
cisco 1921 problem with access list


  • cisco 1921 problem with access list

    I have a Cisco 1921 router that connects two networks, 192.168.0.0/24 and 192.168.200.0/24. My servers (DC 2008, DNS, SQL, etc.) are on network 192.168.200.0/24. The networks 192.168.8.0/24, 192.168.7.0/24, 192.168.5.0/24, 192.168.4.0/24, 192.168.3.0/24, 192.168.3.0/24, 192.168.2.0/24 and 192.168.1.0/24 also need access to these servers. I created an inbound access list on interface GigabitEthernet0/0; at the bottom of that access list is the rule `permit ip object-group DRI_mreze 192.168.200.0 0.0.0.255 log`. So my access list permits everything from object group DRI_mreze (which contains 192.168.8.0/24, 192.168.7.0/24, 192.168.5.0/24, 192.168.4.0/24, 192.168.3.0/24, 192.168.3.0/24, 192.168.2.0/24, 192.168.1.0/24 and 192.168.0.0/24) to network 192.168.200.0/24, except for the server ports that are denied by the deny rules placed above that permit rule. With this access list, my workstations (for example on network 192.168.3.0/24) can reach all servers on 192.168.200.0/24 except on the ports blocked by the deny rules. But my servers cannot reach the workstations — for example, I cannot ping any workstation from the servers. Why? I would also like a different access-list configuration: I want to block everything except the ports that I explicitly allow with access rules. How should I reconfigure the access list?

    Configuration of my Cisco 1921 router:


    ! --- Network object-groups ---------------------------------------------
    ! Address sets referenced by the Outside_in ACL further down.
    ! DRI_mreze is the set of client networks allowed toward 192.168.200.0/24;
    ! note it also contains 192.168.50.0/24, which the forum question does
    ! not list.
    object-group network DRI_mreze
    192.168.0.0 255.255.255.0
    192.168.1.0 255.255.255.0
    192.168.2.0 255.255.255.0
    192.168.3.0 255.255.255.0
    192.168.4.0 255.255.255.0
    192.168.5.0 255.255.255.0
    192.168.7.0 255.255.255.0
    192.168.8.0 255.255.255.0
    192.168.50.0 255.255.255.0
    !
    ! backup_server holds 192.168.0.x addresses (client side), not hosts on
    ! the 192.168.200.0/24 server subnet.
    object-group network backup_server
    host 192.168.0.152
    host 192.168.0.32
    range 192.168.0.29 192.168.0.30
    !
    object-group network SQL_servers
    host 192.168.200.14
    host 192.168.200.34
    host 192.168.200.16
    !
    object-group network wsus_servers
    host 192.168.200.12
    host 192.168.200.27
    host 192.168.200.15
    !
    object-group network sharepoint_web_servers
    range 192.168.200.36 192.168.200.37
    host 192.168.200.13
    host 192.168.200.17
    !
    object-group network virtual_servers
    host 192.168.200.11
    host 192.168.200.25
    host 192.168.200.41
    !
    object-group network domain_controllers
    host 192.168.200.20
    host 192.168.200.24
    !
    ! Nested group: everything in the six groups above plus six extra hosts.
    ! Used as the destination of the ping and RDP permits in Outside_in.
    object-group network Pinged_server
    group-object backup_server
    group-object SQL_servers
    group-object wsus_servers
    group-object sharepoint_web_servers
    group-object virtual_servers
    group-object domain_controllers
    host 192.168.200.22
    host 192.168.200.26
    host 192.168.200.23
    host 192.168.200.31
    host 192.168.200.28
    host 192.168.200.33
    !
    ! --- Service object-groups ---------------------------------------------
    ! NOTE(review): in a service object-group a plain `tcp eq N` / `tcp range`
    ! entry is matched against the DESTINATION port (source ports need the
    ! `source` keyword) -- confirm on this IOS release, because every deny in
    ! Outside_in relies on that.
    object-group service RDP_service
    tcp eq 3389
    !
