no Internet connection when applied ACL to WAN interface

Nov 4th, 2007

Hi Everyone,


The following configuration is on a Cisco 2514 router. When I apply ACL 101 on interface "0" (the WAN interface) it just blocks all connections.


Can you please check it and recommend appropriate changes.


R2514#sh run
Building configuration...

Current configuration : 4237 bytes
!
version 12.2
no service pad
service tcp-keepalives-in
service timestamps debug uptime
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname R2514
!
logging rate-limit all 10 except errors
aaa new-model
enable secret xxx$#134dfo9L4.
enable password xxx
!
username abcdef password xxx
clock timezone EST -5
clock summer-time EST recurring 2 Sun Mar 2:00 1 Sun Nov 2:00
ip subnet-zero
no ip source-route
ip cef
ip domain-name abc.net
no ip bootp server
class-map match-all VoIP
 description This is VoIP priority Critical
 match access-group 100
policy-map VoIP
 class VoIP
  priority 200
 class class-default
  fair-queue
!
interface Ethernet0
 description connected to WAN
 ip address 74.x.x.78 255.255.255.248
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 service-policy output VoIP
 ntp disable
 no cdp enable
!
interface Ethernet1
 description connected to EthernetLAN
 ip address 192.168.1.254 255.255.255.0
 no ip proxy-arp
 ip nat inside
 no ip mroute-cache
!
interface Serial0
 no ip address
 shutdown
!
interface Serial1
 no ip address
 shutdown
!
ip nat inside source list 1 interface Ethernet0 overload
ip nat inside source static tcp 192.168.1.78 80 74.169.188.78 80 extendable
ip nat inside source static tcp 192.168.1.77 80 74.169.188.77 80 extendable
ip nat inside source static tcp 192.168.1.76 80 74.169.188.76 80 extendable
ip nat inside source static tcp 192.168.1.75 5500 74.169.188.75 5500 extendable
ip nat inside source static tcp 192.168.1.74 5500 74.169.188.74 5500 extendable
no ip classless
ip route 0.0.0.0 0.0.0.0 74.1.1.73
ip route 172.16.1.0 255.255.255.0 192.168.1.1
no ip http server
!
logging facility local6
logging 172.16.1.7
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 2 permit 192.168.1.0 0.0.0.255
access-list 20 permit 192.168.1.0 0.0.0.255
access-list 21 permit 192.168.1.0 0.0.0.255
access-list 100 permit ip any any precedence critical
access-list 101 permit tcp any host 74.1.1.78 eq www
access-list 101 permit tcp any host 74.1.1.77 eq www
access-list 101 permit tcp any host 74.1.1.76 eq www
access-list 101 permit tcp any host 74.1.1.75 eq 5500
access-list 101 permit tcp any 192.168.1.0 0.0.0.255 established
access-list 101 permit icmp any any echo-reply
no cdp run
!
privilege exec level 15 connect
privilege exec level 15 telnet
privilege exec level 15 show ip access-lists
privilege exec level 15 show access-lists
privilege exec level 15 show logging
privilege exec level 1 show ip
!
line con 0
 exec-timeout 0 0
 password xxx
line aux 0
line vty 0 4
 access-class 2 in
 password xxx
 transport input ssh
!
ntp authentication-key 10 xxx
ntp authenticate
ntp trusted-key 10
ntp source Ethernet1
ntp access-group peer 20
ntp access-group serve-only 21
ntp max-associations 10
ntp server 18.145.0.30 prefer
end


thotsaphon Sun, 11/04/2007 - 03:12

Hi Ramon

Just a thought. Make sure that you already allow udp/53 for name resolution. Where is the DNS server? When you want to connect to 74.1.1.76-78, are you using names or IP addresses?

Please let me know what your problems are exactly.

Hope this helps

Thot



rvelazquez777 Sun, 11/04/2007 - 06:19

Hi Thot,


I had another ACL where I used to allow DNS or domain resolution as well.


access-list 101 permit udp 192.168.1.0 0.0.0.255 any eq domain


But it didn't work either. I'd like to add that pinging doesn't work as well. Besides, I'm using the keyword "established", which indicates that TCP traffic belonging to an established connection is allowed.

Thanks for your help Thot. Any other recommendation?

thotsaphon Sun, 11/04/2007 - 06:56

Ramon.

Firstly, I missed reading the entire configuration.

I assumed that you used a 192.168.1.x host as the DNS server. I assumed that 192.168.1.0/24 are the internal hosts. I assumed that you used an OUTBOUND ACL on the E0 interface.

{
int e0
 ip access-group 101 out
}

For testing, please use only the 3 ACEs below:

access-list 101 permit udp host 74.1.1.78 any eq domain
access-list 101 permit tcp host 74.1.1.78 any eq www
access-list 101 permit tcp host 74.1.1.78 any eq https

Please let me know what the output is when you do the "sh ip nat translation" command.

Please let me know what's going on when you do the "sh access-list 101" command. Do you see the matching ACLs?

NAT has been done before the output access-list. ;-)

Hope this helps

Thot



Richard Burts Sun, 11/04/2007 - 08:12

Ramon


In your post you mention applying access list 101 to interface ethernet 0. But you fail to mention whether you were applying the access list inbound or outbound. The addresses would make sense if it were applied inbound and would certainly prevent any connectivity if it were applied outbound. So can you clarify for us whether the access list was applied inbound or outbound?


HTH


Rick

thotsaphon Sun, 11/04/2007 - 08:25

Hi Rick , Ramon

I totally agree with Rick on this. What is your point in doing ACLs? Let's say if you want to restrict some traffic (192.168.1.1-55) from going to the internet, you should apply inbound ACLs.

The configuration I posted should work, but it does not make a classical network. ;-)

Hope this helps

Thot

rvelazquez777 Sun, 11/04/2007 - 10:21

Hi Everyone.


Yes... My #1 objective is to allow inbound connections to three different internal web servers and eventually to an internal Asterisk server through the SIP protocol.

Please disregard the ip nat static source addresses. They are wrong. They are supposed to be 74.1.1.74-78 :)

In regards to the DNS server, I'm using 74.1.1.73, which is the modem, or I can use the Covad DNS server. So far, the router resolves domain names to IP addresses without any problem.

If you take a look at the static NAT settings, I need to allow remote access to my web servers. So I was thinking of applying it to:

{
int e0
 ip access-group 101 in
}

However, I've applied it both ways, in and out, without success, except that I was able to ping out... uhhmmm.

Anyway, keep in mind that in order for me to browse the internet (post any message), I have to take ACL 101 off.

Thot, I did put your 3 ACEs on, except:

{
int e0
 ip access-group 102 out
}
access-list 102 permit udp host 74.1.1.78 any eq domain
access-list 102 permit tcp host 74.1.1.78 any eq www
access-list 102 permit tcp host 74.1.1.78 any eq https

I changed them to ACL 102 so I wouldn't keep changing and deleting ACL 101.

It doesn't work. Not even from the web server that is being statically mapped to 74.1.1.78. So I changed 74.1.1.78 to 74.1.1.74, which is the external int e0 on the router.

Then it works like a charm! But again, I don't achieve my objective.


What do you guys think? Thanks in advance for all your help!

thotsaphon Sun, 11/04/2007 - 11:26

Ah.. I'm completely wrong on your requirement.

Keep in mind: the ACL is stateless, so please think carefully before doing things.

- You want to restrict the outside to accessing the internal servers via static NATs.
- You want to allow internal users to access the internet.

Let me try.

When you apply ACL 101, you can still resolve names, right?

If so, the configuration below should be OK.

##Start##
ip nat inside source list 1 interface Ethernet0 overload
ip nat inside source static tcp 192.168.1.78 80 74.1.1.78 80 extendable
ip nat inside source static tcp 192.168.1.77 80 74.1.1.77 80 extendable
ip nat inside source static tcp 192.168.1.76 80 74.1.1.76 80 extendable
ip nat inside source static tcp 192.168.1.75 5500 74.1.1.75 5500 extendable
ip nat inside source static tcp 192.168.1.74 5500 74.1.1.74 5500 extendable
##
access-list 1 permit 192.168.1.0 0.0.0.255
##
access-list 103 permit ip any host 74.1.1.78
access-list 103 permit tcp any host 74.1.1.77 eq 80
access-list 103 permit tcp any host 74.1.1.76 eq 80
access-list 103 permit tcp any host 74.1.1.75 eq 5500
access-list 103 permit tcp any host 74.1.1.74 eq 5500
##
int e0
 ip access-group 103 in
 ip nat outside
##
int e1
 ip nat inside
##End##

Why did I change from "access-list xxx permit tcp any host 74.1.1.78 80" to "access-list xxx permit ip any host 74.1.1.78"? Because:

1. It's overlapping if we use both.
2. Users use 74.1.1.78 for NAT source with RANDOM PORTs.

What about it? If it doesn't work, please let me know what happens when users try to surf the internet.

What do you see in the NAT table?

What do you see when you do the "sh access-l 103" command?

Hope this works!

Thot

rvelazquez777 Mon, 11/05/2007 - 06:27

Hi Guys,


Thanks for all your support! Thot, you got it! It works! :) Here is the config!

!
interface Ethernet0
 description connected to WAN
 ip address 74.x.x.74 255.255.255.248
 ip access-group 101 in
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 service-policy output VoIP
 ntp disable
 no cdp enable
!
interface Ethernet1
 description connected to EthernetLAN
 ip address 192.168.1.254 255.255.255.0
 no ip proxy-arp
 ip nat inside
 no ip mroute-cache
!
ip nat inside source list 1 interface Ethernet0 overload
ip nat inside source static tcp 192.168.1.78 80 74.1.1.78 80 extendable
ip nat inside source static tcp 192.168.1.77 80 74.1.1.77 80 extendable
ip nat inside source static tcp 192.168.1.76 80 74.1.1.76 80 extendable
ip nat inside source static tcp 192.168.1.75 5500 74.1.1.75 5500 extendable
ip nat inside source static tcp 192.168.1.74 5500 74.1.1.74 5500 extendable
no ip classless
ip route 0.0.0.0 0.0.0.0 74.1.1.73
ip route 172.16.1.0 255.255.255.0 192.168.1.1
no ip http server
!
logging facility local6
logging 172.16.1.75
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 2 permit 192.168.1.0 0.0.0.255
access-list 20 permit 192.168.1.0 0.0.0.255
access-list 21 permit 192.168.1.0 0.0.0.255
access-list 100 permit ip any any precedence critical
access-list 101 permit udp 74.1.1.72 0.0.0.7 any eq domain
access-list 101 permit tcp 74.1.1.72 0.0.0.7 any established
access-list 101 permit tcp any host 74.1.1.78 eq www
access-list 101 permit tcp any host 74.1.1.77 eq www
access-list 101 permit tcp any host 74.1.1.76 eq www
access-list 101 permit tcp any host 74.1.1.75 eq 5500
access-list 101 permit tcp any host 74.1.1.74 eq 5500
access-list 101 permit ip any host 74.1.1.74
access-list 101 permit icmp 74.1.1.72 0.0.0.7 any
access-list 101 permit icmp 192.168.1.0 0.0.0.255 any
access-list 101 permit icmp any any 3 4
access-list 101 deny icmp any 74.1.1.72 0.0.0.7
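To make Thot's point concrete (the ACL is stateless, and an inbound ACL on E0 is evaluated before outside-to-inside NAT, so it only ever sees the public addresses), here is an added Python model of first-match ACL evaluation, written for this thread rather than taken from it or from Cisco. It parses a subset of the access-list syntax used above and runs abridged versions of the first ACL 101 and the final one; the outside address 198.51.100.10 and the ports are constructed sample values.

```python
import ipaddress

# Constructed model of a stateless IOS ACL applied inbound on the WAN interface (E0).
# Inbound packets are filtered before outside->inside NAT, so the ACL only ever sees
# public (global) destinations such as 74.1.1.74, never 192.168.1.x.
PORTS = {"www": 80, "domain": 53, "https": 443}  # keyword ports used in the thread

def _addr(tokens):
    """Consume 'any' | 'host A' | 'A WILDCARD'; return (network, remaining tokens)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    mask = str(ipaddress.ip_address(~int(ipaddress.ip_address(tokens[1])) & 0xFFFFFFFF))
    return ipaddress.ip_network((tokens[0], mask), strict=False), tokens[2:]

def parse_acl(text):
    """Parse 'access-list N permit|deny PROTO SRC DST [eq PORT] [established] ...' lines."""
    acl = []
    for line in text.strip().splitlines():
        _, _, action, proto, *rest = line.split()
        src, rest = _addr(rest)
        dst, rest = _addr(rest)
        port, established = None, False
        while rest:  # trailing qualifiers; ICMP type/code tokens are ignored by this model
            if rest[0] == "eq":
                port, rest = PORTS.get(rest[1]) or int(rest[1]), rest[2:]
            elif rest[0] == "established":
                established, rest = True, rest[1:]
            else:
                rest = rest[1:]
        acl.append((action, proto, src, dst, port, established))
    return acl

def evaluate(acl, proto, src, dst, dport=None, ack=False):
    """First matching ACE wins; the implicit 'deny ip any any' closes every ACL."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, p, s, d, port, est in acl:
        if p in ("ip", proto) and src in s and dst in d \
                and (port is None or port == dport) and (not est or ack):
            return action
    return "deny"

# Abridged from the thread: the first ACL 101 and the one that finally worked.
ORIGINAL_101 = parse_acl("""
access-list 101 permit tcp any host 74.1.1.78 eq www
access-list 101 permit tcp any 192.168.1.0 0.0.0.255 established""")
FINAL_101 = parse_acl("""
access-list 101 permit tcp any host 74.1.1.78 eq www
access-list 101 permit ip any host 74.1.1.74""")
```

A web server's reply to a PAT'd LAN user arrives on E0 addressed to 74.1.1.74, so the original `established` line for 192.168.1.0/24 never matches and the packet is dropped, while `permit ip any host 74.1.1.74` admits it (and the router's own DNS replies from 74.1.1.73). That same line also admits any unsolicited traffic to the router's WAN address, so on this page it is the `access-class 2 in` on the vty lines that still limits remote logins to 192.168.1.0/24.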

thotsaphon Mon, 11/05/2007 - 07:35

Hi Ramon

Good to know your job has been done.


Cheers

Thot


thotsaphon Mon, 11/05/2007 - 19:03

Hi Ramon

You can use the rating system for the answer that you appreciate. To be honest, it's not a big deal for me. Just saying "Thanks" to me makes a big impression.


;-)

Thot

rvelazquez777 Wed, 11/07/2007 - 08:06

Thot,


You are the BEST man. Thank you very much! :)


Hey... seriously, I didn't know about that "access-list permit ip" command and overlapping ACLs for the same address. I learned a great deal from you.


Thanks,
