  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 344

851w ACL Issue

I am a Cisco newbie. I have an 851w that I'm trying to set up to learn on. I had issues with the wireless not showing up at first and no access to the SDM. I got most of it worked out but could use help in cleaning up the access-lists that SDM mucked up, I believe. I can access the 192.168.20.0 network (web server and Windows share by IP) that it's connected to, but can't go out past that to the internet. I tried to locate other posts with configs to match and see where the disconnect is, and I am at a loss. Once working it will be connected to the internet, so I want the NAT.
Also, some of them had the wireless in a bridge config and some had the wireless on its own VLAN and IP network. Is there an advantage of one over the other?

Thank you in advance for any help on this.
Building configuration...

Current configuration : 6049 bytes
!
version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname 851w
!
boot-start-marker
boot-end-marker
!
no logging buffered
enable secret 5 $1$4Zs7$H8HzZ8dwtKgPKel1LrMry.
enable password 7 10440600171E160E
!
username admin privilege 15 password 7 060C00385E470D1C44
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
aaa session-id common
ip subnet-zero
ip dhcp excluded-address 192.168.30.1 192.168.30.4
ip dhcp excluded-address 192.168.30.36 192.168.30.254
!
ip dhcp pool sdm-pool1
   network 192.168.30.0 255.255.255.0
   dns-server 4.2.2.2
   default-router 192.168.30.1
!
!
ip cef
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW esmtp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW vdolive
ip domain name peziol.local
ip name-server 4.2.2.2
no ftp-server write-enable
!
!
!
!
!
bridge irb
!
!
interface FastEthernet0
 no ip address
 spanning-tree portfast
!
interface FastEthernet1
 no ip address
 spanning-tree portfast
!
interface FastEthernet2
 no ip address
 spanning-tree portfast
!
interface FastEthernet3
 no ip address
 spanning-tree portfast
!
interface FastEthernet4
 description $ETH-WAN$$FW_OUTSIDE$
 ip address 192.168.20.200 255.255.255.0
 ip access-group 104 in
 ip verify unicast reverse-path
 ip inspect SDM_LOW out
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface Dot11Radio0
 no ip address
 !
 encryption vlan 1 mode ciphers tkip
 !
 ssid InternalWLAN
    vlan 1
    authentication open
    authentication key-management wpa
    guest-mode
    wpa-psk ascii 7 060B00345F4B0A18091B01081F
 !
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 channel 2462
 station-role root
 no dot11 extension aironet
 no cdp enable
!
interface Dot11Radio0.1
 encapsulation dot1Q 1 native
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface Vlan1
 description Internal Network
 no ip address
 ip nat inside
 ip virtual-reassembly
 bridge-group 1
 bridge-group 1 spanning-disabled
!
interface BVI1
 description Bridge to Internal Network$FW_INSIDE$
 ip address 192.168.30.1 255.255.255.0
 ip access-group 103 in
 ip nat inside
 ip virtual-reassembly
!
ip classless
ip route 0.0.0.0 0.0.0.0 FastEthernet4
!
ip http server
ip http secure-server
ip nat inside source list 1 interface FastEthernet4 overload
!
ip access-list extended Internet-inbound-ACL
 remark SDM_ACL Category=16
 permit udp host 4.2.2.2 eq domain host 192.168.20.200
 deny   ip 192.168.30.0 0.0.0.255 any
 permit icmp any host 192.168.20.200 echo-reply
 permit icmp any host 192.168.20.200 time-exceeded
 permit icmp any host 192.168.20.200 unreachable
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 127.0.0.0 0.255.255.255 any
 deny   ip host 255.255.255.255 any
 permit icmp any any echo
 permit icmp any any echo-reply
 permit icmp any any traceroute
 permit gre any any
 permit esp any any
 deny   tcp any any
 deny   ip any any log
!
access-list 1 permit 192.168.30.0 0.0.0.255
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 permit tcp any any
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 permit ip any any
access-list 102 remark auto generated by SDM firewall configuration
access-list 102 remark SDM_ACL Category=1
access-list 102 permit udp host 4.2.2.2 eq domain host 192.168.20.200
access-list 102 deny   ip 192.168.30.0 0.0.0.255 any
access-list 102 permit icmp any host 192.168.20.200 echo-reply
access-list 102 permit icmp any host 192.168.20.200 time-exceeded
access-list 102 permit icmp any host 192.168.20.200 unreachable
access-list 102 deny   ip 10.0.0.0 0.255.255.255 any
access-list 102 deny   ip 172.16.0.0 0.15.255.255 any
access-list 102 deny   ip 192.168.0.0 0.0.255.255 any
access-list 102 deny   ip 127.0.0.0 0.255.255.255 any
access-list 102 deny   ip host 255.255.255.255 any
access-list 102 deny   ip host 0.0.0.0 any
access-list 102 deny   ip any any log
access-list 103 remark auto generated by SDM firewall configuration
access-list 103 remark SDM_ACL Category=1
access-list 103 deny   ip 192.168.20.0 0.0.0.255 any
access-list 103 deny   ip host 255.255.255.255 any
access-list 103 deny   ip 127.0.0.0 0.255.255.255 any
access-list 103 permit ip any any
access-list 104 remark auto generated by SDM firewall configuration
access-list 104 remark SDM_ACL Category=1
access-list 104 permit udp host 4.2.2.2 eq domain host 192.168.20.200
access-list 104 deny   ip 192.168.30.0 0.0.0.255 any
access-list 104 permit icmp any host 192.168.20.200 echo-reply
access-list 104 permit icmp any host 192.168.20.200 time-exceeded
access-list 104 permit icmp any host 192.168.20.200 unreachable
access-list 104 deny   ip 10.0.0.0 0.255.255.255 any
access-list 104 deny   ip 172.16.0.0 0.15.255.255 any
access-list 104 deny   ip 192.168.0.0 0.0.255.255 any
access-list 104 deny   ip 127.0.0.0 0.255.255.255 any
access-list 104 deny   ip host 255.255.255.255 any
access-list 104 deny   ip host 0.0.0.0 any
access-list 104 deny   ip any any log
!
control-plane
!
bridge 1 route ip
!
line con 0
 password 7 060C00385E470D1C
 no modem enable
 transport preferred all
 transport output all
line aux 0
 transport preferred all
 transport output all
line vty 0 4
 password 7 130F180B1905002F
 transport preferred all
 transport input all
 transport output all
!
scheduler max-task-time 5000
end

Asked by mousemen

1 Solution

memo_tnt commented:
Hi,
Remove the following ACL and FW and try:


interface FastEthernet4
no ip access-group 104 in
no ip inspect SDM_LOW out

interface BVI1
no ip access-group 103 in

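The ACL entries under discussion can be evaluated offline. What follows is an added example, not code from the thread or from Cisco: a small first-match evaluator for the IOS extended-ACL syntax used in the posted configs, run against access-list 104 and Guest-ACL copied verbatim from them. It shows why a 192.168.20.0/24 "WAN" collides with SDM's anti-spoofing entries: the static ACL alone drops every reply from that network at `deny ip 192.168.0.0 0.0.255.255 any`, so the reachability to the .20 network the asker saw had to come from the `ip inspect` (CBAC) dynamic entries that open return paths, while unsolicited traffic from the internet falls through to the final `deny ip any any log`. The sample packets and the port/ICMP keyword tables are constructed.

```python
"""First-match evaluation of Cisco IOS extended ACLs against sample packets.
Added example, not code from the thread. Syntax covered (what the posted configs use):
  [access-list N] {permit|deny} PROTO SRC [eq PORT] DST [eq PORT] [ICMP-TYPE] [log]
SRC/DST is 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'. Remark/header lines are skipped
and the implicit trailing 'deny ip any any' is applied. Keyword tables are an assumed subset."""
from collections import namedtuple
from dataclasses import dataclass
from typing import List, Optional, Tuple
PORT_NAMES = {"domain": 53, "bootps": 67, "bootpc": 68, "www": 80, "ftp": 21, "smtp": 25}
ICMP_TYPES = {"echo", "echo-reply", "time-exceeded", "unreachable", "traceroute"}

# access-list 104 (applied inbound on the WAN port) and Guest-ACL, copied from the posted configs.
ACL_104 = """access-list 104 permit udp host 4.2.2.2 eq domain host 192.168.20.200
access-list 104 deny   ip 192.168.30.0 0.0.0.255 any
access-list 104 permit icmp any host 192.168.20.200 echo-reply
access-list 104 permit icmp any host 192.168.20.200 time-exceeded
access-list 104 permit icmp any host 192.168.20.200 unreachable
access-list 104 deny   ip 10.0.0.0 0.255.255.255 any
access-list 104 deny   ip 172.16.0.0 0.15.255.255 any
access-list 104 deny   ip 192.168.0.0 0.0.255.255 any
access-list 104 deny   ip 127.0.0.0 0.255.255.255 any
access-list 104 deny   ip host 255.255.255.255 any
access-list 104 deny   ip host 0.0.0.0 any
access-list 104 deny   ip any any log"""
GUEST_ACL = """ip access-list extended Guest-ACL
 deny   ip any 192.168.10.0 0.0.0.255
 permit ip any any"""

@dataclass
class Packet:
    proto: str                  # 'tcp', 'udp', 'icmp', 'gre', 'esp', ...
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    icmp_type: Optional[str] = None

# src/dst are (base, wildcard) 32-bit ints; text keeps the original line for reporting.
Rule = namedtuple("Rule", "action proto src sport dst dport icmp_type log text")

def ip2int(s: str) -> int:
    a, b, c, d = (int(x) for x in s.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d

def _addr(tok: List[str], i: int) -> Tuple[Tuple[int, int], int]:
    if tok[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tok[i] == "host":
        return (ip2int(tok[i + 1]), 0), i + 2
    return (ip2int(tok[i]), ip2int(tok[i + 1])), i + 2

def _port(tok: List[str], i: int) -> Tuple[Optional[int], int]:
    if i < len(tok) and tok[i] == "eq":
        p = tok[i + 1]
        return (PORT_NAMES[p] if p in PORT_NAMES else int(p)), i + 2
    return None, i

def parse_acl(text: str) -> List[Rule]:
    rules = []
    for raw in text.splitlines():
        tok = raw.split()
        if tok and tok[0] == "access-list":        # numbered form: strip 'access-list N'
            tok = tok[2:]
        if not tok or tok[0] in ("remark", "ip"):  # remarks and the 'ip access-list ...' header
            continue
        action, proto = tok[0], tok[1]
        src, i = _addr(tok, 2)
        sport, i = _port(tok, i)
        dst, i = _addr(tok, i)
        dport, i = _port(tok, i)
        icmp_type = None
        if proto == "icmp" and i < len(tok) and tok[i] in ICMP_TYPES:
            icmp_type, i = tok[i], i + 1
        rules.append(Rule(action, proto, src, sport, dst, dport, icmp_type,
                          i < len(tok) and tok[i] == "log", raw.strip()))
    return rules

def _in(spec: Tuple[int, int], addr: str) -> bool:
    base, wildcard = spec                           # wildcard bit set = "don't care"
    return (ip2int(addr) ^ base) & ~wildcard & 0xFFFFFFFF == 0

def matches(r: Rule, p: Packet) -> bool:
    if r.proto != "ip" and r.proto != p.proto:
        return False
    if not (_in(r.src, p.src) and _in(r.dst, p.dst)):
        return False
    if r.proto in ("tcp", "udp") and ((r.sport is not None and r.sport != p.sport) or
                                     (r.dport is not None and r.dport != p.dport)):
        return False
    return not (r.proto == "icmp" and r.icmp_type and r.icmp_type != p.icmp_type)

def evaluate(rules: List[Rule], p: Packet) -> Tuple[str, str, bool]:
    """Return (action, matching entry, logged) under IOS first-match semantics."""
    for r in rules:
        if matches(r, p):
            return r.action, r.text, r.log
    return "deny", "<implicit deny ip any any>", False

if __name__ == "__main__":
    # Reply from a web server on the upstream 192.168.20.0/24: the RFC1918 anti-spoofing entry drops it.
    print(evaluate(parse_acl(ACL_104), Packet("tcp", "192.168.20.5", "192.168.20.200", 80, 51000)))
```

The evaluator only models the static entries; CBAC's temporary openings sit in front of them on the real box, which is why removing `ip inspect SDM_LOW out` together with the ACL, as suggested above, changes what gets through.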
 
mousemen (Author) commented:
That didn't work. I got another sample config that worked. I tried to compare the two and see what was in the original one that made it not work vs. the working one, and couldn't find the difference. I attached the new config that's working. I would love to know where the disconnect was.
I tried to match the access rules from both; it still didn't work.

Thanks
!
version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname 851w
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$XBHT$gB0tnc1kCgwZCu8WUfA/e1
enable password 7 000E1C1F16520F03
!
username admin privilege 15 password 7 141D1D121E0D2E2E65
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
aaa session-id common
ip subnet-zero
ip dhcp excluded-address 192.168.10.1 192.168.10.99
ip dhcp excluded-address 192.168.30.1 192.168.30.99
!
ip dhcp pool Internal-net
   import all
   network 192.168.10.0 255.255.255.0
   default-router 192.168.10.1
   domain-name peziol.local
   lease 4
!
ip dhcp pool VLAN20
   import all
   network 192.168.30.0 255.255.255.0
   default-router 192.168.30.1
   domain-name peziol.local
   lease 4
!
!
ip cef
ip inspect name MYFW tcp
ip inspect name MYFW udp
no ip domain lookup
ip domain name peziol.local
no ftp-server write-enable
!
!
!
!
!
bridge irb
!
!
interface FastEthernet0
 no ip address
 spanning-tree portfast
!
interface FastEthernet1
 no ip address
 spanning-tree portfast
!
interface FastEthernet2
 no ip address
 spanning-tree portfast
!
interface FastEthernet3
 no ip address
 spanning-tree portfast
!
interface FastEthernet4
 ip address dhcp
 ip access-group Internet-inbound-ACL in
 ip inspect MYFW out
 ip nat outside
 ip virtual-reassembly
 ip tcp adjust-mss 1460
 duplex auto
 speed auto
 no cdp enable
!
interface Dot11Radio0
 no ip address
 !
 encryption vlan 1 mode ciphers tkip
 !
 encryption vlan 20 mode ciphers tkip
 !
 ssid GuestWLAN
    vlan 20
    authentication open
    authentication key-management wpa
    wpa-psk ascii 7 0309541E150A224D42050A0604
 !
 ssid InternalWLAN
    vlan 1
    authentication open
    authentication key-management wpa
    guest-mode
    wpa-psk ascii 7 110416100417080D082638273B
 !
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 channel 2412
 station-role root
 no dot11 extension aironet
 no cdp enable
!
interface Dot11Radio0.1
 encapsulation dot1Q 1 native
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface Dot11Radio0.20
 description Guest wireless LAN - routed WLAN
 encapsulation dot1Q 20
 ip address 192.168.30.1 255.255.255.0
 ip access-group Guest-ACL in
 ip inspect MYFW out
 ip nat inside
 ip virtual-reassembly
!
interface Vlan1
 description Internal Network
 no ip address
 ip nat inside
 ip virtual-reassembly
 bridge-group 1
 bridge-group 1 spanning-disabled
!
interface BVI1
 description Bridge to Internal Network
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
ip classless
ip route 0.0.0.0 0.0.0.0 dhcp
!
ip http server
ip http secure-server
ip nat inside source list 1 interface FastEthernet4 overload
!
ip access-list extended Guest-ACL
 deny   ip any 192.168.10.0 0.0.0.255
 permit ip any any
ip access-list extended Internet-inbound-ACL
 permit udp any eq bootps any eq bootpc
 permit icmp any any echo
 permit icmp any any echo-reply
 permit icmp any any traceroute
 permit gre any any
 permit esp any any
!
access-list 1 permit 192.168.10.0 0.0.0.255
access-list 1 permit 192.168.30.0 0.0.0.255
!
control-plane
!
bridge 1 route ip
!
line con 0
 password 7 07052E555C001D00
 no modem enable
 transport preferred all
 transport output all
line aux 0
 transport preferred all
 transport output all
line vty 0 4
 password 7 0501091633454A0C
 transport preferred all
 transport input all
 transport output all
!
scheduler max-task-time 5000
end

 
memo_tnt commented:
Are you trying this over wireless or wired? Because in the first configuration, interface Dot11Radio0.1 did not have an IP address assigned, while it is assigned below.

 
rochey2009 commented:
Hi,

In your original configuration you had a private IP address on your WAN interface, which you were NATting into. This will never route on the Internet.

interface FastEthernet4
 description $ETH-WAN$$FW_OUTSIDE$
 ip address 192.168.20.200 255.255.255.0
 ip access-group 104 in
 ip verify unicast reverse-path
 ip inspect SDM_LOW out
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto

On your new configuration,

interface FastEthernet4
 ip address dhcp
 ip access-group Internet-inbound-ACL in
 ip inspect MYFW out
 ip nat outside
 ip virtual-reassembly
 ip tcp adjust-mss 1460
 duplex auto
 speed auto
 no cdp enable

you changed to DHCP, and your service provider gives you a WAN address which is routable on the Internet.
 
mousemen (Author) commented:
In both configurations it's connected to my 192.168.20.0 network before it hits the cable modem. I assigned one manually on the first and let it get it via DHCP on the 2nd. The 2nd one has a guest wireless VLAN that has a different IP assigned, which denies it access to the internal LAN/wireless, while the internal wireless is still bridged to VLAN 1 and the wired network. It would get to the next hop or home network under both wireless and wired, but not past that onto the internet. I thought if it's an ACL issue it would not do that. I suspected a NAT/routing issue but couldn't figure out where the disconnect was. Maybe the way I assigned the manual IP and set that up vs. it setting what it needs via DHCP.
At least that's what I was assuming. That's why I am here, and I appreciate all the help I am getting.

Internet > {192.168.20.0 home network and router with dd-wrt} > 851w is the layout that I am working on, in case it helps.

I bumped up the point value, as it looks more difficult to decipher than I thought, to help me try to understand / figure it out in this process of learning on the way to the CCNA cert. I hate just studying to pass an exam without a deep understanding of what's happening or not happening, as is the case here.

 
rochey2009 commented:
Under the original configuration, did you have a problem accessing the internet from both the wired and wireless?

Did you have a problem communicating between wireless and wired devices?
 
mousemen (Author) commented:
No problem communicating with a Windows share, a server RDP session, and a Linux SSH session on the 192.168.20.0 network. I can access them all while connected to the 851w, both wired and wireless. I could ping resources on that network. I couldn't go past that onto the internet, and that's what stumped me. This included pings to IP addresses in case it was a domain resolution problem (4.2.2.2 and a static gateway IP at the office).

I had to add the lines below before I could do that. Once added, I was able to connect to the .20 network but still not the internet.
ip nat inside source list 1 interface FastEthernet4 overload
access-list 1 permit 192.168.30.0 0.0.0.255

The other access-lists got created and mucked up through SDM while trying to get it resolved.
It may just be a mystery, but I was hoping to learn from it, even though I found a config that worked.
 
rochey2009 commented:
Is the dd-wrt configured to perform NAT?
 
mousemen (Author) commented:
Well, I figured it out.

The original config has a static IP. The route is set as ip route 0.0.0.0 0.0.0.0 FastEthernet4.
I changed Int F4 from static to DHCP. Still the same issue. I attempted to change it to ip route 0.0.0.0 0.0.0.0 192.168.30.1 and got a message that it couldn't be done. Changed it to ip route 0.0.0.0 0.0.0.0 192.168.20.1, as that is the next hop it wants, and it works.
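The fix the asker arrived at, as an added example that is not from the thread: a model of the difference between a default route that names only an exit interface and one that names a next-hop address. A static route with only an exit interface on a multi-access (Ethernet) segment makes IOS ARP for each destination address itself, which works only if a neighbour proxy-ARPs for that address; a next-hop route makes it ARP for the gateway. The model uses the addresses from the posted configs and assumes the dd-wrt gateway answers ARP only for its own address (the thread does not say whether proxy ARP is enabled on it); the hosts on the segment and the error text for a next hop that is the router's own address are constructed, not quoted from IOS.

```python
"""Why 'ip route 0.0.0.0 0.0.0.0 FastEthernet4' failed here and 'ip route 0.0.0.0 0.0.0.0 192.168.20.1' worked.
Added example, not code from the thread. It models the router's forwarding decision with the
addresses from the posted configs and ASSUMES the upstream dd-wrt gateway answers ARP only for
its own address (proxy ARP off); the hosts on the 192.168.20.0/24 segment are constructed."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, List, Optional

@dataclass(frozen=True)
class Route:
    prefix: IPv4Network
    interface: str
    next_hop: Optional[IPv4Address] = None      # None = "exit interface only" static route

# The 851w's own addresses (first posted config) and its connected routes.
ROUTER_ADDRS = {"FastEthernet4": IPv4Address("192.168.20.200"), "BVI1": IPv4Address("192.168.30.1")}
CONNECTED = [Route(IPv4Network("192.168.20.0/24"), "FastEthernet4"),
             Route(IPv4Network("192.168.30.0/24"), "BVI1")]

# Constructed model of the FastEthernet4 segment: which IPs get an ARP reply, and from whom.
ARP_RESPONDERS: Dict[IPv4Address, str] = {
    IPv4Address("192.168.20.1"): "dd-wrt gateway (assumed: answers only for itself)",
    IPv4Address("192.168.20.5"): "home server (constructed)",
}

def longest_match(table: List[Route], dst: IPv4Address) -> Optional[Route]:
    hits = [r for r in table if dst in r.prefix]
    return max(hits, key=lambda r: r.prefix.prefixlen, default=None)

def add_default_route(next_hop: Optional[str] = None, interface: Optional[str] = None) -> Route:
    """Model 'ip route 0.0.0.0 0.0.0.0 <next-hop | interface>', including two checks IOS applies
    to the next-hop form: it must not be one of the router's own addresses, and it must be
    reachable (here: via a connected route). The error text is modelled, not quoted from IOS."""
    if next_hop is not None:
        nh = IPv4Address(next_hop)
        if nh in ROUTER_ADDRS.values():
            raise ValueError(f"invalid next hop {nh}: it is this router's own address")
        via = longest_match(CONNECTED, nh)
        if via is None:
            raise ValueError(f"next hop {nh} is not on a connected network")
        return Route(IPv4Network("0.0.0.0/0"), via.interface, nh)
    if interface is None:
        raise ValueError("a static route needs a next hop or an exit interface")
    return Route(IPv4Network("0.0.0.0/0"), interface)

def default_route_accepted(next_hop: str) -> bool:
    """True if the modelled IOS would accept 'ip route 0.0.0.0 0.0.0.0 <next_hop>'."""
    try:
        add_default_route(next_hop=next_hop)
        return True
    except ValueError:
        return False

def forward(table: List[Route], dst: str) -> dict:
    """Decide what the router does with a packet to dst. A next-hop route makes it ARP for
    the hop; an exit-interface-only route on Ethernet makes it ARP for the destination
    itself, which only a proxy-ARPing neighbour would answer. ARP is modelled on FastEthernet4 only."""
    d = IPv4Address(dst)
    route = longest_match(table, d)
    if route is None:
        return {"route": None, "arp_for": None, "delivered": False, "answered_by": None}
    arp_for = route.next_hop if route.next_hop is not None else d
    responder = ARP_RESPONDERS.get(arp_for) if route.interface == "FastEthernet4" else None
    return {"route": str(route.prefix), "arp_for": str(arp_for),
            "delivered": responder is not None, "answered_by": responder}

if __name__ == "__main__":
    broken = CONNECTED + [add_default_route(interface="FastEthernet4")]   # the original config
    fixed = CONNECTED + [add_default_route(next_hop="192.168.20.1")]      # the asker's fix
    for table in (broken, fixed):
        print(forward(table, "192.168.20.5"), forward(table, "4.2.2.2"))
```

With the interface-only route, hosts on the directly connected 192.168.20.0/24 are reached because they answer ARP for themselves, while 4.2.2.2 is not, because nothing on the segment answers an ARP for 4.2.2.2; this matches the symptom reported in the thread. The next-hop form also explains the rejected `ip route 0.0.0.0 0.0.0.0 192.168.30.1`: that address is the router's own BVI1 address.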