    ! Four hosts plus the whole 192.168.50.0/24 subnet: every address in that
    ! subnet gets ping and RDP to all Pinged_server members via Outside_in.
    object-group network REMOTE_DESKTOP_client
    host 192.168.0.123
    host 192.168.0.188
    host 192.168.0.61
    192.168.50.0 255.255.255.0
    host 192.168.0.20
    !
    object-group service SPSQL_server
    description sql server for sharepoint
    tcp eq 5357
    tcp eq 49207
    tcp range 49152 49155
    tcp eq 49177
    tcp eq 47001
    tcp eq 5985
    !
    ! Contains icmp echo AND echo-reply: a deny that uses this group also
    ! drops the ping replies that come back to the matched server.
    object-group service WDS_server
    tcp eq 5985
    tcp eq 5357
    tcp eq 1027
    tcp eq 14236
    tcp eq 1033
    tcp eq 5040
    tcp eq 3389
    icmp echo
    icmp echo-reply
    !
    object-group service backup_servers
    tcp eq 135
    tcp eq 139
    tcp eq 3389
    tcp eq 9876
    tcp eq 445
    tcp eq 2301
    tcp eq 2381
    tcp eq 3260
    !
    ! Same remark as WDS_server for the icmp entries.
    ! NOTE(review): `tcp lt 3389` matches every TCP destination port below
    ! 3389 -- far wider than the explicit ports above it (it would also cover
    ! the standard DNS, Kerberos, LDAP and SMB ports). Confirm that denying
    ! this whole range toward the domain controllers is intended.
    object-group service domain_controller
    tcp eq 49188
    tcp eq 49177
    tcp eq 47001
    tcp eq 5985
    tcp eq 5357
    icmp echo
    icmp echo-reply
    tcp lt 3389
    !
    object-group service dri-net_server
    tcp eq www
    tcp eq 1025
    tcp range 1029 1030
    !
    object-group service finansije_server
    tcp eq 135
    tcp eq 139
    tcp eq 3389
    tcp eq 445
    tcp eq www
    tcp eq 5357
    !
    ! Same remark as WDS_server for the icmp entries.
    object-group service paragraflex_server
    tcp eq 5357
    tcp eq 5985
    tcp eq 47001
    icmp echo
    icmp echo-reply
    !
    object-group network ping_server
    host 192.168.0.61
    192.168.50.0 255.255.255.0
    !
    object-group service pinging_service
    icmp echo-reply
    icmp echo
    !
    object-group service sharepoint_application_service
    tcp eq 135
    tcp eq 139
    tcp eq 3389
    tcp eq 2103
    tcp eq 2105
    tcp eq 2107
    tcp eq 1801
    tcp eq smtp
    tcp eq 4361
    tcp eq 8080
    tcp eq 4860
    tcp eq 445
    tcp eq 1053
    tcp eq 5357
    tcp range www 82
    !
    object-group service sharepoint_web_application
    tcp eq 2103
    tcp eq 2105
    tcp eq 2107
    tcp eq 1801
    tcp range 1025 1028
    tcp eq 49098
    tcp eq 1065
    tcp eq 1063
    tcp eq 1043
    tcp eq 47001
    tcp eq 5985
    tcp eq 1110
    tcp eq 5357
    tcp eq 23456
    tcp range 32843 32844
    !
    object-group service terminal_server
    tcp eq 135
    tcp eq 139
    tcp eq 3389
    tcp eq 1947
    tcp eq 445
    tcp eq 5357
    !
    object-group service virtual_server_services
    tcp eq 2179
    tcp eq 2301
    tcp eq 2381
    tcp eq 49166
    tcp eq 55478
    tcp eq 47001
    tcp eq 5985
    tcp eq 55480
    tcp range 49152 49155
    tcp range 49161 49163
    !
    object-group service wsus_services
    tcp eq 5357
    tcp range 49152 49155
    tcp eq 49194
    tcp eq 49176
    !
    ! NOTE: the service groups backup_servers, finansije_server,
    ! sharepoint_application_service and terminal_server, and the network
    ! group ping_server, are defined but not referenced by any access list
    ! in this listing.
