Announcement

Collapse
No announcement yet.

Cisco 877 with NAT - Unable to get inbound access list to work - it blocks outbound??

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • Cisco 877 with NAT - Unable to get inbound access list to work - it blocks outbound??

    Hello,

    Cisco 877, running latest 12.4(24)T1 (c870-advipservicesk9-mz.124-24.T1.bin).

    I'm hosting a number of services inside the LAN, which are open to the public via NAT. Everything works fine, I can browse the external web from inside, and external visitors can access my servers for http, smtp etc. I have a single external IP.

    It's been recommended to me that I should define an Access List on the inbound traffic. I'm not sure it's necessary, since I'm only publishing the required ports, but I like to follow "best practice".

    I'm opening ports via

    Code:
    ip nat inside source static tcp 192.168.1.50 25 interface Dialer0 25
    ip nat inside source static tcp 192.168.1.50 80 interface Dialer0 80
    etc.

    All this works well.

    HOWEVER...as soon as I enable the access list on my Dialer0 interface, I am immediately blocked from any outboud traffic. I can't surf the web, and I can't remote-desktop to a remote site in order to verify that I can still browse my webserver sites from externally.

    My full config is below, and it's ACL 101 that's the one I'm trying to get to work. As soon as I add

    Code:
    ip access-group 101 in
    to Interface Dialer0, I can no longer access anything outside the LAN.

    I'm sure it'll be something silly I'm doing/not doing, but I can't spot it.

    Can anyone assist?

    My full config is below.

    Many thanks in advance,



    Jim

    [code]

