12-07-2011 06:17 AM - edited 03-11-2019 03:00 PM
Hello everyone,
I am trying to add some security to my Cisco with access lists, with no luck.
Although I try to follow by example, my ACL configuration just blocks all traffic and
I cannot find what I am doing wrong. I am not experienced with Cisco, so I could use some help.
Below is part of my config...
As soon as I activate the lists I can't access anything from inside out.
If I add access-list 100 permit ip any any, everything starts to work.
I am under the impression that the tcp any any established rule doesn't work for some reason.
Help? :-D
debug ip packet shows the following:
*Dec 6 14:28:55.163: IP: s=91.132.1.131 (Dialer1), d=224.0.0.1, len 32, input feature, Stateful Inspection(4), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Dec 6 14:28:55.163: IP: s=91.132.1.131 (Dialer1), d=224.0.0.1, len 32, input feature, Dialer i/f override(12), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Dec 6 14:28:55.163: IP: s=91.132.1.131 (Dialer1), d=224.0.0.1, len 32, input feature, Virtual Fragment Reassembly(21), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Dec 6 14:28:55.163: IP: s=91.132.1.131 (Dialer1), d=224.0.0.1, len 32, access denied
interface Dialer1
ip address negotiated
ip access-group 100 in
ip access-group 101 out
ip mtu 1492
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
ppp authentication chap pap callin
ppp chap hostname kkouts
ppp chap password 7 000816010B095B5656
ppp pap sent-username kkouts password 7 10420C1E0A45425B55
ppp ipcp dns request
!
interface BVI1
ip address 192.168.0.254 255.255.255.0
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer1
!
ip http server
ip http authentication local
no ip http secure-server
!
ip dns server
ip nat inside source list 1 interface Dialer1 overload
ip nat inside source static udp 192.168.2.4 60000 interface Dialer1 60000
ip nat inside source static tcp 192.168.2.4 60000 interface Dialer1 60000
!
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 1 permit 192.168.2.0 0.0.0.255
access-list 100 remark ACL Outside ADSL
access-list 100 remark CCP_ACL Category=1
access-list 100 deny ip 10.0.0.0 0.0.0.255 any
access-list 100 deny ip 172.16.0.0 0.0.15.255 any
access-list 100 deny ip 192.168.0.0 0.0.255.255 any
access-list 100 deny ip host 255.255.255.255 any
access-list 100 permit icmp any any administratively-prohibited
access-list 100 permit icmp any any time-exceeded
access-list 100 permit icmp any any unreachable
access-list 100 deny ip any 91.132.81.0 0.0.0.255
access-list 100 permit udp any eq domain any
access-list 100 permit tcp any any established
access-list 101 remark Outgoing Access List
access-list 101 remark CCP_ACL Category=1
access-list 101 permit ip 192.168.0.0 0.0.0.255 any
dialer-list 1 protocol ip permit
no cdp run
!
!
12-07-2011 10:33 AM
Your debug is actually showing multicast packets being dropped, which won't have TCP flags, but I'm assuming that all access is denied.
I think the problem is access-list 101, i.e.
access-list 101 remark Outgoing Access List
access-list 101 remark CCP_ACL Category=1
access-list 101 permit ip 192.168.0.0 0.0.0.255 any
You are permitting 192.168.0.0/24 outbound, but the problem is that the 192.168.0.x addresses have already been NATed to the outside interface address, because NAT on IOS happens before an outbound access-list is checked. So you need to change the access-list. Because you haven't got a fixed IP, i.e. it is negotiated, you cannot specify the actual IP in the access-list. The ASA supports using the "interface" keyword, but I am not sure IOS does. Apologies, but I don't have a router to test with at the moment. If you can't find that option you have a couple of alternatives -
1) change access-list 101 to
access-list 101 permit ip any any
the first any in the ACL would include the negotiated address
2) move ACL 101 to the BVI interface, because inbound ACLs are checked before any NAT on IOS.
It is questionable what this ACL is doing anyway. Your NAT config includes 192.168.1.0/2.0 and 3.0 but you are only allowing out 192.168.0.0/24 to the internet. Also, unless you are running the firewall on this router, you have some static NATs for 192.168.2.x addresses. But again, the return traffic from these devices would be blocked by ACL 101 as it tried to return to the internet.
Perhaps, if I have misunderstood, you could clarify further.
Jon
12-07-2011 10:40 AM
Jon, thanks a lot for your reply.
The reason you see so many contradictory entries is because I am still experimenting to make a fully working config.
The proper config is without any ACL references. It is a NAT setup that will allow me to access the internet from my 3 internal interfaces, 192.168.0.0 - 1.0 - 2.0 /24.
What I found out was that I was able to telnet and ping my router from the outside world on its external interface.
What I need is a secure box that will restrict any kind of access to its outside interface (Dialer 1) while allowing all kinds of services.
The 192.168.0.0/24 network is my wireless BVI 1 interface, which I now use for my testing, so you can ignore the other 2 networks.
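The following is an added example, not config from the original thread or from either poster. It applies Jon's option 2 (filter inside-to-outside traffic inbound on BVI1, where the ACL runs before NAT and still sees the private source address) and rewrites the inbound filter on Dialer1 so that the negotiated WAN address accepts nothing unsolicited, which is the goal stated above. The ACL names, the `log` keywords and the vty line range are my choices; the port forward to 192.168.2.4:60000 is carried over from the posted static NAT entries.

```cisco
! Added example, not part of the original thread. ACL names, "log" keywords
! and "line vty 0 4" are assumptions; everything else follows the posted config.
!
! Inside interface, inbound: evaluated BEFORE inside-to-outside NAT, so the
! source is still the private address and can be matched by subnet.
ip access-list extended INSIDE-IN
 remark LAN hosts allowed out (pre-NAT source addresses)
 permit ip 192.168.0.0 0.0.0.255 any
 permit ip 192.168.1.0 0.0.0.255 any
 permit ip 192.168.2.0 0.0.0.255 any
 deny   ip any any log
!
! Outside interface, inbound: evaluated BEFORE outside-to-inside NAT, so the
! destination is the negotiated Dialer1 address, which cannot be named here.
ip access-list extended OUTSIDE-IN
 remark Anti-spoofing: private/loopback/broadcast sources never arrive from the
 remark Internet (the posted ACL 100 used /24 and /20 masks for 10/8 and 172.16/12)
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 deny   ip 127.0.0.0 0.255.255.255 any
 deny   ip host 255.255.255.255 any
 remark ISP multicast like the 224.0.0.1 packets in the debug: drop quietly
 deny   ip any 224.0.0.0 15.255.255.255
 remark Replies to sessions opened from inside or by the router itself
 permit tcp any any established
 permit udp any eq domain any
 permit icmp any any echo-reply
 permit icmp any any time-exceeded
 permit icmp any any unreachable
 permit icmp any any administratively-prohibited
 remark The static NAT port forward; "any" destination because the public
 remark address is negotiated and the port is unchanged by the translation
 permit tcp any any eq 60000
 permit udp any any eq 60000
 remark New TCP connections (telnet, ssh, http) and echo-requests aimed at the
 remark WAN address match nothing above and are dropped here
 deny   ip any any log
!
interface BVI1
 ip access-group INSIDE-IN in
!
interface Dialer1
 ip access-group OUTSIDE-IN in
 no ip access-group 101 out
!
! Management plane, independent of the interface ACLs: only LAN hosts may open
! a vty session at all. The vty lines are not in the posted config (assumed 0 4).
ip access-list standard MGMT-HOSTS
 permit 192.168.0.0 0.0.0.255
line vty 0 4
 access-class MGMT-HOSTS in
```

Check it with `show ip access-lists` (the hit counters show which line each flow lands on; a growing counter on the final `deny ip any any log` of INSIDE-IN means a LAN host outside the three subnets is being dropped) and `show ip nat translations` while a LAN host browses. Two caveats: the `established` keyword only matches TCP segments with the ACK or RST bit set, it keeps no session table, so a crafted ACK from outside passes it; on IOS images with the firewall feature set, `ip inspect` (CBAC) or the zone-based firewall gives a real state table and removes the need for that line. And remove the `log` keywords once the config is confirmed working, since logging every dropped packet costs CPU on a small router.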