    ! Local administrator account with full privilege (15). `password 7` is a
    ! reversible obfuscation, not a hash, so the cleartext is recoverable from
    ! the stored string. Use `username administrator privilege 15 secret
    ! <new-password>` instead, and since this string has been pasted into a
    ! public forum, change the password.
    username administrator privilege 15 password 7 01230717481C091D250D1F5B4A
    !
    !
    ! TCP SYN wait time in seconds for connections the router itself handles;
    ! shorter than the IOS default.
    ip tcp synwait-time 10
    !
    !
    !
    !
    ! Discard interface; with unreachables off, traffic routed to Null0 is
    ! dropped without an ICMP reply.
    interface Null0
    no ip unreachables
    !
    ! Service-engine interface: unaddressed and administratively shut down.
    interface Embedded-Service-Engine0/0
    no ip address
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip flow ingress
    shutdown
    ! "Outside"/WAN side (the CCP tags in the description). Connects to
    ! 192.168.0.0/24; the other client subnets are routed via 192.168.0.254 on
    ! this segment, so every packet from a DRI_mreze host -- including every
    ! reply a workstation sends back to a server -- enters here and is
    ! checked by Outside_in.
    interface GigabitEthernet0/0
    description $ETH-WAN$$FW_OUTSIDE$
    ip address 192.168.0.253 255.255.255.0
    ip access-group Outside_in in
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip nbar protocol-discovery
    ip flow ingress
    ip flow egress
    ! Strict unicast RPF: a packet is dropped unless the route back to its
    ! source address points out this interface. Works here because every
    ! client prefix in the static routes below uses this interface; a new
    ! client subnet without a matching `ip route` would be dropped.
    ip verify unicast reverse-path
    duplex auto
    speed auto
    no mop enabled
    ! "Inside"/LAN side: the server subnet 192.168.200.0/24. Inside_in, which
    ! ends in `permit ip any any`, is applied inbound, so nothing the servers
    ! send is filtered on entry to the router.
    interface GigabitEthernet0/1
    description $ETH-LAN$$FW_INSIDE$
    ip address 192.168.200.254 255.255.255.0
    ip access-group Inside_in in
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip flow ingress
    duplex auto
    speed auto
    no mop enabled
    ip forward-protocol nd
    !
    ! HTTP/HTTPS management (used by CCP). `ip http server` exposes the
    ! management UI over cleartext HTTP in addition to HTTPS; `access-class 1`
    ! limits clients to the sources in access-list 1 (192.168.0.61 and
    ! 192.168.200.0/24). Prefer `no ip http server` and keep only
    ! `ip http secure-server` once CCP is pointed at HTTPS.
    ip http server
    ip http access-class 1
    ip http authentication local
    ip http secure-server
    ! NetFlow export to the collector at 192.168.0.61 (UDP 2055), plus a
    ! top-talkers cache for `show ip flow top-talkers`.
    ip flow-export destination 192.168.0.61 2055
    ip flow-top-talkers
    top 10
    sort-by packets
    cache-timeout 1000
    ! Static routes. Every client subnet is reached through 192.168.0.254 on
    ! the Gi0/0 segment, 192.168.50.0/24 through 192.168.0.10. The number after
    ! the next hop is the administrative distance; `permanent` keeps the route
    ! installed even when the next-hop interface goes down.
    ! NOTE(review): IOS does not install a static route whose distance is 255,
    ! so the default route below is most likely absent from the routing table
    ! -- check with `show ip route`. The differing distances (2..8) on the
    ! other routes appear to serve no purpose, as each prefix has a single
    ! next hop.
    ip route 0.0.0.0 0.0.0.0 192.168.0.254 255 permanent
    ip route 192.168.1.0 255.255.255.0 192.168.0.254 4 permanent
    ip route 192.168.2.0 255.255.255.0 192.168.0.254 5 permanent
    ip route 192.168.3.0 255.255.255.0 192.168.0.254 3 permanent
    ip route 192.168.4.0 255.255.255.0 192.168.0.254 7 permanent
    ip route 192.168.5.0 255.255.255.0 192.168.0.254 2 permanent
    ip route 192.168.7.0 255.255.255.0 192.168.0.254 6 permanent
    ip route 192.168.8.0 255.255.255.0 192.168.0.254 8 permanent
    ip route 192.168.50.0 255.255.255.0 192.168.0.10 permanent
    !