    !
    ! Last configuration change at 19:39:17 GMT Thu Jul 30 2009 by xx
    ! NVRAM config last updated at 19:39:39 GMT Thu Jul 30 2009 by xx
    !
    version 12.4
    no service pad
    service timestamps debug datetime msec localtime
    service timestamps log datetime msec localtime
    service password-encryption
    !
    hostname Cisco877
    !
    boot-start-marker
    boot system flash c870-advipservicesk9-mz.124-24.T1.bin
    boot-end-marker
    !
    logging message-counter syslog
    logging buffered 52000
    !
    aaa new-model
    !
    !
    aaa authentication login default local
    aaa authentication ppp default local
    !
    !
    aaa session-id common
    clock timezone GMT 0
    clock summer-time GMT recurring
    !
    !
    dot11 syslog
    ip source-route
    !
    !
    no ip dhcp use vrf connected
    ip dhcp excluded-address 192.168.1.1 192.168.1.150
    ip dhcp excluded-address 192.168.1.201 192.168.1.254
    !
    ip dhcp pool CLIENTS
    network 192.168.1.0 255.255.255.0
    dns-server 192.168.1.1
    default-router 192.168.1.1
    lease 0 12
    !
    ip dhcp pool JimDesktop
    host 192.168.1.201 255.255.255.0
    client-identifier 0100.18f3.3d51.62
    !
    ip dhcp pool JimLaptopWLAN
    host 192.168.1.203 255.255.255.0
    client-identifier 0100.1b77.a1df.d8
    !
    ip dhcp pool JimLaptopLAN
    host 192.168.1.202 255.255.255.0
    client-identifier 0100.1b38.39e4.44
    !
    ip dhcp pool ChrisLaptopWLAN
    host 192.168.0.106 255.255.255.0
    client-identifier 0100.1b77.cc02.d4
    dns-server 192.168.0.1
    default-router 192.168.0.1
    !
    ip dhcp pool ChrisLaptopLAN
    host 192.168.0.107 255.255.255.0
    client-identifier 0100.1a80.58e6.b5
    dns-server 192.168.0.1
    default-router 192.168.0.1
    !
    ip dhcp pool LynLaptopWLAN
    host 192.168.0.108 255.255.255.0
    client-identifier 0100.13e8.e830.1f
    dns-server 192.168.0.1
    default-router 192.168.0.1
    !
    !
    no ip cef
    ip domain name xxxx.co.uk
    ip host view OverriddenDNS www.test.co.uk 192.168.1.50
    ip name-server 195.74.113.58
    ip name-server 195.74.113.59
    ip name-server 195.74.102.146
    ip name-server 195.74.102.147
    login block-for 180 attempts 2 within 120
    login on-failure log
    login on-success log
    no ipv6 cef
    ntp server 195.74.96.12
    !
    multilink bundle-name authenticated
    !
    vpdn enable
    !
    vpdn-group 1
    ! Default PPTP VPDN group
    accept-dialin
    protocol pptp
    virtual-template 1
    !
    !
    !
    !
    !
    !
    archive
    log config
    hidekeys
    !
    !
    ip ssh version 2
    !
    class-map match-all Traffic-Class-HighPriority
    match access-group 161
    class-map match-all Traffic-Class-LowPriority
    match access-group 162
    !
    !
    policy-map Dialer0-Outbound
    class Traffic-Class-HighPriority
    priority percent 30
    class Traffic-Class-LowPriority
    priority percent 10
    class class-default
    fair-queue
    !
    !
    !
    !
    interface ATM0
    description ADSL Connection
    no ip address
    no atm ilmi-keepalive
    pvc 0/38
    encapsulation aal5mux ppp dialer
    dialer pool-member 1
    !
    hold-queue 200 in
    !
    interface FastEthernet0
    !
    interface FastEthernet1
    !
    interface FastEthernet2
    !
    interface FastEthernet3
    !
    interface Virtual-Template1
    ip unnumbered Vlan1
    peer default ip address pool VPNPOOL
    no keepalive
    ppp encrypt mppe auto required
    ppp authentication ms-chap ms-chap-v2
    !
    interface Vlan1
    description LAN
    ip address 192.168.0.254 255.255.255.0 secondary
    ip address 192.168.1.1 255.255.255.0
    ip dns view-group OverriddenDNSViewList
    ip nat inside
    ip nat enable
    ip virtual-reassembly
    ip tcp adjust-mss 1452
    hold-queue 100 in
    hold-queue 100 out
    !
    interface Dialer0
    ip address negotiated
    ip nat outside
    ip virtual-reassembly
    encapsulation ppp
    ip tcp header-compression iphc-format
    ip tcp adjust-mss 1452
    dialer pool 1
    dialer-group 1
    no cdp enable
    ppp authentication pap chap callin
    ppp chap hostname [email protected]
    ppp chap password 7 xxxxx
    ppp ipcp dns request
    service-policy output Dialer0-Outbound
    ip rtp header-compression iphc-format
    !
    ip local pool VPNPOOL 192.168.16.200 192.168.16.210
    ip forward-protocol nd
    ip route 0.0.0.0 0.0.0.0 Dialer0
    no ip http server
    no ip http secure-server
    !
    !
    ip dns view OverriddenDNS
    dns forwarder 195.74.113.62
    dns forwarder 195.74.113.59
    dns forwarder 195.74.102.146
    dns forwarder 195.74.102.147
    ip dns view-list OverriddenDNSViewList
    view OverriddenDNS 10
    view default 20
    ip dns server
    no ip nat service sip udp port 5060
    ip nat inside source static tcp 192.168.1.50 25 interface Dialer0 25
    ip nat inside source static tcp 192.168.1.50 80 interface Dialer0 80
    ip nat inside source static tcp 192.168.1.50 443 interface Dialer0 443
    ip nat inside source static tcp 192.168.1.50 995 interface Dialer0 995
    ip nat inside source static tcp 192.168.1.50 12345 interface Dialer0 12345
    ip nat inside source static tcp 192.168.1.50 20 interface Dialer0 20
    ip nat inside source static tcp 192.168.1.50 21 interface Dialer0 21
    ip nat inside source list 102 interface Dialer0 overload
    !
    ip access-list standard SNMP-ALLOWED
    permit 192.168.1.70
    permit 192.168.1.50
    deny any
    !
    !
    logging 192.168.1.50
    access-list 40 permit 192.168.0.0 0.0.0.255
    access-list 40 permit 192.168.1.0 0.0.0.255
    access-list 40 remark Control who can access the router via SSH
    access-list 101 remark Control traffic allowed into the router
    access-list 101 permit tcp any any eq www
    access-list 101 permit tcp any any eq ftp-data
    access-list 101 permit tcp any any eq ftp
    access-list 101 permit tcp any any eq smtp
    access-list 101 permit tcp any any eq 443
    access-list 102 permit ip 192.168.1.0 0.0.0.255 any
    access-list 161 remark High Priority / Low Latency Traffic
    access-list 161 permit tcp any eq 3389 any
    access-list 161 permit tcp any any eq 3389
    access-list 161 permit udp any any
    access-list 161 permit icmp any any
    access-list 161 permit tcp any eq www any
    access-list 161 permit tcp any any eq www
    access-list 162 remark Low Priority Traffic
    access-list 162 permit tcp any any eq ftp-data
    dialer-list 1 protocol ip permit
    !
    !
    !
    !
    snmp-server community xxxxx RW SNMP-ALLOWED
    !
    control-plane
    !
    !
    line con 0
    exec-timeout 0 0
    password 7 XXXXX
    no modem enable
    transport output all
    line aux 0
    transport output all
    line vty 0 4
    access-class 40 in
    exec-timeout 0 0
    privilege level 15
    password 7 xxxx
    transport input ssh
    transport output all
    !
    scheduler max-task-time 5000
    scheduler allocate 20000 1000
    end

