Unable to access the Internet with Access Lists

seanwy · ‎09-14-2005

hi folks,

i'm facing an issue with accessing the Internet via a Sonicwall firewall from a cisco 1841 router.

I'm required to direct all Internet access to the Sonicwall firewall (192.168.1.3), which would then do the processing. As such, I have all http traffic directed to it, with ports 80 & 443 with access-lists.

However, when i tried assessing the internet from a desktop, it does not work. But if the access was taken out from the interface, internet browsing was fine.

the setup & configuration are as follow :

Internet --- Router --- Sonicwall FW --- 1841 router --- desktop

hostname 1841-Router

!

boot-start-marker

boot-end-marker

!

no logging buffered

enable password password

!

mmi polling-interval 60

no mmi auto-configure

no mmi pvc

mmi snmp-timeout 180

no aaa new-model

ip subnet-zero

ip cef

!

ip dhcp excluded-address 192.168.100.1 192.168.100.100

ip dhcp excluded-address 192.168.100.111 192.168.100.254

!

ip dhcp pool E-Corner

network 192.168.100.0 255.255.255.0

default-router 192.168.100.3

dns-server 165.21.83.88 165.21.100.88

!

ip ips po max-events 100

ip name-server 192.168.1.3

no ftp-server write-enable

!

username cisco privilege 15 password 0 password

!

interface FastEthernet0/0

description Private-LAN

ip address 192.168.100.3 255.255.255.0

ip access-group 102 out

ip nat inside

ip virtual-reassembly

duplex auto

speed auto

no mop enabled

!

interface FastEthernet0/1

description To the Sonicfirewall

ip address 192.168.1.13 255.255.255.0

ip access-group 101 out

duplex auto

speed auto

no mop enabled

!

ip classless

ip route 0.0.0.0 0.0.0.0 192.168.1.3

ip http server

ip http authentication local

ip http secure-server

ip nat inside source list 103 interface FastEthernet0/1 overload

!

access-list 101 remark SDM_ACL Category=17

access-list 101 permit ip 192.168.100.0 0.0.0.255 host 192.168.1.3

access-list 101 permit icmp 192.168.100.0 0.0.0.255 host 192.168.1.3 echo

access-list 101 permit ip 192.168.100.0 0.0.0.255 host 192.168.1.209

access-list 101 permit tcp 192.168.100.0 0.0.0.255 eq 5800 host 192.168.1.5

access-list 101 permit tcp 192.168.100.0 0.0.0.255 eq 5900 host 192.168.1.5

access-list 102 remark SDM_ACL Category=17

access-list 102 permit ip host 192.168.1.3 192.168.100.0 0.0.0.255

access-list 102 permit icmp host 192.168.1.3 192.168.100.0 0.0.0.255 echo-reply

access-list 102 permit ip host 192.168.1.209 192.168.100.0 0.0.0.255

access-list 102 permit tcp host 192.168.1.5 192.168.100.0 0.0.0.255 eq 5800

access-list 102 permit tcp host 192.168.1.5 192.168.100.0 0.0.0.255 eq 5900

access-list 103 remark SDM_ACL Category=2

access-list 103 permit ip 192.168.100.0 0.0.0.255 any

!

I would appreciate very much if someone would point me in the right direction.

Thank u!

spremkumar · ‎09-14-2005

hi

from your post i feel its ur sonic firewall which is supposed to do the natting but in the config posted by you clearly shows that you are making you internal ethernet interface as a inside and also making a overload on the 0/1 interface.

the second thing is you didnt add a nat ouside command too under your 0/1 interface which is reqd if u go/follow the funda followed by you.

so do revert whether the sonic firewall does any nating or not.

also confirm the other router which is kept in the edge belongs to u or to the SP.

if it belongs to u then do revert any natting enabled on that also.

if the natting is there in the edge then theres no need to doing another nat in ur 1841.in that case you can remove the ip nat inside command from the ethernet interface.

