11-04-2008 02:36 PM - edited 03-11-2019 07:08 AM
Hi,
I have set up my 877w with the following config. I wanted to block incoming access to the ATM0.1 interface, so I created the "OUTSIDEIN" access list.
I also created the INSPECTOUT list for outgoing packet inspection (which I believed would bypass the incoming access list restriction).
When I apply the OUTSIDEIN access list to my ATM0.1 interface, internet access stops for my clients.
Any idea why this could be? Or any debugs I could use to find out why?
Many Thanks, Chris
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname router
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
no logging buffered
!
no aaa new-model
clock timezone gmt 0
clock summer-time BST recurring last Sun Mar 2:00 last Sun Oct 2:00
!
dot11 syslog
!
dot11 ssid wirelessnet
authentication open
authentication key-management wpa
guest-mode
wpa-psk ascii 0 xxxxxxxx
!
ip source-route
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.70.1
!
ip dhcp pool internal
network 192.168.70.0 255.255.255.0
default-router 192.168.70.1
dns-server 192.168.70.1
lease 0 2
!
!
ip cef
ip domain name router.com
ip name-server 87.x.x.x
ip name-server 87.x.x.x
ip inspect name INSPECTOUT tcp
ip inspect name INSPECTOUT udp
ip inspect name INSPECTOUT http
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
username xxxxx privilege 15 secret 5 xxxxxxxx
!
!
!
!
!
archive
log config
hidekeys
!
!
!
bridge irb
!
!
interface ATM0
no ip address
no atm ilmi-keepalive
dsl operating-mode adsl2+
!
interface ATM0.1 point-to-point
ip address xx.xx.xx.xx 255.255.240.0
ip access-group OUTSIDEIN in
ip nat outside
ip inspect INSPECTOUT out
ip virtual-reassembly
atm route-bridged ip
pvc 0/101
oam-pvc manage
encapsulation aal5snap
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Dot11Radio0
no ip address
!
encryption mode ciphers tkip
!
ssid wirelessnet
!
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
station-role root
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface Vlan1
no ip address
bridge-group 1
!
interface BVI1
ip address 192.168.70.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 xx.xx.xx.xx
ip http server
ip http authentication local
ip http secure-server
!
!
ip dns server
ip nat inside source list 130 interface ATM0.1 overload
!
ip access-list extended OUTSIDEIN
deny udp any any
deny tcp any any
deny ip any any
!
access-list 130 permit ip 192.168.70.0 0.0.0.255 any
!
!
!
!
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
!
line con 0
login local
no modem enable
line aux 0
line vty 0 4
login local
transport input telnet ssh
!
scheduler max-task-time 5000
ntp server 192.43.244.18
end
11-05-2008 03:06 AM
Hi, does anyone have any idea what could be causing this, or which debugs to use? Thanks, Chris
11-16-2008 01:48 PM
Hi, could anyone help me with this please? I still haven't been able to get this problem resolved.
Thanks, Chris
11-18-2008 06:13 PM
Hi,
Are you still having problems with your config?
I could help you, but I don't wanna type too much here in case you resolved your problem.
Thanks,
Remi
11-16-2008 10:22 PM
Hi,
Try removing the inspection from the ATM0.1 interface and placing it on the BVI1 instead, in the inbound direction, i.e.
ip inspect INSPECTOUT in
I hope it helps. Please rate helpful posts!
11-18-2008 06:27 PM
You would need to rewrite your config a little bit. First of all, I would apply your inspect rule to your inside interface in the "in" direction. Also create an ACL to allow all IP traffic out if you wish, and apply it to the inside interface, also in the "in" direction.
In order for the CBAC feature to work you need to specify the inspected traffic, like tcp or udp, by creating an ACL and allowing this traffic through the interface.
For the outside interface, block all the traffic "in" unless you need to allow some of it, and you don't need to apply the inspect rule over there unless you allow traffic through from the outside.
The traffic, once allowed from inside to outside, will be inspected and allowed back into the inside.
Let me know if you have any more trouble.
Remi
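As an added example (not posted by anyone in this thread), here is one way to lay the config out along the lines Remi describes, keeping the thread's interface names and LAN addressing. The router-traffic keyword is included because the LAN clients use the router itself (192.168.70.1, with ip dns server) as their DNS server: CBAC does not inspect router-originated traffic by default, so the router's own forwarded DNS queries get no return opening in OUTSIDEIN, which would by itself stop client web access. The MSS value is an assumption for this ADSL link.

```cisco
! Added example, not the thread's config. Assumes an 877W on IOS 12.4 with the
! interfaces shown above. Comments are IOS "!" lines and can be pasted as-is.
!
! Inspection set: tcp/udp/http as in the original, plus router-traffic on udp so the
! router's own DNS-proxy lookups (clients point at 192.168.70.1) are tracked, and
! icmp so ping/traceroute replies get through without a static permit.
ip inspect name INSPECTOUT tcp
ip inspect name INSPECTOUT udp router-traffic
ip inspect name INSPECTOUT http
ip inspect name INSPECTOUT icmp
!
! Inside interface: permit only LAN sources outbound, and inspect them on entry.
ip access-list extended INSIDEIN
 permit ip 192.168.70.0 0.0.0.255 any
 deny   ip any any log
!
interface BVI1
 ip address 192.168.70.1 255.255.255.0
 ip access-group INSIDEIN in
 ip inspect INSPECTOUT in
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
!
! Outside interface: deny everything statically. CBAC inserts temporary permits for
! the return traffic of inspected sessions ahead of these entries, so nothing else
! (including management from the internet) is reachable.
ip access-list extended OUTSIDEIN
 deny ip any any log
!
interface ATM0.1 point-to-point
 ip access-group OUTSIDEIN in
 no ip inspect INSPECTOUT out
 ip nat outside
 ip virtual-reassembly
!
! Checks from exec mode while a client browses:
!   show ip inspect sessions        (a session per client flow should appear)
!   show ip access-lists OUTSIDEIN  (deny counter climbing = uninspected returns)
!   debug ip inspect tcp / debug ip inspect udp
```

If show ip inspect sessions stays empty while the OUTSIDEIN deny counter rises, inspection is not being applied on the path the traffic actually takes.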
11-22-2008 03:39 AM
Hi,
I tried adding an access rule to allow all traffic inward into the BVI1 interface, along with the inspect rule inward into the BVI1 interface.
I also added the access-group inward to the ATM0.1 interface that blocks all traffic.
Unfortunately the same issue occurred and I cannot access out from the LAN to the Internet.
Regards,
Chris
11-19-2008 12:33 AM
Thanks, I'll give this a go.
BTW, adding "ip inspect INSPECTOUT in" to the BVI interface inbound didn't work.
Strange thing is, I set up another 877w which worked OK with the same inspect/ACL rules as in my config. The only difference was that it had a Dialer0 interface that I applied the rules to.
Thanks,
Chris
11-19-2008 07:36 AM
Hi,
What is this interface BVI1? I haven't worked with the 877W series yet; soon I'll be buying one, but probably an 881W. I guess it's not for wireless access.
Why don't you create a VLAN interface, add certain FastEthernet ports to it, and add the inspect rule in the same direction as you apply the ACL to it? Don't forget you may need to adjust the MSS on the inside interface. Or even work with VLAN1 and apply the rules to this interface, just to check whether your config works.
Let me know how it works.
Remi
11-19-2008 07:45 AM
BVI1 is needed to set up a bridge in order to use both the LAN ports and the WLAN.
11-19-2008 07:47 AM
Yeah, I found out already but thanks.