ACL Problems

FlorinRobete
Level 1

Hi guys,

I'm a newbie with Cisco and I need your advice and help, please. Here is the config on my router:

ip ips sdf location flash://128MB.sdf
ip ips notify SDEE
ip ips name sdm_ips_rule_101 list 101
no ip domain lookup
!
!
!
!
!
!
!
!
!
interface FastEthernet0/0
 description LAN Connection
 ip address 192.168.8.10 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet0/1
 description WAN Connection
 ip address 208.165.199.94 255.255.255.252
 ip access-group 101 in
 ip ips sdm_ips_rule_101 in
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
ip classless
ip route 0.0.0.0 0.0.0.0 208.165.199.93
!
no ip http server
no ip http secure-server
ip nat pool Test 208.165.197.147 208.165.197.150 netmask 255.255.255.248
ip nat inside source list 1 pool Test overload
ip nat inside source static 192.168.8.2 208.165.197.145 extendable
ip nat inside source static 192.168.8.4 208.165.197.146 extendable
!
access-list 1 permit 192.168.8.0 0.0.0.255
access-list 101 permit tcp any host 208.165.197.145 eq 443
access-list 101 permit tcp any host 208.165.197.145 eq 1494
access-list 101 permit tcp any host 208.165.197.145 eq 2513
access-list 101 permit tcp any host 208.165.197.145 eq 2598
access-list 101 permit tcp any host 208.165.197.146 eq 443
access-list 101 permit tcp any host 208.165.197.146 eq smtp
access-list 101 permit tcp any host 208.165.197.146 eq 995
access-list 101 permit tcp any host 208.165.197.146 eq 993

Everything works fine :) except I cannot get out on the internet :(. What am I doing wrong?

Thank you.

Regards,

PS: The IPs are not the real ones, it's just from a school lab.

7 Replies

vladrac-ccna
Level 5

Hello,

Isn't your ACL 101 blocking the return traffic from the internet?

Vlad

Thanks for the reply. What should I do about that?...

It depends on the security policy you have for your company.

What do you need to access? Who can access your system? What kind of service are they allowed to use? etc.

If you want traffic from the inside network to be allowed to go out to the internet and return, but you don't want traffic from outside to contact your network (unless it's return traffic), you can use a reflexive ACL.

This type of ACL creates ACL entries on demand, i.e. every time you open a connection to the outside, a reflexive ACL entry is created permitting the traffic to come back.

Check the link:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios124/124cg/hsec_c/part15/schreflx.htm

Remember to allow routing protocols or ICMP coming from outside (if needed).

In your scenario, it would be something like:

int fa0/1
 ip access-group 101 in
 ip access-group 102 out

access-list 101 permit tcp any host 208.165.197.145 eq 443
access-list 101 permit tcp any host 208.165.197.145 eq 1494
access-list 101 permit tcp any host 208.165.197.145 eq 2513
access-list 101 permit tcp any host 208.165.197.145 eq 2598
access-list 101 permit tcp any host 208.165.197.146 eq 443
access-list 101 permit tcp any host 208.165.197.146 eq smtp
access-list 101 permit tcp any host 208.165.197.146 eq 995
access-list 101 permit tcp any host 208.165.197.146 eq 993
access-list 101 evaluate outtraffic

access-list 102 permit ip any any reflect outtraffic

HTH,

Vlad

Hi Vlad,

Thank you for your help, but those commands don't work on my router, and the IOS is version 12.4. I did it a different way, through SDM. Sorry, I cannot post the config here.

Regards,

You can try using CBAC to make your router a firewall. Then you will allow your return traffic from the internet...

Try this (use CLI/telnet):

ip inspect name FW tcp
ip inspect name FW udp

interface fa0/1
 ip inspect FW out

This will make your router a stateful firewall that opens up a hole in your ACL for all UDP/TCP packets initiated from your LAN... You still keep your ACL 101 as it is...

If you also need to allow ICMP back, you can also add:

ip inspect name FW icmp

Jens Petter
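Vlad's point about return traffic and Jens Petter's CBAC suggestion come down to the same thing: a plain extended ACL has no memory of which connections left the router, so the reply half of an outbound web session arrives at fa0/1 and falls through to the implicit deny. The Python below is an added example for this thread, not the poster's config and not Cisco code. It parses a subset of the numbered access-list syntax used above (permit/deny, ip/tcp/udp, any / host A / A WILDCARD, optional eq PORT, reflect NAME, evaluate NAME), then evaluates constructed packets against list 101 alone and against Vlad's reflect/evaluate pair. The outside web server 198.51.100.7, the NAT pool port 1025 and the high source ports are constructed test values; everything else is taken from the lab config in the thread.

```python
"""Toy model of IOS extended ACL matching: stateless list vs. reflexive ACL.

Added example for the thread, not Cisco code. Addresses are the lab
addresses posted above plus constructed test values (198.51.100.7, port 1025).
"""
import ipaddress

# Constructed subset of the IOS port-keyword table (enough for the thread's ACLs).
PORT_NAMES = {"smtp": 25, "www": 80, "pop3": 110, "domain": 53}


def _port(tok):
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)


def _ip(text):
    return int(ipaddress.IPv4Address(text))


def _addr(tokens):
    """Consume 'any' | 'host A' | 'A WILDCARD'; return (value, care_mask)."""
    t = tokens.pop(0)
    if t == "any":
        return 0, 0
    if t == "host":
        return _ip(tokens.pop(0)), 0xFFFFFFFF
    # IOS wildcard: 0 bits must match, 1 bits are don't-care (inverse of a netmask).
    return _ip(t), (~_ip(tokens.pop(0))) & 0xFFFFFFFF


def _port_spec(tokens):
    if tokens and tokens[0] == "eq":
        tokens.pop(0)
        return _port(tokens.pop(0))
    return None


def parse_ace(line):
    """Parse one 'access-list <n> ...' line (extended ACL subset) into a dict."""
    tokens = line.split()
    if tokens[0] != "access-list":
        raise ValueError(line)
    acl = int(tokens[1])
    if tokens[2] == "evaluate":  # reflexive-ACL hook: consult the dynamic entries
        return {"acl": acl, "action": "evaluate", "name": tokens[3]}
    ace = {"acl": acl, "action": tokens[2], "proto": tokens[3]}
    tokens = tokens[4:]
    ace["src"], ace["sport"] = _addr(tokens), _port_spec(tokens)
    ace["dst"], ace["dport"] = _addr(tokens), _port_spec(tokens)
    ace["reflect"] = tokens[1] if tokens[:1] == ["reflect"] else None
    return ace


def _match(ace, pkt):
    proto, src, sport, dst, dport = pkt
    if ace["proto"] != "ip" and ace["proto"] != proto:
        return False
    for (val, care), ip in ((ace["src"], _ip(src)), (ace["dst"], _ip(dst))):
        if (ip & care) != (val & care):
            return False
    if ace["sport"] is not None and ace["sport"] != sport:
        return False
    if ace["dport"] is not None and ace["dport"] != dport:
        return False
    return True


def check(acl_lines, pkt, sessions):
    """Return True if pkt (proto, src, sport, dst, dport) is permitted.

    sessions maps a reflexive-ACL name to the set of 5-tuples expected back.
    A permit carrying 'reflect' records the mirrored tuple; 'evaluate' looks
    it up. Anything unmatched hits the implicit deny at the end of the list.
    """
    proto, src, sport, dst, dport = pkt
    for ace in map(parse_ace, acl_lines):
        if ace["action"] == "evaluate":
            if pkt in sessions.setdefault(ace["name"], set()):
                return True
            continue
        if _match(ace, pkt):
            if ace["action"] == "permit" and ace["reflect"]:
                sessions.setdefault(ace["reflect"], set()).add((proto, dst, dport, src, sport))
            return ace["action"] == "permit"
    return False


# The poster's inbound list, as posted in the thread.
ACL_101 = [
    "access-list 101 permit tcp any host 208.165.197.145 eq 443",
    "access-list 101 permit tcp any host 208.165.197.145 eq 1494",
    "access-list 101 permit tcp any host 208.165.197.145 eq 2513",
    "access-list 101 permit tcp any host 208.165.197.145 eq 2598",
    "access-list 101 permit tcp any host 208.165.197.146 eq 443",
    "access-list 101 permit tcp any host 208.165.197.146 eq smtp",
    "access-list 101 permit tcp any host 208.165.197.146 eq 995",
    "access-list 101 permit tcp any host 208.165.197.146 eq 993",
]
ACL_102_OUT = ["access-list 102 permit ip any any reflect outtraffic"]
ACL_101_REFLEXIVE = ACL_101 + ["access-list 101 evaluate outtraffic"]

# Constructed session: an inside host browses the web. NAT overload has already
# rewritten the source to pool address 208.165.197.147:1025, and on the way back
# the inbound ACL on fa0/1 is checked before NAT undoes the translation, so the
# ACL sees the global address in both directions.
OUTBOUND = ("tcp", "208.165.197.147", 1025, "198.51.100.7", 80)
RETURN = ("tcp", "198.51.100.7", 80, "208.165.197.147", 1025)
UNSOLICITED = ("tcp", "198.51.100.7", 40001, "208.165.197.147", 80)
TO_PUBLISHED = ("tcp", "198.51.100.7", 40002, "208.165.197.145", 443)


def stateless_result():
    """Original config: list 101 inbound only, nothing remembers the outbound SYN."""
    return check(ACL_101, RETURN, {})


def reflexive_result():
    """Vlad's fix: outbound traffic reflected into 'outtraffic', evaluated inbound."""
    sessions = {}
    out_ok = check(ACL_102_OUT, OUTBOUND, sessions)
    return (out_ok,
            check(ACL_101_REFLEXIVE, RETURN, sessions),
            check(ACL_101_REFLEXIVE, UNSOLICITED, sessions))


def published_service_result():
    """The static-NAT host on 443 stays reachable under either list."""
    return check(ACL_101, TO_PUBLISHED, {})
```

The model ignores what real IOS adds on top: reflexive entries expire after an idle timeout, the position of the evaluate line in list 101 matters (entries before it still win), and CBAC additionally tracks TCP state rather than just a mirrored 5-tuple. The three results nonetheless show the thread's diagnosis: the return packet is dropped by the posted list 101, permitted once the mirrored entry exists, and an unsolicited connection to the pool address is still denied.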

pushkar1782
Level 1

hey

Edit your access-list 1 to an extended access list...

1) access-list 102 permit ip 192.168.8.0 0.0.0.255 any
   access-list 102 permit tcp any any eq 80

The second statement would also allow this HTTP traffic, apart from the LAN range.

If there is any server from which you access the internet, just modify the second statement:

access-list 102 permit tcp any host (ip of server) eq 80

Hope this helps... thanks, rate this post.

FlorinRobete
Level 1

Thank you, Jens and Pushkar.

I got everything working through SDM, but I'll try your suggestions today. I'll let you know whether they work or not.

Regards,
