
Internet access stops working for internal hosts when an access list is applied on Dialer0 on a Cisco 857 ADSL router.

Hi
I have a 857 router with an ADSL interface.
The config is below.
Everything works ok except when I apply access list 101 to the dialer0 interface with the command

ip access-group 101 in

and then it's all havoc: internal clients cannot connect to the internet.

What do you think I'm doing wrong? Thanks!

----
Current configuration : 10037 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
no service password-encryption
service sequence-numbers
!
hostname xxx
!
boot-start-marker
boot system flash:c850-advsecurityk9-mz.124-15.T.bin
boot-end-marker
!
logging buffered 10240
logging console critical
enable secret 5 $1$GK4x$.6VhjM33SY8LB8oevhg1n1
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login userlist local
aaa authentication login userauthen local
aaa authorization network groupauthor local
!
!
aaa session-id common

!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group vgroup
 key cisco
 domain vn.com
 pool vpnclients
 acl 106
!
!
crypto ipsec transform-set tr-null-sha esp-null esp-sha-hmac
crypto ipsec transform-set tr-des-md5 esp-des esp-md5-hmac
crypto ipsec transform-set tr-3des-md5 esp-3des esp-md5-hmac
crypto ipsec transform-set tr-3des-sha esp-3des esp-sha-hmac
crypto ipsec transform-set tr-aes-sha esp-aes esp-sha-hmac
!
crypto dynamic-map vpnusers 1
 description Client to Site VPN Users
 set transform-set tr-3des-sha
!
!
crypto map cm-cryptomap client authentication list userauthen
crypto map cm-cryptomap isakmp authorization list groupauthor
crypto map cm-cryptomap client configuration address respond
crypto map cm-cryptomap 65000 ipsec-isakmp dynamic vpnusers
!
!
crypto pki trustpoint TP-self-signed-3128061961
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3128061961
 revocation-check none
 rsakeypair TP-self-signed-3128061961
!
!
crypto pki certificate chain TP-self-signed-3128061961
 certificate self-signed 01
  30820255 308201BE A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 33313238 30363139 3631301E 170D3032 30333031 30303239
  33335A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 31323830
  36313936 3130819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  8100C87B 447F0123 2DCE21A5 7F8238C0 011765E1 C0438B70 499D1887 67A914B6
  5D079278 00585C4B 1AECE14B 4F35046A ABFF1781 E713F479 6B54DD04 FD4C0BF2
  C66A866E 06659910 E6F7683D E9F355C3 7D01DC0E 2F653195 43ADC197 A34EF53F
  87E14CE3 28C80507 1F0B9B53 4FC30931 F8CF257F E8D357D6 E940C8B3 82BF07C7
  1DA90203 010001A3 7D307B30 0F060355 1D130101 FF040530 030101FF 30280603
  551D1104 21301F82 1D766772 6F75702D 7230312E 76697369 6F6E6465 7369676E
  2E636F2E 756B301F 0603551D 23041830 168014D2 1322DE82 E5E90AC9 5D6761AA
  4F953E54 AC323830 1D060355 1D0E0416 0414D213 22DE82E5 E90AC95D 6761AA4F
  953E54AC 3238300D 06092A86 4886F70D 01010405 00038181 009D0EFD B8682A46
  59612A60 40E65ECC E2ACA17D 6E42CCEF DB04FECB 8A7DD0B7 8404D50B 31843913
  0142FE25 3D22D2D2 F5EDEAA4 44FA4DE4 2F362FE3 2019BF72 DB32D809 64CD7591
  147EC36D B3B9E249 DB4E1AFB 0F30E9C2 787E059D 72C52EAB D8C13FAB 3D46F093
  CC8905C7 401AFE17 8BE568BB 09E95468 1DF051DD C2CABB2C E1
        quit
no ip dhcp use vrf connected
ip dhcp excluded-address 10.10.10.1
ip dhcp excluded-address 192.168.254.254
ip dhcp excluded-address 192.168.254.207
ip dhcp excluded-address 192.168.254.200 192.168.254.254
!
ip dhcp pool dhcppool
   import all
   network 192.168.254.0 255.255.255.0
   default-router 192.168.254.254
   dns-server 208.x.x.x 208.x.x.x
   update arp
!
!
ip cef
no ip bootp server
ip domain name vn.com
ip name-server 212.x.x.x
ip name-server 212.x.x.x
!
!
!
username elp secret 5 $1$Ir9Z$ym5Y1/Dwencc8fuq0Co0i0

archive
 log config
  hidekeys
!
!
ip tcp synwait-time 10
!        
!
!
interface Null0
 no ip unreachables
!
interface ATM0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface ATM0.1 point-to-point
 description ADSL Interface
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no snmp trap link-status
 pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
!
interface FastEthernet0
 description Connection to Switch
 duplex full
 speed 100
!
interface FastEthernet1
 shutdown
!
interface FastEthernet2
 shutdown
!
interface FastEthernet3
 shutdown
!
interface Vlan1
 description Inside$FW_INSIDE$
 ip address 192.168.254.254 255.255.255.0
 ip access-group 121 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
!
interface Dialer0
 description Outside$FW_OUTSIDE$
 ip address 86.x.x.x 255.255.255.248
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 no ip route-cache cef
 no ip route-cache
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap callin
 ppp chap hostname ad3367@link.adsl.mmm.com
 ppp chap password 7 070520425B0C1E03
 crypto map cm-cryptomap
!
ip local pool vpnclients 10.1.0.1 10.1.0.254
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip http server
ip http access-class 4
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source static tcp 192.168.254.100 22 interface Dialer0 22
ip nat inside source static tcp 192.168.254.100 5003 interface Dialer0 5003
ip nat inside source route-map nat-map interface Dialer0 overload
!
access-list 1 remark The local LAN.
access-list 1 permit 192.168.254.0 0.0.0.255
access-list 2 permit 85.x.x.x
access-list 2 permit 87.x.x.x7
access-list 2 permit 192.168.254.5
access-list 2 remark Where management can be done from.
access-list 2 permit 192.168.254.0 0.0.0.255
access-list 2 permit 10.0.0.0 0.255.255.255
access-list 3 remark Traffic not to check for intrustion detection.
access-list 3 deny   10.1.0.0 0.0.0.255
access-list 3 permit any
access-list 4 remark HTTP Access-class list
access-list 4 remark SDM_ACL Category=1
access-list 4 permit 192.168.254.0 0.0.0.255
access-list 4 deny   any
access-list 101 remark Traffic allowed to enter the router from the Internet
access-list 101 permit ip 10.1.0.0 0.0.0.255 192.168.254.0 0.0.0.255
access-list 101 permit udp any any eq non500-isakmp
access-list 101 permit udp any any eq isakmp
access-list 101 permit esp any any
access-list 101 permit tcp any any eq 1723
access-list 101 permit gre any any
access-list 101 permit tcp any any eq 22
access-list 101 permit tcp any any eq telnet
access-list 101 permit tcp host 193.192.76.113 any eq 5003
access-list 101 deny   icmp any any echo
access-list 102 remark Traffic allowed to enter the router from the Ethernet
access-list 102 permit ip any host 192.168.254.254
access-list 102 deny   ip any host 192.168.254.255
access-list 102 deny   udp any any eq tftp log
access-list 102 permit ip 192.168.254.0 0.0.0.255 10.1.0.0 0.0.0.255
access-list 102 deny   ip any 0.0.0.0 0.255.255.255 log
access-list 102 deny   ip any 10.0.0.0 0.255.255.255 log
access-list 102 deny   ip any 127.0.0.0 0.255.255.255 log
access-list 102 deny   ip any 169.254.0.0 0.0.255.255 log
access-list 102 deny   ip any 172.16.0.0 0.15.255.255 log
access-list 102 deny   ip any 192.0.2.0 0.0.0.255 log
access-list 102 deny   ip any 192.168.0.0 0.0.255.255 log
access-list 102 deny   ip any 198.18.0.0 0.1.255.255 log
access-list 102 deny   udp any any eq 135 log
access-list 102 deny   tcp any any eq 135 log
access-list 102 deny   udp any any eq netbios-ns log
access-list 102 deny   udp any any eq netbios-dgm log
access-list 102 deny   tcp any any eq 445 log
access-list 102 permit ip 192.168.254.0 0.0.0.255 any
access-list 102 permit ip any host 255.255.255.255
access-list 102 deny   ip any any log
access-list 105 remark Traffic to NAT
access-list 105 deny   ip 192.168.254.0 0.0.0.255 10.1.0.0 0.0.0.255
access-list 105 permit ip 192.168.254.0 0.0.0.255 any
access-list 106 permit ip 192.168.254.0 0.0.0.255 10.1.0.0 0.0.0.255
access-list 121 remark inside access list
access-list 121 permit ip any any
access-list 122 permit udp any any eq non500-isakmp
access-list 122 permit udp any any eq isakmp
access-list 122 permit esp any any
access-list 122 permit tcp any any eq 1723
access-list 122 permit gre any any
access-list 122 permit tcp any any eq 22
access-list 122 permit tcp any any eq telnet
access-list 122 permit tcp host 193.192.76.113 any eq 5003
dialer-list 1 protocol ip permit
no cdp run
route-map nat-map permit 1
 match ip address 105
!
!
control-plane
!
banner login ^C
-----------------------------------------------------------------------
This system is to be used by authorised users only for the purpose of
conducting official company work.

Any activities conducted on this system will be monitored and/or
recorded and there is no expectation of privacy while using this system.

All possible abuse and criminal activity will be handed over to the
proper law enforcement officials for investigation and procecution.

Use of this system implies consent to all of the conditions stated
within this warning notification.
-----------------------------------------------------------------------
^C
!
line con 0
 no modem enable
 transport output telnet
line aux 0
 transport output telnet
line vty 0 4
 access-class 2 in
 privilege level 15
 transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end
Asked by: eggster34

1 Solution
RPPreacher commented:
Access lists on PIX always end with an implied deny any any.

If you need the ACL to allow certain traffic you must specifically allow it.

Jan Springer commented:
Any Cisco (to my knowledge) access-list behaves this way.

When creating an ACL, it can be done in one of two ways -- whichever is shorter.

1) Specify what is permitted and deny the rest at the end
2) Specify what you want to deny and permit the rest at the end

The exception would be for hosts within a subnet where you might specify permits from/to that host and a deny any to the host followed by explicit permits and denies for other hosts or the subnet in general.

rsivanandan commented:
>>access-list 101 remark Traffic allowed to enter the router from the Internet
access-list 101 permit ip 10.1.0.0 0.0.0.255 192.168.254.0 0.0.0.255
access-list 101 permit udp any any eq non500-isakmp
access-list 101 permit udp any any eq isakmp
access-list 101 permit esp any any
access-list 101 permit tcp any any eq 1723
access-list 101 permit gre any any
access-list 101 permit tcp any any eq 22
access-list 101 permit tcp any any eq telnet
access-list 101 permit tcp host 193.192.76.113 any eq 5003
access-list 101 deny   icmp any any echo

The above is the one that controls what you allow to come back from the Internet; on the other hand, the one below is what is allowed to go out:

>>access-list 121 remark inside access list
access-list 121 permit ip any any

You're allowing everything to go out. Now let's take an example: say host A goes out to www.google.com, since acl 121 permits it. Now, while coming back, it would be blocked, since your acl 101 doesn't have an entry for *http* itself.

So a simple solution would be this: add one more line to acl 101, as below:

>>access-list 101 permit tcp any any established

The above keyword means that if a connection coming back was originally initiated by your inside client, allow it.

So put it in there and see if it works [ It may not work, since incoming UDP packets from the external DNS server also need to be allowed; but just try this, and if it doesn't work then you need to allow the DNS query to come back as well ]

Cheers,
Rajesh
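To make the stateless behaviour described in this answer concrete, here is an added Python example (it is not from the thread and not Cisco code): it parses the subset of IOS extended-ACL syntax that ACL 101 uses, evaluates constructed packets against it with first-match and implicit-deny semantics, and compares the ACL as posted with the ACL plus `permit tcp any any established` and a DNS-reply entry (`permit udp any eq domain any`, my assumed form of the allowance the answer says will also be needed). The outside address 203.0.113.1, the peer addresses 198.51.100.x and the sample packets are constructed stand-ins for the redacted 86.x.x.x address and for real traffic.

```python
import ipaddress
from collections import namedtuple
from dataclasses import dataclass
from typing import Optional

PORT_NAMES = {"isakmp": 500, "non500-isakmp": 4500, "telnet": 23, "www": 80, "domain": 53}

@dataclass
class Packet:
    proto: str                      # "tcp", "udp", "icmp", "esp", "gre"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    flags: frozenset = frozenset()  # TCP flags, e.g. {"SYN"} or {"SYN", "ACK"}
    icmp_type: Optional[str] = None

# One parsed access-list entry; None for sport/dport/icmp_type means "not specified".
Rule = namedtuple("Rule", "action proto src dst sport dport established icmp_type")

def _network(tokens):
    """Consume an address spec: any | host A.B.C.D | A.B.C.D WILDCARD."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.IPv4Network(tokens.pop(0) + "/32")
    wildcard = int(ipaddress.IPv4Address(tokens.pop(0)))
    netmask = ipaddress.IPv4Address(0xFFFFFFFF ^ wildcard)  # wildcard mask -> netmask
    return ipaddress.IPv4Network(f"{tok}/{netmask}", strict=False)

def _port(tokens):
    """Consume an optional `eq PORT` qualifier (IOS keyword or number)."""
    if tokens and tokens[0] == "eq":
        tokens.pop(0)
        name = tokens.pop(0)
        return PORT_NAMES.get(name) or int(name)
    return None

def parse_acl(text):
    """Parse `access-list N permit|deny ...` lines in order; remarks are skipped."""
    rules = []
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 4 or t[0] != "access-list" or t[2] == "remark":
            continue
        action, proto, rest = t[2], t[3], t[4:]
        src, sport = _network(rest), _port(rest)  # tuple evaluates left to right
        dst, dport = _network(rest), _port(rest)
        icmp = rest[0] if proto == "icmp" and rest else None  # e.g. "echo"
        rules.append(Rule(action, proto, src, dst, sport, dport, "established" in rest, icmp))
    return rules

def evaluate(rules, pkt):
    """First matching entry wins; no match is the ACL's implicit deny (rule None)."""
    src, dst = ipaddress.IPv4Address(pkt.src), ipaddress.IPv4Address(pkt.dst)
    for r in rules:
        if r.proto not in ("ip", pkt.proto) or src not in r.src or dst not in r.dst:
            continue
        if r.sport not in (None, pkt.sport) or r.dport not in (None, pkt.dport):
            continue
        # `established` is a TCP flag check (ACK or RST set), not connection tracking.
        if r.established and not (pkt.flags & {"ACK", "RST"}):
            continue
        if r.icmp_type is not None and pkt.icmp_type != r.icmp_type:
            continue
        return r.action, r
    return "deny", None

# ACL 101 as posted in the question (applied inbound on Dialer0), remark omitted.
ACL_101_POSTED = """
access-list 101 permit ip 10.1.0.0 0.0.0.255 192.168.254.0 0.0.0.255
access-list 101 permit udp any any eq non500-isakmp
access-list 101 permit udp any any eq isakmp
access-list 101 permit esp any any
access-list 101 permit tcp any any eq 1723
access-list 101 permit gre any any
access-list 101 permit tcp any any eq 22
access-list 101 permit tcp any any eq telnet
access-list 101 permit tcp host 193.192.76.113 any eq 5003
access-list 101 deny   icmp any any echo
"""
# The entry the answer proposes, plus a DNS-reply entry (assumed form) for the caveat it raises.
ACL_101_FIXED = ACL_101_POSTED + """
access-list 101 permit tcp any any established
access-list 101 permit udp any eq domain any
"""
OUTSIDE = "203.0.113.1"  # constructed stand-in for the redacted 86.x.x.x Dialer0 address

def inbound_verdicts(acl_text):
    """Verdicts for constructed packets arriving on Dialer0 (seen pre-NAT, so dst is OUTSIDE)."""
    rules = parse_acl(acl_text)
    samples = {
        "http_reply": Packet("tcp", "198.51.100.80", OUTSIDE, 80, 51000, frozenset({"SYN", "ACK"})),
        "dns_reply": Packet("udp", "198.51.100.53", OUTSIDE, 53, 51001),
        "http_new": Packet("tcp", "198.51.100.9", OUTSIDE, 40000, 80, frozenset({"SYN"})),
        "ping": Packet("icmp", "198.51.100.9", OUTSIDE, icmp_type="echo"),
    }
    return {name: evaluate(rules, p)[0] for name, p in samples.items()}
```

Calling `inbound_verdicts` on the two ACL texts shows the returning SYN-ACK of a client's web request and the resolver's UDP reply both falling through to the implicit deny under the posted ACL, and only the TCP reply being rescued by `established`; a fresh inbound SYN to port 80 stays denied either way, because `established` only checks the ACK/RST bits and does not track connections. That flag check is also why the DNS caveat in the answer matters: UDP has no flags, so DNS replies need their own entry (the assumed `permit udp any eq domain any` line here), while the explicit `deny icmp any any echo` keeps matching pings before the new entries are reached.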
rsivanandan commented:
Just as a side note, acl 121 is not doing any good, since it allows everything; it is as good as not being there.

Second, the ACLs can be controlled a little more effectively on the inside itself, using 121.

Cheers,
Rajesh