ACL issue when accessing websites

Unanswered Question

I am having a problem with my ACL configuration on a 1720 router. When users try to surf with the following ACL they get blocked:


ip access-list extended PERIMETER
 permit udp host 17.29.14.73 host 21.31.116.209 eq isakmp
 permit esp host 17.29.14.73 host 21.31.116.209
 permit ip 172.18.3.0 0.0.0.255 172.22.3.0 0.0.0.255
 permit icmp any any unreachable
 permit icmp any any echo-reply
 permit tcp any any eq www
 deny ip any any log


Here are the log messages from the deny statement:


*Mar 1 17:03:13: %SEC-6-IPACCESSLOGP: list PERIMETER denied tcp 74.125.91.113(80) -> 21.31.116.209(2791), 1 packet
*Mar 1 17:03:17: %SEC-6-IPACCESSLOGP: list PERIMETER denied tcp 69.28.155.49(80) -> 21.31.116.209(2794), 1 packet
*Mar 1 17:03:18: %SEC-6-IPACCESSLOGP: list PERIMETER denied tcp 63.245.209.93(80) -> 21.31.116.209(2796), 1 packet
*Mar 1 17:03:31: %SEC-6-IPACCESSLOGP: list PERIMETER denied tcp 74.125.91.139(80) -> 21.31.116.209(2731), 2 packets
*Mar 1 17:03:37: %SEC-6-IPACCESSLOGP: list PERIMETER denied tcp 74.125.91.138(80) -> 21.31.116.209(2769), 2 packets


So I can see that the packet goes out on port 80 but comes back on a dynamic port. How can I allow this traffic without opening a ton of ports?


Complete config:


1720#sh run
Building configuration...

Current configuration : 2197 bytes
!
version 12.1
no service single-slot-reload-enable
service timestamps debug datetime
service timestamps log datetime
service password-encryption
!
hostname 1720
!
no logging buffered
no logging buffered
logging rate-limit console 10 except errors
!
memory-size iomem 25
clock timezone EST -5
ip subnet-zero
no ip finger
no ip domain-lookup
ip dhcp excluded-address 172.22.3.1 172.22.3.20
!
ip dhcp pool dhcppool
 network 172.22.3.0 255.255.255.0
 default-router 172.22.3.1
 dns-server 172.18.3.24 172.18.3.26
!
ip audit notify log
ip audit po max-events 100
!
!
crypto isakmp policy 10
 hash md5
 authentication pre-share
 group 2
crypto isakmp key cisco123 address 17.29.14.73
!
!
crypto ipsec transform-set ASA5510 esp-des esp-md5-hmac
!
crypto map VPNmap 10 ipsec-isakmp
 set peer 17.29.14.73
 set transform-set ASA5510
 set pfs group2
 match address ASA5510
!
!
!
!
interface Ethernet0
 ip address 21.31.116.209 255.255.255.252
 ip access-group PERIMETER in
 ip nat outside
 half-duplex
 crypto map VPNmap
!
interface FastEthernet0
 description LAN
 ip address 172.22.3.1 255.255.255.0
 ip nat inside
 speed auto
!
ip nat inside source list NAT_ADDRESSES interface Ethernet0 overload
ip kerberos source-interface any
ip classless
ip route 0.0.0.0 0.0.0.0 21.31.116.210
no ip http server
!
!
ip access-list extended NAT_ADDRESSES
 deny ip 172.22.3.0 0.0.0.255 172.18.3.0 0.0.0.255
 permit ip 172.22.3.0 0.0.0.255 any
ip access-list extended PERIMETER
 permit udp host 17.29.14.73 host 21.31.116.209 eq isakmp
 permit esp host 17.29.14.73 host 21.31.116.209
 permit ip 172.18.3.0 0.0.0.255 172.22.3.0 0.0.0.255
 permit icmp any any unreachable
 permit icmp any any echo-reply
 permit tcp any any eq www
 deny ip any any log
ip access-list extended ASA5510
 permit ip 172.22.3.0 0.0.0.255 172.18.3.0 0.0.0.255
alias exec sr show run
alias exec s sh ip int br
alias exec srt show ip route
!
line con 0
 logging synchronous
 transport input none
line aux 0
line vty 0 4
 exec-timeout 0 0
 logging synchronous
 login local
!
no scheduler allocate
end

Jon Marshall Thu, 10/15/2009 - 13:32

In your acl PERIMETER change this line

permit tcp any any eq www

to

permit tcp any eq 80 any

Jon
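The matching logic behind the question and Jon's answer, as an added example that is not part of the thread: a small Python model of IOS extended-ACL evaluation (first match wins, implicit deny at the end) run over the PERIMETER list as posted and over the %SEC-6-IPACCESSLOGP lines from the question. The original ACE `permit tcp any any eq www` matches only packets whose destination port is 80, which the outbound requests have but the inbound replies do not; `permit tcp any eq 80 any` matches on the source port instead. All helper names, the `PORT_NAMES` table and the probe packet in the test are my own constructions.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Subset of IOS port keywords used on this page (hypothetical helper table).
PORT_NAMES = {"www": 80, "isakmp": 500}

# The PERIMETER list exactly as posted in the question.
ORIGINAL_PERIMETER = """
permit udp host 17.29.14.73 host 21.31.116.209 eq isakmp
permit esp host 17.29.14.73 host 21.31.116.209
permit ip 172.18.3.0 0.0.0.255 172.22.3.0 0.0.0.255
permit icmp any any unreachable
permit icmp any any echo-reply
permit tcp any any eq www
deny ip any any log
"""

# The same list with the one-line change Jon proposes.
FIXED_PERIMETER = ORIGINAL_PERIMETER.replace(
    "permit tcp any any eq www", "permit tcp any eq 80 any")

# Three of the deny log lines copied from the question.
LOG_LINES = """
*Mar 1 17:03:13: %SEC-6-IPACCESSLOGP: list PERIMETER denied tcp 74.125.91.113(80) -> 21.31.116.209(2791), 1 packet
*Mar 1 17:03:17: %SEC-6-IPACCESSLOGP: list PERIMETER denied tcp 69.28.155.49(80) -> 21.31.116.209(2794), 1 packet
*Mar 1 17:03:18: %SEC-6-IPACCESSLOGP: list PERIMETER denied tcp 63.245.209.93(80) -> 21.31.116.209(2796), 1 packet
"""


@dataclass
class Packet:
    proto: str
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]
    icmp_type: Optional[str] = None


@dataclass
class Ace:
    action: str
    proto: str
    src: Tuple[int, int]      # (network, wildcard) as integers
    sport: Optional[int]
    dst: Tuple[int, int]
    dport: Optional[int]
    icmp_type: Optional[str]
    text: str


def _parse_addr(tokens: List[str]) -> Tuple[int, int]:
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W'; return (network, wildcard)."""
    t = tokens.pop(0)
    if t == "any":
        return 0, 0xFFFFFFFF
    if t == "host":
        return int(ipaddress.IPv4Address(tokens.pop(0))), 0
    return int(ipaddress.IPv4Address(t)), int(ipaddress.IPv4Address(tokens.pop(0)))


def _parse_port(tokens: List[str]) -> Optional[int]:
    """Consume an optional 'eq PORT' operator (the only operator this page uses)."""
    if tokens and tokens[0] == "eq":
        tokens.pop(0)
        p = tokens.pop(0)
        return PORT_NAMES[p] if p in PORT_NAMES else int(p)
    return None


def parse_acl(text: str) -> List[Ace]:
    aces = []
    for line in text.strip().splitlines():
        tokens = line.split()
        action, proto, rest = tokens[0], tokens[1], tokens[2:]
        src = _parse_addr(rest)
        sport = _parse_port(rest)
        dst = _parse_addr(rest)
        dport = _parse_port(rest)
        # For ICMP the next token is the message type; a trailing 'log' is not a match criterion.
        icmp_type = rest[0] if proto == "icmp" and rest else None
        aces.append(Ace(action, proto, src, sport, dst, dport, icmp_type, line))
    return aces


def _addr_match(spec: Tuple[int, int], ip: str) -> bool:
    net, wild = spec
    return (int(ipaddress.IPv4Address(ip)) | wild) == (net | wild)  # wildcard bits are don't-care


def evaluate(aces: List[Ace], pkt: Packet) -> Tuple[str, str]:
    """First-match semantics, ending in the implicit deny every IOS ACL has."""
    for ace in aces:
        if ace.proto not in ("ip", pkt.proto):
            continue
        if not (_addr_match(ace.src, pkt.src) and _addr_match(ace.dst, pkt.dst)):
            continue
        if ace.sport is not None and ace.sport != pkt.sport:
            continue
        if ace.dport is not None and ace.dport != pkt.dport:
            continue
        if ace.icmp_type is not None and ace.icmp_type != pkt.icmp_type:
            continue
        return ace.action, ace.text
    return "deny", "<implicit deny>"


LOG_RE = re.compile(r"denied (\w+) ([\d.]+)\((\d+)\) -> ([\d.]+)\((\d+)\)")


def packets_from_log(text: str) -> List[Packet]:
    """Rebuild the 5-tuple of each logged packet from %SEC-6-IPACCESSLOGP lines."""
    return [Packet(proto, src, int(sport), dst, int(dport))
            for proto, src, sport, dst, dport in LOG_RE.findall(text)]


def verdicts(acl_text: str, packets: List[Packet]) -> List[str]:
    aces = parse_acl(acl_text)
    return [evaluate(aces, p)[0] for p in packets]


if __name__ == "__main__":
    for pkt in packets_from_log(LOG_LINES):
        print(pkt.src, pkt.sport, "->", pkt.dst, pkt.dport,
              "| original:", evaluate(parse_acl(ORIGINAL_PERIMETER), pkt),
              "| fixed:", evaluate(parse_acl(FIXED_PERIMETER), pkt))
```

The model also shows the cost of the one-line fix: every inbound TCP packet whose source port is 80 now passes, whether or not anything inside asked for it, so an unsolicited connection from source port 80 to any inside port is let through. IOS has long offered the `established` keyword (matches only segments with ACK or RST set, so not a fresh SYN) to narrow such a return-traffic ACE, and the reflexive list discussed in the next answers is the stateful alternative.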

miraportuga Thu, 10/15/2009 - 14:11

A reflexive access-list would do the job as well...

something like

ip access-list extended LAN
permit ip any any reflect LAN

Apply this to the fast0/0 on the inbound direction and then you would add this line to the beginning of your perimeter acl

evaluate LAN

Cheers

miraportuga Thu, 10/15/2009 - 15:13

I'm sorry, I made a mistake here: "ip access-list extended LAN", you should name your acl with a different name than the one after the "reflect" command.

Cheers

P.S. - with this reflexive access-list all your LAN traffic to the internet will be permitted to pass through the firewall back in....
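The reflexive mechanism from miraportuga's two posts, as an added example that is not from the thread: a Python model of the temporary entries that a `reflect NAME` ACE records and an `evaluate NAME` ACE consults. The list names OUTBOUND and RETURN are mine, chosen to differ as the correction above requires. One placement choice is also mine and not in the posts: because this router does NAT overload on Ethernet0 and IOS checks an inbound ACL before it translates the destination back to the inside address, the reflect ACE is modelled on Ethernet0 in the outbound direction, where the recorded entries carry the post-NAT addresses that the returning packets actually have. The 300-second expiry is the IOS default reflexive timeout and is assumed here, not stated on the page; all flows are constructed.

```python
from dataclasses import dataclass
from typing import Dict, Tuple

# Assumed: IOS ages reflexive entries out after 300 seconds by default
# ('ip reflexive-list timeout' changes it). Not stated on the page.
DEFAULT_TIMEOUT = 300


@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

    def mirrored(self) -> "Flow":
        # The temporary entry IOS creates: same protocol, addresses and ports swapped.
        return Flow(self.proto, self.dst, self.dport, self.src, self.sport)


class ReflexiveList:
    """The dynamic entries behind 'reflect NAME' / 'evaluate NAME' (simplified model)."""

    def __init__(self, name: str, timeout: int = DEFAULT_TIMEOUT):
        self.name = name
        self.timeout = timeout
        self.entries: Dict[Flow, float] = {}   # expected return flow -> expiry time

    def reflect(self, pkt: Flow, now: float) -> None:
        self.entries[pkt.mirrored()] = now + self.timeout

    def matches(self, pkt: Flow, now: float) -> bool:
        expiry = self.entries.get(pkt)
        if expiry is None:
            return False
        if now > expiry:
            del self.entries[pkt]          # aged out, as IOS would do
            return False
        return True


class Router:
    """Ethernet0 with 'ip access-list extended OUTBOUND' (permit ip any any reflect RETURN)
    applied outbound, and PERIMETER applied inbound beginning with 'evaluate RETURN'."""

    def __init__(self, timeout: int = DEFAULT_TIMEOUT):
        self.return_list = ReflexiveList("RETURN", timeout)

    def ethernet0_out(self, pkt: Flow, now: float) -> str:
        # 'permit ip any any reflect RETURN': everything leaving is permitted and
        # its mirror image is recorded, which is exactly the P.S. in the answer.
        self.return_list.reflect(pkt, now)
        return "permit"

    def ethernet0_in(self, pkt: Flow, now: float) -> str:
        # 'evaluate RETURN' sits first in PERIMETER ...
        if self.return_list.matches(pkt, now):
            return "permit"
        # ... followed by the static ACEs from the question. Only the final
        # 'deny ip any any log' is modelled, because the sample packets reach it.
        return "deny"


def http_session_demo() -> Tuple[str, str, str]:
    """Constructed HTTP session: reply permitted, unsolicited probe denied, stale reply denied."""
    r = Router()
    # Post-NAT source is the Ethernet0 address from the question, so the reply is the
    # same 5-tuple the log showed: 74.125.91.113(80) -> 21.31.116.209(2791).
    request = Flow("tcp", "21.31.116.209", 2791, "74.125.91.113", 80)
    r.ethernet0_out(request, now=0.0)
    reply = request.mirrored()
    # Unsolicited packet from source port 80 (constructed address): no LAN host asked for it.
    probe = Flow("tcp", "198.51.100.7", 80, "21.31.116.209", 22)
    return (r.ethernet0_in(reply, now=1.0),
            r.ethernet0_in(probe, now=1.0),
            r.ethernet0_in(reply, now=400.0))   # entry expired after 300 s


if __name__ == "__main__":
    print(http_session_demo())
```

The contrast with the stateless source-port fix is the second value: the probe from source port 80 has no mirrored entry and falls through to the deny, while the genuine reply is admitted only for as long as its entry lives. The P.S. in the answer is visible in `ethernet0_out`: every protocol and port the LAN initiates creates a return entry, so the reflect ACE is as broad as the outbound policy in front of it.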


