-
November 25th, 2003, 03:30 AM
#1
Cisco 1700 configuration problems
I have this network security problem I can't wrap my brain around. I will attach an image of the network layout so hopefully people can see what I'm getting at. My access rules must be configured as follows using Cisco 1700 series routers.
- Workstations 1 and 2 (subnet 192.168.5.0/24) are on the management network. Any device on this network can access any other device on the network
- Workstations on Eva and Boaz LANs are not permitted outside of their subnet except to access the file server
- Each router can telnet to the other routers and access any other router on the network.
I have satisfied all of these conditions except two. I can telnet to any router from anywhere, but that I can solve in a little while. My big problem is in allowing workstation 2 to initiate communication with any other device while blocking all access from Eva and Boaz LANs. If I filter traffic coming from these LANs to this workstation, I am also unable to send a reply. I must configure this network so that Eva and Boaz LANs can be pinged from workstation 2, however no workstations except for the file server may ping workstation 2.
I am trying access rules such as
access-list 101 permit ip 192.168.5.0 0.0.0.255 any
on centre router. This will allow outbound traffic from subnet 192.168.5.0/24, however echo replies are not permitted back in. Two-way communication cannot be established with this rule. If I permit traffic the other way, then all workstations may initiate communications with workstation 2.
What access rule will allow workstation 2 to initiate communications with hosts on Eva and Boaz LANs, but not allow Eva and Boaz LANs to initiate communication with workstation 2?
Government is like fire - a handy servant, but a dangerous master - George Washington
Government is not reason, it is not eloquence - it is force. - George Washington.
Join the UnError community!
-
November 25th, 2003, 06:10 AM
#2
I haven't done this myself, but this line might help you out when applied in the correct place, with the proper access-list number of course, and replace the Eva/Boaz with IP info.
access-list 110 permit icmp Eva 192.168.5.0 0.0.0.255 echo-reply
access-list 110 permit icmp Boaz 192.168.5.0 0.0.0.255 echo-reply
from
http://www.oreillynet.com/pub/a/netw...ps.html?page=2
-
November 25th, 2003, 06:20 AM
#3
A rule like that would only allow ping replies back. I need to allow all requested traffic back, while blocking all unrequested traffic.
How does a Cisco router know the difference?
(maybe I need to review the TCP/IP stack again)
-
November 25th, 2003, 07:02 AM
#4
Hmm, I took your statement about replying to pings too literally.
Would this help perhaps?
ip reflexive-list timeout 120
!
interface Ethernet0/1
 ip address 172.16.1.2 255.255.255.0
 ip access-group inboundfilters in
 ip access-group outboundfilters out
!
ip access-list extended inboundfilters
 permit icmp 172.16.1.0 0.0.0.255 10.1.1.0 0.0.0.255
 evaluate tcptraffic
!--- This ties the reflexive ACL part of the outboundfilters ACL,
!--- called tcptraffic, to the inboundfilters ACL.
ip access-list extended outboundfilters
 permit icmp 10.1.1.0 0.0.0.255 172.16.1.0 0.0.0.255
 permit tcp 10.1.1.0 0.0.0.255 172.16.1.0 0.0.0.255 reflect tcptraffic
from
http://www.psionic.com/en/US/product...800a5b9a.shtml
-
November 26th, 2003, 06:39 PM
#5
I think what you are asking is you don't want any traffic sourced from Eva and Boaz to leave the router, but if a connection is initiated from say Computer 1, you want the hosts on Eva and Boaz to respond. Is this correct? The way routers handle this is by using SYN and ACK packets. When you make a request you are sending a SYN packet, and when you respond you send ACK packets. If you are looking at blocking SYN and permitting ACK try messing with the "established" command. Here, look at an example. Their example is the other way around, so just swap the commands around. Look at the last example.
http://www.cisco.com/en/US/products/...08007ce05.html
-
November 26th, 2003, 07:53 PM
#6
That works for TCP communication, but UDP is connectionless and therefore there are no SYN or ACK packets. Same goes for ICMP packets and I think IGRP and SNMP as well. I need to block all communication this way, not just TCP communication.
-
November 27th, 2003, 01:17 AM
#7
Striek,
You just answered your question, UDP is connectionless, meaning there is no relationship to each other and no state is maintained between the end devices. And if you want to block icmp, just permit echo reply. And IGRP is Cisco Proprietary. Your PCs behind your router won't ever send this type of data. SNMP is UDP.
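Added example, not from the thread or its linked Cisco pages: a small Python model of the two mechanisms discussed in posts #4 and #5, the reflexive ACL's reflect/evaluate pair and the TCP-only "established" keyword, run over constructed packets to show why only the former also lets UDP and ICMP replies back in (the concern raised in post #6). The file server address and the Eva-side hosts are assumed placeholders; "outbound" means traffic leaving the centre router toward the Eva/Boaz LANs and "inbound" the return direction.

```python
import ipaddress
from dataclasses import dataclass

# Added example, not from the thread: a model of IOS reflexive ACLs ("reflect"
# on the outbound list, "evaluate" on the inbound one) beside the TCP-only
# "established" keyword. The file server address is a constructed placeholder.
MGMT = ipaddress.ip_network("192.168.5.0/24")      # management LAN from the thread
FILE_SERVER = ipaddress.ip_address("10.10.1.10")   # placeholder, not from the thread

@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0      # ICMP: type
    dport: int = 0      # ICMP: code
    ack: bool = False   # TCP ACK or RST bit set (what "established" tests)

def _key(p, mirror):
    # Reflexive entries store the mirrored 5-tuple; ICMP replies change type,
    # so the model keys ICMP on addresses only (a simplification of IOS).
    a, b, pa, pb = (p.dst, p.src, p.dport, p.sport) if mirror else (p.src, p.dst, p.sport, p.dport)
    return (p.proto, a, b) if p.proto == "icmp" else (p.proto, a, b, pa, pb)

class ReflexiveACL:
    def __init__(self, timeout=120):        # ip reflexive-list timeout 120
        self.timeout = timeout
        self.sessions = {}                  # mirrored key -> expiry time

    def outbound(self, p, now):
        # permit ip 192.168.5.0 0.0.0.255 any reflect mgmt-sessions
        if ipaddress.ip_address(p.src) in MGMT:
            self.sessions[_key(p, mirror=True)] = now + self.timeout
            return True
        return False                        # implicit deny

    def inbound(self, p, now):
        # permit ip host <file server> 192.168.5.0 0.0.0.255
        if ipaddress.ip_address(p.src) == FILE_SERVER:
            return True
        # evaluate mgmt-sessions: pass only replies to sessions the management LAN opened
        key = _key(p, mirror=False)
        if self.sessions.get(key, 0) > now:
            return True
        self.sessions.pop(key, None)        # expired or never created
        return False

def established_only(p):
    # permit tcp any 192.168.5.0 0.0.0.255 established: only TCP with ACK/RST; UDP and ICMP never match
    return p.proto == "tcp" and p.ack and ipaddress.ip_address(p.dst) in MGMT
```

Unsolicited packets from the Eva side are dropped by the implicit deny in both cases; the difference is that the reflexive list admits the DNS reply and the echo reply because workstation 2 opened those sessions, while "established" has no way to recognise them.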