Cisco Support Community
ACL Inbound and Outbound Question

Hi Community

Below is a config example, but I'd like to understand how the ACLs work on the BVI and Dialer0 interfaces. The BVI has OUTBOUND-ACL applied IN, which is permit ip any any; however, the Dialer0 interface has INBOUND-ACL applied IN, which only permits a host and an external network for telnet and denies everything else. So how do users still manage to get out to the internet when the returning traffic coming back IN to the Dialer0 interface hits a deny all?

Thanks in advance for your assistance...

ip dhcp pool DHCP_POOL
   import all
   network 192.168.1.0 255.255.255.0
   default-router 192.168.1.254
   dns-server 208.****
   domain-name *****
!
!
ip cef
ip inspect name FIREWALL tcp
ip inspect name FIREWALL udp
ip inspect name FIREWALL ftp
ip inspect name FIREWALL icmp
ip inspect name FIREWALL cuseeme
ip inspect name FIREWALL h323
ip inspect name FIREWALL rcmd
ip inspect name FIREWALL realaudio
ip inspect name FIREWALL rtsp
ip inspect name FIREWALL sqlnet
ip inspect name FIREWALL streamworks
ip inspect name FIREWALL tftp
ip inspect name FIREWALL vdolive
no ip domain lookup
ip domain name *****
ip name-server 20.*.*.*
ip name-server 20.*.*.*
vpdn enable


vpdn-group pptp
! Default PPTP VPDN group
 accept-dialin
  protocol pptp
  virtual-template 1
!
!
!
crypto pki trustpoint sshcert
 revocation-check crl
 rsakeypair sshcert
!
!
!
!
!
crypto isakmp policy 1
 encr aes 256
 authentication pre-share
!
crypto isakmp policy 20
 encr aes
 authentication pre-share
 group 5
crypto isakmp key **** address ********
crypto isakmp key **** address **********
!
crypto ipsec security-association lifetime seconds 28800
!
crypto ipsec transform-set VPN-TRANSET esp-aes 256 esp-sha-hmac
!
crypto map VPN-CRYPTOMAP 10 ipsec-isakmp
 set peer ********
 set transform-set VPN-TRANSET
 match address VPNTRAFFIC-ACL
crypto map VPN-CRYPTOMAP 20 ipsec-isakmp
 set peer ********
 set transform-set VPN-TRANSET
 match address HS-VPNTRAFFIC-ACL
!
bridge irb
!
!
interface ATM0
 no ip address
 no ip redirects
 no ip unreachables
 no atm ilmi-keepalive
 pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
 dsl operating-mode auto
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Virtual-Template1
 ip unnumbered BVI1
 ip mroute-cache
 peer default ip address pool pptp
 ppp encrypt mppe auto required
 ppp authentication ms-chap-v2 ms-chap
!
interface Vlan1
 no ip address
 bridge-group 1
!
interface Dialer0
 ip address negotiated
 ip access-group INBOUND-ACL in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip mtu 1492
 ip inspect FIREWALL out
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap callin
 ppp chap hostname **********
 ppp chap password ***********
 crypto map VPN-CRYPTOMAP
!
interface BVI1
 ip address 192.168.1.254 255.255.255.0
 ip access-group OUTBOUND-ACL in
 ip nat inside
 ip virtual-reassembly
!
ip local pool pptp 192.168.1.201 192.168.1.220
ip route 0.0.0.0 0.0.0.0 Dialer0
!

ip nat source static 192.168.1.2 79.******* route-map NAT-MAP extendable
ip nat inside source static tcp 192.168.1.2 80 interface Dialer0 80
ip nat inside source static tcp 192.168.1.2 443 interface Dialer0 443
ip nat inside source static tcp 192.168.1.1 3389 interface Dialer0 3389
ip nat inside source static tcp 192.168.1.2 25 interface Dialer0 25
ip nat inside source route-map NAT-MAP interface Dialer0 overload
!
ip access-list extended HS-VPNTRAFFIC-ACL
 permit ip 192.168.0.0 0.0.0.255 172.*.*.* *.*.*.*
ip access-list extended INBOUND-ACL
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 deny   ip 127.0.0.0 0.255.255.255 any
 deny   ip host 255.255.255.255 any
 deny   ip host 0.0.0.0 any
 permit tcp any any eq 1723
 permit gre any any
 permit icmp any any echo-reply
 permit icmp any any time-exceeded
 permit icmp any any unreachable
 permit tcp host #.#.#.# any eq 22
 permit tcp  *.*.* *.*.*.* any eq 22
 deny   tcp any any eq smtp
 deny   ip any any
ip access-list extended NONVPNTRAFFIC-ACL
 deny   ip 192.168.1.0 0.0.0.255 10.0.0.0 0.0.0.255
 deny   ip 192.168.1.0 0.0.0.255 172.0.0.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 any
ip access-list extended OUTBOUND-ACL
 deny   ip host 255.255.255.255 any
 deny   ip 127.0.0.0 0.255.255.255 any
 permit ip any any
ip access-list extended VPNTRAFFIC-ACL
 permit ip 192.168.1.0 0.0.0.255 10.0.0.0 0.0.0.255
ip access-list extended VTY-ACL
 permit ip 192.168.1.0 0.0.0.255 any
 permit ip  #.#.#.# #.#.#.# any
!
route-map NAT-MAP permit 10
 match ip address NONVPNTRAFFIC-ACL
!
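The mechanism the question is asking about is the `ip inspect FIREWALL out` line on Dialer0. That is classic IOS CBAC (Context-Based Access Control): every TCP, UDP or ICMP session it sees leaving Dialer0 gets a session entry, and the return packets of that session are matched against the session table before the static `ip access-group INBOUND-ACL in` is consulted, so they never reach the trailing `deny ip any any`. Only unsolicited inbound traffic is judged by INBOUND-ACL. The Python model below is an added example, not code from the original post or from Cisco: it parses the posted INBOUND-ACL and OUTBOUND-ACL in IOS syntax (the two masked `permit tcp ... eq 22` entries are left out because their addresses are not on the page), applies Cisco wildcard-mask semantics, and walks an outbound HTTP connection and several unsolicited inbound packets through the Dialer0 inbound path. The public address 203.0.113.5, the remote hosts in 198.51.100.0/24 and the assumption that PAT keeps the source port unchanged are constructed placeholders, not values from the config.

```python
"""Toy model of CBAC ('ip inspect ... out') letting return traffic past an inbound ACL
that ends in 'deny ip any any'. Added example; addresses are RFC 5737 placeholders."""
from dataclasses import dataclass, replace
import ipaddress

PUBLIC_IP = "203.0.113.5"   # stands in for the masked negotiated Dialer0 address (assumption)
PORT_NAMES = {"smtp": 25, "ssh": 22, "www": 80, "telnet": 23}  # subset of IOS port keywords


@dataclass(frozen=True)
class Packet:
    proto: str            # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    icmp_type: str = ""   # "echo", "echo-reply", "unreachable", ...


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'do not care'."""
    care = 0xFFFFFFFF ^ int(ipaddress.ip_address(wildcard))
    return int(ipaddress.ip_address(addr)) & care == int(ipaddress.ip_address(base)) & care


def _parse_addr(t, i):
    if t[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    if t[i] == "host":
        return (t[i + 1], "0.0.0.0"), i + 2
    return (t[i], t[i + 1]), i + 2


def parse_acl(text: str):
    """Parse 'permit|deny <proto> <src> <dst> [eq <port> | <icmp-type>]' lines; other lines are ignored."""
    aces = []
    for line in text.strip().splitlines():
        t = line.split()
        if not t or t[0] not in ("permit", "deny"):
            continue
        src, i = _parse_addr(t, 2)
        dst, i = _parse_addr(t, i)
        rest, qual = t[i:], None
        if rest[:1] == ["eq"]:
            qual = PORT_NAMES.get(rest[1]) or int(rest[1])
        elif rest:
            qual = rest[0]                     # ICMP type keyword
        aces.append((t[0], t[1], src, dst, qual))
    return aces


def acl_action(aces, p: Packet) -> str:
    """First matching entry wins; no match means the implicit deny at the end."""
    for action, proto, (sb, sw), (db, dw), qual in aces:
        if proto not in ("ip", p.proto):
            continue
        if not (wildcard_match(p.src, sb, sw) and wildcard_match(p.dst, db, dw)):
            continue
        if qual is None or (p.dport == qual if p.proto in ("tcp", "udp") else p.icmp_type == qual):
            return action
    return "deny"


# The two ACLs as posted (masked ssh entries omitted); the header line is skipped by the parser.
INBOUND_ACL = parse_acl("""
ip access-list extended INBOUND-ACL
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 deny   ip 127.0.0.0 0.255.255.255 any
 deny   ip host 255.255.255.255 any
 deny   ip host 0.0.0.0 any
 permit tcp any any eq 1723
 permit gre any any
 permit icmp any any echo-reply
 permit icmp any any time-exceeded
 permit icmp any any unreachable
 deny   tcp any any eq smtp
 deny   ip any any
""")
OUTBOUND_ACL = parse_acl("""
 deny   ip host 255.255.255.255 any
 deny   ip 127.0.0.0 0.255.255.255 any
 permit ip any any
""")


class Cbac:
    """'ip inspect FIREWALL out' on Dialer0: outbound sessions of inspected protocols get a
    temporary permit for their return packets, evaluated before the static inbound ACL."""
    def __init__(self, protocols):
        self.protocols, self.sessions = set(protocols), set()

    def inspect_out(self, p: Packet):
        if p.proto in self.protocols:
            self.sessions.add((p.proto, p.src, p.sport, p.dst, p.dport))

    def is_return(self, p: Packet) -> bool:
        return (p.proto, p.dst, p.dport, p.src, p.sport) in self.sessions


def send_outbound(fw: Cbac, p: Packet) -> str:
    """LAN host -> Internet: OUTBOUND-ACL on BVI1 in, PAT on Dialer0, then CBAC inspection out."""
    if acl_action(OUTBOUND_ACL, p) != "permit":
        return "dropped by OUTBOUND-ACL"
    fw.inspect_out(replace(p, src=PUBLIC_IP))   # PAT overload; assumption: source port unchanged
    return "sent"


def receive_inbound(fw: Cbac, p: Packet) -> str:
    """Internet -> Dialer0 in: CBAC session table first, then the static INBOUND-ACL."""
    if fw.is_return(p):
        return "permitted by CBAC session"
    return "permitted by INBOUND-ACL" if acl_action(INBOUND_ACL, p) == "permit" else "denied by INBOUND-ACL"


def demo() -> dict:
    fw = Cbac(["tcp", "udp", "icmp"])          # the generic entries of 'ip inspect name FIREWALL'
    reply = Packet("tcp", "198.51.100.80", PUBLIC_IP, 80, 51000)   # SYN/ACK from the web server
    return {
        "outbound http": send_outbound(fw, Packet("tcp", "192.168.1.10", "198.51.100.80", 51000, 80)),
        "http reply": receive_inbound(fw, reply),
        "http reply, no session": receive_inbound(Cbac(["tcp"]), reply),
        "unsolicited rdp to forwarded port": receive_inbound(fw, Packet("tcp", "198.51.100.7", PUBLIC_IP, 40000, 3389)),
        "unsolicited pptp": receive_inbound(fw, Packet("tcp", "198.51.100.7", PUBLIC_IP, 40000, 1723)),
        "spoofed rfc1918 source": receive_inbound(fw, Packet("tcp", "10.1.1.1", PUBLIC_IP, 40000, 1723)),
        "unsolicited echo-reply": receive_inbound(fw, Packet("icmp", "198.51.100.7", PUBLIC_IP, icmp_type="echo-reply")),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:36s} {verdict}")
```

On the router itself the same thing can be checked with `show ip inspect sessions` (the dynamic session entries) and `show ip access-lists INBOUND-ACL` (hit counts on the static entries; unsolicited inbound packets land on `deny ip any any`). Two things the model also makes visible in the posted config: the static NAT forwards to 192.168.1.2 (80, 443, 25) and 192.168.1.1 (3389) are inbound-initiated, so CBAC does nothing for them and INBOUND-ACL as posted denies them (SMTP explicitly, the rest by the final deny); and the crypto map on Dialer0 needs ESP and UDP 500/4500 from the peers to arrive, which INBOUND-ACL as posted has no entries for, and CBAC in this form does not create sessions for traffic the router itself originates.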

1 REPLY

This discussion has been reposted from Community Ideas to the Firewalling community.