Incoming Access List blocking Outgoing Internet Access on 877W

shaw.chris
Level 1

Hi,

I have set up my 877w with the following config. I wanted to block incoming access to the ATM0.1 interface, so I created the "OUTSIDEIN" access list.

I also created the INSPECTOUT list for outgoing packet inspection (which I believed would bypass the incoming access list restriction).

When I apply the OUTSIDEIN access list to my ATM0.1 interface, internet access stops for my clients.

Any idea why this could be? Or any debugs I could use to find out why?

Many Thanks, Chris

version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname router
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
no logging buffered
!
no aaa new-model
clock timezone gmt 0
clock summer-time BST recurring last Sun Mar 2:00 last Sun Oct 2:00
!
dot11 syslog
!
dot11 ssid wirelessnet
 authentication open
 authentication key-management wpa
 guest-mode
 wpa-psk ascii 0 xxxxxxxx
!
ip source-route
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.70.1
!
ip dhcp pool internal
 network 192.168.70.0 255.255.255.0
 default-router 192.168.70.1
 dns-server 192.168.70.1
 lease 0 2
!
!
ip cef
ip domain name router.com
ip name-server 87.x.x.x
ip name-server 87.x.x.x
ip inspect name INSPECTOUT tcp
ip inspect name INSPECTOUT udp
ip inspect name INSPECTOUT http
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
username xxxxx privilege 15 secret 5 xxxxxxxx
!
!
!
!
!
archive
 log config
  hidekeys
!
!
!
bridge irb
!
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
 dsl operating-mode adsl2+
!
interface ATM0.1 point-to-point
 ip address xx.xx.xx.xx 255.255.240.0
 ip access-group OUTSIDEIN in
 ip nat outside
 ip inspect INSPECTOUT out
 ip virtual-reassembly
 atm route-bridged ip
 pvc 0/101
  oam-pvc manage
  encapsulation aal5snap
 !
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Dot11Radio0
 no ip address
 !
 encryption mode ciphers tkip
 !
 ssid wirelessnet
 !
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface Vlan1
 no ip address
 bridge-group 1
!
interface BVI1
 ip address 192.168.70.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 xx.xx.xx.xx
ip http server
ip http authentication local
ip http secure-server
!
!
ip dns server
ip nat inside source list 130 interface ATM0.1 overload
!
ip access-list extended OUTSIDEIN
 deny udp any any
 deny tcp any any
 deny ip any any
!
access-list 130 permit ip 192.168.70.0 0.0.0.255 any
!
!
!
!
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
!
line con 0
 login local
 no modem enable
line aux 0
line vty 0 4
 login local
 transport input telnet ssh
!
scheduler max-task-time 5000
ntp server 192.43.244.18
end

10 Replies

shaw.chris
Level 1

Hi, does anyone have any idea what could be causing this, or debugs to use? Thanks, Chris

shaw.chris
Level 1

Hi, could anyone help me with this please? I still haven't been able to get this problem resolved.

Thanks, Chris

Hi,

Are you still having problems with your config?

I could help you but I don't wanna type here too much in case you resolved your problem.

Thanks,

Remi

Fernando_Meza
Level 7

Hi,

Try removing the inspection from the ATM0.1 interface and place it on the BVI1 instead, in the inbound direction, i.e.:

ip inspect INSPECTOUT in

I hope it helps. Please rate helpful posts!

You would need to rewrite your config a little bit. First of all, I would apply your inspect rule to your inside interface in the "in" direction. Also create an ACL to allow all IP traffic out if you wish, and apply it to the inside interface, also in the "in" direction.

In order for the CBAC feature to work you need to specify the inspected traffic, like tcp or udp, by creating an ACL and allowing this traffic through the interface.

For the outside interface block all the traffic "in" unless you need to allow some of it and you don't need to apply the inspect rule over there unless you allow traffic through from the outside.

The traffic once allowed from inside to outside will be inspected and allowed back into inside.

Let me know if you have any more troubles.

Remi
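Fernando's and Remi's replies both come down to where the inspect rule sits relative to the ACLs: a deny-all ACL inbound on the outside interface only works if a CBAC inspect rule somewhere is opening return-traffic holes in it, and an inspect rule applied inbound on the inside interface only sees what the inbound ACL on that interface lets through. The Python below is an added example, not code from this thread or from Cisco: a small static checker that parses a config fragment and reports both situations. The two config fragments are constructed for the example, modelled on the config posted at the top of the thread; the ATM0.1, BVI1, INSPECTOUT and OUTSIDEIN names come from the thread, while INSIDEIN and the finding codes are made up here.

```python
"""Static placement check for IOS Classic Firewall (CBAC) inspect rules and ACLs.

Added example, not code from this thread or from Cisco.  It parses a config
fragment, records which ACL and inspect rule each interface applies in each
direction, and reports the two placement problems the replies above discuss.
"""
import re
from collections import defaultdict

# Inspect keywords that name a transport an ACL can match directly; application
# keywords such as http or ftp ride on tcp/udp and are not mapped here.
TRANSPORTS = {"tcp", "udp", "icmp"}

# Constructed fragment in the layout Chris posted: inspect outbound on the
# outside interface, deny-all ACL inbound on the same interface.
CONFIG_AS_POSTED = """\
ip inspect name INSPECTOUT tcp
ip inspect name INSPECTOUT udp
ip inspect name INSPECTOUT http
interface ATM0.1 point-to-point
 ip access-group OUTSIDEIN in
 ip inspect INSPECTOUT out
interface BVI1
 ip address 192.168.70.1 255.255.255.0
ip access-list extended OUTSIDEIN
 deny udp any any
 deny tcp any any
 deny ip any any
"""

# Constructed fragment in the layout Remi suggests, with a deliberate gap:
# INSIDEIN (a made-up ACL name) permits tcp but not the udp being inspected.
CONFIG_INSPECT_INSIDE = """\
ip inspect name INSPECTOUT tcp
ip inspect name INSPECTOUT udp
interface ATM0.1 point-to-point
 ip access-group OUTSIDEIN in
interface BVI1
 ip access-group INSIDEIN in
 ip inspect INSPECTOUT in
ip access-list extended OUTSIDEIN
 deny ip any any
ip access-list extended INSIDEIN
 permit tcp 192.168.70.0 0.0.0.255 any
"""


def parse_config(text):
    """Return (interfaces, acls, inspect_rules) for a config fragment."""
    interfaces, acls, inspect_rules = {}, defaultdict(list), defaultdict(list)
    block = None  # ("interface", name) or ("acl", name) while inside a stanza
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            block = None
            continue
        if not raw.startswith(" "):  # a top-level command ends any stanza
            block = None
            if m := re.match(r"interface (\S+)", line):
                block = ("interface", m.group(1))
                interfaces.setdefault(m.group(1), {})
            elif m := re.match(r"ip access-list extended (\S+)", line):
                block = ("acl", m.group(1))
                acls.setdefault(m.group(1), [])
            elif m := re.match(r"ip inspect name (\S+) (\S+)", line):
                inspect_rules[m.group(1)].append(m.group(2))
        elif block and block[0] == "interface":
            if m := re.match(r"ip access-group (\S+) (in|out)", line):
                interfaces[block[1]]["acl_" + m.group(2)] = m.group(1)
            elif m := re.match(r"ip inspect (\S+) (in|out)", line):
                interfaces[block[1]]["inspect_" + m.group(2)] = m.group(1)
        elif block and block[0] == "acl":
            if m := re.match(r"(permit|deny) (\S+)", line):
                acls[block[1]].append((m.group(1), m.group(2)))
    return interfaces, dict(acls), dict(inspect_rules)


def check_cbac_placement(text):
    """Return a list of (interface, code, message) findings."""
    interfaces, acls, inspect_rules = parse_config(text)
    # Everything some applied inspect rule tracks.  CBAC opens the return holes
    # on the interface where the reply arrives, whichever interface carries the
    # inspect rule, so one global set is enough.
    inspected = {p for cfg in interfaces.values()
                 for key in ("inspect_in", "inspect_out") if key in cfg
                 for p in inspect_rules.get(cfg[key], [])}
    findings = []
    for ifname, cfg in sorted(interfaces.items()):
        acl_in = cfg.get("acl_in")
        entries = acls.get(acl_in)  # None: no ACL, or an undefined one (IOS permits all)
        if entries is None:
            continue
        if not any(a == "permit" for a, _ in entries):  # deny-all inbound
            if not inspected:
                findings.append((ifname, "NO_INSPECT", f"{acl_in} drops all replies: no inspect rule applied"))
            for proto in sorted(TRANSPORTS - inspected) if inspected else ():
                findings.append((ifname, "UNINSPECTED_RETURN", f"{acl_in} drops {proto} replies: {proto} not inspected"))
        # Remi's point: an inspect rule inbound on the inside interface only sees
        # the traffic the inbound ACL on that same interface permits.
        for proto in inspect_rules.get(cfg.get("inspect_in"), []):
            if proto in TRANSPORTS and not any(a == "permit" and p in (proto, "ip") for a, p in entries):
                findings.append((ifname, "INSPECT_ACL_MISMATCH", f"{cfg['inspect_in']} inspects {proto} but {acl_in} never permits it"))
    return findings


if __name__ == "__main__":
    for ifname, code, msg in check_cbac_placement(CONFIG_AS_POSTED):
        print(ifname, code, msg)
```

Run against the posted layout the checker reports only that icmp is absent from INSPECTOUT (so pings from the LAN get no replies through OUTSIDEIN, which is normal CBAC behaviour unless icmp is added to the inspect rule); it does not explain why the inspected tcp and udp sessions stop too, so it is a first pass over the config, not a diagnosis of the problem in this thread. Against the second layout it flags the udp gap in INSIDEIN that Remi's advice warns about.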

Hi,

I tried adding an access-rule to allow all traffic inward into the BVI1 interface along with the inspect rule inward into the BVI1 interface.

I also added the access-group inward on the ATM0.1 interface that blocks all traffic.

Unfortunately the same issue occurred and I cannot access out from the LAN to the Internet.

Regards,

Chris

Thanks I'll give this a go,

BTW, adding "ip inspect INSPECTOUT in" to the BVI interface inbound didn't work.

Strange thing is, I set up another 877w which worked ok with the same inspect/ACL rules as in my config. The only difference was that it had a Dialer0 interface that I applied the rules to.

Thanks,

Chris

Hi,

What is this interface BVI1? I haven't worked with the 877W series yet; soon I'll be buying one, but probably an 881W. I guess it's not for wireless access.

Why don't you create a VLAN interface, add certain FastEthernet ports to it, and add the inspect rule in the same direction as you apply the ACL to it. Don't forget you may need to adjust the MSS on the inside interface. Or even work with VLAN1 and apply the rules to this interface just to check whether your config works.

Let me know how it works.

Remi

BVI1 is needed to set up a bridge in order to use both the LAN ports and WLAN.

Yeah, I found out already but thanks.
