{"id":5985,"date":"2017-01-10T23:37:21","date_gmt":"2017-01-10T23:37:21","guid":{"rendered":"https:\/\/stevepedwards.today\/DebianAdmin\/?p=5985"},"modified":"2023-10-28T23:24:07","modified_gmt":"2023-10-28T22:24:07","slug":"cisco-setup-acl-settings-and-basic-routing-concepts","status":"publish","type":"post","link":"https:\/\/stevepedwards.today\/DebianAdmin\/cisco-setup-acl-settings-and-basic-routing-concepts\/","title":{"rendered":"Cisco Setup ACL Settings and Basic Routing Concepts"},"content":{"rendered":"
<\/div>\n

<\/path><\/svg><\/i> \"Loading\"<\/p>\n

<\/div>\n

Routers have two main\u00a0methods of transferring traffic across different interfaces\/networks; using static routes or routing protocols.<\/p>\n

I can't teach a year long CCNA course here, but just as a simple intro, the routes set and available on routers and PCs can be seen with various commands. In linux, the command is simply:<\/p>\n

stevee@Dell490 ~ $ route<\/span>
\nKernel IP routing table<\/span>
\nDestination Gateway Genmask Flags Metric Ref Use Iface<\/span>
\ndefault 192.168.1.100 0.0.0.0 UG 0 0 0 eth1<\/span>
\n192.168.1.0 * 255.255.255.0 U 1 0 0 eth1<\/span><\/p>\n

This shows that I have a network interface up that has a default static route for traffic from the PC's network connector to be sent via the IP address of the Cisco 877 Vlan1 of 192.168.1.100.<\/p>\n

The linux IP addresses is shown as:<\/p>\n

stevee@Dell490 ~ $ ifconfig<\/span><\/p>\n

eth1 Link encap:Ethernet HWaddr 00:e0:4c:53:44:58 <\/span>
\n inet addr:192.168.1.22<\/strong> Bcast:192.168.1.255 Mask:255.255.255.0<\/span>
\n inet6 addr: fe80::2e0:4cff:fe53:4458\/64 Scope:Link<\/span>
\n UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1<\/span>
\n RX packets:1892 errors:8 dropped:3 overruns:2 frame:11<\/span>
\n TX packets:2114 errors:0 dropped:0 overruns:0 carrier:0<\/span>
\n collisions:0 txqueuelen:1000 <\/span>
\n RX bytes:1411870 (1.4 MB) TX bytes:384752 (384.7 KB)<\/span><\/p>\n

This shows I am connected to the 877 via eth1 which is a very handy yet cheap \u00a31.39 USB to RJ45 connector - great for connecting a PC to multiple different networks\/devices!<\/p>\n

New HIGH SPEED USB 2.0 TO 10\/100MBPS RJ45 ETHERNET ADAPTER CONVERTER CABLE LEAD<\/p>\n

\"\"<\/a><\/p>\n

Routes set on a Cisco can be shown by:<\/p>\n

cisco877#sh ip route<\/span>
\nCodes: C - connected, S - static, R - RIP, M - mobile, B - BGP<\/span>
\n D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area <\/span>
\n N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2<\/span>
\n E1 - OSPF external type 1, E2 - OSPF external type 2<\/span>
\n i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2<\/span>
\n ia - IS-IS inter area, * - candidate default, U - per-user static route<\/span>
\n o - ODR, P - periodic downloaded static route<\/span><\/p>\n

Gateway of last resort is 195.166.130.248<\/strong> to network 0.0.0.0<\/strong><\/span><\/p>\n

195.166.130.0\/32 is subnetted, 1 subnets<\/span>
\nC 195.166.130.248<\/strong> is directly connected, Dialer1<\/span>
\n 212.159.16.0\/32 is subnetted, 1 subnets<\/span>
\nC 212.159.16.47<\/strong> is directly connected, Dialer1<\/span>
\nC 192.168.1.0\/24<\/strong> is directly connected, Vlan1<\/span>
\nS* 0.0.0.0\/0 [1\/0] via 195.166.130.248<\/span><\/strong>
\n is directly connected, Dialer1<\/span><\/p>\n

This info\u00a0is mostly self-explanatory from the key, e.g. that the default static route of 0.0.0.0 is connected directly to the Plusnet gateway server at 195.166.130.248. Just because many different routing protocols are listed in the key:\u00a0EIGRP, OSPF etc. it doesn't mean they are available on a particular model or IOS. To see which may be, use:<\/p>\n

cisco877#conf t<\/span><\/p>\n

cisco877(config)# router ?<\/span>
\nbgp Border Gateway Protocol (BGP)<\/span>
\n eigrp Enhanced Interior Gateway Routing Protocol (EIGRP)<\/span>
\n odr On Demand stub Routes<\/span>
\n ospf Open Shortest Path First (OSPF)<\/span>
\n rip Routing Information Protocol (RIP)<\/span><\/p>\n