    ! Inside_in: applied inbound on GigabitEthernet0/1 (server side). The
    ! CCP-generated NTP entry is redundant with the final `permit ip any any`;
    ! nothing the servers send toward the router or the client networks is
    ! filtered here.
    ip access-list extended Inside_in
    remark CCP_ACL Category=1
    remark Auto generated by CCP for NTP (123) 192.168.0.20
    permit udp host 192.168.0.20 eq ntp host 192.168.200.254 eq ntp
    permit ip any any
    ! Outside_in: applied inbound on GigabitEthernet0/0 (the 192.168.0.0/24
    ! side). It is a plain stateless ACL: every packet arriving on that
    ! interface is matched top-down, INCLUDING the reply packets of sessions
    ! that the 192.168.200.0/24 servers open toward DRI_mreze hosts, because
    ! those replies also enter on Gi0/0.
    ip access-list extended Outside_in
    remark CCP_ACL Category=1
    remark Auto generated by CCP for NTP (123) 192.168.0.20
    permit udp host 192.168.0.20 eq ntp host 192.168.0.253 eq ntp
    ! Management host 192.168.0.61 (also the NetFlow collector and a member of
    ! access-lists 1 and 100) gets unrestricted IP to the router's Gi0/0 address.
    permit ip host 192.168.0.61 host 192.168.0.253
    ! 192.168.0.20 (the NTP source above) may reach the whole server subnet on
    ! UDP and TCP ports 49152-56535.
    permit udp host 192.168.0.20 192.168.200.0 0.0.0.255 range 49152 56535
    permit tcp host 192.168.0.20 192.168.200.0 0.0.0.255 range 49152 56535
    ! Ping and RDP from the REMOTE_DESKTOP_client set (which includes all of
    ! 192.168.50.0/24) to every Pinged_server member; both entries are logged.
    permit object-group pinging_service object-group REMOTE_DESKTOP_client object-group Pinged_server log
    permit object-group RDP_service object-group REMOTE_DESKTOP_client object-group Pinged_server log
    ! Per-server denies: each blocks the ports in the named service group from
    ! ALL of DRI_mreze to the named server(s); the catch-all permit at the end
    ! lets everything else from DRI_mreze through.
    deny object-group virtual_server_services object-group DRI_mreze object-group virtual_servers
    ! paragraflex_server, domain_controller and WDS_server all contain
    ! `icmp echo-reply`, so the three denies that use them also drop the echo
    ! replies that workstations send back to 192.168.200.26, the domain
    ! controllers and 192.168.200.28. NOTE(review): this is the most likely
    ! reason pings from those servers to workstations fail -- confirm with the
    ! deny counters in `show access-lists`, or by pinging from a server that
    ! none of those groups covers.
    deny object-group paragraflex_server object-group DRI_mreze host 192.168.200.26
    deny object-group wsus_services object-group DRI_mreze object-group wsus_servers
    deny object-group sharepoint_web_application object-group DRI_mreze object-group sharepoint_web_servers log
    deny object-group SPSQL_server object-group DRI_mreze object-group SQL_servers
    ! Only 192.168.0.0/24 (not all of DRI_mreze) is blocked from the dri-net
    ! ports on 192.168.200.31.
    deny object-group dri-net_server 192.168.0.0 0.0.0.255 host 192.168.200.31 log
    deny object-group domain_controller object-group DRI_mreze object-group domain_controllers log
    deny object-group WDS_server object-group DRI_mreze host 192.168.200.28
    ! Catch-all: everything else from DRI_mreze to the server subnet is
    ! permitted and logged; any other source or destination falls to the
    ! implicit deny at the end of the list. NOTE(review): `log` on a
    ! permit-ip catch-all generates syslog output for matching traffic
    ! (rate-limited) and can load the CPU on a small platform -- consider
    ! dropping `log` here once the policy has been verified.
    ! To invert this into a default-deny policy (the second question): replace
    ! this line with explicit `permit` entries for the allowed ports and rely
    ! on the implicit deny. Because the ACL is stateless, the return path of
    ! server-initiated traffic then also needs to be permitted, e.g.
