Extended Access List on Cisco 2600 Router

By coconut88
Dear Sir/Madam,
I have some questions about the extended access lists: why do they block the FTP port?
We have two segments in my network: FastEthernet0/1 is 10.125.96.0 255.255.255.0, and the other, FastEthernet0/0, is 10.125.111.0 255.255.255.0.
The access list is pasted on the Ethernet 0/1 network:
access-list 101 permit tcp any 10.125.111.0 0.0.0.255 gt 1023 established
access-list 101 permit udp any 10.125.111.0 0.0.0.255 gt 1023
access-list 101 permit udp host 10.125.96.21 eq netbios-dgm 10.125.111.0 0.0.0.255 eq netbios-dgm
access-list 101 permit tcp host 10.125.96.21 gt 1023 10.125.111.0 0.0.0.255 eq 139
access-list 101 permit udp host 10.125.96.22 eq netbios-dgm 10.125.111.0 0.0.0.255 eq netbios-dgm
access-list 101 permit tcp host 10.125.96.22 gt 1023 10.125.111.0 0.0.0.255 eq 139
access-list 101 permit udp host 10.125.125.181 eq netbios-dgm 10.125.111.0 0.0.0.255 eq netbios-dgm
access-list 101 permit tcp host 10.125.125.181 gt 1023 10.125.111.0 0.0.0.255 eq 139
access-list 101 permit icmp 10.125.96.0 0.0.0.255 10.125.111.0 0.0.0.255 echo-reply
access-list 101 permit icmp any 10.125.111.0 0.0.0.255 packet-too-big
access-list 101 permit tcp host 10.125.125.171 host 10.125.111.150 eq 8009
access-list 101 permit tcp host 10.125.125.171 host 10.125.111.150 eq 7009
access-list 101 deny ip any any log
How can I solve the problem?


by mshavrov In reply to Extended Access list on C ...

access-list 101 permit tcp any 10.125.111.0 0.0.0.255 gt 1023 established

Permit traffic from ANY computer to access TCP ports greater than 1023 on the 10.125.111.0/24 network, but ONLY WHEN THE CONNECTION IS ESTABLISHED!


access-list 101 permit tcp host 10.125.96.21 gt 1023 10.125.111.0 0.0.0.255 eq 139
access-list 101 permit tcp host 10.125.96.22 gt 1023 10.125.111.0 0.0.0.255 eq 139
access-list 101 permit tcp host 10.125.125.181 gt 1023 10.125.111.0 0.0.0.255 eq 139

Permit NETBIOS traffic (TCP Port 139) ONLY from these 3 hosts to 10.125.111.0/24 network and only when SOURCE TCP port is greater than 1023.

access-list 101 permit tcp host 10.125.125.171 host 10.125.111.150 eq 8009
access-list 101 permit tcp host 10.125.125.171 host 10.125.111.150 eq 7009

Permit TCP traffic from host 10.125.125.171 to host 10.125.111.150 on TCP ports 8009 and 7009. But network 10.125.125.0 is not your local network? Your networks are 10.125.111.0/24 and 10.125.96.0/24.

access-list 101 permit udp any 10.125.111.0 0.0.0.255 gt 1023

Permit UDP traffic from ANY host to network 10.125.11.0/24 if the UDP port is greater than 1023.

access-list 101 permit udp host 10.125.96.21 eq netbios-dgm 10.125.111.0 0.0.0.255 eq netbios-dgm
access-list 101 permit udp host 10.125.96.22 eq netbios-dgm 10.125.111.0 0.0.0.255 eq netbios-dgm
access-list 101 permit udp host 10.125.125.181 eq netbios-dgm 10.125.111.0 0.0.0.255 eq netbios-dgm

Permit UDP NetBIOS traffic from ONLY these 3 hosts and ONLY if the source UDP port is greater than 1023.

access-list 101 permit icmp 10.125.96.0 0.0.0.255 10.125.111.0 0.0.0.255 echo-reply
access-list 101 permit icmp any 10.125.111.0 0.0.0.255 packet-too-big

Permit ICMP Echo-Reply traffic from 10.125.96.0/24 to 10.125.111.0/24. It means that hosts in 10.125.96.0 will be able to respond to ICMP pings.

access-list 101 deny ip any any log

Deny everything else.

by mshavrov In reply to

Now the question. Do you see anywhere a PERMIT statement to allow FTP traffic? That's the problem.

The best method to troubleshoot ACCESS-LISTs is turning the "logging" function on for the "deny" statement. Check the log on the router to see what kind of traffic is denied during the FTP session and permit this traffic.

If you need additional information, just e-mail me.

Good luck,

Michael Shavrov
CCNP, CCDP, CCSP, CSS1, MCSE W2K, Checkpoint CSSA, Security+, ...
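As an added example (not from the thread and not Cisco's own code), a small Python first-match evaluator for access-list 101 above, assuming the list is applied inbound on Fa0/1 so that packets from the 10.125.96.0/24 side toward 10.125.111.0/24 are the ones filtered, with constructed client and server addresses. It shows what the last post points out: every FTP packet, in either FTP mode, falls through to the final deny, while a flow the list does allow (SMB from 10.125.96.21) matches its permit line.

```python
# Constructed model of the thread's access-list 101, not the router's own code. Only the
# tcp/udp entries are modelled (icmp lines omitted) and the per-host permits are grouped
# by protocol; that changes no decision because the permit entries do not overlap.
import ipaddress

def ace(action, proto, src, dst, sport=None, dport=None, established=False):
    return dict(action=action, proto=proto, src=ipaddress.ip_network(src),
                dst=ipaddress.ip_network(dst), sport=sport, dport=dport,
                established=established)

NB_HOSTS = ("10.125.96.21/32", "10.125.96.22/32", "10.125.125.181/32")  # netbios-dgm is UDP 138
ACL_101 = [
    ace("permit", "tcp", "0.0.0.0/0", "10.125.111.0/24", dport=("gt", 1023), established=True),
    ace("permit", "udp", "0.0.0.0/0", "10.125.111.0/24", dport=("gt", 1023)),
    *[ace("permit", "udp", h, "10.125.111.0/24", sport=("eq", 138), dport=("eq", 138)) for h in NB_HOSTS],
    *[ace("permit", "tcp", h, "10.125.111.0/24", sport=("gt", 1023), dport=("eq", 139)) for h in NB_HOSTS],
    ace("permit", "tcp", "10.125.125.171/32", "10.125.111.150/32", dport=("eq", 8009)),
    ace("permit", "tcp", "10.125.125.171/32", "10.125.111.150/32", dport=("eq", 7009)),
    ace("deny", "ip", "0.0.0.0/0", "0.0.0.0/0"),  # the explicit "deny ip any any log"
]

def _port_ok(rule, port):
    if rule is None:           # no port operator on this ACE
        return True
    if port is None:           # ACE needs a port but the packet carries none
        return False
    op, value = rule
    return port > value if op == "gt" else port == value

def evaluate(acl, pkt):
    """First-match lookup, as the router does it: returns (action, index of the matching ACE)."""
    src, dst = ipaddress.ip_address(pkt["src"]), ipaddress.ip_address(pkt["dst"])
    for i, a in enumerate(acl):
        if a["proto"] not in ("ip", pkt["proto"]) or src not in a["src"] or dst not in a["dst"]:
            continue
        if not _port_ok(a["sport"], pkt.get("sport")) or not _port_ok(a["dport"], pkt.get("dport")):
            continue
        if a["established"] and not pkt.get("ack", False):  # 'established' needs ACK (or RST) set; a bare SYN never matches
            continue
        return a["action"], i
    return "deny", None  # the implicit deny every Cisco ACL ends with

def ftp_decisions(client="10.125.96.50", server="10.125.111.10"):
    """Verdict of ACL 101 on each packet a client on the 10.125.96.0/24 side sends toward an FTP server."""
    flows = {
        "control SYN to tcp/21": dict(proto="tcp", src=client, dst=server, sport=40000, dport=21, ack=False),
        "passive-mode data SYN to tcp/50000": dict(proto="tcp", src=client, dst=server, sport=40001, dport=50000, ack=False),
        "active-mode data ACK to tcp/20": dict(proto="tcp", src=client, dst=server, sport=40002, dport=20, ack=True),
        "SMB SYN from 10.125.96.21 to tcp/139": dict(proto="tcp", src="10.125.96.21", dst=server, sport=40003, dport=139, ack=False),
    }
    return {name: evaluate(ACL_101, pkt)[0] for name, pkt in flows.items()}
```

The index returned by `evaluate` is the line of the list a logged deny corresponds to, which is what you compare against the router log when following the troubleshooting advice above.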