    [/code[
    Last edited by jimwillsher; 30th July 2009, 19:52. Reason: Correct typos

  • #2
    Re: Cisco 877 with NAT - Unable to get inbound access list to work - it blocks outbou

    ip access-group 101 out

    try this

    Comment


    • #3
      Re: Cisco 877 with NAT - Unable to get inbound access list to work - it blocks outbou

      Many thanks for the reply, but stll no luck.

      If I add

      ip access-group 101 out

      to Interface Dialer0 then I can successfully surf the web, which is an improvement. But I can't do anything else, like remote desktop.

      I've also tried

      ip access-group 101 in
      ip access-group 102 out

      but that's the same.



      Jim

      Comment


      • #4
        Re: Cisco 877 with NAT - Unable to get inbound access list to work - it blocks outbou

        Add this string aswell

        access-list 101 permit tcp any any eq 3389

        Comment


        • #5
          Re: Cisco 877 with NAT - Unable to get inbound access list to work - it blocks outbou

          Yes, but surely this is now entering the world of "specify every service you want to access"?

          I want all outbound ports open, and all inbound replies (e.g. stateful). And this works well.

          But I want the ACL to apply to inbound traffic initiated from outside the network.



          Jim

          Comment


          • #6
            Re: Cisco 877 with NAT - Unable to get inbound access list to work - it blocks outbou

            Jim,

            Let me clear you some points


            When you apply ip access-group 101 in it means traffic is entering to your network from outside world.

            When you apply ip access-group 101 out ,it means traffic is going outside world from your network.

            Now design you traffic as you want .

            Let me know if you require my help for the same

            Cheers
            DT

            Comment


            • #7
              Re: Cisco 877 with NAT - Unable to get inbound access list to work - it blocks outbou

              Hi DT,

              I really appreciate you help, but I still think there's something missing.

              I do not want any ACL for outbound traffic, as I want to allow all outbound traffic on any port. The only thing I want to control with an ACL list is internet-initiated traffic coming in.


              Jim

              Comment


              • #8
                Re: Cisco 877 with NAT - Unable to get inbound access list to work - it blocks outbou

                Let me know what all you want to allow from outside.

