1841 ADSL Access-List Problem

nemiath76
Level 1

Hello everyone,

I am trying to add some security to my Cisco with access lists, with no luck.

Although I try to follow by example, my ACL configuration just blocks all traffic and I cannot find what I am doing wrong. I am not experienced with Cisco, so I could use some help.

Below is part of my config...

As soon as I activate the lists I can't access anything from inside out.

If I add access-list 100 permit ip any any, everything starts to work.

I am under the impression that the tcp any any established rule doesn't work for some reason.

Help ? :-D

debug ip packet shows the following:

*Dec  6 14:28:55.163: IP: s=91.132.1.131 (Dialer1), d=224.0.0.1, len 32, input feature, Stateful Inspection(4), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Dec  6 14:28:55.163: IP: s=91.132.1.131 (Dialer1), d=224.0.0.1, len 32, input feature, Dialer i/f override(12), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Dec  6 14:28:55.163: IP: s=91.132.1.131 (Dialer1), d=224.0.0.1, len 32, input feature, Virtual Fragment Reassembly(21), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Dec  6 14:28:55.163: IP: s=91.132.1.131 (Dialer1), d=224.0.0.1, len 32, access denied

interface Dialer1
 ip address negotiated
 ip access-group 100 in
 ip access-group 101 out
 ip mtu 1492
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 ppp authentication chap pap callin
 ppp chap hostname kkouts
 ppp chap password 7 000816010B095B5656
 ppp pap sent-username kkouts password 7 10420C1E0A45425B55
 ppp ipcp dns request
!
interface BVI1
 ip address 192.168.0.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer1
!
ip http server
ip http authentication local
no ip http secure-server
!
ip dns server
ip nat inside source list 1 interface Dialer1 overload
ip nat inside source static udp 192.168.2.4 60000 interface Dialer1 60000
ip nat inside source static tcp 192.168.2.4 60000 interface Dialer1 60000
!
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 1 permit 192.168.2.0 0.0.0.255
access-list 100 remark ACL Outside ADSL
access-list 100 remark CCP_ACL Category=1
access-list 100 deny   ip 10.0.0.0 0.0.0.255 any
access-list 100 deny   ip 172.16.0.0 0.0.15.255 any
access-list 100 deny   ip 192.168.0.0 0.0.255.255 any
access-list 100 deny   ip host 255.255.255.255 any
access-list 100 permit icmp any any administratively-prohibited
access-list 100 permit icmp any any time-exceeded
access-list 100 permit icmp any any unreachable
access-list 100 deny   ip any 91.132.81.0 0.0.0.255
access-list 100 permit udp any eq domain any
access-list 100 permit tcp any any established
access-list 101 remark Outgoing Access List
access-list 101 remark CCP_ACL Category=1
access-list 101 permit ip 192.168.0.0 0.0.0.255 any
dialer-list 1 protocol ip permit
no cdp run
!
!

1 Accepted Solution

Jon Marshall
Hall of Fame

Your debug is actually showing multicast packets being dropped, which won't have TCP flags, but I'm assuming that all access is denied.

I think the problem is access-list 101, i.e.

access-list 101 remark Outgoing Access List
access-list 101 remark CCP_ACL Category=1
access-list 101 permit ip 192.168.0.0 0.0.0.255 any

You are permitting 192.168.0.0/24 outbound, but the problem is the 192.168.0.x addresses have already been NATted to the outside interface address, because NAT on IOS happens before an outbound access-list is checked. So you need to change the access-list. Because you haven't got a fixed IP, i.e. it is negotiated, you cannot specify the actual IP in the access-list. The ASA supports using the "interface" keyword, but I am not sure IOS does. Apologies, but I don't have a router to test with at the moment. If you can't find that option you have a couple of alternatives -

1) change access-list 101 to

access-list 101 permit ip any any  

The first any in the ACL would include the negotiated address.

2) move ACL 101 to the BVI interface, because inbound ACLs are checked before any NAT on IOS.

It is questionable what this ACL is doing anyway. Your NAT config includes 192.168.1.0/2.0 and 3.0, but you are only allowing out 192.168.0.0/24 to the internet. Also, unless you are running the firewall on this router, you have some static NATs for 192.168.2.x addresses. But again, the return traffic from these devices would be blocked by ACL 101 as it tried to return to the internet.

Perhaps if I have misunderstood you could clarify further.

Jon
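As an added illustration (not Jon's code or anything posted in the thread), the following Python models the IOS order of operations the reply describes: an ACL applied out on Dialer1 sees the post-PAT source address, while an ACL applied in on BVI1 sees the original inside address. The negotiated Dialer1 address is a constructed placeholder, and the model matches on source address only, ignoring protocol and destination.

```python
import ipaddress

# ACL 101 as posted in the thread, and the "permit ip any any" variant from option 1.
ACL_101_ORIGINAL = ["access-list 101 permit ip 192.168.0.0 0.0.0.255 any"]
ACL_101_FIXED = ["access-list 101 permit ip any any"]

# Constructed placeholder for the PPP-negotiated address on Dialer1 (not from the thread).
NEGOTIATED = "198.51.100.7"


def parse_ace(line):
    """Turn one extended-ACL entry into (action, source network).

    Only the forms used in ACL 101 are handled: a network with an IOS
    wildcard mask, or the keyword 'any'. Destination and protocol are ignored.
    """
    parts = line.split()
    action, src = parts[2], parts[4:]
    if src[0] == "any":
        return action, ipaddress.ip_network("0.0.0.0/0")
    # A wildcard mask is the bitwise inverse of a subnet mask.
    wildcard = int(ipaddress.IPv4Address(src[1]))
    netmask = ipaddress.IPv4Address(0xFFFFFFFF ^ wildcard)
    return action, ipaddress.ip_network(f"{src[0]}/{netmask}", strict=False)


def acl_permits(acl, src_ip):
    """First-match evaluation with the implicit 'deny any' at the end."""
    addr = ipaddress.ip_address(src_ip)
    for action, net in acl:
        if addr in net:
            return action == "permit"
    return False


def outbound_decision(acl_lines, inside_src, negotiated_ip, acl_on="dialer"):
    """True if a packet from inside_src reaches the internet.

    acl_on="dialer": ACL applied 'out' on Dialer1; it is evaluated after
                     PAT, so the source it sees is the negotiated address.
    acl_on="bvi":    ACL applied 'in' on BVI1; it is evaluated before NAT,
                     so the source it sees is the original inside address.
    """
    acl = [parse_ace(l) for l in acl_lines if " remark " not in l]
    source_seen = negotiated_ip if acl_on == "dialer" else inside_src
    return acl_permits(acl, source_seen)
```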


Jon, thanks a lot for your reply.

The reason you see so many contradictory entries is because I am still experimenting to make a fully working config.

The proper config is without any ACL references. It is a NAT setup that will allow me to access the internet from my 3 internal interfaces: 192.168.0.0 - 1.0 - 2.0 /24.

What I found out was that I was able to telnet and ping my router from the outside world on its external interface.

What I need is a secure box that will restrict any kind of access to its outside interface (Dialer1) while allowing all kinds of services.

The 192.168.0.0/24 network is my wireless BVI1 interface, which I now use for my testing, so you can ignore the other 2 networks.