 <\/p>\n

No routing protocols are set as they are not required as there are only 2 main routes between 2 main networks that are directly connected to the router interfaces. If there were more interfaces\/routes on a more capable router, then a routing protocol may be used for ease of admin but higher overhead cost, rather than having to manually set and administer many static routes that are inflexible to network changes.<\/p>\n

In the conf file, this static route defines the default route with the command:<\/p>\n

ip route 0.0.0.0 0.0.0.0 Dialer1<\/span><\/p>\n

stevee@Dell490 ~ $ ping 192.168.1.100<\/span>
\nPING 192.168.1.100 (192.168.1.100) 56(84) bytes of data.<\/span>
\n64 bytes from 192.168.1.100: icmp_seq=2 ttl=255 time=3.93 ms<\/span>
\n64 bytes from 192.168.1.100: icmp_seq=3 ttl=255 time=2.91 ms<\/span><\/p>\n

I can ping the Vlan1 interface of the 877 above and the WAN IP address below and get a reply - fine.<\/p>\n

stevee@Dell490 ~ $ ping 212.159.16.47<\/span>
\nPING 212.159.16.47 (212.159.16.47) 56(84) bytes of data.<\/span>
\n64 bytes from 212.159.16.47: icmp_seq=1 ttl=255 time=2.12 ms<\/span>
\n64 bytes from 212.159.16.47: icmp_seq=2 ttl=255 time=1.92 ms<\/span><\/p>\n

So why can't I ping the Internet from the PC or the 877 command line, yet I can write this Post?<\/p>\n

cisco877#ping 8.8.8.8<\/span><\/p>\n

Type escape sequence to abort.<\/span>
\nSending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:<\/span>
\n.....<\/span>
\nSuccess rate is 0 percent (0\/5)<\/span><\/p>\n

stevee@Dell490 ~ $ ping 8.8.8.8<\/span>
\nPING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.<\/span>
\n^C<\/span>
\n--- 8.8.8.8 ping statistics ---<\/span>
\n3 packets transmitted, 0 received, 100% packet loss, time 1999ms<\/span><\/p>\n

The ACL section of the conf file comprised:<\/p>\n

cisco877#sh ip access-lists<\/span>
\nExtended IP access list BLOCKWAN<\/span>
\n 10 permit tcp any any established (91905 matches)<\/span>
\n 20 permit udp any any (2557 matches)<\/span>
\n 30 permit udp host 91.189.89.198 eq ntp any<\/span>
\n 40 deny ip any any (499 matches)<\/span><\/strong>
\nExtended IP access list LAN2WEB<\/span>
\n 10 permit ip any any (67109 matches)<\/span><\/p>\n

This means the Vlan1 interface permits any IP traffic (which defines TCP, ICMP and UDP amongst others) to enter from and exit to the LAN. This single ACL rule is\u00a0set on both LAN incoming and outgoing directions of the Vlan1 interface with the reference point being the centre of the unit. Any IP protocol (TCP\/UDP) can pass unmolested from both sides of this interface, through\u00a0<\/em>the interface.\u00a0<\/em><\/p>\n

A ping is an ICMP packet so it can pass via the Vlan1 interface, hit the WAN\/Dialer1 interface and have a reply be returned from it, that can pass back through the LAN interface to the PC.<\/p>\n

A ping sent further afield cannot exit from the WAN interface though, as only TCP and UDP protocols have been specifically allowed to pass in both in and out directions from the WAN interface, with anything other protocol being dropped by the line:<\/p>\n

\u00a040 deny ip any any (499 matches)<\/span><\/p>\n

This is a standard \"catchall\" deny line set at the end of an ACL which prevents any protocols except those specifically allowed. To modify ACLs, extra lines can be inserted before the line 40 to allow for additional services without totally removing and re-writing a new ACL. The router has to be reloaded after this change to embed the settings in the IOS - for example:<\/p>\n

cisco877# conf t<\/span>
\ncisco877(config)#ip access-list extended BLOCKWAN<\/span>
\ncisco877(config-ext-nacl)#35 permit icmp any any<\/span><\/p>\n

cisco877(config-ext-nacl)#end<\/span><\/p>\n

cisco877#reload<\/span><\/p>\n

Now view the ACLs - the lines have been shifted up for the new rule:<\/p>\n

cisco877#sh ip access-lists<\/span>
\nExtended IP access list BLOCKWAN<\/span>
\n 10 permit tcp any any established (139 matches)<\/span>
\n 20 permit udp any any (97 matches)<\/span>
\n 30 permit udp host 91.189.89.198 eq ntp any<\/span>
\n 40 permit icmp any any (15 matches)<\/span><\/strong>
\n 50 deny ip any any<\/span>
\nExtended IP access list LAN2WEB<\/span>
\n 10 permit ip any any (669 matches)<\/span><\/p>\n

