stevepedwards.com/DebianAdmin linux mint IT admin tips info

Cisco Setup – ACL Settings and Basic Routing Concepts

Routers have two main methods of transferring traffic across different interfaces/networks; using static routes or routing protocols.

I can't teach a year-long CCNA course here, but as a simple intro, the routes set and available on routers and PCs can be seen with various commands. In Linux, the command is simply:

stevee@Dell490 ~ $ route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default 192.168.1.100 0.0.0.0 UG 0 0 0 eth1
192.168.1.0 * 255.255.255.0 U 1 0 0 eth1

This shows that I have a network interface up with a default static route: traffic from the PC's network connector is sent via the Cisco 877's Vlan1 IP address, 192.168.1.100.

The Linux IP address is shown as:

stevee@Dell490 ~ $ ifconfig

eth1 Link encap:Ethernet HWaddr 00:e0:4c:53:44:58
inet addr:192.168.1.22 Bcast:192.168.1.255 Mask:255.255.255.0
inet6 addr: fe80::2e0:4cff:fe53:4458/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:1892 errors:8 dropped:3 overruns:2 frame:11
TX packets:2114 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:1411870 (1.4 MB) TX bytes:384752 (384.7 KB)

This shows I am connected to the 877 via eth1, which is a very handy yet cheap (£1.39) USB to RJ45 adapter - great for connecting a PC to multiple different networks/devices!


Routes set on a Cisco can be shown by:

cisco877#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route

Gateway of last resort is 195.166.130.248 to network 0.0.0.0

195.166.130.0/32 is subnetted, 1 subnets
C 195.166.130.248 is directly connected, Dialer1
212.159.16.0/32 is subnetted, 1 subnets
C 212.159.16.47 is directly connected, Dialer1
C 192.168.1.0/24 is directly connected, Vlan1
S* 0.0.0.0/0 [1/0] via 195.166.130.248
is directly connected, Dialer1

This info is mostly self-explanatory from the key, e.g. the default static route 0.0.0.0/0 points at the Plusnet gateway server at 195.166.130.248, which is directly connected on Dialer1. Just because many different routing protocols are listed in the key (EIGRP, OSPF, etc.) doesn't mean they are available on a particular model or IOS. To see which are, use:

cisco877#conf t

cisco877(config)# router ?
bgp Border Gateway Protocol (BGP)
eigrp Enhanced Interior Gateway Routing Protocol (EIGRP)
odr On Demand stub Routes
ospf Open Shortest Path First (OSPF)
rip Routing Information Protocol (RIP)


No routing protocols are configured, and none are needed: there are only two main networks, and both are directly connected to the router's interfaces. On a more capable router with more interfaces and routes, a routing protocol may be used for ease of administration, at the cost of higher overhead, rather than manually setting and maintaining many static routes that are inflexible to network changes.
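To make the forwarding decision behind both tables concrete, here is an added example (not code from the original post) that transcribes the two routing tables shown above and applies the longest-prefix-match rule every host and router uses: the most specific matching network wins, and 0.0.0.0/0 is consulted only when nothing else matches. The hostnames, table contents and destinations come from the page; the lookup code itself is illustrative.

```python
"""Longest-prefix-match lookup over the two routing tables shown above.

Added example, not code from the original post: the tables are transcribed
from the `route` and `sh ip route` output; the lookup is the generic
algorithm a host or router applies to every packet.
"""
import ipaddress

# From the Linux `route` output: (network, gateway, interface).
# '*' in that output means directly connected, so no gateway.
LINUX_ROUTES = [
    ("0.0.0.0/0", "192.168.1.100", "eth1"),
    ("192.168.1.0/24", None, "eth1"),
]

# From `sh ip route` on the 877: 'C' routes have no next hop, the 'S*'
# default points at the Plusnet gateway on the PPP dialer interface.
CISCO_ROUTES = [
    ("195.166.130.248/32", None, "Dialer1"),
    ("212.159.16.47/32", None, "Dialer1"),
    ("192.168.1.0/24", None, "Vlan1"),
    ("0.0.0.0/0", "195.166.130.248", "Dialer1"),
]


def lookup(table, destination):
    """Return (network, next_hop, iface) for the most specific route that
    contains `destination`, or None if nothing matches.

    Every route whose network contains the destination is a candidate and
    the longest mask wins; a /0 default therefore only applies when no more
    specific entry exists. For a connected route the next hop is the
    destination itself (it is reached directly on the interface).
    """
    dst = ipaddress.ip_address(destination)
    best = None
    for prefix, gateway, iface in table:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gateway, iface)
    if best is None:
        return None
    net, gateway, iface = best
    return str(net), gateway or destination, iface


def trace(destination):
    """Follow one packet from the PC: the PC's decision, then the 877's if the
    PC hands the packet to the router's Vlan1 address."""
    hops = [("Dell490",) + lookup(LINUX_ROUTES, destination)]
    if hops[0][2] == "192.168.1.100":
        hops.append(("cisco877",) + lookup(CISCO_ROUTES, destination))
    return hops


if __name__ == "__main__":
    for dest in ("192.168.1.22", "212.159.16.47", "8.8.8.8"):
        print(dest, "->", trace(dest))
```

`trace("8.8.8.8")` shows the PC choosing its default via 192.168.1.100 and the 877 then choosing its own default via 195.166.130.248 on Dialer1, while `trace("192.168.1.22")` stops at the PC because the /24 is more specific than the default.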

In the conf file, the default route is set by this static route command:

ip route 0.0.0.0 0.0.0.0 Dialer1

stevee@Dell490 ~ $ ping 192.168.1.100
PING 192.168.1.100 (192.168.1.100) 56(84) bytes of data.
64 bytes from 192.168.1.100: icmp_seq=2 ttl=255 time=3.93 ms
64 bytes from 192.168.1.100: icmp_seq=3 ttl=255 time=2.91 ms

I can ping the Vlan1 interface of the 877 above and the WAN IP address below and get a reply - fine.

stevee@Dell490 ~ $ ping 212.159.16.47
PING 212.159.16.47 (212.159.16.47) 56(84) bytes of data.
64 bytes from 212.159.16.47: icmp_seq=1 ttl=255 time=2.12 ms
64 bytes from 212.159.16.47: icmp_seq=2 ttl=255 time=1.92 ms

So why can't I ping the Internet from the PC or the 877 command line, yet I can write this Post?

cisco877#ping 8.8.8.8

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

stevee@Dell490 ~ $ ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
^C
--- 8.8.8.8 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 1999ms

The ACL section of the conf file comprised:

cisco877#sh ip access-lists
Extended IP access list BLOCKWAN
10 permit tcp any any established (91905 matches)
20 permit udp any any (2557 matches)
30 permit udp host 91.189.89.198 eq ntp any
40 deny ip any any (499 matches)
Extended IP access list LAN2WEB
10 permit ip any any (67109 matches)

This means the Vlan1 interface permits any IP traffic (IP here covers TCP, UDP, ICMP and the other IP protocols) to enter from and exit to the LAN. This single ACL rule is set on both the incoming and outgoing directions of the Vlan1 interface, with the reference point being the centre of the unit. Any IP protocol (TCP/UDP) can pass unmolested from either side of this interface, through the interface.

A ping is an ICMP packet, so it can pass via the Vlan1 interface, hit the WAN/Dialer1 interface and have a reply returned from it, which passes back through the LAN interface to the PC.

A ping sent further afield cannot exit from the WAN interface though, as only the TCP and UDP protocols have been specifically allowed to pass in both the in and out directions on the WAN interface, with any other protocol being dropped by the line:

40 deny ip any any (499 matches)

This is a standard "catchall" deny line set at the end of an ACL, which blocks every protocol except those specifically allowed above it. To modify an ACL, extra lines can be inserted before line 40 to allow additional services without removing and re-writing the whole ACL. The router has to be reloaded after this change to embed the settings in the IOS - for example:

cisco877# conf t
cisco877(config)#ip access-list extended BLOCKWAN
cisco877(config-ext-nacl)#35 permit icmp any any

cisco877(config-ext-nacl)#end

cisco877#reload

Now view the ACLs - the sequence numbers have been renumbered to make room for the new rule:

cisco877#sh ip access-lists
Extended IP access list BLOCKWAN
10 permit tcp any any established (139 matches)
20 permit udp any any (97 matches)
30 permit udp host 91.189.89.198 eq ntp any
40 permit icmp any any (15 matches)
50 deny ip any any
Extended IP access list LAN2WEB
10 permit ip any any (669 matches)
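The following is an added example (not from the original post or from Cisco) that models how IOS walks an extended ACL: top to bottom, first match wins, with an implicit deny after the last line. Two details of the listings above fall out of the model. First, the running config applies BLOCKWAN with `ip access-group BLOCKWAN in` on Dialer1, so the packet that actually meets the deny line is the echo reply arriving from the Internet, until an `icmp` line exists before it; the `established` line on 10 lets TCP replies to connections opened from inside back in while a bare SYN from outside never matches. Second, `permit udp any any` on line 20 already matches every UDP packet, so the NTP line 30 below it can never be hit, which is why it shows no match counter in either listing. The packets are constructed; wildcard masks and port ranges are omitted for brevity.

```python
"""Simulation of how an IOS extended ACL is evaluated: first match wins,
an implicit deny follows the last line, `established` matches only TCP
segments carrying ACK or RST, and a rule added with a sequence number is
slotted between its neighbours. Added example, not from the original post
or from Cisco; wildcard masks and port ranges are left out for brevity.
"""
import ipaddress
import re

PORT_NAMES = {"ntp": 123, "domain": 53, "telnet": 23, "www": 80}

RULE_RE = re.compile(
    r"(?:(?P<seq>\d+)\s+)?(?P<action>permit|deny)\s+(?P<proto>ip|tcp|udp|icmp)\s+"
    r"(?P<src>any|host \S+)(?:\s+eq (?P<sport>\S+))?\s+"
    r"(?P<dst>any|host \S+)(?:\s+eq (?P<dport>\S+))?(?P<est>\s+established)?\s*$"
)


def _addr(token):
    """'any' matches everything; 'host X' matches exactly X."""
    return None if token == "any" else ipaddress.ip_address(token.split()[1])


def _port(token):
    if token is None:
        return None
    return PORT_NAMES[token] if token in PORT_NAMES else int(token)


class AccessList:
    def __init__(self, name):
        self.name, self.rules = name, []

    def add(self, line):
        """Add a rule; with no sequence number it goes last (previous + 10),
        as when typing it in `ip access-list extended` config mode."""
        m = RULE_RE.match(line.strip())
        if not m:
            raise ValueError(f"cannot parse ACL line: {line!r}")
        seq = int(m["seq"]) if m["seq"] else (self.rules[-1]["seq"] + 10 if self.rules else 10)
        self.rules.append({"seq": seq, "action": m["action"], "proto": m["proto"],
                           "src": _addr(m["src"]), "sport": _port(m["sport"]),
                           "dst": _addr(m["dst"]), "dport": _port(m["dport"]),
                           "established": bool(m["est"]), "matches": 0})
        self.rules.sort(key=lambda r: r["seq"])

    def resequence(self, start=10, step=10):
        """Renumber 10, 20, 30, ... as the post-reload listing above shows."""
        for i, r in enumerate(self.rules):
            r["seq"] = start + i * step

    def evaluate(self, pkt):
        """Return (action, seq) of the first matching rule, or ('deny', None)
        for the implicit deny that ends every IOS ACL."""
        for r in self.rules:
            if r["proto"] != "ip" and r["proto"] != pkt["proto"]:
                continue
            if r["src"] is not None and r["src"] != ipaddress.ip_address(pkt["src"]):
                continue
            if r["dst"] is not None and r["dst"] != ipaddress.ip_address(pkt["dst"]):
                continue
            if r["sport"] is not None and r["sport"] != pkt.get("sport"):
                continue
            if r["dport"] is not None and r["dport"] != pkt.get("dport"):
                continue
            # `established`: TCP with ACK or RST set, i.e. part of a connection
            # somebody already opened. A bare SYN from outside never matches it.
            if r["established"] and not (
                    pkt["proto"] == "tcp" and pkt.get("flags", set()) & {"ACK", "RST"}):
                continue
            r["matches"] += 1
            return r["action"], r["seq"]
        return "deny", None


# BLOCKWAN as listed above, before the ICMP line was added.
BLOCKWAN_BEFORE = [
    "10 permit tcp any any established",
    "20 permit udp any any",
    "30 permit udp host 91.189.89.198 eq ntp any",
    "40 deny ip any any",
]

# Constructed packets as they would arrive inbound on Dialer1, the direction
# the running config applies BLOCKWAN in (`ip access-group BLOCKWAN in`).
PACKETS = {
    "echo_reply": {"proto": "icmp", "src": "8.8.8.8", "dst": "212.159.16.47"},
    "tcp_reply": {"proto": "tcp", "src": "212.58.244.22", "sport": 80,
                  "dst": "212.159.16.47", "dport": 40000, "flags": {"ACK"}},
    "tcp_syn": {"proto": "tcp", "src": "203.0.113.5", "sport": 40000,
                "dst": "212.159.16.47", "dport": 23, "flags": {"SYN"}},
    "ntp_reply": {"proto": "udp", "src": "91.189.89.198", "sport": 123,
                  "dst": "212.159.16.47", "dport": 123},
}


def build(lines, name="BLOCKWAN"):
    acl = AccessList(name)
    for line in lines:
        acl.add(line)
    return acl


def before_and_after():
    """Evaluate PACKETS before and after inserting `35 permit icmp any any`."""
    acl = build(BLOCKWAN_BEFORE)
    before = {n: acl.evaluate(p) for n, p in PACKETS.items()}
    acl.add("35 permit icmp any any")
    acl.resequence()
    after = {n: acl.evaluate(p) for n, p in PACKETS.items()}
    return before, after, [r["seq"] for r in acl.rules]
```

`before_and_after()` shows the echo reply moving from `('deny', 40)` to `('permit', 40)` once the ICMP line is in and the list resequenced, while the unsolicited SYN to port 23 stays denied (now by line 50) and the TCP reply is permitted by line 10 in both cases; the NTP reply is taken by line 20, leaving line 30's match counter at zero.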

Now pings to the Internet from the 877 and the LAN get a response:

stevee@Dell490 ~ $ ping bbc.co.uk
PING bbc.co.uk (212.58.244.22) 56(84) bytes of data.
64 bytes from 212.58.244.22: icmp_seq=1 ttl=53 time=22.6 ms

cisco877#ping bbc.co.uk

Translating "bbc.co.uk"...domain server (8.8.8.8) [OK]

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 212.58.244.22, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/22/24 ms

This does of course mean that your router is not stealthy anymore, as it replies to WAN-side pings itself.

Apart from the ping response it is still a good simple ACL overall, with common ports stealthed.

Another point - if you wondered - is that nmap run against the WAN IP from the LAN side shows responses from the INSIDE of the WAN interface, so it gives a different result - Telnet open in this case:

stevee@Dell490 ~ $ nmap 212.159.16.47

Starting Nmap 6.40 ( http://nmap.org ) at 2017-01-11 00:21 GMT
Nmap scan report for remote.securicomservices.co.uk (212.159.16.47)
Host is up (0.030s latency).
Not shown: 999 closed ports
PORT STATE SERVICE
23/tcp open telnet

The conf at this point is:

!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname cisco877
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$e/g3$ceiyt/4dt/GK9gSm7vbkN.
enable password 7 03145404161F2E435E
!
no aaa new-model
ip cef
!
!
ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.1 192.168.1.20
!
ip dhcp pool CLIENTS
import all
network 192.168.1.0 255.255.255.0
default-router 192.168.1.100
dns-server 8.8.8.8
!
!
ip domain name workgroup
ip name-server 8.8.8.8
ip name-server 212.159.13.49
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
interface ATM0
no ip address
ip nat outside
ip virtual-reassembly
logging event atm pvc state
logging event atm pvc autoppp
no atm ilmi-keepalive
dsl operating-mode auto adsl2 adsl2+
dsl enable-training-log
!
interface ATM0.1 point-to-point
ip address dhcp
ip nat outside
ip virtual-reassembly
no snmp trap link-status
atm route-bridged ip
atm pppatm link reset
pvc 0/38
encapsulation aal5snap
protocol ppp dialer
dialer pool-member 1
ip addr inarp
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Dot11Radio0
no ip address
shutdown
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
station-role root
!
interface Vlan1
ip address 192.168.1.100 255.255.255.0
ip access-group LAN2WEB in
ip nat inside
ip nat enable
ip virtual-reassembly
!
interface Dialer1
ip address negotiated previous
ip access-group BLOCKWAN in
ip nat outside
ip nat enable
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
autodetect encapsulation ppp
ppp authentication chap pap callin
ppp chap hostname stevepedwards@plus.net
ppp chap password 7 071C3549580C1C031B0B1B0B50
ppp ipcp wins request
ppp ipcp mask request
ppp ipcp route default
ppp ipcp address accept
!
ip default-gateway 195.166.130.250
ip route 0.0.0.0 0.0.0.0 Dialer1
!
!
no ip http server
no ip http secure-server
ip nat pool CLIENTS 192.168.1.20 192.168.1.25 netmask 255.255.255.0
ip nat inside source list LAN2WEB interface Dialer1 overload
!
ip access-list extended BLOCKWAN
permit tcp any any established
permit udp any any
permit udp host 91.189.89.198 eq ntp any
permit icmp any any
deny ip any any
ip access-list extended LAN2WEB
permit ip any any
!
dialer-list 1 protocol ip permit
snmp-server community public RO
!
!
!
!
control-plane
!
!
line con 0
no modem enable
line aux 0
line vty 0 4
password 7 051B090031
login
!
scheduler max-task-time 5000
end
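Reading a config like this by eye is error-prone, so here is an added example (not from the original post or from Cisco) of a small static audit that parses an IOS running-config into its sections and flags the management-plane points a reviewer would raise on the listing above: type 7 strings are reversible obfuscation rather than hashes, so `service password-encryption` gives little protection if the config leaks; an `enable password` beside an `enable secret` is dead weight that still exposes a credential; `snmp-server community public RO` is a well-known default; and a vty with `login` and a line password but no `transport input ssh` accepts Telnet, which is what the nmap scan from the LAN found. SAMPLE_CONFIG is a constructed excerpt with placeholder secrets; its children are indented by one space as `show running-config` prints them, an indent the copy on the page has lost.

```python
"""Static audit of an IOS running-config for management-plane weaknesses.

Added example, not from the original post or from Cisco. SAMPLE_CONFIG is a
constructed excerpt that mirrors the structure of the config above with
placeholder secrets; children are indented by one space, as `show
running-config` prints them (the copy on the page has lost that indent).
"""
import re

SAMPLE_CONFIG = """\
version 12.4
service password-encryption
hostname cisco877
enable secret 5 $1$PLAC$EHOLDER.NOT.A.REAL.HASH
enable password 7 00ENABLEPLACEHOLDER
no aaa new-model
!
interface Vlan1
 ip address 192.168.1.100 255.255.255.0
 ip access-group LAN2WEB in
!
interface Dialer1
 ip access-group BLOCKWAN in
!
no ip http server
no ip http secure-server
snmp-server community public RO
!
line con 0
 no modem enable
line aux 0
line vty 0 4
 password 7 00VTYPLACEHOLDER
 login
!
end
"""


def parse_blocks(text):
    """Return [(header, [children])]: a leading space marks a child of the
    preceding header and '!' separates sections."""
    blocks = []
    for raw in text.splitlines():
        if not raw.strip() or raw.strip() == "!":
            continue
        if raw.startswith(" ") and blocks:
            blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks


def audit(text):
    """Return (severity, key, detail) findings for the config text."""
    findings = []
    blocks = parse_blocks(text)
    top = {h for h, _ in blocks}

    for header, children in blocks:
        for line in [header] + children:
            # Type 7 is reversible obfuscation, not hashing: `service
            # password-encryption` only defeats a glance over the shoulder.
            if re.search(r"\bpassword 7 \S+", line):
                findings.append(("high", "type7-password",
                                 f"'{line.rsplit(' ', 1)[0]} ...' under '{header}' is reversible"))

    if any(h.startswith("enable password") for h in top) and any(h.startswith("enable secret") for h in top):
        findings.append(("medium", "enable-password-redundant",
                         "enable password is ignored when enable secret exists; it only leaks a credential"))

    for h in top:
        m = re.match(r"snmp-server community (\S+) (RO|RW)", h)
        if m and m.group(1).lower() in {"public", "private"}:
            findings.append(("high", "snmp-default-community",
                             f"SNMP community '{m.group(1)}' ({m.group(2)}) is a well-known default"))
        if h == "ip http server":
            findings.append(("medium", "http-server", "clear-text HTTP management is enabled"))

    for header, children in blocks:
        if not header.startswith("line vty"):
            continue
        transport = [c for c in children if c.startswith("transport input")]
        if not transport or any("telnet" in c or "all" in c for c in transport):
            findings.append(("high", "vty-telnet",
                             f"'{header}' accepts telnet: no 'transport input ssh', logins cross the wire in clear text"))
        if not any(c.startswith("access-class") for c in children):
            findings.append(("medium", "vty-no-access-class",
                             f"'{header}' has no access-class; any reachable host may attempt to log in"))
        if "login" in children:
            findings.append(("medium", "vty-shared-password",
                             f"'{header}' uses one shared line password; prefer 'login local' with 'username ... secret'"))
    return findings


if __name__ == "__main__":
    for sev, key, detail in audit(SAMPLE_CONFIG):
        print(f"[{sev:6}] {key}: {detail}")
```

`audit(SAMPLE_CONFIG)` produces seven findings; replacing the vty block with `login local`, `transport input ssh` and an `access-class`, and removing the `enable password` and the public community, brings it to zero.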
