877 WAN interface drops all traffic

richardwhit
Level 1

Hi,

I'm part way through configuring an 877W and I have been following the config guide here: http://www.cisco.com/en/US/products/hw/routers/ps380/products_configuration_guide_chapter09186a008045d275.html

I've applied an access-list to the WAN interface as shown in the above guide i.e. access-list 103 deny ip any any then on the WAN interface applied the access-list as follows: access-group 103 in.

The problem I have is that all incoming traffic is now dropped by this interface, whether it relates to an existing outbound connection or not. For example if I initiate an outgoing connection, the response is dropped. I can't even ping a host from the CLI of the router itself. If I remove the access-list from the interface, everything is fine. I've never had this problem before and I've always used this kind of access-list on a WAN interface.

Logging the access list shows this for example: %SEC-6-IPACCESSLOGP: list 103 denied tcp 64.156.132.140(0) -> x.x.x.x(0), 1 packet

where x.x.x.x is my IP address. There's nothing logged for the outgoing packets so I'm assuming that traffic is allowed out but the corresponding response is not allowed back in?

I think the relevant parts of the config are here, I can post it all if that would be helpful:

bridge irb
!
!
interface ATM0
 no ip address
 no cdp enable
 no atm ilmi-keepalive
 pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
 dsl operating-mode auto
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Dot11Radio0
interface Vlan1
 no ip address
 ip inspect firewall in
 bridge-group 1
!
interface Vlan2
 no ip address
 ip inspect firewall in
 bridge-group 2
!
interface Dialer0
 ip address x.x.x.x 255.0.0.0
 ip access-group 103 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap callin
 ppp chap hostname username
 ppp chap password password
!
!
interface BVI1
 ip address 192.168.80.1 255.255.255.0
 ip nat inside
 ip access-group 100 in
 ip virtual-reassembly
!
interface BVI2
 ip address 172.17.0.1 255.255.255.0
 ip nat inside
 ip access-group 101 in
 ip virtual-reassembly
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
!
!
no ip http server
no ip http secure-server
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source list 2 interface Dialer0 overload
!
access-list 1 permit 192.168.80.0 0.0.0.255
access-list 2 permit 172.17.0.0 0.0.0.255
access-list 3 deny 172.17.0.0 0.0.0.255
access-list 100 permit ip 192.168.80.0 0.0.0.255 any
access-list 100 permit ip any any
access-list 101 permit ip 172.17.0.0 0.0.0.255 any
access-list 101 permit ip any any
access-list 103 deny ip any any
dialer-list 1 protocol ip permit
!
!
!
!
!
end

3 Replies

attrgautam
Level 5

What is happening looks OK to me. Any access-list with deny ip any any will drop any connection. What you need to do is specifically allow traffic destined to your network.

For example

! return traffic from web servers (source port 80) to any inside host
access-list 103 permit tcp any eq www any
access-list 103 deny ip any any

Or as in the example in the link you gave

! acl 103 defines traffic allowed from the peer for the IPSec tunnel.
access-list 103 permit udp host 200.1.1.1 any eq isakmp
access-list 103 permit udp host 200.1.1.1 eq isakmp any
access-list 103 permit esp host 200.1.1.1 any
! Allow ICMP for debugging but should be disabled because of security implications.
access-list 103 permit icmp any any
access-list 103 deny ip any any

Thank you, that makes sense. But what bothers me is that I have never had to do this before. My existing 837 routers have the following config, so why does this work fine? i.e. traffic goes straight out to the internet and works OK. I recognise there are some differences in the config here but I don't know what the effects are.

!
interface Dialer0
 ip address x.x.x.x 255.0.0.0
 ip access-group 101 in
 ip nat outside
 encapsulation ppp
 dialer pool 1
 ppp authentication chap callin
 ppp chap hostname username
 ppp chap password password
 crypto map nolan
!
ip nat inside source route-map nonat interface Dialer0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
ip http server
!
!
access-list 1 permit 192.168.10.0 0.0.0.255
access-list 100 permit ip 192.168.10.0 0.0.0.255 any
access-list 100 permit ip any any
access-list 101 permit ip host x.x.x.x host x.x.x.x
access-list 101 permit ip 172.31.0.0 0.0.255.255 192.168.10.0 0.0.0.255
access-list 101 deny ip any any
access-list 120 permit ip 192.168.10.0 0.0.0.255 172.31.0.0 0.0.255.255
access-list 130 deny ip 192.168.10.0 0.0.0.255 172.31.0.0 0.0.255.255
access-list 130 permit ip 192.168.10.0 0.0.0.255 any
route-map nonat permit 10
 match ip address 130

jdsalminen
Level 1

I see that you have 'ip inspect firewall in' specified on your inside interfaces, but I don't see any inspect policy definitions like 'ip inspect name firewall tcp'. Without specifying anything, nothing is permitted.

You should put the inspect parameter under your dialer interface where the inbound access-group is applied.
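As an added example (not a config from this thread or from Cisco's guide), here is what the two replies above amount to together: the inspection rule named `firewall` that the posted config references gets defined and moved to Dialer0, so return traffic for outbound sessions is opened dynamically, while ACL 103 keeps only the static permits that inspection cannot supply. The names `firewall`, `103`, `Dialer0`, `Vlan1` and `Vlan2` come from the posted config; the echo-reply permit is an assumption added for the router's own CLI ping, since inspection of transit traffic does not track packets the router itself originates.

```cisco
! Added example, not the original poster's config.
! Define the CBAC inspection rule that the existing "ip inspect firewall in" lines
! reference but never define; without it, nothing is inspected and nothing is opened.
ip inspect name firewall tcp
ip inspect name firewall udp
ip inspect name firewall icmp
!
! Outside interface: inspect sessions leaving via Dialer0 so their return traffic is
! permitted back through ACL 103 for the life of the session. The static ACL stays closed.
interface Dialer0
 ip access-group 103 in
 ip inspect firewall out
!
! With inspection bound to Dialer0 the inside-interface statements are redundant.
interface Vlan1
 no ip inspect firewall in
interface Vlan2
 no ip inspect firewall in
!
! Numbered ACLs append new lines at the end, so the existing "deny ip any any" would
! shadow any permit added after it. Remove the list and rebuild it in order.
no access-list 103
! Assumption: replies to pings issued from the router's own CLI are not covered by
! transit inspection, so they need a static permit. Everything else is denied and logged.
access-list 103 permit icmp any any echo-reply
access-list 103 deny ip any any log
```

While an outbound connection is open, `show ip inspect sessions` should list it and `show ip inspect config` should show the `firewall` rule bound outbound on Dialer0; if the log line from the original post still appears for that session's return traffic, inspection is not matching it.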
