11-04-2007 12:24 AM - edited 03-03-2019 05:39 AM
Hi Everyone,
The following configuration is on a Cisco 2514 router. When I apply ACL 101 on interface "0", the WAN interface, it just blocks all connections.
Can you please check it and recommend appropriate changes.
R2514#sh run
Building configuration...
Current configuration : 4237 bytes
!
version 12.2
no service pad
service tcp-keepalives-in
service timestamps debug uptime
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname R2514
!
logging rate-limit all 10 except errors
aaa new-model
enable secret xxx$#134dfo9L4.
enable password xxx
!
username abcdef password xxx
clock timezone EST -5
clock summer-time EST recurring 2 Sun Mar 2:00 1 Sun Nov 2:00
ip subnet-zero
no ip source-route
ip cef
ip domain-name abc.net
no ip bootp server
class-map match-all VoIP
description This is VoIP priority Critical
match access-group 100
policy-map VoIP
class VoIP
priority 200
class class-default
fair-queue
!
interface Ethernet0
description connected to WAN
ip address 74.x.x.78 255.255.255.248
ip verify unicast reverse-path
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
service-policy output VoIP
ntp disable
no cdp enable
!
interface Ethernet1
description connected to EthernetLAN
ip address 192.168.1.254 255.255.255.0
no ip proxy-arp
ip nat inside
no ip mroute-cache
!
interface Serial0
no ip address
shutdown
!
interface Serial1
no ip address
shutdown
!
ip nat inside source list 1 interface Ethernet0 overload
ip nat inside source static tcp 192.168.1.78 80 74.169.188.78 80 extendable
ip nat inside source static tcp 192.168.1.77 80 74.169.188.77 80 extendable
ip nat inside source static tcp 192.168.1.76 80 74.169.188.76 80 extendable
ip nat inside source static tcp 192.168.1.75 5500 74.169.188.75 5500 extendable
ip nat inside source static tcp 192.168.1.74 5500 74.169.188.74 5500 extendable
no ip classless
ip route 0.0.0.0 0.0.0.0 74.1.1.73
ip route 172.16.1.0 255.255.255.0 192.168.1.1
no ip http server
!
logging facility local6
logging 172.16.1.7
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 2 permit 192.168.1.0 0.0.0.255
access-list 20 permit 192.168.1.0 0.0.0.255
access-list 21 permit 192.168.1.0 0.0.0.255
access-list 100 permit ip any any precedence critical
access-list 101 permit tcp any host 74.1.1.78 eq www
access-list 101 permit tcp any host 74.1.1.77 eq www
access-list 101 permit tcp any host 74.1.1.76 eq www
access-list 101 permit tcp any host 74.1.1.75 eq 5500
access-list 101 permit tcp any 192.168.1.0 0.0.0.255 established
access-list 101 permit icmp any any echo-reply
no cdp run
!
privilege exec level 15 connect
privilege exec level 15 telnet
privilege exec level 15 show ip access-lists
privilege exec level 15 show access-lists
privilege exec level 15 show logging
privilege exec level 1 show ip
!
line con 0
exec-timeout 0 0
password xxx
line aux 0
line vty 0 4
access-class 2 in
password xxx
transport input ssh
!
ntp authentication-key 10 xxx
ntp authenticate
ntp trusted-key 10
ntp source Ethernet1
ntp access-group peer 20
ntp access-group serve-only 21
ntp max-associations 10
ntp server 18.145.0.30 prefer
end
11-04-2007 03:12 AM
Hi Ramon
Just my thought. Make sure that you already allow udp/53 for name resolution. Where is the DNS server? When you want to connect to 74.1.1.76-78, are you using names or IP addresses?
Please let me know exactly what your problems are.
Hope this helps
Thot
11-04-2007 06:19 AM
Hi Thot,
I had another ACL where I used to allow DNS (domain name) resolution as well:
access-list 101 permit udp 192.168.1.0 0.0.0.255 any eq domain
But it didn't work either. I'd like to add that pinging doesn't work as well. Besides, I'm using the keyword "established", which allows TCP traffic belonging to an established connection.
Thanks for your help, Thot. Any other recommendation?
11-04-2007 06:56 AM
Ramon.
First, I missed reading the entire configuration.
I assumed that you've used 192.168.1.x as the DNS server. I assumed that you've had 192.168.1.0/24 as the internal hosts. I assumed that you've used an OUTBOUND ACL on the E0 interface.
{
interface Ethernet0
ip access-group 101 out
}
For testing, please only use the 3 ACEs below:
access-list 101 permit udp host 74.1.1.78 any eq domain
access-list 101 permit tcp host 74.1.1.78 any eq www
access-list 101 permit tcp host 74.1.1.78 any eq https
Please let me know what the output is when you do the "sh ip nat translation" command.
Please let me know what's going on when you do the "sh access-list 101" command. Do you see matching ACEs?
NAT has been done before the output access-list. ;-)
Hope this helps
Thot
11-04-2007 08:12 AM
Ramon
In your post you mention applying access list 101 to interface ethernet 0. But you fail to mention whether you were applying the access list inbound or outbound. The addresses would make sense if it were applied inbound and would certainly prevent any connectivity if it were applied outbound. So can you clarify for us whether the access list was applied inbound or outbound?
HTH
Rick
11-04-2007 08:25 AM
Hi Rick , Ramon
I totally agree with Rick on this. What is your point in doing ACLs? Let's say you want to restrict some traffic (192.168.1.1-55) from going to the internet; you should apply inbound ACLs.
The configuration I posted should work but doesn't make a classical network. ;-)
Hope this helps
Thot
11-04-2007 10:21 AM
Hi Everyone.
Yes... My #1 objective is to allow inbound connections to three different internal web servers, and eventually to an internal Asterisk server through the SIP protocol.
Please disregard the ip nat static source addresses. They are wrong. They are supposed to be 74.1.1.74-78 :)
In regards to the DNS server, I'm using 74.1.1.73, which is the modem, or I can use the Covad DNS server. So far, the router resolves domain names to IP addresses without any problem.
If you take a look at the static NAT settings, I need to allow remote access to my web servers. So, I was thinking to apply it to:
{
interface Ethernet0
ip access-group 101 in
}
However, I've applied it both ways, in & out, without success, except that I was able to ping out....uhhmmm.
Anyway, keep in mind that in order for me to browse the internet (to post any message), I have to take ACL 101 off.
Thot, I did put your 3 ACEs on it, except:
{
interface Ethernet0
ip access-group 102 out
access-list 102 permit udp host 74.1.1.78 any eq domain
access-list 102 permit tcp host 74.1.1.78 any eq www
access-list 102 permit tcp host 74.1.1.78 any eq https
}
I changed them to ACL 102 so I wouldn't keep changing & deleting ACL 101.
It doesn't work. Not even from the web server that is being statically mapped to 74.1.1.78. So, I changed 74.1.1.78 to 74.1.1.74, which is the external int e0 on the router.
Then it works like a charm! But again, I don't achieve my objective.
What do you guys think? Thanks in advance for all your help!
11-04-2007 11:26 AM
Ah.. I'm completely wrong on your requirement.
Keep in mind: the ACL is stateless, so please think carefully before doing things.
- You want to restrict the outside to accessing the internal servers by using static NATs.
- You want to allow internal users to access the internet.
Let me try.
When you apply ACL 101, can you still resolve names? Right?
If so, the configuration below should be OK.
##Start##
ip nat inside source list 1 interface Ethernet0 overload
ip nat inside source static tcp 192.168.1.78 80 74.1.1.78 80 extendable
ip nat inside source static tcp 192.168.1.77 80 74.1.1.77 80 extendable
ip nat inside source static tcp 192.168.1.76 80 74.1.1.76 80 extendable
ip nat inside source static tcp 192.168.1.75 5500 74.1.1.75 5500 extendable
ip nat inside source static tcp 192.168.1.74 5500 74.1.1.74 5500 extendable
##
access-list 1 permit 192.168.1.0 0.0.0.255
##
access-list 103 permit ip any host 74.1.1.78
access-list 103 permit tcp any host 74.1.1.77 eq 80
access-list 103 permit tcp any host 74.1.1.76 eq 80
access-list 103 permit tcp any host 74.1.1.75 eq 5500
access-list 103 permit tcp any host 74.1.1.74 eq 5500
##
interface Ethernet0
ip access-group 103 in
ip nat outside
##
interface Ethernet1
ip nat inside
##End##
Why did I change from "access-list xxx permit tcp any host 74.1.1.78 eq 80" to "access-list xxx permit ip any host 74.1.1.78"? Because:
1. It's overlapping if we use both.
2. Users use 74.1.1.78 for doing NAT source with RANDOM PORTs.
What about it? If it doesn't work, please let me know what happens when users try to surf the internet.
What do you see in the NAT table?
What do you see when you do the "sh access-l 103" command?
Hope this works!
Thot
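Rick's question about direction and Thot's remark that NAT happens before the output ACL are the whole story, so here is a small Python model of that order of operations, added by the editor and not code from the thread. It evaluates a posted ACL against constructed sample packets on the NAT-outside interface, translating the source first for outbound packets and leaving inbound packets untranslated, which is how IOS orders NAT and interface ACLs. Addresses follow the thread's final configuration (e0 = 74.1.1.74 as the overload address, 74.1.1.75-78 as static mappings, 192.168.1.0/24 inside); the Internet hosts, ports and packets are made up, static NAT is simplified to whole-host mappings, and ACL 101 is abridged to four of its ACEs. It shows why ACL 101 denied outbound browsing, why it still blocked return traffic when applied inbound, and how `permit tcp any host 74.1.1.74 established` admits that return traffic without also admitting unsolicited connections to the router the way `permit ip any host 74.1.1.74` does.

```python
# Editor's illustration of IOS ACL-versus-NAT ordering; addresses follow the thread's
# final config, Internet hosts and packets are constructed samples, not captured data.
import ipaddress
from dataclasses import dataclass, replace

PORTS = {"www": 80, "https": 443, "domain": 53, "ssh": 22}

@dataclass(frozen=True)
class Pkt:
    proto: str         # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: int = 0
    ack: bool = False  # TCP ACK or RST bit set: what the "established" keyword tests

def match_addr(spec, addr):
    """IOS address spec: 'any', 'host A.B.C.D' or 'A.B.C.D wildcard'."""
    if spec == "any":
        return True
    if spec.startswith("host "):
        return addr == spec[5:]
    net, wild = spec.split()
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, net, wild))
    return ((a ^ n) & ~w) == 0  # bits set in the wildcard are "don't care"

def parse_ace(line):
    """Parse 'access-list N permit|deny PROTO SRC DST [eq PORT] [established]';
    ICMP type keywords such as echo-reply are accepted but not matched on."""
    tok = line.split()
    action, proto, i = tok[2], tok[3], 4
    def addr():
        nonlocal i
        if tok[i] == "any":
            i += 1
            return "any"
        i += 2
        return f"{tok[i - 2]} {tok[i - 1]}"
    src, dst = addr(), addr()
    dport, established = None, False
    while i < len(tok):
        if tok[i] == "eq":
            dport, i = PORTS.get(tok[i + 1]) or int(tok[i + 1]), i + 2
        elif tok[i] == "established":
            established, i = True, i + 1
        else:
            i += 1
    return action, proto, src, dst, dport, established

def acl_verdict(acl_text, pkt):
    """First matching ACE wins; the ACL is stateless and ends in an implicit deny."""
    for action, proto, src, dst, dport, est in map(parse_ace, acl_text.strip().splitlines()):
        if (proto in ("ip", pkt.proto) and match_addr(src, pkt.src) and match_addr(dst, pkt.dst)
                and (dport is None or pkt.dport == dport) and (not est or pkt.ack)):
            return action
    return "deny"

PAT_ADDR = "74.1.1.74"  # Ethernet0 address, used by 'ip nat inside source list 1 ... overload'
STATIC = {"192.168.1.78": "74.1.1.78", "192.168.1.75": "74.1.1.75"}  # whole-host simplification

def verdict_on_outside(acl_text, direction, pkt):
    """Verdict on the NAT-outside interface.  'in': the input ACL runs before
    outside->inside NAT; 'out': inside->outside NAT runs before the output ACL.
    Either way the ACL sees inside-global addresses, never 192.168.1.x."""
    if direction == "out":
        pkt = replace(pkt, src=STATIC.get(pkt.src, PAT_ADDR))
    return acl_verdict(acl_text, pkt)

# ACL 101 as first posted (abridged), the one that "blocks all connections"
ORIGINAL_101 = """
access-list 101 permit tcp any host 74.1.1.78 eq www
access-list 101 permit tcp any host 74.1.1.75 eq 5500
access-list 101 permit tcp any 192.168.1.0 0.0.0.255 established
access-list 101 permit icmp any any echo-reply
"""
# Return traffic for PAT users: the thread's broad 'permit ip' versus a TCP-only alternative
BROAD = "access-list 103 permit ip any host 74.1.1.74"
TIGHT = "access-list 103 permit tcp any host 74.1.1.74 established"

# Constructed sample packets (203.0.113.0/24 and 198.51.100.0/24 are documentation ranges)
LAN_SYN = Pkt("tcp", "192.168.1.10", "203.0.113.5", 80)           # user browsing out
WEB_SYN = Pkt("tcp", "198.51.100.9", "74.1.1.78", 80)             # Internet -> web server
RETURN = Pkt("tcp", "203.0.113.5", "74.1.1.74", 51000, ack=True)  # SYN/ACK back to the PAT address
PROBE = Pkt("tcp", "198.51.100.9", "74.1.1.74", 22)               # unsolicited SYN at the router

def demo():
    return {
        "orig_out_browsing": verdict_on_outside(ORIGINAL_101, "out", LAN_SYN),  # deny
        "orig_in_webserver": verdict_on_outside(ORIGINAL_101, "in", WEB_SYN),   # permit
        "orig_in_return": verdict_on_outside(ORIGINAL_101, "in", RETURN),       # deny: ACE names 192.168.1.x
        "broad_in_return": verdict_on_outside(BROAD, "in", RETURN),             # permit
        "broad_in_probe": verdict_on_outside(BROAD, "in", PROBE),               # permit: router exposed
        "tight_in_return": verdict_on_outside(TIGHT, "in", RETURN),             # permit
        "tight_in_probe": verdict_on_outside(TIGHT, "in", PROBE),               # deny
    }
```

Run `demo()` and compare the verdicts with the thread: the outbound ACL denies the user's SYN because PAT has already rewritten its source, the inbound ACL admits the web-server SYN but drops the SYN/ACK coming back to 74.1.1.74, and the two `103` variants differ only in whether a packet with no ACK bit, aimed at the router's own address, gets through. On a real box, `show ip access-lists` match counters and `show ip nat translations` are the equivalent check.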
11-05-2007 06:27 AM
Hi Guys,
Thanks for all your support! Thot, you got it! It works! :) Here is the config!
!
interface Ethernet0
description connected to WAN
ip address 74.x.x.74 255.255.255.248
ip access-group 101 in
ip verify unicast reverse-path
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
service-policy output VoIP
ntp disable
no cdp enable
!
interface Ethernet1
description connected to EthernetLAN
ip address 192.168.1.254 255.255.255.0
no ip proxy-arp
ip nat inside
no ip mroute-cache
!
ip nat inside source list 1 interface Ethernet0 overload
ip nat inside source static tcp 192.168.1.78 80 74.1.1.78 80 extendable
ip nat inside source static tcp 192.168.1.77 80 74.1.1.77 80 extendable
ip nat inside source static tcp 192.168.1.76 80 74.1.1.76 80 extendable
ip nat inside source static tcp 192.168.1.75 5500 74.1.1.75 5500 extendable
ip nat inside source static tcp 192.168.1.74 5500 74.1.1.74 5500 extendable
no ip classless
ip route 0.0.0.0 0.0.0.0 74.1.1.73
ip route 172.16.1.0 255.255.255.0 192.168.1.1
no ip http server
!
logging facility local6
logging 172.16.1.75
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 2 permit 192.168.1.0 0.0.0.255
access-list 20 permit 192.168.1.0 0.0.0.255
access-list 21 permit 192.168.1.0 0.0.0.255
access-list 100 permit ip any any precedence critical
access-list 101 permit udp 74.1.1.72 0.0.0.7 any eq domain
access-list 101 permit tcp 74.1.1.72 0.0.0.7 any established
access-list 101 permit tcp any host 74.1.1.78 eq www
access-list 101 permit tcp any host 74.1.1.77 eq www
access-list 101 permit tcp any host 74.1.1.76 eq www
access-list 101 permit tcp any host 74.1.1.75 eq 5500
access-list 101 permit tcp any host 74.1.1.74 eq 5500
access-list 101 permit ip any host 74.1.1.74
access-list 101 permit icmp 74.1.1.72 0.0.0.7 any
access-list 101 permit icmp 192.168.1.0 0.0.0.255 any
access-list 101 permit icmp any any 3 4
access-list 101 deny icmp any 74.1.1.72 0.0.0.7
11-05-2007 07:35 AM
Hi Ramon
Good to know your job has been done.
Cheers
Thot
11-05-2007 12:31 PM
Thot,
How can I give you points that you earned for your help?
11-05-2007 07:03 PM
Hi Ramon
You can use the rating system for the answer that you appreciate. To be honest, it's not a big deal for me. Just saying "Thanks" to me makes a big impression.
;-)
Thot
11-07-2007 08:06 AM
Thot,
You are the BEST man. Thank you very much! :)
Hey... seriously, I didn't know about that "access-list permit ip" command and overlapping ACLs for the same address. I learned a great deal from you.
Thanks,