clock summer-time CDT recurring 2 Sun Mar 2:00 1 Sun Nov 2:00
network-clock-participate wic 0 
network-clock-select 1 T1 0/0/0
!
!
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.1 192.168.1.49
ip dhcp excluded-address 192.168.1.101 192.168.1.254
!
ip dhcp pool Dhcp
   network 192.168.1.0 255.255.255.0
   domain-name BUYSSUPPORT.COM
   default-router 192.168.1.254 
   dns-server 192.168.1.10 
!
ip dhcp pool dhcp
   dns-server 192.168.1.10 
!
!
no ip domain lookup
ip domain name buyerssupport.com
ip ssh time-out 5
ip ssh version 2
ip inspect name DEFAULT100 cuseeme
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 netshow
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 sqlnet
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 vdolive
ip inspect name DEFAULT100 icmp
!
isdn switch-type primary-ni
!
voice-card 0
 no dspfarm
!
!
no voice call carrier capacity active
!
voice service voip 
 allow-connections h323 to h323
 no supplementary-service h450.2
 no supplementary-service h450.3
 fax protocol pass-through g711ulaw
 h323
 modem passthrough nse codec g711ulaw
 sip
!
!
!
voice class codec 1
 codec preference 1 g711ulaw
 codec preference 2 g729r8
!
!
!
!
!
!
!
!
!
!
crypto pki trustpoint TP-self-signed-1271774607
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1271774607
 revocation-check none
 rsakeypair TP-self-signed-1271774607
!
!
crypto pki certificate chain TP-self-signed-1271774607
 certificate self-signed 01
  3082025C 308201C5 A0030201 02020101 300D0609 2A864886 F70D0101 04050030 
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274 
  69666963 6174652D 31323731 37373436 3037301E 170D3036 30313330 32313136 
  35395A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649 
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 32373137 
  37343630 3730819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281 
  8100B23D 13C284C8 4F9A2B76 7C09A712 C3089C4C 78CBAF49 5B46C730 1CB54B07 
  FA860D1E C1E2D929 EB880FBD 1A514376 908CE414 1A762A26 DC9EDA1B 12903225 
  AF1AEE53 801D39FA 1B567369 20CF3BC3 522845CD 55B139BB F0FDF321 1712822F 
  2D1A1A56 9273351A 60708709 C1C2F678 75212690 8E00E338 C2AC9B69 866CBC0B 
  BDAF0203 010001A3 81833081 80300F06 03551D13 0101FF04 05300301 01FF302D 
  0603551D 11042630 24822242 53475F45 64696E61 5F526F75 7465722E 62757965 
  72737375 70706F72 742E636F 6D301F06 03551D23 04183016 80145507 31A6CD79 
  07FB8262 2DC4BAA6 E4B215A2 2442301D 0603551D 0E041604 14550731 A6CD7907 
  FB82622D C4BAA6E4 B215A224 42300D06 092A8648 86F70D01 01040500 03818100 
  3F754ADF 01555E4E 10866C23 5557AF44 49A46058 EEA7504A FDCF9A2A 40346180 
  86F963E1 7D5CDC0C 0F90273F 3A32A181 7A01E389 8EBF1AC2 6BA633AD 88534350 
  96A243DA 799DADAC 183486F0 5F188602 FA669F16 2B8CA482 9BAB5FD0 B1833DFC 
  86E193FE 23E3C4D3 0C6945AA CCD994C7 E085D732 DE5E530A 6BBDD710 4D819364
  quit
username admin secret 5 $1$PCLO$badbb9J55Xue9.6B96e9A.
!
!
controller T1 0/0/0
 framing esf
 linecode b8zs
 cablelength short 266
 pri-group timeslots 1-24 service mgcp
 description Voice PRI
!
controller T1 0/0/1
 framing esf
 linecode b8zs
! 
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key #bsg#zxc! address 67.77.77.77
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
!
crypto map SDM_CMAP_1 1 ipsec-isakmp 
 description Tunnel to67.52.62.230
 set peer 67.88.88.88
 set peer 67.99.99.99
 set transform-set ESP-3DES-SHA 
 match address 100
!
!
!
!
interface FastEthernet0/0
 description $FW_INSIDE$$ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0/0$
 no ip address
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet0/0.172
 encapsulation dot1Q 172
 ip address 172.16.1.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 no snmp trap link-status
 h323-gateway voip interface
 h323-gateway voip bind srcaddr 172.16.1.254
!
interface FastEthernet0/0.192
 encapsulation dot1Q 192
 ip address 192.168.1.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 no snmp trap link-status
!
interface FastEthernet0/1
 description $FW_OUTSIDE$$ETH-WAN$
 ip address 65.22.22.22 255.255.255.240
 ip nat outside
 ip inspect DEFAULT100 out
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map SDM_CMAP_1
!
interface Serial0/0/0:23
 no ip address
 encapsulation hdlc
 isdn switch-type primary-ni
 isdn incoming-voice voice
 isdn bind-l3 ccm-manager
 no cdp enable
!
ip route 0.0.0.0 0.0.0.0 65.11.11.11
!
!
ip http server
ip http authentication local
ip http secure-server
ip nat inside source route-map nonat interface FastEthernet0/1 overload
ip nat inside source static tcp 192.168.1.10 25 65.33.33.33 25 extendable
ip nat inside source static tcp 192.168.1.10 80 65.33.33.33 80 extendable
ip nat inside source static tcp 192.168.1.10 110 65.33.33.33 110 extendable
ip nat inside source static tcp 192.168.1.10 443 65.33.33.33 443 extendable
ip nat inside source static tcp 172.16.1.20 3389 65.33.33.33 3389 extendable
ip nat inside source static tcp 172.16.1.25 3389 65.33.33.33 3390 extendable
ip nat inside source static tcp 192.168.1.25 3391 65.33.33.33 3391 extendable
ip nat inside source static tcp 192.168.1.10 3389 65.33.33.33 4001 extendable
ip nat inside source static tcp 192.168.1.11 3389 65.33.33.33 4002 extendable
ip nat inside source static tcp 192.168.1.30 3389 65.33.33.33 4003 extendable
ip nat inside source static tcp 192.168.1.31 4004 65.33.33.33 4004 extendable
ip nat inside source static tcp 192.168.1.32 3389 65.33.33.33 4005 extendable
ip nat inside source static tcp 192.168.1.33 3389 65.33.33.33 4006 extendable
ip nat inside source static tcp 192.168.1.1 8009 65.33.33.33 8009 extendable
!
access-list 11 permit 209.55.55.55
access-list 11 permit 192.168.1.0 0.0.0.255
access-list 11 permit 172.16.1.0 0.0.0.255
access-list 100 permit ip 192.168.1.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 100 permit ip 172.16.1.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 100 permit ip 192.168.1.0 0.0.0.255 172.16.0.0 0.0.0.255
access-list 100 permit ip 172.16.1.0 0.0.0.255 172.16.0.0 0.0.0.255
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 permit tcp any host 192.168.1.1 eq smtp
access-list 101 permit tcp any host 192.168.1.1 eq www
access-list 101 deny   ip 65.45.22.208 0.0.0.15 any
access-list 101 deny   ip host 255.255.255.255 any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 permit ip any any
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 remark auto generated by SDM firewall configuration
access-list 102 permit tcp any host 65.45.22.209 eq 4001
access-list 102 permit tcp any host 65.45.22.209 eq 4002
access-list 102 permit tcp any host 65.45.22.209 eq 4003
access-list 102 permit tcp any any eq 3389
access-list 102 remark SDM_ACL Category=1
access-list 102 permit tcp any host 65.44.44.44 eq 443
access-list 102 permit tcp any host 65.44.44.44 eq smtp
access-list 102 permit tcp any host 65.44.44.44 eq pop3
access-list 102 permit tcp any host 65.44.44.44 eq www
access-list 102 permit tcp any host 65.44.44.44 eq 3391
access-list 102 permit ahp host 67.99.99.99 host 65.66.66.66
access-list 102 permit esp host 67.99.99.99 host 65.66.66.66
access-list 102 permit udp host 67.99.99.99 host 65.66.66.66 eq isakmp
access-list 102 permit udp host 67.99.99.99 host 65.66.66.66 eq non500-isakmp
access-list 102 remark IPSec Rule
access-list 102 permit ip 10.0.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 102 deny   ip 192.168.1.0 0.0.0.255 any
access-list 102 permit icmp any host 65.66.66.66 echo-reply
access-list 102 permit icmp any host 65.66.66.66 time-exceeded
access-list 102 permit icmp any host 65.66.66.66 unreachable
access-list 102 deny   ip 10.0.0.0 0.255.255.255 any
access-list 102 permit tcp any host 65.45.22.209 eq telnet
access-list 102 deny   ip 172.16.0.0 0.15.255.255 any
access-list 102 deny   ip 192.168.0.0 0.0.255.255 any
access-list 102 deny   ip 127.0.0.0 0.255.255.255 any
access-list 102 deny   ip host 255.255.255.255 any
access-list 102 deny   ip host 0.0.0.0 any
access-list 102 deny   ip any any log
access-list 110 deny   ip 192.168.1.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 110 deny   ip 192.168.1.0 0.0.0.255 172.16.0.0 0.0.0.255
access-list 110 deny   ip 172.16.1.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 110 deny   ip 172.16.1.0 0.0.0.255 172.16.0.0 0.0.0.255
access-list 110 permit tcp any any eq 1723
access-list 110 permit ip 192.168.1.0 0.0.0.255 any
access-list 110 permit ip 172.16.1.0 0.0.0.255 any
access-list 110 permit tcp any any eq 4001
access-list 110 permit tcp any any eq 4002
access-list 110 permit tcp any any eq 4003
access-list 110 permit tcp any any eq 4004
access-list 110 permit tcp any any eq 4005
access-list 110 permit tcp any any eq 4006
!
route-map nonat permit 10
 match ip address 110
!
!
!
!
control-plane
!
!
!
voice-port 0/0/0:23
!
ccm-manager mgcp
ccm-manager music-on-hold
!
mgcp
mgcp call-agent 172.16.1.20 service-type mgcp version 0.1
mgcp dtmf-relay voip codec all mode out-of-band
mgcp timer receive-rtcp 1
!
mgcp profile default
!
!
!
dial-peer voice 1 pots
 service mgcpapp
 destination-pattern 9T
 direct-inward-dial
 port 0/0/0:23
!
!
!
!
call-manager-fallback
 secondary-dialtone 9
 max-conferences 4 gain -6
 ip source-address 172.16.1.254 port 2000
 max-ephones 42
 max-dn 144
 system message primary SRST FAILOVER ACTIVE
!
!
line con 0
 login local
line aux 0
line vty 0 4
 privilege level 15
 login local
 transport input telnet
line vty 5 15
 privilege level 15
 login local
 transport input telnet
!
scheduler allocate 20000 1000
ntp clock-period 17180263
ntp server 128.101.101.101
!
end
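The first question (where are the ACLs attached?) is answered by reading the config for the few IOS commands that reference an ACL: in the posted config, 100 is attached by 'match address 100' inside crypto map SDM_CMAP_1 and 110 by 'match ip address 110' inside route-map nonat, while 11, 101 and 102 are referenced nowhere, so no 'ip access-group' is missing. The script below is an added example (not part of the post) that performs that audit over a constructed excerpt of the config; the snmp-server and 'ip nat inside source list' patterns are included as commonly seen forms and do not occur in this config.

```python
import re

# Constructed excerpt of the running-config posted in the question (not the full
# config), trimmed to the lines that define or attach ACLs.
SAMPLE_CONFIG = """\
crypto map SDM_CMAP_1 1 ipsec-isakmp
 set peer 67.88.88.88
 match address 100
!
ip nat inside source route-map nonat interface FastEthernet0/1 overload
access-list 11 permit 192.168.1.0 0.0.0.255
access-list 100 permit ip 192.168.1.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 101 permit ip any any
access-list 102 deny   ip any any log
access-list 110 permit ip 192.168.1.0 0.0.0.255 any
!
route-map nonat permit 10
 match ip address 110
"""

# IOS commands that attach an ACL; group 1 captures the ACL number or name.
REF_PATTERNS = [
    ("ip access-group", re.compile(r"^\s*ip access-group (\S+) (?:in|out)")),
    ("crypto map match address", re.compile(r"^\s*match address (\S+)")),
    ("route-map match ip address", re.compile(r"^\s*match ip address (\S+)")),
    ("line access-class", re.compile(r"^\s*access-class (\S+) (?:in|out)")),
    ("snmp-server community", re.compile(r"^snmp-server community \S+ (?:RO|RW) (\S+)")),
    ("ip nat source list", re.compile(r"^ip nat inside source list (\S+)")),
]
DEF_PATTERN = re.compile(r"^(?:access-list|ip access-list (?:standard|extended)) (\S+)")

def acl_usage(config):
    """Map every defined ACL to the commands that reference it (empty list = unused)."""
    defined, refs, context = set(), {}, None
    for line in config.splitlines():
        d = DEF_PATTERN.match(line)
        if d:
            defined.add(d.group(1))
            continue
        if line and not line.startswith((" ", "!")):
            context = line.strip()  # remember the enclosing top-level command
        for label, pat in REF_PATTERNS:
            r = pat.match(line)
            if r:
                refs.setdefault(r.group(1), []).append(f"{label} under '{context}'")
    return {acl: refs.get(acl, []) for acl in sorted(defined, key=lambda a: (len(a), a))}

def unreferenced_acls(config):
    """ACLs that exist in the config but are attached to nothing."""
    return [acl for acl, uses in acl_usage(config).items() if not uses]

if __name__ == "__main__":
    for acl, uses in acl_usage(SAMPLE_CONFIG).items():
        print(acl, "->", "; ".join(uses) or "NOT APPLIED ANYWHERE")
```

Run against the full running-config from the post the result is the same: only 100 and 110 are in use.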
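For the second question, this added example (not the author's code) mimics IOS first-match evaluation of a numbered extended ACL so the proposed SMTP rule can be checked before it is applied. The ACL text is constructed from the sketch in the question, with the number moved into the extended range and the masks written as wildcards; the source and destination addresses in the test flows are made up.

```python
import ipaddress
# Constructed ACL in the shape the question sketches, corrected to IOS wildcard masks
# (0.0.0.255, not 255.255.255.0) and to a number in the extended range 100-199.
ACL_120 = """\
access-list 120 permit tcp host 192.168.1.10 any eq 25
access-list 120 deny   tcp 192.168.1.0 0.0.0.255 any eq 25
access-list 120 permit ip 192.168.1.0 0.0.0.255 any
"""

def wildcard_match(addr, spec):
    """spec is 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W'; wildcard 1-bits are don't-care."""
    if spec == "any":
        return True
    if spec.startswith("host "):
        return addr == spec.split()[1]
    net, wild = spec.split()
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, net, wild))
    return ((a & ~w) & 0xFFFFFFFF) == ((n & ~w) & 0xFFFFFFFF)

def parse_ace(line):
    """Parse one numbered extended ACE: access-list N action proto src [eq p] dst [eq p]."""
    t = line.split()
    def addr(i):  # consume 'any', 'host X' or 'X wildcard'; return (spec, next index)
        if t[i] == "any":
            return "any", i + 1
        if t[i] == "host":
            return f"host {t[i + 1]}", i + 2
        return f"{t[i]} {t[i + 1]}", i + 2
    src, i = addr(4)
    if i < len(t) and t[i] == "eq":  # optional source port, not used below
        i += 2
    dst, i = addr(i)
    dport = t[i + 1] if i < len(t) and t[i] == "eq" else None
    return {"action": t[2], "proto": t[3], "src": src, "dst": dst, "dport": dport}

def evaluate(acl_text, proto, src, dst, dport):
    """IOS semantics: first matching entry wins; anything unmatched hits the implicit deny."""
    for line in acl_text.splitlines():
        e = parse_ace(line)
        if e["proto"] not in ("ip", proto):
            continue
        if not (wildcard_match(src, e["src"]) and wildcard_match(dst, e["dst"])):
            continue
        if e["dport"] is not None and e["dport"] != str(dport):
            continue
        return e["action"], line
    return "deny", "implicit deny"

if __name__ == "__main__":
    for flow in [("tcp", "192.168.1.10", "203.0.113.5", 25),   # mail server relaying out
                 ("tcp", "192.168.1.77", "203.0.113.5", 25),   # workstation sending SMTP
                 ("tcp", "192.168.1.77", "203.0.113.5", 443),  # ordinary outbound web
                 ("tcp", "172.16.1.20", "203.0.113.5", 443)]:  # 172.16 VLAN: not covered
        print(flow, "->", evaluate(ACL_120, *flow))
```

On the router the list is attached to the inside VLAN subinterface with 'ip access-group 120 in' under interface FastEthernet0/0.192; the last test flow shows that the 172.16.1.0 subinterface would need its own permit entries if the same list were applied there.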