ACL problems

Unanswered Question
Oct 23rd, 2008

I have a Cisco 857 router.

I have given it a basic configuration and can now use it to get web access.

I want to allow incoming access to my network 192.168.2.0 from three external locations, and also to allow any outgoing connection

I have set up these access lists:

access-list 101 permit ip host 84.92.xxx.xxx any

access-list 101 permit ip host 84.92.xxx.xxx any

access-list 101 permit ip host 84.92.xxx.xxx any

access-list 101 permit tcp any 192.168.2.0 0.0.0.255 established

access-list 102 permit tcp 192.168.2.0 0.0.0.25 any

int dialer0

ip access-group 101 in

int vlan1

ip access-group 102 out

The problem is that 102 doesn't appear to be working; I can't use the internet on the local network. If I change 102 to:

access-list 102 permit ip any any

then I get internet access again.

show ip int for vlan1 shows the ip address as 192.168.2.1/24

Any suggestions??

Jon Marshall Thu, 10/23/2008 - 05:52

Nick

Is this a typo

access-list 102 permit tcp 192.168.2.0 0.0.0.25 any

ie. the mask is 0.0.0.25 rather than 0.0.0.255

Also, are you changing the addressing? 192.168.2.0/24 is not routable on the internet, so are you NATing somewhere?

Jon

nickc1976 Thu, 10/23/2008 - 05:57

Hi Jon,

Thanks for the quick reply

Sorry, yes, that is a typo, the mask is 0.0.0.255.

Also, I do have NAT set up for 192.168.2.0/24. My internet access works fine, until I start adding ACLs

Nick

Jon Marshall Thu, 10/23/2008 - 06:02

Nick

Apologies but this is where I'm getting confused ie.

access-list 101 permit tcp any 192.168.2.0 0.0.0.255 established

this line is part of your inbound acl on dialer interface. But packets coming back would not be going to 192.168.2.0/24 - they would be coming back from the Internet to whatever you have Natted the 192.168.2.0/24 addresses to ?

So your acl should be

access-list 101 permit tcp any any established

But you are saying this works without acl 102 ?

Am I making sense :)

Jon

nickc1976 Thu, 10/23/2008 - 07:58

Jon

I understand what you're saying - because of NAT, my returning packets won't have the destination address 192.168.2.0/24.

In my config, I have the following:

interface vlan1

ip nat inside

interface dialer0

ip nat outside

So I'm presuming my 192.168.2.0/24 address would be natted to my external IP provided by my isp - is that right? ie. 84.92.xxx.xxx

So I tried changing my acl to:

access-list 101 permit tcp any host 84.92.xxx.xxx established

but still I can't get an internet connection

Jon Marshall Thu, 10/23/2008 - 08:11

Nick

Yes your acl 101 should refer to the natted address.

Also Giuseppe is right. Outbound packets on a vlan interface are packets going to machines on that vlan. Inbound packet on a vlan interface are packets coming from that vlan.

Don't think of inbound/outbound in terms of the machines think of it in terms of the interface.

Jon

Giuseppe Larosa Thu, 10/23/2008 - 06:49

Hello Nick,

because ACL 102 is applied outbound, it should be

access-list 102 permit tcp any 192.168.2.0 0.0.0.255

from the point of view of the internal LAN, outbound traffic is directed to 192.168.2.0/24, not coming from it

Hope to help

Giuseppe

nickc1976 Thu, 10/23/2008 - 08:05

Giuseppe

I'm not sure I understand. 102 is being applied out of vlan1, or 192.168.2.1. So I would expect my source address for outgoing packets to be 192.168.2.0 0.0.0.255 and destination to be any

Giuseppe Larosa Thu, 10/23/2008 - 08:30

Hello Nick,

here is the point:

packets that exit Vlan1 are directed to what ?

users in vlan1

think of a routed interface

int f0/0

ip address 192.168.2.1 255.255.255.0

ip access-group 102 in

this matches

try to use ip accounting output-packets

a packet for 192.168.2.112 will exit this f0/0 and will have destination 192.168.2.112 not source 192.168.2.112

here Vlan1 is used to have a gateway for the few lan ports associated to L2 Vlan1 (like 877) but it is the same concept

to test do the following:

apply your ACL 102 inbound instead of outbound and verify if you can access internet

Hope to help

Giuseppe

nickc1976 Fri, 10/24/2008 - 03:26

Guys,

Thanks for your help so far. I understand what you are saying. I was looking at vlan1 in terms of the router rather than the interface.

I have changed my ACLs as follows:

access-list 101 permit ip host 84.92.xxx.xxx any (remote site IP)

access-list 101 permit ip host 84.92.xxx.xxx any (remote site IP)

access-list 101 permit ip host 84.92.xxx.xxx any (remote site IP)

access-list 101 permit tcp any host 84.92.xxx.xxx established (local site IP)

int dialer0

ip access-group 101 in

access-list 102 permit ip host 84.92.xxx.xxx any (local site IP)

int dialer0

ip access-group 102 out

access-list 103 permit ip 192.168.2.0 0.0.0.255 any

int vlan1

ip access-group 103 in

However, I still cannot get internet access when using a pc on the 192.168.2.0 network

Jon Marshall Fri, 10/24/2008 - 04:00

Nick

Can you remove from your config

int dialer0

no ip access-group 102 out

and then let me know how you get on

Jon

Jon Marshall Fri, 10/24/2008 - 04:51

Right - let's start again :)

If you want to allow incoming access to network 192.168.2.0, do you mean connections initiated from outside? If so you need to use static NAT to set up a one-to-one translation for the 192.168.2.x hosts you want to give access to, ie. you cannot rely on the dynamic NAT as you go out. It got a bit confusing because we kept using 84.92.xxx.xxx, so let's use some dummy public IP addresses.

Outside interface of your router =

84.72.31.10

int dialer0

ip nat outside

ip access-group 101 in

int vlan 1

ip nat inside

ip access-group 102 in

So easy access-list first.

access-list 102 permit ip 192.168.2.0 0.0.0.255 any

then you need to make sure all 192.168.2.x hosts are natted so

access-list 103 permit ip 192.168.2.0 0.0.0.255 any

ip nat inside source list 103 interface dialer0 overload

the above allows all IP to be initiated from the 192.168.2.0 network to the internet and NATs it to the outside interface.

Now for the harder bit

access-list 101 permit tcp any host 84.72.31.10 established

** this line allows return traffic for TCP connections to be allowed back in.

The established keyword only works for TCP so if you needed udp to be allowed back in then you need to add that in for each port you want eg.

access-list 101 permit udp any eq <port> host 84.72.31.10

Notice the way round this is. This is because the source UDP port coming back will be the service and it will be in response to a connection initiated from inside eg.

if 192.168.2.15 initiates a DNS request to a DNS server then this will be allowed out because of acl 102 on vlan 1 interface. The destination port would be UDP 53 but the source port could be anything. When the packet returns the source port is now 53 because it is a response back from a DNS server.

Now the rest of your acl 101 is dependent on what you want to give access to and how many spare public IP addresses you have. Let's say you have 1 spare public IP

84.72.31.11

and you wanted to give access to host 192.168.2.20 using http

you would need to add the following line to your config

ip nat inside source static 192.168.2.20 84.72.31.11

and then update your acl

access-list 101 permit tcp any host 84.72.31.11 eq www

Key thing is when traffic is initiated from 192.168.2.x network to internet you can hide all the 192.168.2.x addresses behind the one public IP of your outside interface. But when traffic is initiated from outside you need to tell the router which 192.168.2.x private IP the public IP is attached to.

Really sorry if i have confused you.

Jon

nickc1976 Fri, 10/24/2008 - 05:31

Thanks. I will go and test this and let you know how I get on.

I'll give you a bit more information about what I am trying to achieve.

The router is at a main office. There are two other offices that are permanently connected to the main office by IPsec VPN.

There is another office which occasionally connects to the main office via a VPN connection, then uses the software VNC to give remote support.

I don't mind what traffic is allowed out of the main office, but I want to restrict the incoming VPN so that only specified sites can make the connection.

nickc1976 Mon, 10/27/2008 - 10:02

Jon,

I'm having some problems still.

When should I apply this command:

ip nat inside source list 103 interface dialer0 overload

I have tried

int vlan1

ip nat inside source list 103 interface dialer0 overload

and I get a message saying 'Configuration failed'

Jon Marshall Mon, 10/27/2008 - 10:06

Nick

"ip nat inside source list 103 interface dialer0 overload"

this is not configured under an interface it is configured in global config mode ie.

router(config)# ip nat inside source list 103 interface dialer0 overload

Jon

nickc1976 Fri, 10/31/2008 - 05:24

Hi,

I'm still not getting this, and starting to get confused. So I'll summarise what I am trying to do, and what I have done so far.

I have a router in office A, the local network is on interface vlan1, ip address 192.168.2.0

the outside network is on interface dialer0, ip address 84.92.224.225

I want to create a vpn connection from office A to office B, and another from office A to office C.

office B is 84.92.217.194

office C is 84.92.216.206

I don't want any traffic other than the vpn traffic from office B and office C to be able to access the network

I don't want to restrict any outgoing traffic.

int dialer0

ip nat outside

ip access-group 101 in

ip access-group 102 out

int vlan1

ip nat inside

access-list 1 permit 192.168.2.0 0.0.0.255

ip nat inside source list 1 interface dialer0 overload

access-list 101 permit ip host 84.92.217.194 any

access-list 101 permit ip host 84.92.216.206 any

access-list 101 permit tcp any host 84.92.224.225 established

access-list 102 permit ip host 84.92.224.225 any

The problem is with 101, when I apply, I lose my internet connection.

Jon Marshall Fri, 10/31/2008 - 05:37

Nick

When you say you lose Internet connection, is this all internet traffic? For example, if you browse to a web site by URL you would need to do a DNS lookup - DNS uses UDP not TCP, so that would not resolve and you wouldn't get to the page. What happens if you try to get to a web page by typing

http://198.133.219.25 (this is Cisco's homepage)

Jon

nickc1976 Fri, 10/31/2008 - 07:49

Jon,

You're right, I added the following line, and it worked!

access-list 101 permit udp any eq 53 host 84.92.224.225

I have a few other things to test with this config, so may be back for some more advice.

Nick

Jon Marshall Fri, 10/31/2008 - 07:53

Nick

Glad we are getting somewhere :)

Obviously anything that uses UDP will need to have a separate entry in your acl.

Jon
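To make the two points of this thread concrete (an extended ACL matches source and destination as the packet appears on the interface it is applied to, and `established` only helps TCP), here is an added Python model of Cisco extended-ACL matching; it is not from the thread or from Cisco IOS, and it evaluates Nick's ACL 101 against constructed packets. 198.51.100.53 is a made-up resolver address.

```python
from collections import namedtuple
from ipaddress import ip_address, ip_network

PORTS = {"www": 80, "domain": 53}  # named ports appearing in the thread
# established=True models a TCP segment with ACK or RST set, which is all the keyword checks
Packet = namedtuple("Packet", "proto src dst sport dport established", defaults=(0, 0, False))

def _parse_addr(tokens):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D <wildcard>'; return (network, rest)."""
    if tokens[0] == "any":
        return ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ip_network(tokens[1] + "/32"), tokens[2:]
    # A Cisco wildcard is a hostmask (0.0.0.255 -> /24); use host/any for the all-ones/all-zeros cases
    return ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]

def _parse_port(tokens):
    """Consume an optional 'eq <port>' qualifier; other operators are not used in the thread."""
    if tokens and tokens[0] == "eq":
        return PORTS.get(tokens[1]) or int(tokens[1]), tokens[2:]
    return None, tokens

def parse_ace(line):
    """access-list <n> <permit|deny> <proto> <src> [eq p] <dst> [eq p] [established]"""
    t = line.split()
    src, rest = _parse_addr(t[4:])
    sport, rest = _parse_port(rest)
    dst, rest = _parse_addr(rest)
    dport, rest = _parse_port(rest)
    return t[2], t[3], src, sport, dst, dport, "established" in rest

def evaluate(acl, pkt):
    """First matching entry wins; anything unmatched hits the implicit deny at the end."""
    for action, proto, src, sport, dst, dport, est in map(parse_ace, acl):
        if (proto in ("ip", pkt.proto)
                and ip_address(pkt.src) in src and ip_address(pkt.dst) in dst
                and sport in (None, pkt.sport) and dport in (None, pkt.dport)
                and (pkt.established or not est)):
            return action
    return "deny"

# Nick's inbound ACL on dialer0 as first posted (addresses from the thread), then his DNS fix.
ACL_101 = ["access-list 101 permit ip host 84.92.217.194 any",
           "access-list 101 permit ip host 84.92.216.206 any",
           "access-list 101 permit tcp any host 84.92.224.225 established"]
DNS_FIX = "access-list 101 permit udp any eq 53 host 84.92.224.225"

# Constructed packets as they arrive on dialer0, i.e. carrying the post-NAT public address.
WEB_REPLY = Packet("tcp", "198.133.219.25", "84.92.224.225", 80, 50123, True)  # reply to a browse
DNS_REPLY = Packet("udp", "198.51.100.53", "84.92.224.225", 53, 40111)  # from a made-up resolver
INBOUND_SYN = Packet("tcp", "198.133.219.25", "84.92.224.225", 50123, 80)  # unsolicited attempt
```

Without the UDP entry the DNS reply falls through to the implicit deny, which is exactly the "no internet" symptom Nick saw while TCP return traffic was still permitted.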

nickc1976 Fri, 10/31/2008 - 10:03

Many thanks to Jon and Giuseppe for their help, I now have the router config working as I want it to.

Nick

Jon Marshall Fri, 10/31/2008 - 10:52

Nick

No problem, glad we got there in the end and thanks for letting us know it is all working.

Jon

Giuseppe Larosa Fri, 10/24/2008 - 05:10

Hello Nick,

ACL 103 now is fine.

But as Jon has explained in his last post it is also ACL 101 that needs to be reverted

what is received on dialer0 the wan interface ?

packets destined to 84.92.x.x not coming from 84.92.x.x.

If ACL 102 is

access-list 102 permit ip host 84.92.xxx.xxx any (local site IP)

and is correct

ACL 101 cannot be

access-list 101 permit ip host 84.92.xxx.xxx any (remote site IP)

access-list 101 permit ip host 84.92.xxx.xxx any (remote site IP)

...

with extended ACLs you match both source and destination addresses so ACLs in opposite directions have to swap source and destination

Hope to help

Giuseppe