                Like 80,3389 etc accordingly we will create ACL

                Comment


                • #9
                  Re: Cisco 877 with NAT - Unable to get inbound access list to work - it blocks outbou

                  Ok, if you look at my config, these are the ports I want to allow from the outside to the inside. I want to allow ALL ports from inside to outside.

                  Code:
                  ip nat inside source static tcp 192.168.1.50 25 interface Dialer0 25
                  ip nat inside source static tcp 192.168.1.50 80 interface Dialer0 80
                  ip nat inside source static tcp 192.168.1.50 443 interface Dialer0 443
                  ip nat inside source static tcp 192.168.1.50 995 interface Dialer0 995
                  ip nat inside source static tcp 192.168.1.50 12345 interface Dialer0 12345
                  ip nat inside source static tcp 192.168.1.50 20 interface Dialer0 20
                  ip nat inside source static tcp 192.168.1.50 21 interface Dialer0 21

                  Jim

                  Comment


                  • #10
                    Re: Cisco 877 with NAT - Unable to get inbound access list to work - it blocks outbou

                    Remove all ACL from interface dialer0

                    and apply mentioned below config

                    access-list 103 permit tcp any 192.168.1.0 0.0.0.255 eq 25
                    access-list 103 permit tcp any 192.168.1.0 0.0.0.255 eq 80
                    access-list 103 permit tcp any 192.168.1.0 0.0.0.255 eq 443
                    access-list 103 permit tcp any 192.168.1.0 0.0.0.255 eq 995
                    access-list 103 permit tcp any 192.168.1.0 0.0.0.255 eq 12345
                    access-list 103 permit tcp any 192.168.1.0 0.0.0.255 eq 20
                    access-list 103 permit tcp any 192.168.1.0 0.0.0.255 eq 21
                    access-list 103 permit tcp any 192.168.1.0 0.0.0.255 established
                    access-list 103 deny ip any any

                    access-list 102 permit ip 192.168.1.0 0.0.0.255 any

                    ip access-group 102 out
                    ip access-group 103 in



                    103-it is for incoming traffic from outside

                    102-It is for outgoing traffic from your network


                    apply it and let me know the result

                    Cheers
                    DT

                    Comment


                    • #11
                      Re: Cisco 877 with NAT - Unable to get inbound access list to work - it blocks outbou

                      Hi,

                      It made no difference. As soon as I added the ACLs I couldn't access anything outside the LAN.

                      This was the config I used:

