configuring access router, ACL

Discussion in 'Hardware' started by Pure-D, Aug 15, 2005.

  1. Pure-D

    Pure-D Private E-2

    Hi, I'm wanting to configure an access router for an internet connection, using an ACL to stop incoming traffic that wasn't intended for my small network.
    For example, the networks on 170.15.51.0, 255.255.255.240. I'm just looking for someone to give me a generic Cisco example, please?
     
  2. pacvan

    pacvan Private First Class

    What is the router you are using? Configuring ACLs can be a pain in the butt on a command based router, such as the Cisco 1700 series. It can be considerably easier with a router such as the LinkSys WRT54G. I'll get back with more info.
     
  3. Pure-D

    Pure-D Private E-2

    I'm just looking for the bare essentials for a simple Cisco router :)
     
  4. pacvan

    pacvan Private First Class

  5. Pure-D

    Pure-D Private E-2

    Hi, thanks for the links. I'm gonna give it a go now :)
     
  6. Pure-D

    Pure-D Private E-2

    Sorry, I can't find an edit button. I wish to make the ACL in a .txt file, so will those sites still be of use?
     
  7. pacvan

    pacvan Private First Class

    Edit button?
    Usually the best way to configure an ACL would be like you said: type it out in Notepad, copy the text to the config console, and save the text file as a backup in case your router goes down.

    At least whenever people I know and I make an ACL we type it in notepad first. Example:
    (In this example I will make a standard ACL and apply to the inbound direction of the FastEthernet 0 interface)

    In notepad your ACL may look like this:
    _______________________________________________________________
    access-list 1 deny 192.168.214.0 0.0.0.255
    access-list 1 deny 192.168.5.0 0.0.0.255
    access-list 1 deny 172.34.0.0 0.0.255.255
    access-list 1 permit any

    ip access-group 1 in
    _______________________________________________________________
    (You want the "permit any" at the end of your ACL because at the end of the ACL there is an implicit "deny any" statement.)

    In the router's configuration your ACL may look like this, when you enter it in:
    _______________________________________________________________
    (You will need to enter the global configuration mode. You will then need to go into the configure terminal mode.)
    Router(config)#access-list 1 deny 192.168.214.0 0.0.0.255
    Router(config)#access-list 1 deny 192.168.5.0 0.0.0.255
    Router(config)#access-list 1 deny 172.34.0.0 0.0.255.255
    Router(config)#access-list 1 permit any
    Router(config)#interface fastethernet 0
    (This will enter you into config mode for the FastEthernet 0 interface)
    Router(config-if)#ip access-group 1 in
    (Exit the interface config mode and the terminal config mode, to get back to the global config mode. You will need to save your new settings by doing this:)
    Router#copy running-config startup-config
    (You can now exit the configuration console.)
    _______________________________________________________________

    That is a basic example of applying a standard ACL.
     
  8. Pure-D

    Pure-D Private E-2

    OK, I think I understand it a little. How's this...

    My network address for example is 180.30.30.0, wildcard mask of 0.0.0.255 (it's incorrect, but still, I'll use it for the example)

    I want to allow my 3 computers on my network access to the internet and block any unwanted inbound traffic (stuff that wasn't initiated from within the network).

    This will be the .txt file...

    access-list 1 deny 180.30.30.0.0.0.0.255
    access-list 1 deny 180.30.30.0.0.0.0.255
    access-list 1 deny 180.30.30.0.0.0.0.255
    access-list 1 permit any

    ip access-group 1 in

    Does that do what I stated above?
     
  9. pacvan

    pacvan Private First Class

    No, that will block ANY traffic to or from, depending on what interface and direction the ACL is applied to, the 180.30.30.0 network.

    For the moment, let's suppose this is what you want to do. The text file would look more like this:
    _______________________________________________________________
    access-list 1 deny 180.30.0.0 0.0.255.255
    access-list 1 permit any

    ip access-group 1 in
    _______________________________________________________________

    First, I put a noticeable space between the IP address and the wildcard mask. I did this only to show you that there is a space between the IP address and the wildcard mask, not a decimal.

    Second, typing "access-list 1 deny 180.30.30.0 0.0.255.255" three times is being redundant. Your access list only needs to be as short or as long as needed.

    Third, 180.30.30.0 is a class B IP address, which means its network address would be 180.30.0.0. 180.30.30.0 could be a subnetwork IP address.

    Fourth, your wildcard mask will correspond to your subnet mask. 0.0.0.255 is a wildcard mask for the subnet mask of 255.255.255.0, which would be correct for you if 180.30.30.0 is a subnetwork address.

    I have to leave soon, so I will finish up. Basically, you want to block certain IP addresses from reaching you, which means you need to know exactly what you want to block.

    Well, I better get going. I will get back to you possibly Sunday night, probably Thursday though.
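To make pacvan's points concrete (the wildcard mask is the bitwise inverse of the subnet mask, the address and wildcard are two space-separated tokens, entries are checked top-down with first match winning, and anything unmatched hits the implicit "deny any"), here is a small Python model of a standard IOS ACL. It is an added example, not code from the thread or from Cisco; it parses pacvan's Notepad list verbatim as sample input, the test addresses it evaluates are constructed, and it simplifies IOS (it models source-address matching only, which is all a standard ACL does).

```python
import ipaddress


def wildcard_from_subnet_mask(mask: str) -> str:
    """Cisco wildcard mask = bitwise inverse of the subnet mask (255.255.255.0 -> 0.0.0.255)."""
    inverted = (~int(ipaddress.IPv4Address(mask))) & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(inverted))


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """A 1 bit in the wildcard is 'don't care'; 0 bits must equal the base address."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)


def parse_standard_acl(text: str) -> dict:
    """Parse 'access-list N deny|permit (any | host A | A WILDCARD)' lines.

    Returns {acl_number: [(action, base, wildcard), ...]} in the order typed,
    because IOS evaluates entries top-down and stops at the first match.
    Lines such as 'ip access-group 1 in' are interface commands, not entries,
    so they are skipped. Every address is validated, so the typo from the
    thread ('180.30.30.0.0.0.0.255', no space before the wildcard) raises
    ValueError instead of silently becoming a wrong entry.
    """
    acls: dict = {}
    for raw in text.splitlines():
        tok = raw.split()
        if len(tok) < 4 or tok[0] != "access-list":
            continue
        number, action = tok[1], tok[2]
        if action not in ("permit", "deny"):
            raise ValueError(f"unknown action {action!r} in: {raw.strip()}")
        if tok[3] == "any":
            base, wc = "0.0.0.0", "255.255.255.255"
        elif tok[3] == "host":
            base, wc = tok[4], "0.0.0.0"
        else:
            base = tok[3]
            wc = tok[4] if len(tok) > 4 else "0.0.0.0"  # IOS default wildcard is 0.0.0.0
        ipaddress.IPv4Address(base)  # raises ValueError on malformed input
        ipaddress.IPv4Address(wc)
        acls.setdefault(number, []).append((action, base, wc))
    return acls


def evaluate_standard_acl(entries: list, src: str) -> str:
    """First matching entry wins; a source matching nothing hits the implicit 'deny any'."""
    for action, base, wc in entries:
        if wildcard_match(src, base, wc):
            return action
    return "deny"


# pacvan's Notepad ACL from the thread, used here as sample input.
PACVAN_ACL = """
access-list 1 deny 192.168.214.0 0.0.0.255
access-list 1 deny 192.168.5.0 0.0.0.255
access-list 1 deny 172.34.0.0 0.0.255.255
access-list 1 permit any

ip access-group 1 in
"""


def demo() -> dict:
    """Evaluate constructed source addresses against ACL 1, with and without 'permit any'."""
    entries = parse_standard_acl(PACVAN_ACL)["1"]
    without_permit_any = entries[:-1]  # what happens if the last line is forgotten
    return {
        "blocked_net": evaluate_standard_acl(entries, "192.168.214.77"),
        "class_b_block": evaluate_standard_acl(entries, "172.34.200.1"),
        "other_host": evaluate_standard_acl(entries, "10.0.0.1"),
        "other_host_no_permit_any": evaluate_standard_acl(without_permit_any, "10.0.0.1"),
    }


if __name__ == "__main__":
    print(wildcard_from_subnet_mask("255.255.255.240"))  # the /28 mask from the first post
    print(demo())
```

The last entry of `demo()` shows why pacvan insists on the closing "permit any": with it removed, a host that none of the deny lines mention is still dropped by the implicit deny, which on an inbound ACL means the router silently blocks all legitimate traffic.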
     
  10. Pure-D

    Pure-D Private E-2

    Hi, thanks for your help. How's this then?...

    access-list 101
    allow 180.30.0.0 0.0.255.255
    permit any

    ip access-group 1 in

    deny any

    I'm following your advice and trying to get my head round the Cisco online tutorials :(
    The network IP and subnet mask are all purely fictional, just examples.
     
  11. Pure-D

    Pure-D Private E-2

    Router(config)#

    int ser0/0
    access-group 101 out
    access-group 102 in


    access-list 101 permit tcp 180.30.0.0 0.0.255.255 any eq 80

    access-list 102 permit tcp any 180.30.0.0 0.0.255.255 established

    access-list 101 tcp permit 180.30.0.0 0.0.255.255 any eq 443

    deny everything else

    Sorry, but how's this, any good? (I only want to use browsers, nothing like Kazaa or such)
     
  12. IrOnMaN

    IrOnMaN Specialist

    OK, so what you want to do is allow your 3 networks to access the internet, but you don't want any traffic to get to your networks.

    Router(config)#access-list 101 permit tcp 172.64.0.0 0.0.255.255 any eq 80
    Router(config)#access-list 101 permit tcp 172.65.0.0 0.0.255.255 any eq 80
    Router(config)#access-list 101 permit tcp 172.66.0.0 0.0.255.255 any eq 80
    Router(config)#inter s0/0
    Router(config-if)#ip access-group 101 out

    Router(config)#access-list 1 deny any
    Router(config)#inter s0/0
    Router(config-if)#ip access-group 1 in

    Now I have no idea if this will work or not, but it's something else to try. ACLS ARE SO FRUSTRATING!!!!!
     
  13. pacvan

    pacvan Private First Class

    Yes, ACLs can be really frustrating.

    This ACL looks almost fine. First, you can only have ONE ACL applied to an interface. Second, you never need the "deny any" statement in an ACL, there is always an implicit "deny any" statement at the end of every ACL. Instead, when we want to permit all other traffic we use the "permit any" statement. So, that whole last part (access-list 1) can be excluded.

    Also, you might want to allow the ports for FTP, SMTP, POP3, POP3S, NETBIOS, DHCP, and possibly some others.
     
  14. IrOnMaN

    IrOnMaN Specialist

    I don't know if you knew this or not, Pure-D, but instead of using the port numbers you can just put the word. I find it's a lot easier than remembering port numbers.

    Example: instead of putting eq 80 you could put eq http
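Pulling together Pure-D's and IrOnMaN's drafts, pacvan's corrections (one ACL per interface per direction, no explicit "deny any" needed) and IrOnMaN's port keywords, here is an added Python model of an extended IOS ACL applied in both directions on a serial interface. It is example code written for this thread, not anything the posters or Cisco supplied. The configuration text is the browser-only policy discussed in the thread (outbound HTTP/HTTPS from 180.30.0.0/16, inbound only `established` TCP); the packets it evaluates are constructed, using the 203.0.113.0/24 and 198.51.100.0/24 documentation ranges as Internet hosts; `PORT_NAMES` is an assumed subset of the IOS keywords; and the packet model is simplified to the fields an ACL looks at.

```python
import ipaddress

# Assumed subset of the IOS port keywords IrOnMaN refers to ('eq http' instead of 'eq 80').
PORT_NAMES = {"ftp": 21, "telnet": 23, "smtp": 25, "http": 80, "pop3": 110, "https": 443}


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)


def _take_addr(tok: list, i: int):
    """Consume 'any' | 'host A' | 'A WILDCARD' at tok[i]; return (base, wildcard, next index)."""
    if tok[i] == "any":
        return "0.0.0.0", "255.255.255.255", i + 1
    if tok[i] == "host":
        return tok[i + 1], "0.0.0.0", i + 2
    return tok[i], tok[i + 1], i + 2


def _take_port(tok: list, i: int):
    """Consume an optional 'eq <number|keyword>'; return (port or None, next index)."""
    if i < len(tok) and tok[i] == "eq":
        p = tok[i + 1]
        return (PORT_NAMES[p] if p in PORT_NAMES else int(p)), i + 2
    return None, i


def parse_extended_acl(text: str) -> dict:
    """Parse 'access-list N permit|deny PROTO SRC [eq P] DST [eq P] [established]' lines."""
    acls: dict = {}
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 6 or tok[0] != "access-list":
            continue  # blank lines and interface commands are not entries
        number, action, proto = tok[1], tok[2], tok[3]
        src, swc, i = _take_addr(tok, 4)
        sport, i = _take_port(tok, i)
        dst, dwc, i = _take_addr(tok, i)
        dport, i = _take_port(tok, i)
        acls.setdefault(number, []).append(dict(
            action=action, proto=proto, src=src, swc=swc, sport=sport,
            dst=dst, dwc=dwc, dport=dport, established="established" in tok[i:]))
    return acls


def entry_matches(e: dict, pkt: dict) -> bool:
    """Every field of the entry must agree with the packet; protocol 'ip' matches anything."""
    if e["proto"] not in ("ip", pkt["proto"]):
        return False
    if not (wildcard_match(pkt["src"], e["src"], e["swc"])
            and wildcard_match(pkt["dst"], e["dst"], e["dwc"])):
        return False
    if e["sport"] is not None and pkt.get("sport") != e["sport"]:
        return False
    if e["dport"] is not None and pkt.get("dport") != e["dport"]:
        return False
    # 'established' only checks the TCP ACK/RST bits; it keeps no memory of earlier connections.
    if e["established"] and not (pkt.get("ack") or pkt.get("rst")):
        return False
    return True


def evaluate(entries: list, pkt: dict) -> str:
    """Top-down, first match wins; no match means the implicit 'deny any' at the end."""
    for e in entries:
        if entry_matches(e, pkt):
            return e["action"]
    return "deny"


class Interface:
    """At most one ACL per direction: a second 'ip access-group ... in' replaces the first."""

    def __init__(self, name: str):
        self.name, self.bound = name, {}

    def access_group(self, number: str, direction: str) -> None:
        self.bound[direction] = number

    def filter(self, acls: dict, direction: str, pkt: dict) -> str:
        number = self.bound.get(direction)
        # No ACL applied, or an applied ACL number with no entries: IOS forwards everything.
        if number is None or number not in acls:
            return "permit"
        return evaluate(acls[number], pkt)


CONFIG = """
access-list 101 permit tcp 180.30.0.0 0.0.255.255 any eq http
access-list 101 permit tcp 180.30.0.0 0.0.255.255 any eq 443
access-list 102 permit tcp any 180.30.0.0 0.0.255.255 established
"""
ACLS = parse_extended_acl(CONFIG)
S0 = Interface("Serial0/0")
S0.access_group("101", "out")  # traffic leaving toward the ISP
S0.access_group("102", "in")   # traffic arriving from the ISP


def demo() -> dict:
    """Constructed packets; 203.0.113.10 and 198.51.100.7 stand in for Internet hosts."""
    lan = "180.30.30.5"
    web_syn = dict(proto="tcp", src=lan, dst="203.0.113.10", sport=40000, dport=80, ack=False)
    web_reply = dict(proto="tcp", src="203.0.113.10", dst=lan, sport=80, dport=40000, ack=True)
    unsolicited = dict(proto="tcp", src="198.51.100.7", dst=lan, sport=3333, dport=445, ack=False)
    smtp_out = dict(proto="tcp", src=lan, dst="203.0.113.10", sport=40001, dport=25, ack=False)
    ack_only = dict(unsolicited, ack=True)  # stateless 'established' cannot tell this from a reply
    return {
        "web_out": S0.filter(ACLS, "out", web_syn),
        "web_reply_in": S0.filter(ACLS, "in", web_reply),
        "unsolicited_in": S0.filter(ACLS, "in", unsolicited),
        "smtp_out": S0.filter(ACLS, "out", smtp_out),
        "ack_only_in": S0.filter(ACLS, "in", ack_only),
    }
```

Two things worth noticing in `demo()`: the outbound SMTP packet is dropped without any "deny" line, exactly as pacvan says, and the `ack_only_in` case shows that `established` is not a stateful firewall: it admits any segment with ACK or RST set regardless of whether the LAN ever opened the connection. Where that matters, stateful inspection (CBAC or the zone-based firewall in later IOS releases) is the right tool, with the ACL kept as a coarse first filter.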
     
