
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1053

My Cisco "ip access-group" halts internet activity, why?

Hi all,

We have a Cisco 877 (integrated ADSL) at one of our remote offices. I went to give myself telnet access from head office over the internet and noticed there was no "ip access-group in" command on the Dialer interface.

I assume that basically means there was no firewall running on that interface?

I copied an ACL from another router, changing IPs as necessary, but when I apply the ACL (using "ip access-group 101 in" under the Dialer0 interface), internet activity at the remote office stops. Users can't surf the web and can't RDP to a remote server over the internet. VPN seems to be fine, though, and the Dialer is still up.

I can't quite figure out why. Here is the config, below (with the ip access-group 101 in command not applied).

Can anyone let me know why this is happening?

One other thing - are those parameter-maps even being used? Or should I simply remove them?

Current configuration : 6945 bytes
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
hostname MYROUTER
logging buffered 51200
logging console critical
enable secret 5 blahblah
no aaa new-model
clock timezone PCTime 12
clock summer-time PCTime date Mar 16 2003 3:00 Oct 5 2003 2:00
crypto pki trustpoint TP-self-signed-4145053229
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-4145053229
 revocation-check none
 rsakeypair TP-self-signed-4145053229
crypto pki certificate chain TP-self-signed-4145053229
 certificate self-signed 01
  30820259 308201C2 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 34313435 30353332 3239301E 170D3032 30333031 30303134
  33345A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D34 31343530
  35333232 3930819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  8100AD05 1C1C1761 5EA0C258 2961B6A2 4E04416A AF828236 FD6F2DC7 ED857BEF
  32C4EFC0 6B20865A 60B6013D 73DD6EEE F3087B6A 42D0EB17 F576D8F3 0303B19D
  09D5F9CE 32F62F6B 3DA53B71 7469CE9C 204629D3 B2ABF89B A1333B81 01B96FA1
  FB9F6841 EC2C3B3A AB816BEF 38A97B9D 02C0E439 17811178 249E1C5D 15
no ip source-route
no ip dhcp use vrf connected
ip dhcp excluded-address
ip dhcp excluded-address
ip dhcp pool sdm-pool1
   import all
ip cef
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
no ip bootp server
ip domain name mydomain.local
ip name-server DNS1
ip name-server DNS2
parameter-map type protocol-info msn-servers
 server name messenger.hotmail.com
 server name gateway.messenger.hotmail.com
 server name webmessenger.msn.com
parameter-map type protocol-info aol-servers
 server name login.oscar.aol.com
 server name toc.oscar.aol.com
 server name oam-d09a.blue.aol.com
parameter-map type protocol-info yahoo-servers
 server name scs.msg.yahoo.com
 server name scsa.msg.yahoo.com
 server name scsb.msg.yahoo.com
 server name scsc.msg.yahoo.com
 server name scsd.msg.yahoo.com
 server name cs16.msg.dcn.yahoo.com
 server name cs19.msg.dcn.yahoo.com
 server name cs42.msg.dcn.yahoo.com
 server name cs53.msg.dcn.yahoo.com
 server name cs54.msg.dcn.yahoo.com
 server name ads1.vip.scd.yahoo.com
 server name radio1.launch.vip.dal.yahoo.com
 server name in1.msg.vip.re2.yahoo.com
 server name data1.my.vip.sc5.yahoo.com
 server name address1.pim.vip.mud.yahoo.com
 server name edit.messenger.yahoo.com
 server name messenger.yahoo.com
 server name http.pager.yahoo.com
 server name privacy.yahoo.com
 server name csa.yahoo.com
 server name csb.yahoo.com
 server name csc.yahoo.com
parameter-map type regex sdm-regex-nonascii
 pattern [^\x00-\x80]
username blahblah privilege 15 secret 5 blahblah
 log config
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
interface ATM0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 no atm ilmi-keepalive
 dsl operating-mode auto
interface ATM0.1 point-to-point
 description $ES_WAN$$FW_OUTSIDE$
 pvc 0/100
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
interface FastEthernet0
interface FastEthernet1
interface FastEthernet2
interface FastEthernet3
interface Vlan1
 ip address
 ip access-group 100 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 ip tcp adjust-mss 1452
interface Dialer0
 description $FW_OUTSIDE$
 ip address negotiated
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 ip route-cache flow
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication pap callin
 ppp pap sent-username blahblah password 7 blahblah
ip forward-protocol nd
ip route Dialer0
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 1 interface Dialer0 overload
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit
access-list 100 permit udp any any eq domain
access-list 100 permit udp any eq domain any
access-list 100 deny   ip host any
access-list 100 deny   ip any
access-list 100 permit ip any any
access-list 101 deny   ip any
access-list 101 permit tcp host <REMOTE_STATIC_IP> host <STATIC_IP> eq telnet
access-list 101 permit udp any host <STATIC_IP> eq isakmp
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any unreachable
access-list 101 deny   ip any
access-list 101 deny   ip any
access-list 101 deny   ip any
access-list 101 deny   ip any
access-list 101 deny   ip host any
access-list 101 deny   ip host any
dialer-list 1 protocol ip permit
no cdp run
banner login ^CAuthorized access only!
 Disconnect IMMEDIATELY if you are not an authorized user!^C
line con 0
 login local
 no modem enable
 transport output telnet
line aux 0
 login local
 transport output telnet
line vty 0 4
 privilege level 15
 login local
 transport input telnet ssh
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500


1 Solution
It looks to me like the other router may have had CBAC configured.


! --------------------------------
! Create the CBAC inspection rule
! --------------------------------
! Create the CBAC inspection rule STOP to allow inspection of the protocol traffic
! specified by the rule.
ip inspect name STOP tcp
ip inspect name STOP ftp
ip inspect name STOP smtp
ip inspect name STOP h323
ip inspect name STOP rcmd

! Through the dialer profile, the ACL and CBAC inspection rules are
! applied to every pool member. In this example, the ACL is applied in, meaning that it
! applies to traffic inbound from the ISP. The CBAC inspection rule STOP is applied
! out, meaning that CBAC monitors the traffic through the interface and controls return
! traffic to the router for an existing connection.
interface Dialer0
 ip access-group 101 in
 ip inspect STOP out
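
Added example, not part of the original thread and not Cisco's code: a small Python model of why the inbound ACL alone kills browsing while "ip inspect ... out" brings it back. Access-list 101 is reproduced as posted (with the redacted deny lines omitted, since anything they drop is also dropped by the implicit deny at the end), and CBAC is modelled as a session table that records outbound sessions of the inspected protocols and admits their reply packets ahead of the static ACL. Assumptions: RFC 5737 addresses stand in for <STATIC_IP> and <REMOTE_STATIC_IP>, the peer addresses and ports are constructed, and packets are shown as they appear on Dialer0 after NAT (source STATIC_IP). The protocol list is a parameter because it matters: an inspection rule that names only tcp lets web and RDP replies back in but still drops UDP replies such as DNS.

```python
"""Stateless inbound ACL vs. CBAC-style inspection on a Dialer0-like outside
interface. Constructed example; addresses, ports and packets are illustrative."""
from dataclasses import dataclass
from typing import Optional

STATIC_IP = "192.0.2.1"           # stand-in for the router's negotiated <STATIC_IP>
REMOTE_STATIC_IP = "192.0.2.200"  # stand-in for head office <REMOTE_STATIC_IP>


@dataclass(frozen=True)
class Packet:
    proto: str            # "tcp" | "udp" | "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    icmp_type: str = ""   # icmp only: "echo-reply", "unreachable", ...


@dataclass(frozen=True)
class Ace:
    action: str           # "permit" | "deny"
    proto: str            # "ip" matches every protocol
    src: str              # "any" or a single host (wildcard masks left out)
    dst: str
    dport: Optional[int] = None
    icmp_type: Optional[str] = None

    def matches(self, p: Packet) -> bool:
        return (self.proto in ("ip", p.proto)
                and self.src in ("any", p.src)
                and self.dst in ("any", p.dst)
                and (self.dport is None or self.dport == p.dport)
                and (self.icmp_type is None or self.icmp_type == p.icmp_type))


# access-list 101 as applied "in" on Dialer0, minus the redacted deny lines.
ACL_101 = [
    Ace("permit", "tcp", REMOTE_STATIC_IP, STATIC_IP, dport=23),   # telnet from head office
    Ace("permit", "udp", "any", STATIC_IP, dport=500),             # isakmp for the VPN
    Ace("permit", "icmp", "any", "any", icmp_type="echo-reply"),
    Ace("permit", "icmp", "any", "any", icmp_type="time-exceeded"),
    Ace("permit", "icmp", "any", "any", icmp_type="unreachable"),
]


def acl_verdict(acl, p: Packet) -> str:
    """First match wins; IOS ends every ACL with an implicit 'deny ip any any'."""
    for ace in acl:
        if ace.matches(p):
            return ace.action
    return "deny"


class Inspector:
    """Model of 'ip inspect NAME out': outbound sessions of the inspected
    protocols are recorded, and their return packets are admitted inbound
    before the static ACL is consulted."""

    def __init__(self, protocols):
        self.protocols = set(protocols)
        self.sessions = set()

    def outbound(self, p: Packet) -> None:
        if p.proto in self.protocols:
            self.sessions.add((p.proto, p.src, p.sport, p.dst, p.dport))

    def is_return_traffic(self, p: Packet) -> bool:
        return (p.proto, p.dst, p.dport, p.src, p.sport) in self.sessions


def inbound_verdict(p: Packet, acl, inspector: Optional[Inspector]) -> str:
    if inspector is not None and inspector.is_return_traffic(p):
        return "permit (inspection)"
    return acl_verdict(acl, p)


def simulate(inspected_protocols=()) -> dict:
    """Replay the symptom: LAN users (post-NAT source STATIC_IP) open web, RDP
    and DNS sessions; the replies then arrive inbound on Dialer0."""
    insp = Inspector(inspected_protocols) if inspected_protocols else None
    outbound = [
        Packet("tcp", STATIC_IP, "198.51.100.10", 51000, 80),    # web
        Packet("tcp", STATIC_IP, "203.0.113.7", 51001, 3389),    # RDP to remote server
        Packet("udp", STATIC_IP, "198.51.100.53", 51002, 53),    # DNS
    ]
    if insp is not None:
        for p in outbound:
            insp.outbound(p)
    inbound = {
        "web reply": Packet("tcp", "198.51.100.10", STATIC_IP, 80, 51000),
        "rdp reply": Packet("tcp", "203.0.113.7", STATIC_IP, 3389, 51001),
        "dns reply": Packet("udp", "198.51.100.53", STATIC_IP, 53, 51002),
        "telnet from head office": Packet("tcp", REMOTE_STATIC_IP, STATIC_IP, 40000, 23),
        "isakmp from vpn peer": Packet("udp", "203.0.113.99", STATIC_IP, 500, 500),
        "ping reply": Packet("icmp", "198.51.100.1", STATIC_IP, icmp_type="echo-reply"),
        "unsolicited rdp scan": Packet("tcp", "203.0.113.66", STATIC_IP, 44444, 3389),
    }
    return {name: inbound_verdict(p, ACL_101, insp) for name, p in inbound.items()}


if __name__ == "__main__":
    for label, protos in (("ACL only", ()), ("ACL + inspect tcp", ("tcp",)),
                          ("ACL + inspect tcp and udp", ("tcp", "udp"))):
        print(label)
        for name, verdict in simulate(protos).items():
            print(f"  {name:24} {verdict}")
```

With the ACL alone, every reply to a session the users started is dropped, while telnet from head office, isakmp and ping replies still match static entries, which is exactly the poster's picture: no web or RDP, VPN and Dialer fine. Adding inspection admits the replies without loosening the ACL, and the unsolicited inbound scan stays blocked in every variant. Real CBAC also tracks TCP state and opens secondary channels for application protocols such as ftp and h323, which this model leaves out.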

slamitAuthor Commented:
Fantastic, thanks for that - I did wonder but didn't put an inspection rule in - I've slapped in a default inspection rule and she's away! Thanks very much! :)
slamitAuthor Commented:
Oh - should I remove those parameter maps? I'm no expert, but it looks to me like they're not being used?
I have never used parameter maps or seen them in use before.  I did some searching on cisco.com but couldn't come up with anything useful.

I'll keep looking.  :)
slamitAuthor Commented:
I think SDM just threw them in there, but it looks like it only did half a job!

I'll kill them and see if anyone freaks out... :)
