10-12-2006 08:10 AM - edited 03-03-2019 02:19 PM
Hi guys,
I'm a newbie with Cisco and I need your advice and help, please. Here is the config on my router:
ip ips sdf location flash://128MB.sdf
ip ips notify SDEE
ip ips name sdm_ips_rule_101 list 101
no ip domain lookup
!
!
!
!
!
!
!
!
!
interface FastEthernet0/0
description LAN Connection
ip address 192.168.8.10 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/1
description WAN Connection
ip address 208.165.199.94 255.255.255.252
ip access-group 101 in
ip ips sdm_ips_rule_101 in
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
ip classless
ip route 0.0.0.0 0.0.0.0 208.165.199.93
!
no ip http server
no ip http secure-server
ip nat pool Test 208.165.197.147 208.165.197.150 netmask 255.255.255.248
ip nat inside source list 1 pool Test overload
ip nat inside source static 192.168.8.2 208.165.197.145 extendable
ip nat inside source static 192.168.8.4 208.165.197.146 extendable
!
access-list 1 permit 192.168.8.0 0.0.0.255
access-list 101 permit tcp any host 208.165.197.145 eq 443
access-list 101 permit tcp any host 208.165.197.145 eq 1494
access-list 101 permit tcp any host 208.165.197.145 eq 2513
access-list 101 permit tcp any host 208.165.197.145 eq 2598
access-list 101 permit tcp any host 208.165.197.146 eq 443
access-list 101 permit tcp any host 208.165.197.146 eq smtp
access-list 101 permit tcp any host 208.165.197.146 eq 995
access-list 101 permit tcp any host 208.165.197.146 eq 993
Everything works fine :) except I cannot get out on the internet :(. What do I do wrong?
Thank you.
Regards,
PS: The IPs are not the real ones; it's just from a school lab.
10-12-2006 08:16 AM
Hello,
Isn't your ACL 101 blocking the return traffic from the internet?
Vlad
10-12-2006 08:35 AM
Thanks for the reply. What should I do about that?
10-12-2006 08:54 AM
It depends on the security policy you have for your company.
What do you need to access? Who can access your system? What kind of services are allowed? etc.
If you want traffic from the inside network to be allowed to go out to the internet and return, but you don't want traffic from outside to contact your network (unless it's return traffic), you can use a reflexive ACL.
This type of ACL creates ACL entries on demand, i.e. every time you open a connection to the outside, a reflexive ACL entry is created permitting the traffic to come back.
Check the link:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios124/124cg/hsec_c/part15/schreflx.htm
Remember to allow routing protocols or ICMP coming from outside (if needed).
In your scenario, it would be something like:
! Reflexive ACLs need named extended access lists; the reflect/evaluate
! keywords are not accepted in numbered access-list syntax.
ip access-list extended OUTBOUND
 permit ip any any reflect outtraffic
!
ip access-list extended INBOUND
 permit tcp any host 208.165.197.145 eq 443
 permit tcp any host 208.165.197.145 eq 1494
 permit tcp any host 208.165.197.145 eq 2513
 permit tcp any host 208.165.197.145 eq 2598
 permit tcp any host 208.165.197.146 eq 443
 permit tcp any host 208.165.197.146 eq smtp
 permit tcp any host 208.165.197.146 eq 995
 permit tcp any host 208.165.197.146 eq 993
 evaluate outtraffic
!
! The IPS rule (ip ips name sdm_ips_rule_101 list 101) still points at ACL 101;
! update it if you replace 101 with the named list.
int fa0/1
 ip access-group INBOUND in
 ip access-group OUTBOUND out
HTH,
Vlad
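Added example, not from the thread or from Cisco: a small Python model of what Vlad describes, evaluating a reply packet against the poster's stateless ACL 101 alone, and then against an inbound list that also evaluates a reflexive list which has mirrored the outbound flow. The outside address 203.0.113.10 and port 51000 are constructed sample values; the inside addresses are the lab IPs from the thread.

```python
# Added example (not from the thread or from Cisco): a minimal model of why a
# stateless inbound ACL like the poster's access-list 101 drops return traffic,
# and how a reflexive ACL (reflect/evaluate) fixes it by mirroring each outbound
# flow into a temporary inbound permit entry. 203.0.113.10/51000 are constructed.
from dataclasses import dataclass

@dataclass(frozen=True)
class Pkt:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

# access-list 101 from the original post as (proto, destination host, port)
ACL_101 = [
    ("tcp", "208.165.197.145", 443), ("tcp", "208.165.197.145", 1494),
    ("tcp", "208.165.197.145", 2513), ("tcp", "208.165.197.145", 2598),
    ("tcp", "208.165.197.146", 443), ("tcp", "208.165.197.146", 25),
    ("tcp", "208.165.197.146", 995), ("tcp", "208.165.197.146", 993),
]

def static_permit(pkt: Pkt) -> bool:
    """Stateless check against ACL 101; the implicit deny is the fallthrough."""
    return any(pkt.proto == p and pkt.dst == h and pkt.dport == port
               for p, h, port in ACL_101)

class ReflexiveAcl:
    """Records the mirror image of each outbound flow, as 'reflect' does."""
    def __init__(self) -> None:
        self.entries = set()  # temporary inbound entries keyed by 5-tuple

    def outbound(self, pkt: Pkt) -> None:
        # 'permit ip any any reflect outtraffic' on the outbound list: store the
        # flow with src/dst and ports swapped so the reply matches later.
        self.entries.add(Pkt(pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport))

    def inbound_permit(self, pkt: Pkt) -> bool:
        # Inbound list: the static entries first, then 'evaluate outtraffic'.
        return static_permit(pkt) or pkt in self.entries

def demo() -> tuple:
    """Verdict on the reply with ACL 101 alone, then with the reflexive ACL."""
    out = Pkt("tcp", "208.165.197.147", 51000, "203.0.113.10", 80)  # post-NAT
    back = Pkt("tcp", "203.0.113.10", 80, "208.165.197.147", 51000)  # reply
    racl = ReflexiveAcl()
    racl.outbound(out)
    return static_permit(back), racl.inbound_permit(back)
```

An unsolicited inbound connection to the NAT pool address is still denied by the reflexive list, since only mirrored flows are ever added.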
10-13-2006 06:20 AM
Hi Vlad,
Thank you for your help, but those commands don't work on my router, and the IOS is version 12.4. I did it a different way, through SDM. Sorry, I cannot post the config here.
Regards,
10-13-2006 09:58 PM
You can try using CBAC to make your router a firewall. Then you will allow your return traffic from the internet...
Try this (use CLI/telnet):
ip inspect name FW tcp
ip inspect name FW udp
interface fa0/1
ip inspect FW out
This will make your router a stateful firewall that opens up a hole in your ACL for all UDP/TCP packets that are initiated from your LAN... You still keep your ACL 101 as it is...
If you also need to allow ICMP back, you can also add:
ip inspect name FW icmp
Jens Petter
10-13-2006 01:29 PM
Hey,
Edit your access-list 1 to an extended access list...
access-list 102 permit ip 192.168.8.0 0.0.0.255 any
access-list 102 permit tcp any any eq 80
The second line would also allow this HTTP traffic, apart from the LAN range.
If there is any server from which you access the internet, just modify the second statement:
access-list 102 permit tcp any host (ip of server) eq 80
Hope this helps... thanks, rate this post.
10-16-2006 07:26 AM
Thank you, Jens and Pushkar.
I got everything working through SDM, but I'll try your suggestions today. I'll let you know if those work or not.
Regards,