Cisco 1811: Applying access-group in causing no outbound internet

Hi,

I'm working with an older-model Cisco router and having a number of issues; I'm listing them together since they may be related. The basics of the config are below.

Issue One: Whenever I add the ip access-group inbound in to the FastEthernet0 interface, we lose all outbound internet.

Issue Two: I need to open all ports from the LAN to the WAN (i.e., I need to be able to RDP out to another network, but the port is not open).

interface FastEthernet0
 description outside
 ip address 199.48.XX.XX6 255.255.255.248
 ip access-group inboundfun in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
!

interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-FE 2$$ES_LAN$$FW_INSIDE$
 ip address 192.168.1.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 ip tcp adjust-mss 1452
!
interface Async1
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 encapsulation slip
!
ip route 0.0.0.0 0.0.0.0 199.48.XX.XX5
!
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 1 interface FastEthernet0 overload
ip nat inside source static 192.168.1.2 199.48.XX.XX7
ip nat inside source static 192.168.1.210 199.48.XX.XX8
ip nat inside source static 192.168.1.211 199.48.XX.XX9
!
ip access-list extended inboundfun
 permit udp any host 199.48.50.228
 permit tcp any host 199.48.50.228
 permit udp any host 199.48.50.229
 permit tcp any host 199.48.50.229
 permit tcp any host 199.48.50.227 eq 443
!
logging trap debugging
access-list 1 permit 192.168.1.0 0.0.0.255
no cdp run
Asked by kmt333
djcanter Commented:
Implicit deny.

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_configuration_example09186a0080100548.shtml


Allow a Select Host to Access the Network

This figure shows a select host being granted permission to access the network. All traffic sourced from Host B destined to NetA is permitted, and all other traffic sourced from NetB destined to NetA is denied.

[Figure: Host B in NetB is permitted through R1's Ethernet 0 interface to NetA]

The output on the R1 table shows how the network grants access to the host. This output shows that:

 • The configuration allows only the host with the IP address 192.168.10.1 through the Ethernet 0 interface on R1.
 • This host has access to the IP services of NetA.
 • No other host in NetB has access to NetA.
 • No deny statement is configured in the ACL.

By default, there is an implicit deny all clause at the end of every ACL. Anything that is not explicitly permitted is denied.
 
greg ward Commented:
Not sure which IOS you have; if you have the security features, why not try:

ip inspect name myfw ftp timeout 3600
ip inspect name myfw https timeout 3600
ip inspect name myfw icmp router-traffic timeout 5
ip inspect name myfw udp timeout 600
ip inspect name myfw tcp timeout 360
ip inspect name myfw fragment maximum 1000 timeout 10
ip inspect name myfw http timeout 50
ip reflexive-list timeout 120

interface FastEthernet0
 ip inspect myfw out

This will watch the traffic going out matching the inspect rule myfw and let it back in.

Greg
 
fgasimzade Commented:
ip access-list extended inboundfun
 permit udp any host 199.48.50.228
 permit tcp any host 199.48.50.228
 permit udp any host 199.48.50.229
 permit tcp any host 199.48.50.229
 permit tcp any host 199.48.50.227 eq 443
!

When applying your access list, you permit only those IP addresses you mentioned in your access list. That is why you cannot access the Internet.
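As an added illustration (not code from the thread, from Cisco, or from any of the commenters), the following Python model shows how an inbound ACL on FastEthernet0 evaluates packets: why a reply to a PAT'd outbound session falls into the implicit deny that djcanter and fgasimzade describe, and how the session table that Greg's `ip inspect myfw out` builds (or, for TCP only, an `established` permit line for the outside address) lets that reply back in. The addresses are constructed RFC 5737 documentation addresses standing in for the masked 199.48.XX.XX ones, and `Ace`, `InspectTable` and `filter_inbound` are this example's own simplifications, not a faithful model of IOS internals.

```python
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Constructed addresses (RFC 5737 documentation ranges) standing in for the
# masked 199.48.XX.XX addresses in the thread.
OUTSIDE_IF = "203.0.113.6"    # FastEthernet0 address used by "nat ... overload"
STATIC_A = "203.0.113.8"      # hosts that have static NAT entries
STATIC_B = "203.0.113.9"
WEB_HOST = "203.0.113.7"
REMOTE_RDP = "198.51.100.20"  # a remote RDP server on the Internet
REMOTE_DNS = "198.51.100.53"  # a remote DNS server


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    ack: bool = False   # TCP ACK bit (IOS "established" matches ACK or RST; ACK only here)


@dataclass(frozen=True)
class Ace:
    """One line of an extended ACL, reduced to the fields this thread needs."""
    action: str                  # "permit" or "deny"
    proto: str                   # "ip", "tcp" or "udp"
    dst: str                     # "any" or a single host address
    dport: Optional[int] = None  # "eq <port>" on the destination
    established: bool = False    # the "established" keyword

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if self.dst != "any" and self.dst != pkt.dst:
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        if self.established and not (pkt.proto == "tcp" and pkt.ack):
            return False
        return True


def evaluate_acl(acl: List[Ace], pkt: Packet) -> str:
    """First matching entry wins; no match hits the implicit deny at the end."""
    for ace in acl:
        if ace.matches(pkt):
            return ace.action
    return "deny"


# The thread's "inboundfun" list, with the constructed addresses substituted.
INBOUNDFUN = [
    Ace("permit", "udp", STATIC_A),
    Ace("permit", "tcp", STATIC_A),
    Ace("permit", "udp", STATIC_B),
    Ace("permit", "tcp", STATIC_B),
    Ace("permit", "tcp", WEB_HOST, dport=443),
]

# "permit tcp any host <outside address> established": helps TCP replies only.
ESTABLISHED_ACE = Ace("permit", "tcp", OUTSIDE_IF, established=True)

Session = Tuple[str, str, int, str, int]


class InspectTable:
    """Simplified model of the session table CBAC ("ip inspect myfw out") keeps:
    outbound flows are recorded, and their replies are let in ahead of the ACL."""

    def __init__(self) -> None:
        self.sessions: Set[Session] = set()

    def record_outbound(self, pkt: Packet) -> None:
        # Keyed on the post-NAT 5-tuple, which is what the outside interface sees.
        self.sessions.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))

    def allows_return(self, pkt: Packet) -> bool:
        return (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.sessions


def filter_inbound(acl: List[Ace], pkt: Packet, inspect: Optional[InspectTable] = None) -> str:
    """Inbound decision on FastEthernet0: inspected replies bypass the ACL, all else hits it."""
    if inspect is not None and inspect.allows_return(pkt):
        return "permit"
    return evaluate_acl(acl, pkt)


# After PAT, an outbound RDP or DNS request carries the outside interface address.
RDP_OUT = Packet("tcp", OUTSIDE_IF, 40001, REMOTE_RDP, 3389)
RDP_REPLY = Packet("tcp", REMOTE_RDP, 3389, OUTSIDE_IF, 40001, ack=True)
DNS_OUT = Packet("udp", OUTSIDE_IF, 40002, REMOTE_DNS, 53)
DNS_REPLY = Packet("udp", REMOTE_DNS, 53, OUTSIDE_IF, 40002)
UNSOLICITED_SYN = Packet("tcp", REMOTE_RDP, 5555, OUTSIDE_IF, 3389)
TO_STATIC_HOST = Packet("tcp", REMOTE_RDP, 5555, STATIC_A, 3389)


def demo() -> dict:
    table = InspectTable()
    table.record_outbound(RDP_OUT)
    table.record_outbound(DNS_OUT)
    with_established = INBOUNDFUN + [ESTABLISHED_ACE]
    return {
        "rdp_reply_acl_only": evaluate_acl(INBOUNDFUN, RDP_REPLY),          # deny (implicit)
        "rdp_reply_established": evaluate_acl(with_established, RDP_REPLY),  # permit
        "dns_reply_established": evaluate_acl(with_established, DNS_REPLY),  # deny (UDP has no ACK)
        "dns_reply_inspect": filter_inbound(INBOUNDFUN, DNS_REPLY, table),   # permit
        "unsolicited_syn": filter_inbound(with_established, UNSOLICITED_SYN, table),  # deny
        "static_host": evaluate_acl(INBOUNDFUN, TO_STATIC_HOST),             # permit
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The model makes the trade-off visible: an `established` line only covers TCP and admits any packet with the ACK bit set toward the outside address, whereas the inspect table admits only replies to flows the router actually saw leave, for UDP as well as TCP, and still drops unsolicited inbound connections. That is why stateful inspection is the better fit for "open all ports from the LAN to the WAN" without reopening the outside interface.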
 
kmt333 (Author) Commented:
Thanks all!

I get a bit turned around in Cisco IOS. Everything seems a bit backwards compared to other routers.

KMT