acl help

rhltechie
Level 1

hi all,

i have the following in my router, i only want the web and the cisco vpn to work. when i apply these, it stops so apparently i am doing something wrong! can someone help? thanks!!

access-list 2 remark <name>
access-list 2 permit <ip> 0.0.0.255
access-list 120 permit udp any any eq isakmp
access-list 120 permit udp any any eq non500-isakmp
access-list 120 deny ip 10.0.0.0 0.255.255.255 any
access-list 120 deny ip 127.0.0.0 0.255.255.255 any
access-list 120 deny ip 172.16.0.0 0.15.255.255 any
access-list 120 deny ip 192.168.0.0 0.0.255.255 any
access-list 120 deny ip 224.0.0.0 31.255.255.255 any
access-list 120 permit tcp any any eq www
access-list 120 permit esp any any
access-list 130 deny ip any any

i have these applied to my wan int with 120 in and 130 out.

TIA,

R

8 Replies

pkhatri
Level 11

Hi,

One of the problems I can see immediately is that ACL 130 is blocking absolutely everything.

For starters, I suggest you remove the outbound ACL 130. That will allow you to check whether the inbound ACL 120 works or not.

Paresh

Another thing I can see is where you have matched on the tcp port... In an extended ACL you can insert the 'eq' keyword after the source and/or the destination, depending on where the server is located. It is sometimes better to have statements that match on both the source and destination.

So you may want to modify ACL 120 so that it looks like this:

access-list 120 permit udp any any eq isakmp
access-list 120 permit udp any eq isakmp any
access-list 120 permit udp any any eq non500-isakmp
access-list 120 permit udp any eq non500-isakmp any
access-list 120 deny ip 10.0.0.0 0.255.255.255 any
access-list 120 deny ip 127.0.0.0 0.255.255.255 any
access-list 120 deny ip 172.16.0.0 0.15.255.255 any
access-list 120 deny ip 192.168.0.0 0.0.255.255 any
access-list 120 deny ip 224.0.0.0 31.255.255.255 any
access-list 120 permit tcp any any eq www
access-list 120 permit tcp any eq www any
access-list 120 permit esp any any

Pls do remember to rate the posts.

Paresh

thanks for your help.

when i try this, with taking the 130 out totally as well, i can use the vpn but not the web.

It might help if you pasted a bit more of your config so that we can see the context in which you are applying the ACL and any NAT setup etc.

Paresh

You might also want to add the following lines to ACL 120 to allow https:

access-list 120 permit tcp any any eq 443
access-list 120 permit tcp any eq 443 any

Paresh

Hi Paresh,

Sorry for the delay, the weekend came around and my work ethic went out the window! ;)

my config is as follows:

interface FastEthernet0/0
description LAN Int
ip address 255.255.255.0
ip nat inside
duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface Serial0/0/0:1
no ip address
ip access-group 120 in
ip access-group 130 out
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip route-cache flow
shutdown
no fair-queue
!
interface Serial0/0/1:1
no ip address
!
interface Serial0/1/0
ip address 255.255.255.252
no ip redirects
ip nat outside
encapsulation frame-relay IETF
ip route-cache flow
fair-queue
frame-relay interface-dlci
frame-relay lmi-type ansi
!
no ip classless
ip route 0.0.0.0 0.0.0.0
!
!
no ip http server
no ip http secure-server
ip http timeout-policy idle 5 life 86400 requests 10000
ip nat inside source list 2 interface Serial0/1/0 overload
!
access-list 2 remark Charlotte_NAT
access-list 2 permit 0.0.0.255
access-list 120 permit udp any any eq isakmp
access-list 120 permit udp any eq isakmp any
access-list 120 permit udp any any eq non500-isakmp
access-list 120 permit udp any eq non500-isakmp any
access-list 120 deny ip 10.0.0.0 0.255.255.255 any
access-list 120 deny ip 127.0.0.0 0.255.255.255 any
access-list 120 deny ip 172.16.0.0 0.15.255.255 any
access-list 120 deny ip 192.168.0.0 0.0.255.255 any
access-list 120 deny ip 224.0.0.0 31.255.255.255 any
access-list 120 permit tcp any any
access-list 120 permit esp any any
access-list 130 deny ip any any
!

I believe that with this config, if you remove access-list 130, everything will work. Access-list 130 is blocking everything.

However, you have permitted all tcp connections. This might not be desirable to you. Initially you permitted http traffic with the line

access-list 120 permit tcp any any eq www.

Since this is an inbound access-list, the line will allow outside users to connect to your locally hosted webservers on port 80. For you to browse and connect to the internet, use the line

access-list 120 permit tcp any eq www any.

What you should note is that when you initiate a connection, the destination port often identifies the type of connection. Hence when you launch your web browser and connect to cisco.com, the destination port is 80. However, the response from the web server to you would now have 80 as the source port. Hence, for an inbound access-list on the wan interface, you should match on the source port. If it was outbound, on the wan interface, then you can match on the destination port.
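The source-port point made above (and Paresh's earlier remark about where `eq` goes in an extended ACL), as an added example that is not part of this thread: a small Python model of IOS extended-ACL evaluation (first matching line wins, wildcard masks, implicit deny at the end) run over a constructed copy of the poster's original ACL 120. It shows that a web server's reply with source port 80 is dropped by the original list and passed once `permit tcp any eq www any` is added; the hosts and ports in the checks are constructed documentation addresses.

```python
import ipaddress

# IOS port keywords used in the thread's ACLs; ANY is network 0 with an all-ones wildcard.
PORT_NAMES = {"isakmp": 500, "non500-isakmp": 4500, "www": 80}
ANY = (0, 0xFFFFFFFF)

# Constructed copy of the poster's inbound ACL 120; CORRECTED_ACL adds the reply's source-port line.
ORIGINAL_ACL = """\
access-list 120 permit udp any any eq isakmp
access-list 120 permit udp any any eq non500-isakmp
access-list 120 deny ip 10.0.0.0 0.255.255.255 any
access-list 120 deny ip 127.0.0.0 0.255.255.255 any
access-list 120 deny ip 172.16.0.0 0.15.255.255 any
access-list 120 deny ip 192.168.0.0 0.0.255.255 any
access-list 120 deny ip 224.0.0.0 31.255.255.255 any
access-list 120 permit tcp any any eq www
access-list 120 permit esp any any
"""
CORRECTED_ACL = ORIGINAL_ACL + "access-list 120 permit tcp any eq www any\n"

def _take(tokens):
    """Pop one address spec ('any' or '<addr> <wildcard>') plus an optional 'eq <port>'."""
    spec = ANY if tokens[0] == "any" else tuple(int(ipaddress.IPv4Address(x)) for x in tokens[:2])
    del tokens[:1 if spec is ANY else 2]
    port = None
    if tokens and tokens[0] == "eq":                  # named or numeric port
        port = PORT_NAMES.get(tokens[1]) or int(tokens[1])
        del tokens[:2]
    return spec + (port,)

def parse_acl(text):
    """Parse extended 'access-list <n> permit|deny <proto> ...' lines; remarks are skipped."""
    rules = []
    for line in text.splitlines():
        t = line.split()
        if len(t) >= 4 and t[0] == "access-list" and t[2] != "remark":
            rest = t[4:]
            rules.append((t[2], t[3], _take(rest), _take(rest)))  # source first, then destination
    return rules

def _match(addr, port, spec):
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    net, wild, rport = spec
    return ((int(ipaddress.IPv4Address(addr)) ^ net) & ~wild) == 0 and rport in (None, port)

def evaluate(acl_text, proto, src, sport, dst, dport):
    for action, rproto, rsrc, rdst in parse_acl(acl_text):     # first matching line wins
        if rproto in ("ip", proto) and _match(src, sport, rsrc) and _match(dst, dport, rdst):
            return action
    return "deny"                                               # implicit 'deny ip any any'
```

The same run also shows why the original `permit tcp any any eq www` is the line that opens inbound port 80 to an inside web server, while a spoofed source inside 10.0.0.0/8 is still dropped by the earlier deny regardless of port.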

Hmm..I could have sworn I removed the 130 acl. Paresh said the same as you, but maybe i was mistaken.

I shall try the suggestions.

Thanks!
