Cisco 837 won't resove DNS - config attached

whiteford
Level 1

Hi, I have this config attached. For some reason I can't resolve DNS for web sites etc. If I put the IP of the website in, it works. I'm sure it's something to do with access-list 101. Hope you can advise.

Also MSN won't work.

If I add access-list 101 permit ip any any

all works, but that makes everything insecure?


Hi, I will get the log file tonight. I posted last night (UK time) but must have dreamed it!

I saw the log showing that access-list 101 was denying access whenever I tried to access a website or MSN though.

Should I also be using "IP name-servers" in the config, and get the DHCP scope to point to external DNS servers? I'm not sure what the best practice is for this?

Andy

What I am particularly interested in from the log is what specific traffic is being denied. In my previous response I proposed a theory that the problem is that inspect does not examine traffic where the router itself is the source or the destination. So inspect should not create a permit for the router DNS request. And if the hosts are using the router as their DNS server, then that would be the problem. Seeing the log file could help confirm this. Putting an explicit permit into access list 101 for DNS to the router would be one way to fix it (assuming that I am right) or changing your DHCP configuration so that you do not give the router address as the DNS server to clients would be another way to fix it.

So post the file or make one of these changes.

HTH

Rick


Hi, I will get this log for you. If I just add a couple of DNS servers to the users' DHCP scope, will I have to do anything else, like remove anything, or should that be enough, as you said about those DNS settings in the dialer interface? I will get the log first though, as it will be nice to see what this could be.

Andy

If you add a couple of DNS servers to the DHCP scope I do not believe that you would have to do anything else (assuming that the configuration which specifies the router address as DNS server is overwritten in the process of configuring the DNS servers).

I agree that it would be nice to see the log and to see if it verifies my theory.

HTH

Rick


Rick,

Here it is, 80.92.129.253 is my outside address:

Nov 13 19:03:35.086: %SEC-6-IPACCESSLOGP: list 101 denied tcp 207.46.110.90(1863) -> 80.92.129.253(1043), 1 packet

Nov 13 19:03:40.314: %SEC-6-IPACCESSLOGP: list 101 denied udp 90.207.238.97(53) -> 80.92.129.253(53), 1 packet

Nov 13 19:03:51.444: %SEC-6-IPACCESSLOGP: list 101 denied udp 87.86.189.16(53) -> 80.92.129.253(53), 1 packet

Nov 13 19:04:08.240: %SEC-6-IPACCESSLOGP: list 101 denied udp 91.22.108.100(6348) -> 80.92.129.253(35191), 1 packet

Nov 13 19:04:28.244: %SEC-6-IPACCESSLOGP: list 101 denied udp 24.64.109.54(23048) -> 80.92.129.253(1026), 1 packet

Nov 13 19:04:52.183: %SEC-6-IPACCESSLOGP: list 101 denied tcp 199.106.212.28(80) -> 80.92.129.253(1087), 1 packet

Nov 13 19:10:20.183: %SEC-6-IPACCESSLOGP: list 101 denied tcp 90.192.113.155(1265) -> 80.92.129.253(445), 1 packet d

Nov 13 19:10:22.099: %SEC-6-IPACCESSLOGP: list 101 denied udp 172.201.128.131(8087) -> 80.92.129.253(35191), 1 packet

Andy

Thanks for posting the log output. I believe that it does confirm my theory of what is causing the problem: the client sends a DNS request to the router, the router sends a DNS request to the servers it learned from the provider, and ACL 101 is denying the response coming to the router. And the reason that things work when you change ACL 101 to permit ip any any is that it then permits the router DNS, but as you comment it reduces the degree of security.

I believe that you can solve this immediate issue by putting a statement into ACL 101 to permit DNS responses to the router. Be aware that since the router is negotiating its address that the address might change over time.

I believe that you could also fix this immediate issue by changing your DHCP scope and putting some real DNS server into the scope rather than using the router address as the DNS server for the clients.

There may also be some issue that you need to look at concerning the other traffic to the router address that is being denied. Perhaps you can identify what this other traffic is and whether you need permits in ACL 101 for other router traffic as well as DNS.

HTH

Rick


Hi, everything I have tried seems to work now that I have amended the DHCP scope's DNS servers to 3 external ones.

I do get these popping up when I'm not doing anything. If I run an nslookup against them they seem to be from my ISP, I think.

Nov 13 20:55:38.861: %SEC-6-IPACCESSLOGP: list 101 denied tcp 90.198.54.60(2529) -> 90.198.235.164(135), 1 packet

Nov 13 20:55:54.881: %SEC-6-IPACCESSLOGP: list 101 denied udp 24.64.94.244(4028) -> 90.198.235.164(1026), 1 packet

H0m3#

Nov 13 20:56:55.416: %SEC-6-IPACCESSLOGP: list 101 denied udp 90.207.238.97(53) -> 90.198.235.164(56311), 2 packets

Nov 13 20:57:55.423: %SEC-6-IPACCESSLOGP: list 101 denied udp 87.86.189.16(53) -> 90.198.235.164(50746), 2 packets

Nov 13 20:57:55.423: %SEC-6-IPACCESSLOGP: list 101 denied tcp 207.46.109.91(1863) -> 90.198.235.164(1676), 12 packets

Andy

I do believe that putting external DNS servers into the scope is a good solution. I am glad that things are now working as expected.

HTH

Rick


The only part that concerns me is when I try and use my Cisco VPN client to my work's concentrator on 1.2.3.4: it connects but I can't access anything or ping anything at work:

Nov 13 21:18:55.439: %SEC-6-IPACCESSLOGNP: list 101 denied 50 1.2.3.4 -> 90.198.235.164, 109 packets

Do I need some gre rule or something?

Andy

What you need is an IPSec rule. ip inspect will examine TCP and UDP but does not examine protocols like ESP (which is IP protocol 50) and is the foundation of IPSec. This is what is being denied by the access list:

list 101 denied 50 1.2.3.4 -> 90.198.235.164, 109 packets

Note that "denied 50" indicates denied protocol 50 = ESP. So you will need to add a rule in access list 101 to permit ESP protocol 50 traffic. Then this issue should be solved.

HTH

Rick

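As an added example (not code from the thread), here is a small Python classifier that parses the %SEC-6-IPACCESSLOGP and %SEC-6-IPACCESSLOGNP lines Andy posted and labels each deny the way Rick's two replies reason about them: UDP replies from port 53 to the router's own address (answers to the router's own lookups, for which inspect opens no return path) and IP protocol 50 (ESP) from the VPN concentrator. The class names and the "unsolicited" bucket are my own labels, and the sample lines are copied from the posts above.

```python
import re
from collections import Counter
from typing import Optional

# Matches both %SEC-6-IPACCESSLOGP (tcp/udp, ports in parentheses) and
# %SEC-6-IPACCESSLOGNP (other IP protocols, shown by number, no ports).
LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGN?P: list (?P<acl>\S+) denied (?P<proto>\S+) "
    r"(?P<src>[\d.]+)(?:\((?P<sport>\d+)\))? -> "
    r"(?P<dst>[\d.]+)(?:\((?P<dport>\d+)\))?, (?P<count>\d+) packets?"
)

def parse(line: str) -> Optional[dict]:
    """Return the fields of one ACL deny log line, or None if it is not one."""
    m = LOG_RE.search(line)
    if not m:
        return None
    port = lambda s: int(s) if s else None
    return {"acl": m["acl"], "proto": m["proto"].lower(),
            "src": m["src"], "sport": port(m["sport"]),
            "dst": m["dst"], "dport": port(m["dport"]), "count": int(m["count"])}

def classify(rec: dict, router_ip: str) -> str:
    """Label one deny using the reasoning from the thread (labels are my own)."""
    if rec["dst"] != router_ip:
        return "not-to-router"
    if rec["proto"] == "udp" and rec["sport"] == 53:
        return "dns-reply"   # answer to a query the router itself sent
    if rec["proto"] == "50":
        return "esp"         # IPsec ESP; ip inspect does not track it
    return "unsolicited"     # e.g. the tcp/135 and udp/1026 hits in the log

def summarize(lines, router_ip: str) -> dict:
    """Sum denied packet counts per class over a batch of log lines."""
    totals = Counter()
    for line in lines:
        rec = parse(line)
        if rec:
            totals[classify(rec, router_ip)] += rec["count"]
    return dict(totals)

# Lines copied from the thread; 90.198.235.164 was the router's outside address then.
SAMPLE = [
    "Nov 13 20:55:38.861: %SEC-6-IPACCESSLOGP: list 101 denied tcp 90.198.54.60(2529) -> 90.198.235.164(135), 1 packet",
    "Nov 13 20:56:55.416: %SEC-6-IPACCESSLOGP: list 101 denied udp 90.207.238.97(53) -> 90.198.235.164(56311), 2 packets",
    "Nov 13 20:57:55.423: %SEC-6-IPACCESSLOGP: list 101 denied udp 87.86.189.16(53) -> 90.198.235.164(50746), 2 packets",
    "Nov 13 21:18:55.439: %SEC-6-IPACCESSLOGNP: list 101 denied 50 1.2.3.4 -> 90.198.235.164, 109 packets",
]

if __name__ == "__main__":
    for label, packets in summarize(SAMPLE, "90.198.235.164").items():
        print(f"{label}: {packets} packets")
```

Note that a blanket ACL entry permitting UDP source port 53 to the router address would admit any packet that merely claims that source port, which is why pointing clients at external DNS servers, as Andy ended up doing, is the tighter fix.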

I will try this and let you know, and I will rate the post as it's been so useful.

Hi, should telnet work from a remote Internet host on this config? I have added, but can't gain access from another location via telnet. I wouldn't mind the SDM too. I haven't got a static address, so will try to use DDNS at some point again, as I tried and failed at that :)

access-list 50 permit 4.3.2.1
line vty 0 4
 access-class 50 in
 privilege level 15
 login local
 transport input telnet
 transport output all

Andy

I would not expect telnet from an Internet host to work with the existing config. Putting an entry into access list 50 to permit remote access from the host is an important part of enabling access but is not enough. You also need an entry in access list 101 to permit the inbound telnet. And if you want to use SDM then you would need permit statements for that also.

If you are going to be doing remote access from an Internet host it might be good to think about using SSH rather than telnet. SSH provides similar functions as telnet and is much more secure.

HTH

Rick


Thanks, is SSH easy to configure?

Andy

Yes, SSH is easy to configure. You do need to verify that the feature set of the code that you are running will support SSH (that it supports encryption). You will need to generate RSA keys (and generation of RSA keys needs to have a unique host name and a domain name; the config that you posted looks like it has the host name blanked out and I do not see a domain name). If you are running fairly recent code you probably want to configure it to specify SSH version 2. I see that you already have the vty lines configured with transport input telnet ssh, so they should be good to go with SSH.

HTH

Rick
