inbound access list blocks LAN access to internet

Tibor Marchyn
Level 1

Hi,

I have problems with access lists on a Cisco 2801 running IOS. I'm more familiar with the Cisco ASA, but now I need to make an access list for IOS.


What I want: I need to block all incoming traffic to the public IP address of the router except from the headquarters IP address. Users must be able to connect from the LAN to the internet without any limitation (TCP, UDP, ICMP).

What the problem is: when I apply the access list, internal users are not able to access the internet.

Before I apply the access list I can ping Google from the router's internal IP with the command:

ping 74.125.43.106 source 192.168.12.1

After I apply the access list I don't get any responses and clients can't access the internet.

Thank you for your help.

My config with applied access lists:

Router public IP: 1.2.3.4

Headquarter IP: 9.9.9.9

Internal router IP: 192.168.12.1

ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 nntp
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 icmp
ip inspect name DEFAULT100 esmtp
ip inspect name DEFAULT100 ntp
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 netshow
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 sqlnet
ip inspect name DEFAULT100 cuseeme
ip inspect name DEFAULT100 vdolive
!

ip reflexive-list timeout 120
!

interface FastEthernet0/0
ip address 1.2.3.4 255.255.255.252
ip nat outside
ip inspect DEFAULT100 in
ip access-group acl_inbound in
ip access-group acl_outbound out
ip virtual-reassembly
duplex auto
speed auto
crypto map CMAP-TO-CZ
!
interface FastEthernet0/3/0
switchport access vlan 12
speed 100
spanning-tree portfast
!
interface FastEthernet0/3/1
switchport access vlan 12
speed 100
spanning-tree portfast
!
interface FastEthernet0/3/2
switchport access vlan 12
speed 100
spanning-tree portfast
!
interface FastEthernet0/3/3
switchport access vlan 12
speed 100
spanning-tree portfast
!
interface FastEthernet0/3/4
switchport access vlan 12
speed 100
spanning-tree portfast
!
interface FastEthernet0/3/5
switchport access vlan 12
speed 100
spanning-tree portfast
!
interface FastEthernet0/3/6
switchport access vlan 12
speed 100
spanning-tree portfast
!
interface FastEthernet0/3/7
switchport access vlan 12
speed 100
spanning-tree portfast
!
interface FastEthernet0/3/8
switchport access vlan 12
speed 100
spanning-tree portfast
!
interface Vlan12
description $ES_LAN$
ip address 192.168.12.1 255.255.255.0
ip nat inside
ip virtual-reassembly
h323-gateway voip interface
h323-gateway voip bind srcaddr 192.168.12.1
!
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0/0 overload
!
ip access-list extended acl_inbound
permit ip host 9.9.9.9 host 1.2.3.4
permit esp host 9.9.9.9 host 1.2.3.4
permit ahp host 9.9.9.9 host 1.2.3.4
permit ipinip host 9.9.9.9 host 1.2.3.4
evaluate inettraffic
ip access-list extended acl_outbound
permit tcp any any reflect inettraffic timeout 300
permit udp any any reflect inettraffic timeout 300
permit icmp any any reflect inettraffic timeout 300
!
access-list 101 remark exempt nat
access-list 101 deny   icmp 192.168.12.0 0.0.0.255 192.168.6.0 0.0.0.255
access-list 101 deny   icmp 192.168.12.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 101 deny   icmp 192.168.12.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 101 deny   icmp 192.168.12.0 0.0.0.255 192.168.210.0 0.0.0.255
access-list 101 deny   ip 192.168.12.0 0.0.0.255 192.168.6.0 0.0.0.255
access-list 101 deny   ip 192.168.12.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 101 deny   ip 192.168.12.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 101 deny   ip 192.168.12.0 0.0.0.255 192.168.210.0 0.0.0.255
access-list 101 permit ip 192.168.12.0 0.0.0.255 any
!
route-map SDM_RMAP_1 permit 1
match ip address 101

3 Replies

Calin C.
Level 5

Hello Tibor,

To be honest, I didn't check your configuration very carefully (but I think it's correct), as the problem doesn't lie in your config, but in the logic of your expectations:

"What I want: I need to block all incoming traffic to public IP address of router except headquarter ip address. Users must connect from LAN to internet without any limitation (tcp, udp, icmp)"

Now, imagine that a host on the LAN (e.g. 192.168.12.2) wants to reach cisco.com (e.g. 84.53.164.170). I see that you're using NAT, so the packet starts with a source address of 192.168.12.2, arrives at your NAT router, where the source address is changed to your public IP address 1.2.3.4, and the packet is forwarded to cisco.com (84.53.164.170). Up to this point everything is fine.

When cisco.com sends the packet back, it sends it to 1.2.3.4 (the source address of the NATed packet), where the packet gets dropped, due to the fact that you only accept packets coming from 9.9.9.9.

Do you see where the problem is? Communication is bidirectional, so you are sending packets to multiple IP addresses, but you expect to receive them back only from one IP address.

Did I miss anything? Maybe there is some VPN between 1.2.3.4 and 9.9.9.9 and all clients should go to the Internet through the VPN tunnel? That would contradict your NAT configuration, which states that packets should be NATed on the 1.2.3.4 interface.

Cheers,

Calin

It looks like you are using a reflexive access-list and the firewall feature set simultaneously. Only one of these features should be used, as they don't complement each other. The IP inspect rule is backwards; when it's applied to the outside interface it should be in an 'outbound' direction rather than an inbound direction.


Try this:

access-list 102 permit ip host 9.9.9.9 host 1.2.3.4
access-list 102 permit esp host 9.9.9.9 host 1.2.3.4
access-list 102 permit ahp host 9.9.9.9 host 1.2.3.4
access-list 102 permit ipinip host 9.9.9.9 host 1.2.3.4

int fa0/0
no ip access-group acl_outbound out
ip access-group 102 in
ip inspect DEFAULT100 out
exit

Can't determine the health of your crypto map as the entire config isn't posted.


Chris
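The two replies above describe three different packet paths through Fa0/0: return traffic hitting the static inbound list only (Calin's explanation), return traffic matched by the reflexive `reflect`/`evaluate` pair in the original config, and the router's own `ping ... source 192.168.12.1` test. The following Python model is an added example, not code from the thread or from Cisco; it reproduces only the access-group and reflexive-ACL logic on the outside interface (CBAC `ip inspect` is not modelled), with the addresses taken from the thread. The class and function names, and the `router_originated` flag, are the example's own. The flag models a documented IOS behaviour worth knowing when testing this kind of setup: packets the router itself generates are not evaluated by an outbound access-group, so they never create a reflexive entry (and by default CBAC does not inspect router-generated traffic either), which means a ping sourced from the router will fail even in a configuration that works for LAN hosts.

```python
# Added example (not from the thread): minimal model of a reflexive ACL on Fa0/0.
# Models 'ip access-group acl_outbound out' and 'ip access-group acl_inbound in';
# 'ip inspect' (CBAC) is deliberately not modelled.
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0      # 0 for icmp
    dport: int = 0


@dataclass
class OutsideInterface:
    """Fa0/0 as configured in the thread: public IP 1.2.3.4, HQ at 9.9.9.9."""
    public_ip: str = "1.2.3.4"
    hq_ip: str = "9.9.9.9"
    # Temporary entries created by 'reflect inettraffic', keyed on the
    # mirrored 5-tuple (proto, src, sport, dst, dport) of the expected reply.
    reflexive: set = field(default_factory=set)

    def outbound(self, pkt: Packet, router_originated: bool = False) -> bool:
        """acl_outbound: permit tcp/udp/icmp any any reflect inettraffic.

        IOS does not apply an outbound access-group to packets the router
        generates itself, so they are forwarded without creating a reflexive
        entry; the hypothetical router_originated flag models that."""
        if router_originated:
            return True
        if pkt.proto in ("tcp", "udp", "icmp"):
            self.reflexive.add((pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport))
            return True
        return False  # implicit deny at the end of the list

    def inbound(self, pkt: Packet, use_evaluate: bool = True) -> bool:
        """acl_inbound: permit ip host 9.9.9.9 host 1.2.3.4, then evaluate inettraffic."""
        if pkt.src == self.hq_ip and pkt.dst == self.public_ip:
            return True
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if use_evaluate and key in self.reflexive:
            return True
        return False  # implicit deny: everything else towards 1.2.3.4 is dropped


def lan_host_to_web(static_only: bool = False) -> bool:
    """LAN host (already NATed to 1.2.3.4 on Fa0/0) opens TCP/80 to cisco.com.
    Returns whether the reply is permitted by acl_inbound. With static_only=True
    the 'evaluate' line is ignored, i.e. the situation Calin describes."""
    fa0 = OutsideInterface()
    request = Packet("tcp", "1.2.3.4", "84.53.164.170", 40000, 80)
    reply = Packet("tcp", "84.53.164.170", "1.2.3.4", 80, 40000)
    if not fa0.outbound(request):
        return False
    return fa0.inbound(reply, use_evaluate=not static_only)


def router_sourced_ping() -> bool:
    """'ping 74.125.43.106 source 192.168.12.1' typed on the router. Whether or
    not NAT rewrites the source address, no reflexive entry is created, so the
    echo reply cannot match 'evaluate' and is dropped."""
    fa0 = OutsideInterface()
    echo = Packet("icmp", "192.168.12.1", "74.125.43.106")
    echo_reply = Packet("icmp", "74.125.43.106", "192.168.12.1")
    fa0.outbound(echo, router_originated=True)
    return fa0.inbound(echo_reply)


def hq_to_router() -> bool:
    """Unsolicited traffic from headquarters is allowed by the static entry."""
    fa0 = OutsideInterface()
    return fa0.inbound(Packet("tcp", "9.9.9.9", "1.2.3.4", 50000, 22))


if __name__ == "__main__":
    print("static inbound ACL only, web reply permitted:", lan_host_to_web(static_only=True))
    print("with reflect/evaluate, web reply permitted:   ", lan_host_to_web())
    print("router-sourced ping reply permitted:         ", router_sourced_ping())
    print("HQ to router permitted:                      ", hq_to_router())
```

The practical point for the test method discussed in the thread: a reply to a router-sourced ping is dropped in this model for the same reason it is dropped on the real box, so it says nothing about whether LAN users have connectivity. A ping or TCP connection initiated from a host on VLAN 12 is the test that actually exercises the `reflect`/`evaluate` (or `ip inspect ... out`) path.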

Hi,

Thank you, I think you understand what I want, but it is not working.

The crypto map is for the VPN and it is working without any problems.

What I need to know is that when I make these changes I can get to the router from outside, but I don't know if the internet for users is working...

I have only one method to try it, and that is a ping from the source IP address to an external IP address. I don't have any server there, or anything else I can access through the VPN, to try whether the internet is working, and the problem is time zones: I'm sleeping when the users there are working.

ping X.Y.Z.Z source 192.168.12.1
