355 Views | 0 Helpful | 6 Replies

857 acl problem

brentsergent
Level 1

My 857, ver 12.3(8r)Y14, doesn't use an ACL for anything inbound from the public side, rather PAT translations. This works for one port translation to a server on the trusted side but not for another port to the same server. When I add an inbound ACL for public access, outbound traffic for web doesn't work, even with a specific ACL to permit outbound IP traffic. What I'm trying to understand is if there is some virtual interface whereby content filtering is occurring. Note: no CBAC (ip inspect) or any other ACLs are working. ip virtual-reassembly is applied to both the private NAT interface and the public NAT interface. Stumped...

6 Replies

John Blakley
VIP Alumni

No filtering exists if you don't use an ACL on your public interface and aren't using CBAC. It's hard to tell what's going on without seeing your config, but if you have public addresses going to the same internal host, rather than specifying by port, I would do a one-to-one translation and then control access with an ACL.

HTH,

John

HTH, John *** Please rate all useful posts ***

Agree that there shouldn't be any filtering. Here are the relevant parts of the config; I want to move to ACL control, but when I enable an ACL, outbound web traffic is blocked. You will see ACL 101 allows all traffic out. My thinking now is to debug ip nat port and see why 2222 isn't working. Can you reload ACLs without a restart? Or once they are removed from an interface, is the interface clean?

interface Vlan1
 ip address <###>
 ip nat inside
 ip virtual-reassembly
!
interface Vlan100
 no ip address
!
interface Dialer0
 ip address negotiated
 ip access-group 101 out
 no ip redirects
 no ip unreachables
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 no ip route-cache cef
 no ip route-cache
 dialer pool 1
 dialer-group 1
 ppp pap sent-username <###>

ip nat inside source list 1 interface Dialer0 overload
ip nat inside source static udp <###> 162 interface Dialer0 162
ip nat inside source static udp <###> 161 interface Dialer0 161
ip nat inside source static tcp <###> 2222 interface Dialer0 2222
ip nat inside source static tcp <###> 3389 interface Dialer0 3389

access-list 101 permit ip any any

Try taking the acl off completely and see if everything works. If you need an acl to block inside traffic going out, place your acl on the vlan1 interface in the inbound direction. Everything else looks "okay."

You can't "reload" acls per se. You just take them off of the interface and reapply, but that generally doesn't fix anything. =)

HTH,

John


Thanks John, your help is appreciated.

The outbound ruleset was left in place for inbound ACL testing; however, I get the same result having no outbound ACL.

This has changed my mindset to accept that there isn't filtering I'm not aware of going on with these 800 series routers.

thanks again

From the config excerpt that you posted, I can't see any problems. Can you post your full config minus passwords and public addresses?

HTH,

John


version 12.4
no service pad
service tcp-keepalives-in
service timestamps debug datetime localtime
service timestamps log datetime localtime
service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
!
!
aaa session-id common
clock timezone
!
crypto pki
!
no ip gratuitous-arps
no ip dhcp use vrf connected
ip dhcp excluded-address
ip dhcp excluded-address
!
ip dhcp pool cogentlab02
 network
 default-router
 dns-server
 lease 0 4
!
!
ip cef
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
ip domain name onesource.co.nz
ip name-server
login on-failure log
login on-success log
!
archive
 log config
  logging enable
  logging size 200
  notify syslog contenttype plaintext
  hidekeys
!
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh source-interface Dialer0
ip ssh logging events
ip ssh version 2
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
 pvc 0/100
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
 dsl operating-mode auto
!
interface FastEthernet0
 duplex full
!
interface FastEthernet1
!
interface FastEthernet2
 duplex full
 speed 100
!
interface FastEthernet3
 duplex full
 speed 100
!
interface Vlan1
 ip address
 ip nat inside
 ip virtual-reassembly
!
interface Vlan100
 no ip address
!
interface Dialer0
 ip address negotiated
 ip access-group 101 out
 no ip redirects
 no ip unreachables
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 no ip route-cache cef
 no ip route-cache
 dialer pool 1
 dialer-group 1
 ppp pap sent-username
!
ip default-gateway
no ip forward-protocol nd
no ip forward-protocol udp domain
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 10.0.171.0 255.255.255.0 192.168.249.253
ip route 172.16.0.0 255.255.255.0 192.168.0.254
ip route 172.16.1.0 255.255.255.0 192.168.0.252
ip route 172.17.100.240 255.255.255.240 192.168.0.254
ip route 172.30.254.0 255.255.255.0 192.168.0.254
ip route 172.30.255.252 255.255.255.252 Dialer0
ip route 172.30.255.252 255.255.255.252 192.168.0.254
ip route 192.168.2.0 255.255.255.0 192.168.0.254
ip route 192.168.249.0 255.255.255.0 192.168.0.254
!
no ip http server
ip http authentication local
ip http secure-server
ip dns server
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source static udp 162 interface Dialer0 162
ip nat inside source static udp 161 interface Dialer0 161
ip nat inside source static tcp 2222 interface Dialer0 2222
ip nat inside source static tcp 3389 interface Dialer0 3389
!
logging trap debugging
logging 192.168.0.200
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 1 permit 192.168.249.0 0.0.0.255
access-list 1 permit 192.168.2.0 0.0.0.255
access-list 1 permit 172.16.1.0 0.0.0.255
access-list 1 permit 172.16.0.0 0.0.0.255 log
access-list 1 permit 172.17.100.0 0.0.0.255
access-list 101 permit ip any any
access-list 101 permit tcp any eq 443 any
access-list 101 permit tcp any eq www any
access-list 103 permit udp any eq domain any
access-list 103 permit udp any any eq domain
access-list 103 permit tcp any host 192.168.0.1 eq 22
access-list 103 permit tcp any host 192.168.0.200 eq 2222
access-list 103 permit tcp any host 192.168.0.200 eq 3389
access-list 103 permit icmp any any
access-list 103 permit ip 192.168.249.0 0.0.0.255 any
dialer-list 1 protocol ip permit
snmp-server group
snmp-server group
snmp-server community alu RW
snmp-server trap link ietf
snmp-server location cogent lab
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server host
!
control-plane
!
!
line con 0
 no modem enable
line aux 0
line vty 0 4
 exec-timeout 5 0
 password
 transport input ssh
!
scheduler max-task-time 5000
end
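The thread stops without explaining why an inbound ACL on Dialer0 broke outbound web browsing, and the full config shows two things worth checking: access-list 101 lists entries after `permit ip any any` that can never match, and access-list 103 (not applied to any interface in the posted config, but the obvious candidate for `ip access-group 103 in` on Dialer0) has no entry that admits the reply traffic of TCP sessions opened from inside. With no CBAC on this router, as the poster says, an inbound ACL on the outside interface is a plain stateless filter, so the SYN-ACK of an outbound HTTPS connection falls to the implicit deny. A second point is that IOS evaluates the inbound ACL on the outside interface before outside-to-inside NAT, so entries in ACL 103 that name the inside hosts 192.168.0.1 and 192.168.0.200 never see a matching destination on Dialer0; the inbound packet still carries the router's public address at that point. The Python below is an added example written for this page, not code from the thread or from Cisco: a small model of IOS extended-ACL evaluation (first match wins, implicit deny, wildcard masks, `eq` ports, the `established` keyword) run over ACL 101 and 103 copied from the config above. `ACL_103_FIXED`, the 203.0.113.0/24 remote hosts, and 198.51.100.1 standing in for the negotiated Dialer0 address are constructed assumptions.

```python
import ipaddress
from collections import namedtuple

PORT_NAMES = {"www": 80, "domain": 53}  # named ports used in the thread's ACLs

# A packet as the interface ACL sees it; flags holds TCP flag names, e.g. {"SYN", "ACK"}
Packet = namedtuple("Packet", "proto src dst sport dport flags", defaults=(0, 0, frozenset()))
# One parsed access-list entry; catch_all marks a bare "ip any any" with no qualifiers
Entry = namedtuple("Entry", "action proto src sport dst dport established catch_all text")


def _addr(tok, i):
    """Parse 'any' | 'host A' | 'A WILDCARD' at tok[i]; return (matcher, next index, is_any)."""
    if tok[i] == "any":
        return (lambda ip: True), i + 1, True
    if tok[i] == "host":
        host = int(ipaddress.ip_address(tok[i + 1]))
        return (lambda ip: ip == host), i + 2, False
    base = int(ipaddress.ip_address(tok[i]))
    care = ~int(ipaddress.ip_address(tok[i + 1])) & 0xFFFFFFFF  # wildcard 1-bits are don't-care
    return (lambda ip: (ip & care) == (base & care)), i + 2, False


def _port(tok, i):
    """Optional 'eq PORT' qualifier; return (port or None, next index)."""
    if i < len(tok) and tok[i] == "eq":
        return PORT_NAMES.get(tok[i + 1]) or int(tok[i + 1]), i + 2
    return None, i


def parse_acl(lines):
    """Parse: access-list N permit|deny PROTO SRC [eq P] DST [eq P] [established] [log]"""
    acl = []
    for line in lines:
        tok = line.split()
        action, proto = tok[2], tok[3]
        src, i, src_any = _addr(tok, 4)
        sport, i = _port(tok, i)
        dst, i, dst_any = _addr(tok, i)
        dport, i = _port(tok, i)
        est = "established" in tok[i:]
        catch_all = proto == "ip" and src_any and dst_any and sport is None and dport is None
        acl.append(Entry(action, proto, src, sport, dst, dport, est, catch_all, line))
    return acl


def _match(e, p):
    if e.proto not in ("ip", p.proto):
        return False
    if not e.src(int(ipaddress.ip_address(p.src))) or not e.dst(int(ipaddress.ip_address(p.dst))):
        return False
    if (e.sport is not None and e.sport != p.sport) or (e.dport is not None and e.dport != p.dport):
        return False
    # 'established' matches only segments with ACK or RST set, never a fresh SYN
    return not e.established or bool(p.flags & {"ACK", "RST"})


def evaluate(acl, p):
    """First match wins; every ACL ends with an implicit 'deny ip any any'."""
    for e in acl:
        if _match(e, p):
            return e.action, e.text
    return "deny", "implicit deny ip any any"


def unreachable_entries(acl):
    """Entries listed after a catch-all 'ip any any' can never be hit."""
    for n, e in enumerate(acl):
        if e.catch_all:
            return [x.text for x in acl[n + 1:]]
    return []


# ACLs copied verbatim from the full config posted above
ACL_101 = parse_acl([
    "access-list 101 permit ip any any",
    "access-list 101 permit tcp any eq 443 any",
    "access-list 101 permit tcp any eq www any",
])
ACL_103 = parse_acl([
    "access-list 103 permit udp any eq domain any",
    "access-list 103 permit udp any any eq domain",
    "access-list 103 permit tcp any host 192.168.0.1 eq 22",
    "access-list 103 permit tcp any host 192.168.0.200 eq 2222",
    "access-list 103 permit tcp any host 192.168.0.200 eq 3389",
    "access-list 103 permit icmp any any",
    "access-list 103 permit ip 192.168.249.0 0.0.0.255 any",
])
# Hypothetical replacement for use inbound on Dialer0 (an assumption, not from the thread):
# admits replies to sessions opened from inside, and matches the forwarded ports as the
# outside interface sees them, i.e. before outside-to-inside NAT rewrites the destination
ACL_103_FIXED = parse_acl([
    "access-list 103 permit tcp any any established",
    "access-list 103 permit udp any eq domain any",
    "access-list 103 permit tcp any any eq 2222",
    "access-list 103 permit tcp any any eq 3389",
    "access-list 103 permit icmp any any",
])
# Constructed packets arriving inbound on Dialer0: 203.0.113.0/24 stands in for remote
# hosts and 198.51.100.1 for the negotiated Dialer0 address (both are documentation ranges)
RETURN_HTTPS = Packet("tcp", "203.0.113.10", "198.51.100.1", 443, 51515, frozenset({"SYN", "ACK"}))
NEW_2222 = Packet("tcp", "203.0.113.77", "198.51.100.1", 40000, 2222, frozenset({"SYN"}))
UNSOLICITED_443 = Packet("tcp", "203.0.113.77", "198.51.100.1", 40001, 443, frozenset({"SYN"}))
```

`evaluate(ACL_103, RETURN_HTTPS)` falls through to the implicit deny, which is the symptom the poster describes; against `ACL_103_FIXED` the same segment is admitted by the `established` entry, while `UNSOLICITED_443` (a fresh SYN to port 443) is still denied, because `established` only admits segments carrying ACK or RST. `NEW_2222` is denied by the original ACL 103, since its destination is the public address rather than 192.168.0.200, and admitted by the `any any eq 2222` entry of the constructed list. `unreachable_entries(ACL_101)` returns the two port-specific lines that sit behind `permit ip any any`. The model is deliberately stateless: a reflexive ACL or CBAC (`ip inspect`) would track sessions instead of trusting the ACK bit, and is the stronger choice where the platform supports it.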
