07-31-2006 01:59 AM - edited 03-03-2019 01:30 PM
Hi,
I'm part way through configuring an 877W and I have been following the config guide here: http://www.cisco.com/en/US/products/hw/routers/ps380/products_configuration_guide_chapter09186a008045d275.html
I've applied an access-list to the WAN interface as shown in the above guide i.e. access-list 103 deny ip any any then on the WAN interface applied the access-list as follows: access-group 103 in.
The problem I have is that all incoming traffic is now dropped by this interface, whether it relates to an existing outbound connection or not. For example if I initiate an outgoing connection, the response is dropped. I can't even ping a host from the CLI of the router itself. If I remove the access-list from the interface, everything is fine. I've never had this problem before and I've always used this kind of access-list on a WAN interface.
Logging the access list shows this for example: %SEC-6-IPACCESSLOGP: list 103 denied tcp 64.156.132.140(0) -> x.x.x.x(0), 1 packet
where x.x.x.x is my IP address. There's nothing logged for the outgoing packets so I'm assuming that traffic is allowed out but the corresponding response is not allowed back in?
I think the relevant parts of the config are here, I can post it all if that would be helpful:
bridge irb
!
!
interface ATM0
 no ip address
 no cdp enable
 no atm ilmi-keepalive
 pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
 dsl operating-mode auto
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Dot11Radio0
interface Vlan1
 no ip address
 ip inspect firewall in
 bridge-group 1
!
interface Vlan2
 no ip address
 ip inspect firewall in
 bridge-group 2
!
interface Dialer0
 ip address x.x.x.x 255.0.0.0
 ip access-group 103 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap callin
 ppp chap hostname username
 ppp chap password password
!
!
interface BVI1
 ip address 192.168.80.1 255.255.255.0
 ip nat inside
 ip access-group 100 in
 ip virtual-reassembly
!
interface BVI2
 ip address 172.17.0.1 255.255.255.0
 ip nat inside
 ip access-group 101 in
 ip virtual-reassembly
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
!
!
no ip http server
no ip http secure-server
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source list 2 interface Dialer0 overload
!
access-list 1 permit 192.168.80.0 0.0.0.255
access-list 2 permit 172.17.0.0 0.0.0.255
access-list 3 deny 172.17.0.0 0.0.0.255
access-list 100 permit ip 192.168.80.0 0.0.0.255 any
access-list 100 permit ip any any
access-list 101 permit ip 172.17.0.0 0.0.0.255 any
access-list 101 permit ip any any
access-list 103 deny ip any any
dialer-list 1 protocol ip permit
!
!
!
!
!
end
07-31-2006 02:15 AM
What is happening looks OK to me. Any access-list with deny ip any any will drop any connection. What you need to do is specifically allow traffic destined to your network.
For example
access-list 103 permit tcp any eq www any
access-list 103 deny ip any any
Or as in the example in the link you gave
! acl 103 defines traffic allowed from the peer for the IPSec tunnel.
access-list 103 permit udp host 200.1.1.1 any eq isakmp
access-list 103 permit udp host 200.1.1.1 eq isakmp any
access-list 103 permit esp host 200.1.1.1 any
! Allow ICMP for debugging but should be disabled because of security implications.
access-list 103 permit icmp any any
access-list 103 deny ip any any
07-31-2006 04:20 AM
Thank you, that makes sense. But what bothers me is I have never had to do this before. My existing 837 routers have the following config, so why does this work fine? i.e. traffic goes straight out to the internet and works OK. I recognise there are some differences in the config here but I don't know what the effects are.
!
interface Dialer0
 ip address x.x.x.x 255.0.0.0
 ip access-group 101 in
 ip nat outside
 encapsulation ppp
 dialer pool 1
 ppp authentication chap callin
 ppp chap hostname username
 ppp chap password password
 crypto map nolan
!
ip nat inside source route-map nonat interface Dialer0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
ip http server
!
!
access-list 1 permit 192.168.10.0 0.0.0.255
access-list 100 permit ip 192.168.10.0 0.0.0.255 any
access-list 100 permit ip any any
access-list 101 permit ip host x.x.x.x host x.x.x.x
access-list 101 permit ip 172.31.0.0 0.0.255.255 192.168.10.0 0.0.0.255
access-list 101 deny ip any any
access-list 120 permit ip 192.168.10.0 0.0.0.255 172.31.0.0 0.0.255.255
access-list 130 deny ip 192.168.10.0 0.0.0.255 172.31.0.0 0.0.255.255
access-list 130 permit ip 192.168.10.0 0.0.0.255 any
route-map nonat permit 10
 match ip address 130
08-29-2006 09:36 PM
I see that you have 'ip inspect firewall in' specified on your inside interfaces, but I don't see any inspect policy definitions like 'ip inspect name firewall tcp'. Without specifying anything, nothing is permitted.
You should put the inspect parameter under your dialer interface where the inbound access-group is applied.
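As an added example (not the original poster's configuration and not any reply's own text), here is how the inbound WAN access-list and a CBAC inspection rule fit together on the 877W so that replies to LAN-initiated sessions get through while unsolicited inbound traffic still hits deny ip any any. It ties together the two points made in the replies: static permits in access-list 103 for what inspection cannot open, and a named inspection rule applied on the interface that carries the inbound ACL. The rule name FW, the log keyword on the final deny, and the ICMP message types permitted for the router's own ping and traceroute are my choices, not the page's.

```cisco
! Added example, not from the thread. Rule name FW is arbitrary.
!
! 1. Define the inspection rule. "ip inspect firewall in" on an interface
!    refers to a rule named "firewall"; if no such rule has been defined with
!    "ip inspect name", no session state is created and no dynamic entries are
!    ever opened in front of access-list 103, so every reply is dropped.
ip inspect name FW tcp
ip inspect name FW udp
ip inspect name FW icmp
!
! 2. Apply the rule OUTBOUND on the same interface that carries the inbound
!    ACL. Each session leaving Dialer0 creates a temporary entry that admits
!    its return packets ahead of the entries in access-list 103.
interface Dialer0
 ip access-group 103 in
 ip inspect FW out
!
! 3. With inspection on Dialer0, the undefined "firewall" references on the
!    bridge-group member VLAN interfaces serve no purpose and can go.
interface Vlan1
 no ip inspect firewall in
interface Vlan2
 no ip inspect firewall in
!
! 4. Static entries remain only for traffic inspection does not cover.
!    Classic CBAC does not track sessions the router itself originates, which
!    is why a ping from the CLI was dropped even though LAN hosts' traffic was
!    not logged outbound. Permit the ICMP replies a router-sourced ping or
!    traceroute needs (assumed set; trim to taste), then log what the final
!    deny catches so the next debugging round has evidence to work from.
no access-list 103
access-list 103 permit icmp any any echo-reply
access-list 103 permit icmp any any time-exceeded
access-list 103 permit icmp any any unreachable
access-list 103 deny ip any any log
```

After applying this, open a connection from a LAN host and check `show ip inspect sessions`: each active session should appear there, and `show ip access-lists 103` should show hits only on the static entries and the final deny. Newer IOS releases accept a `router-traffic` keyword on `ip inspect name ... icmp` (check with `ip inspect name FW icmp ?`) that makes the router's own pings stateful as well, in which case the echo-reply entry above becomes unnecessary.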