08-09-2013 09:26 AM - edited 03-04-2019 08:43 PM
Greetings.
This should be a really easy one.
I'm a Cisco newbie. Well, this is implied based on the simplicity of my question...
I'm trying to use an inbound access list on my OUTSIDE interface (with NAT) to limit access to specific servers, protocols, and ports.
When I do this, my router loses the ability to PING.
My understanding was that ACLs only control traffic going THROUGH the router, not originating from the router.
My inside network can perform ANY connection outbound.
Outbound to inbound is working great for the webservers.
If I remove access-list 101 IN from my outside interface, then I can ping.
If I put access-list 101 IN back on the outside interface, then I can't ping.
Clearly I lack a fundamental understanding of what is happening when the router PINGs out.
I want to block ping requests that originate outside my network.
Why does my access-list prevent my router from pinging?
What do I need to add to the access list to allow my router to ping out?
Config below.
Any suggestions, comments are greatly appreciated!!
Thanks,
Ross
dtrouter01#sh run
Building configuration...
Current configuration : 5470 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
!
hostname dtrouter01
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
enable secret 5 $1$Hthu$F8UN7fFoNr5sQ5DDlZOzq0
!
aaa new-model
!
!
aaa session-id common
clock timezone PST8PDT -8
clock summer-time PST8PDT recurring
dot11 syslog
no ip source-route
!
!
ip dhcp bootp ignore
!
!
ip cef
no ip bootp server
no ip domain lookup
ip domain name dtrouter01.dunhamtech.com
!
multilink bundle-name authenticated
!
!
username dtadmin password 7 04710A0504244041191C43
archive
log config
hidekeys
!
!
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
interface FastEthernet0/0
ip address 69.43.173.37 255.255.255.240
ip access-group 101 in
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
ntp disable
!
interface FastEthernet0/1
ip address 192.168.10.1 255.255.255.0
ip access-group 102 in
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
ntp disable
!
no ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 69.43.173.33
no ip http server
no ip http secure-server
!
!
ip nat pool ovrld 69.43.173.40 69.43.173.40 prefix-length 28
ip nat inside source list 7 pool ovrld overload
ip nat inside source static tcp 192.168.10.79 80 69.43.173.45 80 extendable
ip nat inside source static tcp 192.168.10.79 443 69.43.173.45 443 extendable
ip nat inside source static tcp 192.168.10.80 80 69.43.173.46 80 extendable
ip nat inside source static tcp 192.168.10.80 443 69.43.173.46 443 extendable
!
logging trap debugging
logging facility local3
logging 192.168.10.71
access-list 7 permit 192.168.10.0 0.0.0.255
access-list 101 permit tcp any host 69.43.173.45 eq www
access-list 101 permit tcp any host 69.43.173.45 eq 443
access-list 101 permit tcp any host 69.43.173.46 eq www
access-list 101 permit tcp any host 69.43.173.46 eq 443
access-list 101 deny ip any any
access-list 102 permit tcp 192.168.10.0 0.0.0.255 any
access-list 102 permit udp 192.168.10.0 0.0.0.255 any
access-list 102 permit icmp 192.168.10.0 0.0.0.255 any
access-list 102 deny ip any any
no cdp run
!
!
control-plane
!
banner login ^C
***************
Dunham Tech | Go Away | No Access is Allowed
***************
^C
!
line con 0
password 7 080B4D4D021C0918020E4A
line aux 0
exec-timeout 0 1
no exec
transport output none
line vty 0 4
password 7 132F1611000908253B216E
transport input ssh
!
scheduler allocate 20000 1000
end
08-09-2013 09:37 AM
Hi Ross,
You are correct that traffic originating from the router would not be affected by an outbound ACL, but in this case it is an inbound ACL, and the ICMP echo replies going back to your router are not allowed by the inbound ACL, hence the ping not succeeding. You need to allow at a minimum the ICMP echo reply through your inbound ACL.
Regards
08-09-2013 01:57 PM
Hi Harold.
Thank you very much for your reply.
This makes perfect sense.
I hope I am not pushing my luck, but I also wanted to allow the router to do DNS (so I can ping a host instead of an IP), and I also wanted to allow the router's NTP client out.
So I assume that I would also need to add permission for UDP 123, and UDP 53 so that the router can receive those back as well?
Thanks!!!
Ross
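Putting Harold's answer and Ross's DNS/NTP follow-up together as an added example (not the poster's or the repliers' configuration): access-list 101 rewritten so replies to the router's own ping, DNS and NTP traffic reach its outside address while echo requests from the Internet stay blocked. It uses the addresses from the config above and adds a TCP `established` permit for the overload pool, which the thread does not mention.

```ios
! Added example (not the original poster's or the repliers' config): access-list 101
! rewritten so that replies to the router's own ping, DNS and NTP traffic are accepted
! while inbound echo requests from the Internet stay blocked. Addresses are those from
! the thread: router outside 69.43.173.37, NAT pool 69.43.173.40, web servers .45/.46.
!
! Numbered ACLs cannot be edited in place, so the list is removed and re-created.
! While 101 does not exist the interface permits everything, so paste this as one block.
no access-list 101
!
! Replies to sessions the router itself started (destination is its own outside IP)
access-list 101 permit icmp any host 69.43.173.37 echo-reply
access-list 101 permit icmp any host 69.43.173.37 time-exceeded
access-list 101 permit icmp any host 69.43.173.37 unreachable
access-list 101 permit udp any eq domain host 69.43.173.37
access-list 101 permit udp any eq ntp host 69.43.173.37 eq ntp
!
! Replies to inside hosts behind the overload pool (TCP and ping only; a stateless
! ACL cannot match UDP replies safely, which is why CBAC or the zone-based firewall
! suggested later in the thread is the better fix for inside-host traffic)
access-list 101 permit tcp any host 69.43.173.40 established
access-list 101 permit icmp any host 69.43.173.40 echo-reply
!
! Published web servers (static NAT entries from the original config)
access-list 101 permit tcp any host 69.43.173.45 eq www
access-list 101 permit tcp any host 69.43.173.45 eq 443
access-list 101 permit tcp any host 69.43.173.46 eq www
access-list 101 permit tcp any host 69.43.173.46 eq 443
!
! Everything else, including echo requests from outside, is dropped
access-list 101 deny ip any any
!
interface FastEthernet0/0
 ip access-group 101 in
```

Verify with `show access-lists 101` after a ping and a DNS lookup from the router: the echo-reply and domain lines should show non-zero match counts, and the final deny should count the blocked inbound echo requests.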
08-09-2013 11:35 AM
Hi,
With this ACL 101 applied inbound on the WAN you'll be blocking the return traffic destined to inside hosts that originated traffic destined for the Internet.
You'd be better off configuring CBAC or Zone based Firewall on the router.
For CBAC:
conf t
! CBAC inspection rules need the "name" keyword; router-traffic also tracks
! sessions the router itself originates (ping, DNS, NTP)
ip inspect name MYINSPECTION udp router-traffic
ip inspect name MYINSPECTION tcp router-traffic
ip inspect name MYINSPECTION icmp router-traffic
int f0/0
ip inspect MYINSPECTION out
ip access-group 101 in
Regards
Alain
Don't forget to rate helpful posts.
08-09-2013 02:02 PM
Hi Alain,
Thank you so much for taking the time to read and reply to my post.
It's greatly appreciated.
I am implementing this feature now as well.
I googled some examples online and was a little confused by the lack of consistency in how the examples apply this firewall to the interfaces.
I noticed that in some of the examples, they put the firewall on the LAN interface IN, and the WAN interface OUT.
In another example they ONLY had it on the INSIDE interface IN.
I noticed you only put it ONLY on the WAN out.
Do you happen to know the difference between these 3 different approaches?
#1: LAN IN, WAN OUT
#2: LAN IN
#3: WAN OUT
Thanks so much! No worries if this is asking too much.
Ross