Also looking into your ACLs which i feel created using the GUI mode is not in proper shape.

you have enabled only some specific ips to be access by your local lan and others will be denied since at the end of all ACLs you have implicit deny attached by default.

so do check out about the natting desing deployed in your edge and also in the sonic firewall and bettter watch without the ACLs in place under your 0/1 interface.

regds

Richard Burts · ‎09-14-2005

Sean

There are a few things about your post that I am not clear about. In the beginning description you mention ports 80 and 443 but I do not see anything in either of the access lists that mention these ports.

Also I see that FastEthernet has nat inside configured and there is a ip nat inside source list 103, but there is no nat outside configured.

The router has two interfaces. Am I correct in assuming that users are on FastEthernet0/0 and that FastEthernet0/1 is the connection to outside? Is there anything on FastEthernet0/1 other than the Sonciwall?

I see that the router has a default route configured with the Sonicwall as the next hop. So all Internet traffic will surely go through the Sonicwall.

I think there are serious issues with both access lists. Access list 101 is outbound on traffic going to the Sonicwall. There are permits for traffic with Sonicwall as the destination address, there are permits for traffic with as the destination, and permits for TCP traffic with 192.168.1.5 destination for two specific TCP ports. But there are no permits with any Internet address as destination.

Similarly access list 102 which is outbound to your users permits with sources as mentioned above but has no permits for any traffic with Internet addresses as source.

If you change the access lists to address this I think it will work much better.

HTH

Rick

HTH

Rick

seanwy · ‎09-14-2005

Hi Rick!

Oh, the accesslist which I had provide was errorneous. sorry about it as I had made some changes then.

Yes, the desktops users are behind the FE0/0 whilst the FE0/1 is the outside connection. The are also other subnets interconnected via switches, but all of the users' desktop in these subnets has their gateway pointed to the sonicfirewall, with ip add 192.168.1.3.

regardig the NAT, the user had requested to have the 192.168.100.0 network to be 'hidden' from the other subnets. hence, users from these other subnets will view them as traffic from the FE0/1 interface (192.168.1.13) then.

I have the FE0/0 interface config. as 'Inside', thus I should have FE0/1 as 'outside' then?

here is my supposed access-list configuration :

access-list 101 permit tcp 192.168.100.0 0.0.0.255 host 192.168.1.3 eq www

access-list 101 permit tcp 192.168.100.0 0.0.0.255 host 192.168.1.3 eq 443

access-list 101 permit icmp 192.168.100.0 0.0.0.255 host 192.168.1.3 echo

access-list 101 permit ip 192.168.100.0 0.0.0.255 host 192.168.1.209

access-list 101 permit tcp 192.168.100.0 0.0.0.255 eq 5800 host 192.168.1.5

access-list 101 permit tcp 192.168.100.0 0.0.0.255 eq 5900 host 192.168.1.5

!

access-list 102 permit tcp host 192.168.1.3 0.0.0.0 eq www 192.168.100.0 0.0.0.255

access-list 102 permit tcp host 192.168.1.3 0.0.0.0 eq 443 192.168.100.0 0.0.0.255

access-list 102 permit icmp host 192.168.1.3 192.168.100.0 0.0.0.255 echo-reply

access-list 102 permit ip host 192.168.1.209 192.168.100.0 0.0.0.255

access-list 102 permit tcp host 192.168.1.5 192.168.100.0 0.0.0.255 eq 5800

access-list 102 permit tcp host 192.168.1.5 192.168.100.0 0.0.0.255 eq 5900

!

access-list 103 remark SDM_ACL Category=2

access-list 103 permit ip 192.168.100.0 0.0.0.255 any

!

interface FastEthernet0/0

description Private-LAN

ip address 192.168.100.3 255.255.255.0

ip access-group 102 out

ip nat inside

ip virtual-reassembly

duplex auto

speed auto

no mop enabled

!

interface FastEthernet0/1

description To the Sonicfirewall

ip address 192.168.1.13 255.255.255.0

ip access-group 101 out

duplex auto

speed auto

no mop enabled

I was thinking, should i simply use access-list 101 permit any any instead ?