Now pings to the Internet from the 877 and the LAN get a response:<\/p>\n

stevee@Dell490 ~ $ ping bbc.co.uk<\/span>
\nPING bbc.co.uk (212.58.244.22) 56(84) bytes of data.<\/span>
\n64 bytes from 212.58.244.22: icmp_seq=1 ttl=53 time=22.6 ms<\/span><\/p>\n

cisco877#ping bbc.co.uk<\/span><\/p>\n

Translating \"bbc.co.uk\"...domain server (8.8.8.8) [OK]<\/span><\/p>\n

Type escape sequence to abort.<\/span>
\nSending 5, 100-byte ICMP Echos to 212.58.244.22, timeout is 2 seconds:<\/span>
\n!!!!!<\/span>
\nSuccess rate is 100 percent (5\/5), round-trip min\/avg\/max = 20\/22\/24 ms<\/span><\/p>\n

This does of course mean that your router is not stealthy anymore as it replies to WAN side pings itself.<\/p>\n

\"\"<\/a><\/p>\n

Apart from ping response it is still a good simple ACL overall with common ports stealthed:<\/p>\n

\"\"<\/a><\/p>\n

Another point - if you wondered - is that nmap run against the WAN IP from the LAN side shows responses from the INSIDE of the WAN interface so shows a different result - Telnet open in this case:<\/p>\n

stevee@Dell490 ~ $ nmap 212.159.16.47<\/span><\/p>\n

Starting Nmap 6.40 ( https:\/\/nmap.org ) at 2017-01-11 00:21 GMT<\/span>
\nNmap scan report for remote.securicomservices.co.uk (212.159.16.47)<\/span>
\nHost is up (0.030s latency).<\/span>
\nNot shown: 999 closed ports<\/span>
\nPORT STATE SERVICE<\/span>
\n23\/tcp open telnet<\/span><\/strong><\/p>\n

