ACL blocks www even when it's allowed

Ricky Sandhu
Level 1

Hi everyone, I was wondering if any of you can help me with an issue I am having with an inbound ACL on my router's public interface. Even though I allow web traffic, it still blocks it, as I am not able to surf out. What am I doing wrong?

ip access-list extended BLOCK
permit udp any eq bootps any eq bootpc
remark Block antispoofing
deny   ip host 255.255.255.255 any log
deny   ip 127.0.0.0 0.255.255.255 any log
deny   ip 10.0.0.0 0.255.255.255 any log
deny   ip 172.16.0.0 0.15.255.255 any log
deny   ip 192.168.0.0 0.0.255.255 any log
deny   ip any 10.0.0.0 0.255.255.255 log
deny   ip any 172.16.0.0 0.15.255.255 log
deny   ip any 192.168.0.0 0.0.255.255 log
remark permit web traffic
permit tcp any any eq www
remark allow reply to an echo request
permit icmp any any echo-reply
deny   icmp any any redirect
deny   ip any any

4 Replies

John Blakley
VIP Alumni

Can you post the counts for the acl?

sh access-list BLOCK

HTH, John *** Please rate all useful posts ***

Here you go. There are a few extra PERMIT statements here, as I had narrowed it down earlier.

r-exp-lab-1#sh access-lists BLOCK
Extended IP access list BLOCK
    10 permit udp any eq bootps any eq bootpc
    20 deny ip host 255.255.255.255 any log
    30 deny ip 127.0.0.0 0.255.255.255 any log
    40 deny ip 10.0.0.0 0.255.255.255 any log
    50 deny ip 172.16.0.0 0.15.255.255 any log
    60 deny ip 192.168.0.0 0.0.255.255 any log
    70 deny ip any 10.0.0.0 0.255.255.255 log
    80 deny ip any 172.16.0.0 0.15.255.255 log
    90 deny ip any 192.168.0.0 0.0.255.255 log
    100 permit tcp any any eq www
    110 permit tcp any any eq 22
    120 permit udp any any eq isakmp (28 matches)
    130 permit esp any any (19 matches)
    140 permit gre any any
    150 permit udp any any eq non500-isakmp
    160 permit icmp any any echo-reply (6 matches)
    170 deny icmp any any redirect
    180 deny ip any any (199 matches)

Okay...a couple of things:

1. Are you trying to surf the web through the tunnel?

2. It doesn't look like you're allowing dns. Try adding:

ip access-list ext BLOCK
remark DNS replies for outbound lookups arrive from source port 53 (IOS keyword: domain)
5 permit udp any eq domain any

HTH, John *** Please rate all useful posts ***

Hi there, so I made some modifications and now it seems to be working.

ip access-list extended BLOCK
permit udp any eq bootps any eq bootpc
remark Block antispoofing
deny   ip host 255.255.255.255 any log
deny   ip 127.0.0.0 0.255.255.255 any log
deny   ip 10.0.0.0 0.255.255.255 any log
deny   ip 172.16.0.0 0.15.255.255 any log
deny   ip 192.168.0.0 0.0.255.255 any log
deny   ip any 10.0.0.0 0.255.255.255 log
deny   ip any 172.16.0.0 0.15.255.255 log
deny   ip any 192.168.0.0 0.0.255.255 log
permit tcp any any eq 22
remark gre tunnels permitted
permit udp any any eq isakmp
permit esp any any
permit gre any any
permit udp any any eq non500-isakmp
remark allow reply to an echo request
permit icmp any any echo-reply
deny   icmp any any redirect
deny   ip any any

I created a NAT ACL

ip access-list extended nat_control
deny   ip 172.18.0.0 0.0.255.255 10.0.0.0 0.255.255.255
deny   ip 172.18.0.0 0.0.255.255 172.16.0.0 0.0.255.255
deny   ip 172.18.0.0 0.0.255.255 192.168.0.0 0.0.255.255
deny   ip 172.18.0.0 0.0.255.255 211.128.0.0 0.0.255.255
deny   ip 172.18.0.0 0.0.255.255 199.126.0.0 0.0.255.255
permit ip 172.18.0.0 0.0.255.255 any

Created a route-map and applied nat_control to my outside interface:

route-map primary_nat permit 10
description primary_nat
match ip address nat_control
match interface GigabitEthernet0/0

ip nat inside source route-map primary_nat interface GigabitEthernet0/0 overload

Also added an outbound inspect for http on GigabitEthernet0/0
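Why the original ACL dropped the browsing traffic, as an added example that is not part of the thread: a small Python evaluator (written for this page, with constructed documentation-range addresses) applies IOS first-match semantics to an excerpt of the inbound ACL and shows that `permit tcp any any eq www` only admits connections *to* port 80, while the reply half of an outbound session (source port 80, ephemeral destination port) falls through to `deny ip any any`; the stateful `ip inspect` the OP added is what opens that return path dynamically.

```python
import ipaddress

PORTS = {"www": 80, "domain": 53, "bootps": 67, "bootpc": 68}  # IOS names port 53 "domain"

def parse_ace(line):
    """Parse one IOS extended ACE: action proto src [eq p] dst [eq p]. Trailing keywords
    (log, established, echo-reply) are ignored by this simplified matcher."""
    tok = line.split()
    action, proto, i = tok[0], tok[1], 2
    def addr():
        nonlocal i
        if tok[i] == "any":
            i += 1
            return ipaddress.ip_network("0.0.0.0/0")
        if tok[i] == "host":
            i += 2
            return ipaddress.ip_network(tok[i - 1] + "/32")
        net, wildcard = tok[i], tok[i + 1]
        i += 2
        prefix = 32 - int(ipaddress.ip_address(wildcard)).bit_length()  # 0.0.255.255 -> /16
        return ipaddress.ip_network(f"{net}/{prefix}", strict=False)
    def port():
        nonlocal i
        if i < len(tok) and tok[i] == "eq":
            name, i = tok[i + 1], i + 2
            return PORTS.get(name, int(name) if name.isdigit() else name)
        return None  # no "eq" means any port
    src, sport, dst, dport = addr(), port(), addr(), port()
    return action, proto, src, sport, dst, dport

def evaluate(acl, proto, src, sport, dst, dport):
    """First match wins, then the implicit deny, as on IOS. Returns (action, matching ACE)."""
    for text in acl:
        action, p, s, sp, d, dp = parse_ace(text)
        if (p in ("ip", proto) and ipaddress.ip_address(src) in s and ipaddress.ip_address(dst) in d
                and sp in (None, sport) and dp in (None, dport)):
            return action, text
    return "deny", "implicit deny"

# Constructed excerpt of the thread's inbound ACL "BLOCK" on the public interface.
BLOCK = ["permit udp any eq bootps any eq bootpc", "deny ip host 255.255.255.255 any log",
         "deny ip 10.0.0.0 0.255.255.255 any log", "deny ip any 192.168.0.0 0.0.255.255 log",
         "permit tcp any any eq www", "permit icmp any any echo-reply", "deny ip any any"]
def web_reply_verdict(acl=BLOCK):
    """Reply half of an outbound browsing session (constructed addresses): the server answers
    FROM port 80 TO the client's ephemeral port, so 'eq www' on the destination never matches."""
    return evaluate(acl, "tcp", "198.51.100.10", 80, "203.0.113.5", 51515)
def stateless_fix():
    """Permit the return half explicitly; CBAC inspection (the thread's fix) does this dynamically."""
    return BLOCK[:4] + ["permit tcp any eq www any established"] + BLOCK[4:]
```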
