Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

Inbound Access List 101

Greetings.

This should be a really easy one.

Im a cisco newbie.  Well this is implied based on the simplicity of my question...

Im trying to use an inbound access list on my OUTSIDE interface (with NAT) to limit access to specific servers, protocols, ports.

When I do this, my router loses the ability to PING.

My understanding was that ACLs only control traffic going THROUGH the router, not originating from the router.

My inside network can perform ANY connection outbound.

Outbound to inbound is working great for the webservers.

If I remove access-list 101 IN from my outside interface, then I can ping.

If I put access-list 101 IN back on the outside interface, then I can't ping.

Clearly I lack a fundamental understanding of what is happening when the router PINGs out.

I want to block ping requests that originate outside my network.

Why does my access-list prevent my router to ping?

What do I need to add to the access list to allow my router to ping out?

Config below.

Any suggestions, comments are greatly appreciated!!

Thanks,

Ross

dtrouter01#sh run

Building configuration...

Current configuration : 5470 bytes

!

version 12.4

no service pad

service timestamps debug datetime msec localtime show-timezone

service timestamps log datetime msec localtime show-timezone

service password-encryption

!

hostname dtrouter01

!

boot-start-marker

boot-end-marker

!

logging message-counter syslog

enable secret 5 $1$Hthu$F8UN7fFoNr5sQ5DDlZOzq0

!

aaa new-model

!

!

aaa session-id common

clock timezone PST8PDT -8

clock summer-time PST8PDT recurring

dot11 syslog

no ip source-route

!

!

ip dhcp bootp ignore

!

!

ip cef

no ip bootp server

no ip domain lookup

ip domain name dtrouter01.dunhamtech.com

!

multilink bundle-name authenticated

!

!

username dtadmin password 7 04710A0504244041191C43

archive

log config

  hidekeys

!

!

ip ssh time-out 60

ip ssh authentication-retries 2

!

!

interface FastEthernet0/0

ip address 69.43.173.37 255.255.255.240

ip access-group 101 in

ip nat outside

ip virtual-reassembly

duplex auto

speed auto

ntp disable

!

interface FastEthernet0/1

ip address 192.168.10.1 255.255.255.0

ip access-group 102 in

ip nat inside

ip virtual-reassembly

duplex auto

speed auto

ntp disable

!

no ip forward-protocol nd

ip route 0.0.0.0 0.0.0.0 69.43.173.33

no ip http server

no ip http secure-server

!

!

ip nat pool ovrld 69.43.173.40 69.43.173.40 prefix-length 28

ip nat inside source list 7 pool ovrld overload

ip nat inside source static tcp 192.168.10.79 80 69.43.173.45 80 extendable

ip nat inside source static tcp 192.168.10.79 443 69.43.173.45 443 extendable

ip nat inside source static tcp 192.168.10.80 80 69.43.173.46 80 extendable

ip nat inside source static tcp 192.168.10.80 443 69.43.173.46 443 extendable

!

logging trap debugging

logging facility local3

logging 192.168.10.71

access-list 7 permit 192.168.10.0 0.0.0.255

access-list 101 permit tcp any host 69.43.173.45 eq www

access-list 101 permit tcp any host 69.43.173.45 eq 443

access-list 101 permit tcp any host 69.43.173.46 eq www

access-list 101 permit tcp any host 69.43.173.46 eq 443

access-list 101 deny   ip any any

access-list 102 permit tcp 192.168.10.0 0.0.0.255 any

access-list 102 permit udp 192.168.10.0 0.0.0.255 any

access-list 102 permit icmp 192.168.10.0 0.0.0.255 any

access-list 102 deny   ip any any

no cdp run

!

!

control-plane

!

banner login ^C

***************

Dunham Tech | Go Away | No Access is Allowed

***************

^C

!

line con 0

password 7 080B4D4D021C0918020E4A

line aux 0

exec-timeout 0 1

no exec

transport output none

line vty 0 4

password 7 132F1611000908253B216E

transport input ssh

!

scheduler allocate 20000 1000

end

Everyone's tags (5)
1 ACCEPTED SOLUTION

Accepted Solutions
Cisco Employee

Inbound Access List 101

Hi Ross,

You are correct that traffic originating from the router would not be affected by an outbound ACL but in this case it is an inbound ACL and the ICMP echo reply going back to your router are not allowed by the inbound ACL, hence the ping not succeeding. You need to allow at a minimum the ICMP echo reply through your inbound ACL.

Regards

Harold Ritter
Sr. Technical Leader
CCIE 4168 (R&S, SP)
harold@cisco.com
México móvil: +52 1 55 8312 4915
Cisco México
Paseo de la Reforma 222
Piso 19
Cuauhtémoc, Juárez
Ciudad de México, 06600
México
4 REPLIES
Cisco Employee

Inbound Access List 101

Hi Ross,

You are correct that traffic originating from the router would not be affected by an outbound ACL but in this case it is an inbound ACL and the ICMP echo reply going back to your router are not allowed by the inbound ACL, hence the ping not succeeding. You need to allow at a minimum the ICMP echo reply through your inbound ACL.

Regards

Harold Ritter
Sr. Technical Leader
CCIE 4168 (R&S, SP)
harold@cisco.com
México móvil: +52 1 55 8312 4915
Cisco México
Paseo de la Reforma 222
Piso 19
Cuauhtémoc, Juárez
Ciudad de México, 06600
México
New Member

Inbound Access List 101

Hi Harold. 

Thank you very much for your reply.

This makes perfect sense,

I hope I am not pushing my luck, but I also wanted to allow the router to do DNS (so I can ping a host instead of an IP), I also wanted to allow the router's NTP client out.

So I assume that I would also need to add permission for UDP 123, and UDP 53 so that the router can receive those back as well?


Thanks!!!

Ross

Purple

Inbound Access List 101

Hi,

with this ACL 101 applied inbound on the WAN you'll be blocking the return traffic destined to inside hosts that originated traffic destined for the Internet.

You'd be better off configuring CBAC or Zone based Firewall on the router.

For CBAC:

conf t

ip inspect MYINSPECTION udp router-traffic

ip inspect MYINSPECTION tcp router-traffic

ip inspect MYINSPECTION icmp router-traffic

int f0/0

ip inspect MYINSPECTION out

ip access-group 101 in

Regards

Alain

Don't forget to rate helpful posts.

Don't forget to rate helpful posts.
New Member

Inbound Access List 101

Hi Alain,

Thank you so much for taking the time to read and reply to my post.

It's greatly appreciated.

I am implementing this feature now as well.

I googled some examples online and was little confused by the lack of consistency on how the examples apply this firewall to the interfaces.

I noticed that in some of the examples, they put the firewall on the LAN interface IN, and the WAN interface OUT.

In another example they ONLY had it on the INSIDE interface IN.

I noticed you only put it ONLY on the WAN out.

Do you happen to know the difference between these 3 different approaches?

#1

LAN IN, WAN OUT

#2

LAN IN

#3

WAN OUT

Thanks so much!  No worries if this is asking to much.

Ross

1516
Views
5
Helpful
4
Replies
CreatePlease to create content