The conf at this point is:<\/p>\n

!<\/span>
\nversion 12.4<\/span>
\nno service pad<\/span>
\nservice timestamps debug datetime msec<\/span>
\nservice timestamps log datetime msec<\/span>
\nservice password-encryption<\/span>
\n!<\/span>
\nhostname cisco877<\/span>
\n!<\/span>
\nboot-start-marker<\/span>
\nboot-end-marker<\/span>
\n!<\/span>
\nenable secret 5 $1$e\/g3$ceiyt\/4dt\/GK9gSm7vbkN.<\/span>
\nenable password 7 03145404161F2E435E<\/span>
\n!<\/span>
\nno aaa new-model<\/span>
\nip cef<\/span>
\n!<\/span>
\n!<\/span>
\nip dhcp use vrf connected<\/span>
\nip dhcp excluded-address 192.168.1.1 192.168.1.20<\/span>
\n! <\/span>
\nip dhcp pool CLIENTS<\/span>
\n import all<\/span>
\n network 192.168.1.0 255.255.255.0<\/span>
\n default-router 192.168.1.100 <\/span>
\n dns-server 8.8.8.8 <\/span>
\n!<\/span>
\n!<\/span>
\nip domain name workgroup<\/span>
\nip name-server 8.8.8.8<\/span>
\nip name-server 212.159.13.49<\/span>
\n!<\/span>
\nmultilink bundle-name authenticated<\/span>
\n!<\/span>
\n!<\/span>
\n!<\/span>
\n!<\/span>
\n!<\/span>
\n! <\/span>
\n!<\/span>
\n!<\/span>
\n!<\/span>
\n!<\/span>
\ninterface ATM0<\/span>
\n no ip address<\/span>
\n ip nat outside<\/span>
\n ip virtual-reassembly<\/span>
\n logging event atm pvc state<\/span>
\n logging event atm pvc autoppp<\/span>
\n no atm ilmi-keepalive<\/span>
\n dsl operating-mode auto adsl2 adsl2+ <\/span>
\n dsl enable-training-log <\/span>
\n!<\/span>
\ninterface ATM0.1 point-to-point<\/span>
\n ip address dhcp<\/span>
\n ip nat outside<\/span>
\n ip virtual-reassembly<\/span>
\n no snmp trap link-status<\/span>
\n atm route-bridged ip<\/span>
\n atm pppatm link reset<\/span>
\n pvc 0\/38 <\/span>
\n encapsulation aal5snap<\/span>
\n protocol ppp dialer<\/span>
\n dialer pool-member 1<\/span>
\n ip addr inarp<\/span>
\n !<\/span>
\n! <\/span>
\ninterface FastEthernet0<\/span>
\n!<\/span>
\ninterface FastEthernet1<\/span>
\n!<\/span>
\ninterface FastEthernet2<\/span>
\n!<\/span>
\ninterface FastEthernet3<\/span>
\n!<\/span>
\ninterface Dot11Radio0<\/span>
\n no ip address<\/span>
\n shutdown<\/span>
\n speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0<\/span>
\n station-role root<\/span>
\n!<\/span>
\ninterface Vlan1<\/span>
\n ip address 192.168.1.100 255.255.255.0<\/span>
\n ip access-group LAN2WEB in<\/span>
\n ip nat inside<\/span>
\n ip nat enable<\/span>
\n ip virtual-reassembly<\/span>
\n!<\/span>
\ninterface Dialer1<\/span>
\n ip address negotiated previous<\/span>
\n ip access-group BLOCKWAN in<\/span>
\n ip nat outside<\/span>
\n ip nat enable<\/span>
\n ip virtual-reassembly<\/span>
\n encapsulation ppp<\/span>
\n dialer pool 1<\/span>
\n dialer-group 1<\/span>
\n autodetect encapsulation ppp<\/span>
\n ppp authentication chap pap callin<\/span>
\n ppp chap hostname stevepedwards@plus.net<\/span>
\n ppp chap password 7 071C3549580C1C031B0B1B0B50<\/span>
\n ppp ipcp wins request<\/span>
\n ppp ipcp mask request<\/span>
\n ppp ipcp route default<\/span>
\n ppp ipcp address accept<\/span>
\n!<\/span>
\nip default-gateway 195.166.130.250<\/span>
\nip route 0.0.0.0 0.0.0.0 Dialer1<\/span>
\n!<\/span>
\n!<\/span>
\nno ip http server<\/span>
\nno ip http secure-server<\/span>
\nip nat pool CLIENTS 192.168.1.20 192.168.1.25 netmask 255.255.255.0<\/span>
\nip nat inside source list LAN2WEB interface Dialer1 overload<\/span>
\n!<\/span>
\nip access-list extended BLOCKWAN<\/span>
\n permit tcp any any established<\/span>
\n permit udp any any<\/span>
\n permit udp host 91.189.89.198 eq ntp any<\/span>
\n permit icmp any any<\/span>
\n deny ip any any<\/span>
\nip access-list extended LAN2WEB<\/span>
\n permit ip any any<\/span>
\n!<\/span>
\ndialer-list 1 protocol ip permit<\/span>
\nsnmp-server community public RO<\/span>
\n!<\/span>
\n!<\/span>
\n!<\/span>
\n!<\/span>
\ncontrol-plane<\/span>
\n!<\/span>
\n!<\/span>
\nline con 0<\/span>
\n no modem enable<\/span>
\nline aux 0<\/span>
\nline vty 0 4<\/span>
\n password 7 051B090031<\/span>
\n login<\/span>
\n!<\/span>
\nscheduler max-task-time 5000<\/span>
\nend<\/span><\/p>\n","protected":false},"excerpt":{"rendered":"

<\/div>\n

<\/path><\/svg><\/i> \"Loading\"<\/p>\n

<\/div>\n

Routers have two main\u00a0methods of transferring traffic across different interfaces\/networks; using static routes or routing protocols. I can't teach a year long CCNA course here, but just as a simple intro, the routes set and available on routers and PCs can be seen with various commands. In linux, the command is simply: stevee@Dell490 ~ $ ...\u00a0 Cisco Setup ACL Settings and Basic Routing Concepts<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2],"tags":[],"class_list":["post-5985","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"a3_pvc":{"activated":true,"total_views":2,"today_views":0},"_links":{"self":[{"href":"https:\/\/stevepedwards.today\/DebianAdmin\/wp-json\/wp\/v2\/posts\/5985","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/stevepedwards.today\/DebianAdmin\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/stevepedwards.today\/DebianAdmin\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/stevepedwards.today\/DebianAdmin\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/stevepedwards.today\/DebianAdmin\/wp-json\/wp\/v2\/comments?post=5985"}],"version-history":[{"count":1,"href":"https:\/\/stevepedwards.today\/DebianAdmin\/wp-json\/wp\/v2\/posts\/5985\/revisions"}],"predecessor-version":[{"id":10068,"href":"https:\/\/stevepedwards.today\/DebianAdmin\/wp-json\/wp\/v2\/posts\/5985\/revisions\/10068"}],"wp:attachment":[{"href":"https:\/\/stevepedwards.today\/DebianAdmin\/wp-json\/wp\/v2\/media?parent=5985"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/stevepedwards.today\/DebianAdmin\/wp-json\/wp\/v2\/categories?post=5985"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/stevepedwards.today\/DebianAdmin\/wp-json\/wp\/v2\/tags?post=5985"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}