11-13-2013 03:02 AM - edited 03-04-2019 09:34 PM
Hi,
We have one router connected to Internet.
Fa 0/0 have WAN ip with subnet 255.255.255.252 to ISP
Fa 0/1 have Public LAN pool with Subnet 255.255.255.248 using for DMZ servers
Now we want to apply an access list on the Fa0/0 interface in the "in" direction, so that we can restrict access from the Internet to the inside DMZ servers (allow only https, http and RDP from specific hosts on the Internet to the DMZ servers).
But from DMZ server we need to allow http and https to Internet.
The problem is, when we apply the access list on the outside (Fa0/0) interface in the in direction, it blocks the http and https return traffic for the DMZ servers.
How to overcome this?
Thanks
11-13-2013 03:17 AM
Hi,
post sh run interface f0/0 and sh run interface f0/1 and sh access-list
Regards
Alain
Don't forget to rate helpful posts.
11-13-2013 04:43 AM
Alain has asked for good information which will be helpful in advising you on a solution for your question. The title of this thread hints at the most common way to achieve the requirement that hosts inside should be able to establish TCP sessions and that the response traffic should be permitted. This is to use the established parameter on a permit statement with these hosts or this subnet as the destination. It is also likely that some other traffic, such as DNS traffic (which typically uses UDP and is therefore not affected by established), will also need to be permitted.
HTH
Rick
11-13-2013 08:08 PM
Hi Alain,
These are the output.
interface FastEthernet0/0
ip address 123.123.4X.56 255.255.255.252
ip access-group Permit-ALC in
ip accounting output-packets
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 123.456.5X.65 255.255.255.248
description Public-WAN Pool
ip accounting output-packets
duplex auto
speed auto
!
!
!
ip route 0.0.0.0 0.0.0.0 123.123.4X.55
!
ip access-list extended Permit-ALC
permit tcp any any eq www
permit tcp any any eq 443
permit tcp any any eq 8080
permit tcp any any eq domain
permit tcp host XX.XX.XX.XX host 123.456.5X.66 eq 3389
permit tcp host XX.XX.XX.XX host 123.456.5X.67 eq 3389
permit tcp host XX.XX.XX.XX host 123.456.5X.68 eq 3389
deny tcp any any
If I apply the access list on Fa0/0, then the hosts on Fa0/1 are not able to reach the Internet, because Fa0/0 is blocking the return traffic.
I tried allowing established sessions in the ACL (with the established keyword), but packets are getting dropped and the browsing session gets disconnected in the middle.
11-13-2013 11:56 PM
Hi,
no ip access-list extended Permit-ALC
ip access-list extended Permit-ALC
permit tcp any any established
! x.x.x.x is your external DNS server
permit udp host x.x.x.x eq 53 any
permit tcp host x.x.x.x eq 53 any
permit tcp host XX.XX.XX.XX host 123.456.5X.66 eq 3389
permit tcp host XX.XX.XX.XX host 123.456.5X.67 eq 3389
permit tcp host XX.XX.XX.XX host 123.456.5X.68 eq 3389
deny ip any any log
Regards
Alain
Don't forget to rate helpful posts.
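As an added illustration (not code from the thread or from Cisco), here is a small Python model of how an inbound extended ACL evaluates packets: the poster's original Permit-ALC from the earlier post beside Alain's established-based replacement above, run against constructed return packets. The addresses are constructed placeholders for the masked ones in the thread, and the model only handles host/any matching and the established flag.

```python
from collections import namedtuple

# A packet as the ACL sees it; ack=True means the TCP ACK or RST bit is set
Pkt = namedtuple("Pkt", "proto src sport dst dport ack", defaults=[False])

def ace(action, proto, src, sport, dst, dport, established=False):
    """One access-list entry; "any" and None act as wildcards, as on IOS."""
    return (action, proto, src, sport, dst, dport, established)

def matches(e, p):
    action, proto, src, sport, dst, dport, est = e
    if proto not in ("ip", p.proto): return False
    if src != "any" and src != p.src: return False
    if dst != "any" and dst != p.dst: return False
    if sport is not None and sport != p.sport: return False
    if dport is not None and dport != p.dport: return False
    # "established" matches only TCP segments with ACK/RST, i.e. not the SYN
    if est and not (p.proto == "tcp" and p.ack): return False
    return True

def evaluate(acl, p):
    """First match wins; the implicit deny at the end drops what is left."""
    for e in acl:
        if matches(e, p):
            return e[0]
    return "deny"

# Poster's original Permit-ALC, applied inbound on Fa0/0. Constructed
# addresses stand in for the masked ones: DMZ host 192.0.2.66, admin 203.0.113.9
ORIGINAL = [
    ace("permit", "tcp", "any", None, "any", 80),
    ace("permit", "tcp", "any", None, "any", 443),
    ace("permit", "tcp", "any", None, "any", 53),
    ace("permit", "tcp", "203.0.113.9", None, "192.0.2.66", 3389),
    ace("deny", "tcp", "any", None, "any", None),
]
# Alain's replacement: established first, then DNS replies, then inbound RDP
FIXED = [
    ace("permit", "tcp", "any", None, "any", None, established=True),
    ace("permit", "udp", "198.51.100.53", 53, "any", None),  # external DNS
    ace("permit", "tcp", "198.51.100.53", 53, "any", None),
    ace("permit", "tcp", "203.0.113.9", None, "192.0.2.66", 3389),
    ace("deny", "ip", "any", None, "any", None),
]
# Constructed packets arriving on Fa0/0 from the Internet
HTTP_REPLY = Pkt("tcp", "93.184.216.34", 80, "192.0.2.66", 51000, ack=True)
DNS_REPLY = Pkt("udp", "198.51.100.53", 53, "192.0.2.66", 40000)
NEW_WEB_SYN = Pkt("tcp", "203.0.113.200", 44444, "192.0.2.66", 80)
RDP_FROM_ADMIN = Pkt("tcp", "203.0.113.9", 50000, "192.0.2.66", 3389)
```

Running evaluate() on the sample packets shows the original list dropping the HTTP and DNS replies (source port 80/53, destination an ephemeral port) while still admitting any new inbound web connection, whereas the established-based list does the opposite.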
11-15-2013 04:02 AM
Hi Alain,
I tried "permit tcp any any established"; the Internet works from inside for some time and then gets disconnected.
I also tried allowing ports greater than 1023, but it is still not stable.
Thanks & Regards
Shibi Dev
11-15-2013 04:36 AM
Hi,
Do you have logs when you get disconnected ?
Maybe you could try permitting icmp unreachable in for path MTU discovery.
ip access-list extended Permit-ALC
10 permit icmp any any unreachable
Regards
Alain
Don't forget to rate helpful posts.
11-14-2013 12:15 AM
Hi,
do I understand correctly the sense of your ACL beginning
permit tcp any any eq www
permit tcp any any eq 443
permit tcp any any eq 8080
permit tcp any any eq domain
is to permit www and similar traffic connections originated from your network to the Internet?
And
permit tcp host XX.XX.XX.XX host 123.456.5X.66 eq 3389
permit tcp host XX.XX.XX.XX host 123.456.5X.67 eq 3389
permit tcp host XX.XX.XX.XX host 123.456.5X.68 eq 3389
is here to permit connections from the Internet to your network?
In that case, IMHO you would probably need two ACLs:
ip access-list extended Permit-ALC_out
permit tcp any any eq www
permit tcp any any eq 443
permit tcp any any eq 8080
permit tcp any any eq domain
permit udp any any eq domain
permit tcp host 123.456.5X.66 eq 3389 host XX.XX.XX.XX established
permit tcp host 123.456.5X.67 eq 3389 host XX.XX.XX.XX established
permit tcp host 123.456.5X.68 eq 3389 host XX.XX.XX.XX established
and
ip access-list extended Permit-ALC_in
permit tcp any eq www any established
permit tcp any eq 443 any established
permit tcp any eq 8080 any established
permit tcp any eq domain any established
permit udp any eq domain any
permit tcp host XX.XX.XX.XX host 123.456.5X.66 eq 3389
permit tcp host XX.XX.XX.XX host 123.456.5X.67 eq 3389
permit tcp host XX.XX.XX.XX host 123.456.5X.68 eq 3389
And on your ISP interface:
interface FastEthernet0/0
ip address 123.123.4X.56 255.255.255.252
ip access-group Permit-ALC_in in
ip access-group Permit-ALC_out out
Note I've added DNS running on UDP to your ACL, as I believe most clients are sending DNS requests over UDP to the DNS servers?
Best regards,
Milan
11-15-2013 04:10 AM
Hi Milan,
I will try this and let you know. But in Permit-ALC_Out we can allow "any any", right? Because we can allow all the traffic from inside to outside.
Thanks & Regards
Shibi Dev
11-15-2013 04:24 AM
Hi,
if you want to permit anything from inside to outside, you don't need the Permit-ALC_Out at all.
You can use the ACL Alain suggested already.
Best regards,
Milan