                      Code:
                      !
                      ! Last configuration change at 10:01:09 GMT Fri Jul 31 2009 by XXXX
                      ! NVRAM config last updated at 09:13:49 GMT Fri Jul 31 2009 by XXXX
                      !
                      version 12.4
                      no service pad
                      service timestamps debug datetime msec localtime
                      service timestamps log datetime msec localtime
                      service password-encryption
                      !
                      hostname Cisco877
                      !
                      boot-start-marker
                      boot system flash c870-advipservicesk9-mz.124-24.T1.bin
                      boot-end-marker
                      !
                      logging message-counter syslog
                      logging buffered 52000
                      !
                      aaa new-model
                      !
                      !
                      aaa authentication login default local
                      aaa authentication ppp default local
                      !
                      !
                      aaa session-id common
                      clock timezone GMT 0
                      clock summer-time GMT recurring
                      !
                      !
                      dot11 syslog
                      ip source-route
                      !
                      !
                      no ip dhcp use vrf connected
                      ip dhcp excluded-address 192.168.1.1 192.168.1.150
                      ip dhcp excluded-address 192.168.1.201 192.168.1.254
                      !
                      ip dhcp pool CLIENTS
                         network 192.168.1.0 255.255.255.0
                         dns-server 192.168.1.1 
                         default-router 192.168.1.1 
                         lease 0 12
                      !
                      ip dhcp pool JimDesktop
                         host 192.168.1.201 255.255.255.0
                         client-identifier 0100.18f3.3d51.62
                      !
                      no ip cef
                      ip domain name XXXXX.co.uk
                      ip host view OverriddenDNS www.XXX.co.uk 192.168.1.50
                      ip name-server 195.74.113.58
                      ip name-server 195.74.113.59
                      ip name-server 195.74.102.146
                      ip name-server 195.74.102.147
                      login block-for 180 attempts 2 within 120
                      login on-failure log
                      login on-success log
                      no ipv6 cef
                      ntp server 195.74.96.12
                      !
                      multilink bundle-name authenticated
                      !
                      vpdn enable
                      !
                      vpdn-group 1
                      ! Default PPTP VPDN group
                       accept-dialin
                        protocol pptp
                        virtual-template 1
                      !
                      !
                      !
                      username XXXX privilege 15 password 7 XXXXX
                      username XXXX password 7 XXXX
                      ! 
                      !
                      !
                      archive
                       log config
                        hidekeys
                      !
                      !
                      ip ssh version 2
                      !
                      class-map match-all Traffic-Class-HighPriority
                       match access-group 161
                      class-map match-all Traffic-Class-LowPriority
                       match access-group 162
                      !
                      !
                      policy-map Dialer0-Outbound
                       class Traffic-Class-HighPriority
                          priority percent 30
                       class Traffic-Class-LowPriority
                          priority percent 10
                       class class-default
                          fair-queue
                      !
                      !
                      !
                      !
                      interface ATM0
                       description ADSL Connection
                       no ip address
                       no atm ilmi-keepalive
                       pvc 0/38 
                        encapsulation aal5mux ppp dialer
                        dialer pool-member 1
                       !
                       hold-queue 200 in
                      !
                      interface FastEthernet0
                      !
                      interface FastEthernet1
                      !
                      interface FastEthernet2
                      !
                      interface FastEthernet3
                      !
                      interface Virtual-Template1
                       ip unnumbered Vlan1
                       peer default ip address pool VPNPOOL
                       no keepalive
                       ppp encrypt mppe auto required
                       ppp authentication ms-chap ms-chap-v2
                      !
                      interface Vlan1
                       description LAN
                       ip address 192.168.0.254 255.255.255.0 secondary
                       ip address 192.168.1.1 255.255.255.0
                       ip dns view-group OverriddenDNSViewList
                       ip nat inside
                       ip nat enable
                       ip virtual-reassembly
                       ip tcp adjust-mss 1452
                       hold-queue 100 in
                       hold-queue 100 out
                      !
                      interface Dialer0
                       ip address negotiated
                       ip access-group 103 in
                       ip access-group 102 out
                       ip nat outside
                       ip virtual-reassembly
                       encapsulation ppp
                       ip tcp header-compression iphc-format
                       ip tcp adjust-mss 1452
                       dialer pool 1
                       dialer-group 1
                       no cdp enable
