Help with Cisco Extended ACL on 2921 Router

I just received a Cisco 2921 router. It has 3 Gi ports. gi0/0 (inside), gi0/1 (outside) and gi02 (not used).

My problem is that when I apply the Extended ACL to my outside interface I lose all internet connectivity. I thought I was understanding how to create ACL lists but I must be fooling myself. In the config below I have removed the access-group from the interface gi0/1 so that I can browse for a solution. But when I put apply it to the gi0/1 interface, I lose connectivity from the inside network to the outside. I can still hit the internal web server from the outside. It is just going from in to out that fails. Any assistance would be great. I am still fairly new to routers so bear with me in my config and any suggestions. Thanks.

Current configuration : 4656 bytes
!
! Last configuration change at 12:41:10 UTC Tue Aug 27 2013
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname fiberrouter
!
boot-start-marker
boot-end-marker
!
!
logging buffered 51200 warnings
enable secret 5 $1$.NMR$WxvLCRq1quoTMX2lQDrX8.
enable password xxxx
!
no aaa new-model
!
ip cef
!
!
!
!
!
!
no ip domain lookup
ip domain name wwwwww.org
ip name-server 8.8.8.8
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
crypto pki trustpoint TP-self-signed-3650151263
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3650151263
 revocation-check none
 rsakeypair TP-self-signed-3650151263
!
!
crypto pki certificate chain TP-self-signed-3650151263
 certificate self-signed 01
  3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 33363530 31353132 3633301E 170D3133 30383233 31343332
  30395A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 36353031
  35313236 3330819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  8100AE01 0D4D8C38 9F2338B2 372050A8 D8A97C86 19BCE08C 9AF7B425 C26D686B
  91327209 3D2D2399 B9EAE21A 2698CACD BC872A56 601CA244 CF73B660 47644CDB
  FA673751 6A15D0A9 AB039DA7 597D7BAF 94309EF6 7D12D8BA 5816A194 0657C4A8
  A8570450 52DF8DAB E155C1AB F5679468 43FAD3DC B9A380E5 5ED5D67C 295B76B6
  4F830203 010001A3 53305130 0F060355 1D130101 FF040530 030101FF 301F0603
  551D2304 18301680 14A8FB2C 3304610C 6895D46F 3E75FCD2 C4D3CB8A 91301D06
  03551D0E 04160414 A8FB2C33 04610C68 95D46F3E 75FCD2C4 D3CB8A91 300D0609
  2A864886 F70D0101 05050003 8181008A EDDF7E71 66EB1CE3 457FFD28 E332271F
  A7CAF630 46C6E691 B75F273A 57FFCB5B 277376BA 8B00790F 71DCA0F4 3447D3F7
  6EF23F8B 5E1AB0D0 78B4D011 95E45DFD E71687C6 3F8661F5 8B02BAC3 144CDF0C
  CFF80E7B C9AF6E68 55B31C99 9B7594F0 4D4CEA38 B370BF1B F61B9F06 9D450436
  70DA4697 1BED800E 0208B9A3 24D1C4
        quit
license udi pid CISCO2921/K9 sn FTX1726AMLU
!
!
redundancy
!
!
!
!
!
ip tcp synwait-time 5
!
!
!
!
!
!
!
!
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 no ip address
 duplex auto
 speed auto
 no mop enabled
!
interface GigabitEthernet0/0.5
 encapsulation dot1Q 5
 ip address 192.168.5.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface GigabitEthernet0/0.10
 encapsulation dot1Q 10 native
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface GigabitEthernet0/0.12
 encapsulation dot1Q 12
 ip address 192.168.12.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface GigabitEthernet0/0.20
 encapsulation dot1Q 20
 ip address 192.168.20.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface GigabitEthernet0/0.30
 encapsulation dot1Q 30
 ip address 192.168.30.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface GigabitEthernet0/0.40
 encapsulation dot1Q 40
 ip address 192.168.40.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface GigabitEthernet0/0.50
 encapsulation dot1Q 50
 ip address 192.168.50.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface GigabitEthernet0/0.100
 encapsulation dot1Q 100
 ip address 192.168.100.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface GigabitEthernet0/1
 ip address 74.62.A.A 255.255.255.0
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface GigabitEthernet0/2
 no ip address
 shutdown
 duplex auto
 speed auto
!
ip forward-protocol nd
!
ip http server
ip http authentication local
ip http secure-server
!
ip nat inside source list 199 interface GigabitEthernet0/1 overload
ip nat inside source static tcp 192.168.20.100 80 74.62.A.C 80 extendable
ip route 0.0.0.0 0.0.0.0 74.62.A.B
!
ip access-list extended out_to_in
 permit tcp any host 74.62.A.C eq www
 permit tcp any 74.62.A.0 0.0.0.255 established
!
access-list 199 permit ip 192.168.0.0 0.0.255.255 any
dialer-list 1 protocol ip permit
!
!
!
control-plane
!
!
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport input all
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line vty 0 4
 privilege level 15
 password xxxxxxxx
 login local
 transport input telnet ssh
!
scheduler allocate 20000 1000
!
end
jspaulding22Asked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

AkinsdNetwork AdministratorCommented:
permit tcp any     host    74.62.A.C eq www
 permit tcp any 74.62.A.0 0.0.0.255 established

You acl only permits traffic to 72.62......
Use your outside interface instead of the IP
0
anoopkmrCommented:
in which direction you have applied the access-group on the interface gi0/1.( IN or  OUT)
it should work if its in IN  direction

in my opinion dont use the  established keyword ,, instead  you can use the  IOS  firewall feature sets  like  CBAC / ZBF
0
Craig BeckCommented:
Your ACL doesn't allow any of the internal hosts to pass traffic through that interface.  It's only allowing established connections 'to' the router itself.
0
Big Business Goals? Which KPIs Will Help You

The most successful MSPs rely on metrics – known as key performance indicators (KPIs) – for making informed decisions that help their businesses thrive, rather than just survive. This eBook provides an overview of the most important KPIs used by top MSPs.

jspaulding22Author Commented:
I think I am not understanding how the ACL should be applied. Here is what I added from the information above. I also attached the full config. I am getting the same results. What am I missing here. Thanks and keep them coming.

interface GigabitEthernet0/1
 ip address 74.62.A.A 255.255.255.0
 ip access-group out_to_in in
 ip access-group in_to_out out
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto



ip access-list extended in_to_out
 permit ip any any
ip access-list extended out_to_in
 permit tcp any host 74.62.A.C eq www
 permit tcp any 74.62.A.0 0.0.0.255 established
Config.txt
0
anoopkmrCommented:
add one more line to the belwo  acl and  try
ip access-list extended out_to_in
 1permit udp any  eq 53 any
 2 permit tcp any eq 53 any
100 deny tcp any any log
110 deny udp any any log


clear logg
show logg    ( out put at the time of testing )
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Craig BeckCommented:
You need to at least allow established connections coming back in...

ip access-list extended out_to_in
 permit tcp any host 74.62.A.C eq www   < Are you allowing HTTP 'to' your router?
 permit tcp any any established               < This allows established TCP to inside hosts
0
jspaulding22Author Commented:
anoopkmr,

That worked. I entered the lines then applied it to the external interface. I can browse from internal and get to the website. So if I understand this right, I was being blocked from making domain requests?
0
anoopkmrCommented:
yes .  domain reply packets were blocking ..

thanks for the update
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Routers

From novice to tech pro — start learning today.