Thank u!

regards,

Richard Burts · ‎09-14-2005

Sean

These access lists are a bit different but most of the problems that I pointed out before are still not resolved. I am most concerned that neither the access list 101 or 102 makes any permit for addresses that are in Internet address space.

Beyond that part of the issue I question in access list 101 that the only traffic you permit to the Sonicwall (and I assume that you probably mean through the Sonicwall) is www, 443, and icmp echo. So how will things like DNS work? If someone starts their web browser and enters www.cisco.com, how will the PC get to a DNS server to resolve the name to an address?

As far as the idea of making access list 101 permit ip any any, then I question why to have the access list at all?

As far as NAT is concerned, yes you need nat outside on FastEthernet0/1 if you want the users addresses to be translated going to other subnets.

HTH

Rick

HTH

Rick

seanwy · ‎09-14-2005

Hi Rick,

yes, I get what you mean by the DNS ip address issue.I believe tts where I went wrong. I do have the public ip address of 2 DNS servers on the ISP side. Am I right to followup the acl 101/102 with the DNS tcp port 53 with the following :

access-list 101 permit tcp 192.168.100.0 0.0.0.255 eq 53

access-list 102 permit tcp eq 53 192.168.100.0 0.0.0.255

am I in the right direction?

regards,

Sean.

Richard Burts · ‎09-14-2005

Sean

The DNS request will need to permit UDP 53 (probably in addition to TCP 53).

HTH

Rick

HTH

Rick

seanwy · ‎09-14-2005

Hi Kumar,

The user has requested the 192.168.100.0 (via F0/0; inside) network to be "Nat"ed so tt the desktops in this subnet will be 'hidden' from external subnets (via F0/1; such as 192.168.1.0 network). So am I right to say I will need to specify NAT OUTSIDE for the F0/1 interface? thus, any traffic from the 192.168.100.0 network will be 'seen' as coming from 192.168.1.3 interface ?

the sonicfirewall is definitely providing NATing for traffics coming from/leading to the Internet.

oh, I have provide an errorneous configuration after several trials. the actual accesslist should read :

access-list 101 permit tcp 192.168.100.0 0.0.0.255 host 192.168.1.3 eq www

access-list 101 permit tcp 192.168.100.0 0.0.0.255 host 192.168.1.3 eq 443

access-list 101 permit icmp 192.168.100.0 0.0.0.255 host 192.168.1.3 echo

access-list 101 permit ip 192.168.100.0 0.0.0.255 host 192.168.1.209

access-list 101 permit tcp 192.168.100.0 0.0.0.255 eq 5800 host 192.168.1.5

access-list 101 permit tcp 192.168.100.0 0.0.0.255 eq 5900 host 192.168.1.5

!

access-list 102 permit tcp host 192.168.1.3 0.0.0.0 eq www 192.168.100.0 0.0.0.255

access-list 102 permit tcp host 192.168.1.3 0.0.0.0 eq 443 192.168.100.0 0.0.0.255

access-list 102 permit icmp host 192.168.1.3 192.168.100.0 0.0.0.255 echo-reply

access-list 102 permit ip host 192.168.1.209 192.168.100.0 0.0.0.255

access-list 102 permit tcp host 192.168.1.5 192.168.100.0 0.0.0.255 eq 5800

access-list 102 permit tcp host 192.168.1.5 192.168.100.0 0.0.0.255 eq 5900

!

access-list 103 remark SDM_ACL Category=2

access-list 103 permit ip 192.168.100.0 0.0.0.255 any

!

interface FastEthernet0/0

description Private-LAN

ip address 192.168.100.3 255.255.255.0

ip access-group 102 out

ip nat inside

ip virtual-reassembly

duplex auto

speed auto

no mop enabled

!

interface FastEthernet0/1

description To the Sonicfirewall

ip address 192.168.1.13 255.255.255.0

ip access-group 101 out

duplex auto

speed auto

no mop enabled

Thank u!

regards,

Sean.