
Thread: Cisco 1700 configuration problems

#1 Senior Member (joined Oct 2002, 1,130 posts)

    Cisco 1700 configuration problems

I have this network security problem I can't wrap my brain around. I will attach an image of the network layout so hopefully people can see what I'm getting at. My access rules must be configured as follows using Cisco 1700 series routers.

- Workstations 1 and 2 (subnet 192.168.5.0/24) are on the management network. Any device on this network can access any other device on the network.

- Workstations on the Eva and Boaz LANs are not permitted outside of their subnet except to access the file server.

    - Each router can telnet to the other routers and access any other router on the network.

    I have satisfied all of these conditions except two. I can telnet to any router from anywhere, but that I can solve in a little while. My big problem is in allowing workstation 2 to initiate communication with any other device while blocking all access from Eva and Boaz LANs. If I filter traffic coming from these LANs to this workstation, I am also unable to send a reply. I must configure this network so that Eva and Boaz LANs can be pinged from workstation 2, however no workstations except for the file server may ping workstation 2.

    I am trying access rules such as

    access-list 101 permit ip 192.168.5.0 0.0.0.255 any

    on centre router. This will allow outbound traffic from subnet 192.168.5.0/24, however echo replies are not permitted back in. Two-way communication cannot be established with this rule. If I permit traffic the other way, then all workstations may initiate communications with workstation 2.

    What access rule will allow workstation 2 to initiate communications with hosts on Eva and Boaz LANs, but not allow Eva and Boaz LANs to initiate communication with workstation 2?
    Government is like fire - a handy servant, but a dangerous master - George Washington
    Government is not reason, it is not eloquence - it is force. - George Washington.


#2 Senior Member (joined Jul 2001, 461 posts)
I haven't done this myself, but these lines might help you out when applied in the correct place, with the proper access-list number of course, and with the Eva/Boaz placeholders replaced by the real network and wildcard mask (IOS numbered ACLs take a wildcard mask, not /24 notation).

access-list 110 permit icmp <Eva-network> <Eva-wildcard> 192.168.5.0 0.0.0.255 echo-reply
access-list 110 permit icmp <Boaz-network> <Boaz-wildcard> 192.168.5.0 0.0.0.255 echo-reply

    from
    http://www.oreillynet.com/pub/a/netw...ps.html?page=2

#3 Senior Member (joined Oct 2002, 1,130 posts)
    A rule like that would only allow ping replies back. I need to allow all requested traffic back, while blocking all unrequested traffic.

    How does a Cisco router know the difference?

    (maybe I need to review the TCP/IP stack again)

#4 Senior Member (joined Jul 2001, 461 posts)
    Hmm, I took your statement about replying to pings too literally.

    Would this help perhaps?
ip reflexive-list timeout 120

interface Ethernet0/1
 ip address 172.16.1.2 255.255.255.0
 ip access-group inboundfilters in
 ip access-group outboundfilters out

!--- Inbound: permit ICMP, then evaluate the temporary entries created
!--- by the "reflect" statement in the outbound list.
ip access-list extended inboundfilters
 permit icmp 172.16.1.0 0.0.0.255 10.1.1.0 0.0.0.255
 evaluate tcptraffic

!--- This ties the reflexive ACL part of the outboundfilters ACL,
!--- called tcptraffic, to the inboundfilters ACL.
ip access-list extended outboundfilters
 permit icmp 10.1.1.0 0.0.0.255 172.16.1.0 0.0.0.255
 permit tcp 10.1.1.0 0.0.0.255 172.16.1.0 0.0.0.255 reflect tcptraffic

    from
    http://www.psionic.com/en/US/product...800a5b9a.shtml

#5 Member (joined Jun 2002, 44 posts)
I think what you are asking is that you don't want any traffic sourced from Eva and Boaz to leave the router, but if a connection is initiated from, say, Computer 1, you want hosts on Eva and Boaz to respond. Is this correct? The way routers handle this is by using SYN and ACK packets. When you make a request you are sending a SYN packet, and when you respond you send ACK packets. If you are looking at blocking SYN and permitting ACK, try messing with the "established" command. Here, look at an example. Their example is the other way around, so just swap the commands around. Look at the last example.

    http://www.cisco.com/en/US/products/...08007ce05.html
    Os1LaYr5

#6 Senior Member (joined Oct 2002, 1,130 posts)
That works for TCP communication, but UDP is connectionless and therefore there are no SYN or ACK packets. Same goes for ICMP packets, and I think IGRP and SNMP as well. I need to block all communication this way, not just TCP communication.

#7 Member (joined Jun 2002, 44 posts)
    Striek,

You just answered your question: UDP is connectionless, meaning the packets have no relationship to each other and no state is maintained between the end devices. And if you want to block ICMP, just permit echo-reply. And IGRP is Cisco proprietary; your PCs behind your router won't ever send this type of data. SNMP is UDP.
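The thread leaves the two halves unjoined: post #4 shows Cisco's reflexive ACL example for TCP only, and posts #5 to #7 explain why the "established" keyword cannot cover UDP or ICMP. A reflexive list is not limited to TCP; it can record UDP and ICMP flows too, which is exactly what the original question needs (workstation 2 initiates anything, Eva and Boaz only answer). The configuration below is an added example written for this thread; it is not code from any of the posters or from Cisco's documentation. The interface name, the Eva and Boaz subnets (192.168.10.0/24 and 192.168.20.0/24), the router address and the file server address (192.168.5.10) are assumptions, because the network diagram is not in the thread; only 192.168.5.0/24 comes from the original post.

```cisco
! Added example, not from the thread or from Cisco's documentation.
! Reflexive ACL on the centre router's interface toward the management LAN,
! stateful for TCP, UDP and ICMP: hosts on 192.168.5.0/24 may open sessions
! to the Eva and Boaz LANs and receive the replies, while Eva and Boaz
! cannot open sessions toward 192.168.5.0/24.
!
! ASSUMED (diagram not available): management LAN on FastEthernet0,
! Eva = 192.168.10.0/24, Boaz = 192.168.20.0/24, file server = 192.168.5.10.
! Replace with the real interface and addresses.
!
! UDP and ICMP have no FIN/RST, so their temporary entries simply age out
! after this many idle seconds; TCP entries are removed when the session ends.
ip reflexive-list timeout 120
!
! Packets from the management hosts INTO the router. Each permitted flow is
! recorded in the temporary list "mgmt-sessions" with source and destination
! (and ports) swapped, i.e. as the reply that is expected to come back.
ip access-list extended mgmt-lan-in
 remark Management hosts may start anything; record each flow for its return path
 permit tcp 192.168.5.0 0.0.0.255 any reflect mgmt-sessions
 permit udp 192.168.5.0 0.0.0.255 any reflect mgmt-sessions
 permit icmp 192.168.5.0 0.0.0.255 any reflect mgmt-sessions
 deny ip any any log
!
! Packets leaving the router OUT toward the management hosts: only replies
! to recorded flows, plus the file server access the rules call for.
ip access-list extended mgmt-lan-out
 remark Replies to flows the management LAN opened (TCP, UDP and ICMP alike)
 evaluate mgmt-sessions
 remark Eva and Boaz may reach the file server only (assumed address)
 permit ip 192.168.10.0 0.0.0.255 host 192.168.5.10
 permit ip 192.168.20.0 0.0.0.255 host 192.168.5.10
 deny ip any any log
!
interface FastEthernet0
 ip address 192.168.5.1 255.255.255.0
 ip access-group mgmt-lan-in in
 ip access-group mgmt-lan-out out
```

A few practical notes. The "established" alternative from post #5, `permit tcp any 192.168.5.0 0.0.0.255 established`, matches any TCP segment with ACK or RST set; it never sees UDP or ICMP, and any host can forge an ACK, so it does not prove a session exists. The `evaluate` line must sit above the final `deny` or the temporary entries are never consulted. Reflexive lists only work in named extended ACLs, not numbered ones, and `reflect`/`evaluate` depend on the IOS feature set, so check that your 1700's image accepts them. Telnet to the routers themselves is traffic addressed to the router, which is better controlled with an `access-class` on the vty lines than with these interface filters. Verify behaviour with `show ip access-lists mgmt-sessions` while a ping from workstation 2 to an Eva host is running: a temporary icmp entry should appear and then expire after the timeout.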