    ! `permit tcp object-group DRI_mreze 192.168.200.0 0.0.0.255 established`
    ! and a `permit icmp ... echo-reply` entry, or use a reflexive ACL or IOS
    ! zone-based firewall inspection instead of a plain ACL.
    permit ip object-group DRI_mreze 192.168.200.0 0.0.0.255 log
    ! outside_out: defined but not attached to any interface in this listing
    ! (the only `ip access-group` lines are Outside_in on Gi0/0 and Inside_in
    ! on Gi0/1), so as shown it has no effect.
    ip access-list extended outside_out
    remark CCP_ACL Category=1
    permit icmp 192.168.200.0 0.0.0.255 object-group DRI_mreze
    permit ip any any
    !
    ! Syslog (including the ACL `log` hits above) goes to 192.168.0.9 as
    ! facility local6, sourced from Gi0/0's address 192.168.0.253.
    logging facility local6
    logging source-interface GigabitEthernet0/0
    logging 192.168.0.9
    ! access-list 1: sources allowed to the HTTP/HTTPS management UI
    ! (`ip http access-class 1` above).
    access-list 1 permit 192.168.0.61
    access-list 1 remark Auto generated by SDM Management Access feature
    access-list 1 remark CCP_ACL Category=1
    access-list 1 permit 192.168.200.0 0.0.0.255
    ! access-list 2: not referenced anywhere in this listing.
    access-list 2 remark CCP_ACL Category=1
    access-list 2 permit 192.168.200.26
    ! access-list 100: sources allowed to the vty lines (`access-class 100 in`
    ! under `line vty 0 4` below) -- the server subnet plus 192.168.0.61.
    access-list 100 remark Auto generated by SDM Management Access feature
    access-list 100 remark CCP_ACL Category=1
    access-list 100 permit ip 192.168.200.0 0.0.0.255 any
    access-list 100 permit ip host 192.168.0.61 any
    !
    ! CDP disabled globally.
    no cdp run
    !
    ! SNMP: only ifindex persistence and one trap type are shown; no
    ! community or v3 user lines appear in this listing, so whether SNMP is
    ! actually reachable cannot be told from here.
    snmp-server ifindex persist
    snmp-server enable traps entity-sensor threshold
    !
    !
    !
    ! control-plane section is empty: no control-plane policing (CoPP)
    ! service-policy is attached.
    control-plane
    !
    !
    ! Login banner (Serbian: "DRI servers, welcome!").
    banner login ^CDRI serveri dobro dosli!^C
    !
    ! Console and AUX ports: both use the `local_authen` AAA login method
    ! list, which is not defined in the pasted portion (assumes an
    ! `aaa authentication login local_authen ...` line exists above it --
    ! TODO confirm).
    line con 0
    login authentication local_authen
    transport output telnet
    line aux 0
    login authentication local_authen
    transport output telnet
    ! line 2: `no exec` means no CLI is offered on it even though
    ! `transport input all` is set.
    line 2
    no activation-character
    no exec
    transport preferred none
    transport input all
    transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
    stopbits 1
    ! vty 0-4: remote CLI, sources limited by access-list 100 (192.168.200.0/24
    ! and 192.168.0.61). Both telnet and ssh are accepted; telnet carries the
    ! login in cleartext, so prefer `transport input ssh`. The line `password`
    ! is type 7 (reversible); with `login authentication local_authen` in
    ! effect it is only consulted if that method list falls back to `line`.
    ! As with the username, prefer a `secret` or remove it.
    line vty 0 4
    access-class 100 in
    password 7 097C4F1A0A1218000F4D557878
    authorization exec local_author
    login authentication local_authen
    transport input telnet ssh
    scheduler allocate 20000 1000
    ! NTP from 192.168.0.20, sourced from Gi0/0's address, and the hardware
    ! calendar kept in sync. No `ntp authenticate` / `ntp authentication-key`
    ! lines are visible, so time sync is unauthenticated as shown.
    ntp update-calendar
    ntp server 192.168.0.20 prefer source GigabitEthernet0/0
    !
    end