                       ppp authentication pap chap callin
                       ppp chap hostname [email protected]
                       ppp chap password 7 XXXX4XXXX
                       ppp ipcp dns request
                       service-policy output Dialer0-Outbound
                       ip rtp header-compression iphc-format
                      !
                      ip local pool VPNPOOL 192.168.16.200 192.168.16.210
                      ip forward-protocol nd
                      ip route 0.0.0.0 0.0.0.0 Dialer0
                      no ip http server
                      no ip http secure-server
                      !
                      !
                      ip dns view OverriddenDNS
                       dns forwarder 195.74.113.62
                       dns forwarder 195.74.113.59
                       dns forwarder 195.74.102.146
                       dns forwarder 195.74.102.147
                      ip dns view-list OverriddenDNSViewList
                       view OverriddenDNS 10
                       view default 20
                      ip dns server
                      no ip nat service sip udp port 5060
                      ip nat inside source static tcp 192.168.1.50 25 interface Dialer0 25
                      ip nat inside source static tcp 192.168.1.50 80 interface Dialer0 80
                      ip nat inside source static tcp 192.168.1.50 443 interface Dialer0 443
                      ip nat inside source static tcp 192.168.1.50 995 interface Dialer0 995
                      ip nat inside source static tcp 192.168.1.50 32025 interface Dialer0 32025
                      ip nat inside source static tcp 192.168.1.50 20 interface Dialer0 20
                      ip nat inside source static tcp 192.168.1.50 21 interface Dialer0 21
                      ip nat inside source list 102 interface Dialer0 overload
                      !
                      ip access-list standard SNMP-ALLOWED
                       permit 192.168.1.50
                       deny   any
                      !
                      !
                      logging 192.168.1.50
                      access-list 40 permit 192.168.0.0 0.0.0.255
                      access-list 40 permit 192.168.1.0 0.0.0.255
                      access-list 40 remark Control who can access the router via SSH
                      access-list 101 remark Control traffic allowed into the router
                      access-list 101 permit tcp any any eq www
                      access-list 101 permit tcp any any eq ftp-data
                      access-list 101 permit tcp any any eq ftp
                      access-list 101 permit tcp any any eq smtp
                      access-list 101 permit tcp any any eq 443
                      access-list 102 permit ip 192.168.1.0 0.0.0.255 any
                      access-list 103 permit tcp any 192.168.1.0 0.0.0.255 eq smtp
                      access-list 103 permit tcp any 192.168.1.0 0.0.0.255 eq www
                      access-list 103 permit tcp any 192.168.1.0 0.0.0.255 eq 443
                      access-list 103 permit tcp any 192.168.1.0 0.0.0.255 eq 995
                      access-list 103 permit tcp any 192.168.1.0 0.0.0.255 eq 32025
                      access-list 103 permit tcp any 192.168.1.0 0.0.0.255 eq ftp-data
                      access-list 103 permit tcp any 192.168.1.0 0.0.0.255 eq ftp
                      access-list 103 permit tcp any 192.168.1.0 0.0.0.255 established
                      access-list 103 deny   ip any any
                      access-list 161 remark High Priority / Low Latency Traffic
                      access-list 161 permit tcp any eq 3389 any
                      access-list 161 permit tcp any any eq 3389
                      access-list 161 permit udp any any
                      access-list 161 permit icmp any any
                      access-list 161 permit tcp any eq www any
                      access-list 161 permit tcp any any eq www
                      access-list 162 remark Low Priority Traffic
                      access-list 162 permit tcp any any eq ftp-data
                      dialer-list 1 protocol ip permit
                      !
                      !
                      !
                      !
                      snmp-server community XXXX RW SNMP-ALLOWED
                      !
                      control-plane
                      !
                      !
                      line con 0
                       exec-timeout 0 0
                       password 7 111918160405041E00
                       no modem enable
                       transport output all
                      line aux 0
                       transport output all
                      line vty 0 4
                       access-class 40 in
                       exec-timeout 0 0
                       privilege level 15
                       password 7 XXXX
                       transport input ssh
                       transport output all
                      !
                      scheduler max-task-time 5000
                      scheduler allocate 20000 1000
                      end

                      Comment


                      • #12
                        Re: Cisco 877 with NAT - Unable to get inbound access list to work - it blocks outbou

                        apply only 103 and remove 102


                        also any firewall is coming in between

                        try and let me know the result

                        Comment


                        • #13
                          Re: Cisco 877 with NAT - Unable to get inbound access list to work - it blocks outbou

                          also remove deny ip any any

                          Comment


                          • #14
                            Re: Cisco 877 with NAT - Unable to get inbound access list to work - it blocks outbou

                            Hi,

                            Many thanks for your help, but I've given up. I'm out of my depth. What I have at the moment works well; there's no ACL but it seems to work.

                            So, thanks anyway, but I'll leave it as it is.


                            Jim

                            Comment

                            Working...
                            X