internal return traffic blocked by external int ACL

TRO Group
Level 1

   Hi guys

We are getting return traffic from our internal subnet blocked by our outside interface ACL (Dialer0). If I remove the ACL (OUTSIDE_IN) from the outside interface, internal hosts can access the internet etc. fine. As soon as the OUTSIDE_IN ACL is applied to the outside interface it blocks their traffic.

I entered the below commands and applied the inspect policy to the internal interface fa0/0. This now allows ping to go through to external websites successfully but all other traffic is blocked. This is even the case if I remove the internal interface ACL (TRUST_OUT).

ip inspect name traffic tcp
ip inspect name traffic udp
ip inspect name traffic icmp

I am at a loss here are you able to assist?

See below config.

#show run
Building configuration...

Current configuration : 5048 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname
!
boot-start-marker
boot system flash:c2800nm-adventerprisek9-mz.124-22.YB8.bin
boot-end-marker
!
logging message-counter syslog
!
no aaa new-model
!
dot11 syslog
ip source-route
!
!
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.100.1 192.168.100.59
ip dhcp excluded-address 192.168.100.253 192.168.100.254
!
ip dhcp pool Internal_Network_DHCP_Pool
   network 192.168.100.0 255.255.252.0
   default-router 192.168.100.254
   dns-server 192.168.100.254
   lease 3
!

!
ip inspect name traffic udp
ip inspect name traffic tcp
ip inspect name traffic icmp

no ipv6 cef
!
multilink bundle-name authenticated
!
voice-card 0
!
username admin privilege 15 secret 5 $1$E.Pe$V1UAU5P0m1S8ObtPXGNFD.
archive
log config
  hidekeys
!
interface FastEthernet0/0
ip address 192.168.100.254 255.255.252.0
ip access-group TRUST_OUT in
ip inspect traffic in
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface ATM0/0/0
no ip address
no atm ilmi-keepalive
!
interface ATM0/0/0.1 point-to-point
mtu 1492
no ip redirects
no ip unreachables
no ip proxy-arp
pvc 0/33
  encapsulation aal5snap
  pppoe-client dial-pool-number 1
!
!
interface BRI0/0/0
no ip address
encapsulation hdlc
shutdown
!
interface Serial0/1/0
no ip address
shutdown
no fair-queue
clock rate 2000000
!
interface Dialer0
mtu 1492
ip access-group OUTSIDE_IN in
ip address negotiated
ip nat outside
ip virtual-reassembly
encapsulation ppp
ip tcp adjust-mss 1400
dialer pool 1
no cdp enable
ppp chap hostname
ppp chap password
ppp ipcp dns request accept
ppp ipcp mask request
ppp ipcp route default
ppp ipcp address accept
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
no ip http server
no ip http secure-server
!
!
ip dns server
ip nat inside source list ACL-NAT-Internal interface Dialer0 overload
!
ip access-list extended ACL-NAT-Internal
permit ip 192.168.100.0 0.0.3.255 any
ip access-list extended OUTSIDE_IN
permit tcp any host 192.168.100.30 eq 5150
permit tcp any host 192.168.100.30 eq 5160
permit tcp any host 192.168.100.30 eq 8080
ip access-list extended TRUST_OUT
permit tcp 192.168.100.0 0.0.3.255 any eq www
permit tcp 192.168.100.0 0.0.3.255 any eq 443
permit tcp 192.168.100.0 0.0.3.255 any eq domain
permit udp 192.168.100.0 0.0.3.255 any eq domain
permit icmp 192.168.100.0 0.0.3.255 any echo
permit tcp 192.168.100.0 0.0.3.255 host 192.168.100.254 eq telnet
!
access-list 1 permit 192.168.100.0 0.0.3.255
!
control-plane
!
ccm-manager fax protocol cisco
!
mgcp fax t38 ecm
!
line con 0
privilege level 15
login local
line aux 0
line vty 0 4
privilege level 15
login local
!
scheduler allocate 20000 1000
end

8 Replies

John Blakley
VIP Alumni

You should try moving your inspect to the outside interface instead of on the LAN. On your Dialer, put "ip inspect traffic out" and see if that resolves the issue.

HTH,
John

*** Please rate all useful posts ***


Hi John

I tried this but the same, I am afraid.

Regards

Jon

cadet alain
VIP Alumni

Hi,

Can you add ip inspect log drop-pkt in global config and deny ip any any log in your OUTSIDE_IN access-list?

Then try to browse www.google.com from a client and post any log output as well as sh ip nat trans | x.x.x.x where x.x.x.x is the IP of the client, and sh ip inspect session and sh access-list.

Regards

Alain

Don't forget to rate helpful posts.


Hi Alain

I will give this a try and post the output.  I will not be able to try today but will come back here with the results asap.

Thank you for your response.

Jonny

Hi Alain

Sorry for taking so long to come back, workload has intervened.

Here is a snippet of output from when I try and browse to Google from an internal host:

Jan 29 11:14:14.267: %SEC-6-IPACCESSLOGP: list OUTSIDE_IN denied udp 194.72.0.98(53) -> 86.147.189.53(63262), 1 packet
*Jan 29 11:14:15.271: %SEC-6-IPACCESSLOGP: list OUTSIDE_IN denied udp 194.72.0.98(53) -> 86.147.189.53(52520), 1 packet
*Jan 29 11:14:16.283: %SEC-6-IPACCESSLOGP: list OUTSIDE_IN denied udp 194.72.0.98(53) -> 86.147.189.53(55671), 1 packet
*Jan 29 11:14:17.319: %SEC-6-IPACCESSLOGP: list OUTSIDE_IN denied udp 62.6.40.178(53) -> 86.147.189.53(58992), 1 packet
*Jan 29 11:14:20.323: %SEC-6-IPACCESSLOGP: list OUTSIDE_IN denied udp 62.6.40.178(53) -> 86.147.189.53(61185), 1 packet
*Jan 29 11:14:22.307: %SEC-6-IPACCESSLOGP: list OUTSIDE_IN denied udp 194.72.0.98(53) -> 86.147.189.53(57653), 1 packet
*Jan 29 11:14:23.327: %SEC-6-IPACCESSLOGP: list OUTSIDE_IN denied udp 62.6.40.178(53) -> 86.147.189.53(63262), 1 packet
*Jan 29 11:14:24.959: %SEC-6-IPACCESSLOGP: list OUTSIDE_IN denied udp 194.72.0.98(53) -> 86.147.189.53(53654), 1 packet

CISCO-2811#sh access-lists
Standard IP access list 1
    10 permit 192.168.100.0, wildcard bits 0.0.3.255
Extended IP access list ACL-NAT-Internal
    10 permit ip 192.168.100.0 0.0.3.255 any (44 matches)
Extended IP access list OUTSIDE_IN
    10 permit tcp any host 192.168.100.30 eq 5150
    20 permit tcp any host 192.168.100.30 eq 5160
    30 permit tcp any host 192.168.100.30 eq 8080
    40 deny ip any any log (1892 matches)
Extended IP access list TRUST_OUT
    10 permit tcp 192.168.100.0 0.0.3.255 any eq www (15334 matches)
    20 permit tcp 192.168.100.0 0.0.3.255 any eq 443 (355 matches)
    30 permit tcp 192.168.100.0 0.0.3.255 any eq domain
    40 permit udp 192.168.100.0 0.0.3.255 any eq domain (323 matches)
    50 permit icmp 192.168.100.0 0.0.3.255 any echo
    60 permit tcp 192.168.100.0 0.0.3.255 host 192.168.100.254 eq telnet
    70 permit udp any any eq bootps (6 matches)


Show ip nat trans displays nothing, I'm afraid.

Show ip inspect sessions displays nothing also.

Can you repost the current config that you are using when you see the denied messages in your last post?

Jon

I don't think your inspects are working, or it would at least seem that way. You can leave the inspect inbound on the lan side interface, but can you try a couple of other things?

Try adding "ip inspect name traffic dns" (True, inspecting udp should fix it, but maybe it's an ios issue?)

Try removing "ip inspect traffic in" from the interface and then reapply it.

The timeouts happen pretty quickly for the inspect table. Maybe you should increase it temporarily to see if you are getting entries in your inspect table:

ip inspect name traffic dns timeout 30

Then try to browse from a host again and do a "sh ip inspect session". Hopefully, you should see something. I labbed it up with a config like yours and I get sessions just fine:

R2#sh ip inspect sess
Established Sessions
Session 671484A0 (192.168.12.1:8)=>(192.168.23.3:0) icmp SIS_OPEN
Session 67148768 (192.168.12.1:59144)=>(192.168.23.3:53) dns SIS_OPEN
R2#

R2's config:

ip inspect name firewall udp
ip inspect name firewall icmp
interface FastEthernet0/0
ip address 192.168.12.2 255.255.255.0
ip access-group 101 in
ip nat inside
ip inspect firewall in
ip virtual-reassembly
speed 100
full-duplex
interface FastEthernet0/1
ip address 192.168.23.2 255.255.255.0
ip access-group 102 in
ip nat outside
ip virtual-reassembly
speed 100
full-duplex
end

Extended IP access list 101
    10 permit udp 192.168.12.0 0.0.0.255 any eq domain (12 matches)
    20 permit icmp any any (45 matches)
Extended IP access list 102
    5 permit tcp any host 192.168.23.2 eq www
    10 deny ip any any (9 matches)

My nat config is just allowing 192.168.12.0/24 out with fa0/0 being the inside interface.

HTH,
John

*** Please rate all useful posts ***
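As an added illustration, not part of this thread or of any Cisco tool, the Python below parses the %SEC-6-IPACCESSLOGP lines Jonny posted and checks each denied packet against a simulated inspect session table of the kind John's "sh ip inspect session" shows: a DNS reply whose reversed flow has no tracked session is exactly the symptom in this thread, while a packet with a tracked reverse flow is one CBAC should have let through. The third log line and the session tuples are constructed.

```python
import re
from collections import Counter

# Two lines copied from the OUTSIDE_IN log output in this thread, plus one constructed
# line for an unsolicited inbound TCP packet (source in the 203.0.113.0/24 documentation range).
LOG_LINES = [
    "*Jan 29 11:14:14.267: %SEC-6-IPACCESSLOGP: list OUTSIDE_IN denied udp 194.72.0.98(53) -> 86.147.189.53(63262), 1 packet",
    "*Jan 29 11:14:17.319: %SEC-6-IPACCESSLOGP: list OUTSIDE_IN denied udp 62.6.40.178(53) -> 86.147.189.53(58992), 1 packet",
    "*Jan 29 11:15:01.000: %SEC-6-IPACCESSLOGP: list OUTSIDE_IN denied tcp 203.0.113.9(50321) -> 86.147.189.53(22), 1 packet",
]

# Field layout of an IOS %SEC-6-IPACCESSLOGP message: list, proto, src(port) -> dst(port), count.
LOG_RE = re.compile(
    r"list (?P<acl>\S+) denied (?P<proto>\w+) (?P<src>\d+(?:\.\d+){3})\((?P<sport>\d+)\) -> "
    r"(?P<dst>\d+(?:\.\d+){3})\((?P<dport>\d+)\), (?P<pkts>\d+) packet"
)
NO_SESSION_DNS = "DNS reply with no inspect session: the outbound query was never tracked"
RETURN_TRAFFIC = "return traffic for a tracked session: inspection should have permitted it"
UNSOLICITED = "unsolicited inbound packet: correctly dropped by the static ACL"

def parse(line):
    """Return the fields of one IPACCESSLOGP line as a dict, or None for other lines."""
    m = LOG_RE.search(line)
    if not m:
        return None
    entry = m.groupdict()
    for key in ("sport", "dport", "pkts"):
        entry[key] = int(entry[key])
    return entry

def classify(entry, sessions):
    """Explain a denied packet against a simulated CBAC session table (constructed model).
    sessions holds outbound flows as seen post-NAT on the outside interface, as tuples
    (proto, local_ip, local_port, remote_ip, remote_port); the denied packet is the reverse direction."""
    reverse = (entry["proto"], entry["dst"], entry["dport"], entry["src"], entry["sport"])
    if reverse in sessions:
        return RETURN_TRAFFIC
    if entry["proto"] == "udp" and entry["sport"] == 53:
        return NO_SESSION_DNS
    return UNSOLICITED

def summarize(lines, sessions=frozenset()):
    """Count the verdict for every parseable log line."""
    verdicts = Counter()
    for line in lines:
        entry = parse(line)
        if entry is not None:
            verdicts[classify(entry, sessions)] += 1
    return verdicts
```

Run summarize(LOG_LINES) with an empty session set to reproduce the thread's situation (every DNS reply lands in the "no inspect session" bucket), then pass a session tuple for one of the queries to see that same packet reclassified as tracked return traffic.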


Hi Jon

Full config at top of thread
