jspaulding22
asked on
Help with Cisco Extended ACL on 2921 Router
I just received a Cisco 2921 router. It has 3 Gi ports: gi0/0 (inside), gi0/1 (outside) and gi0/2 (not used).
My problem is that when I apply the Extended ACL to my outside interface I lose all internet connectivity. I thought I was understanding how to create ACL lists but I must be fooling myself. In the config below I have removed the access-group from the interface gi0/1 so that I can browse for a solution. But when I apply it to the gi0/1 interface, I lose connectivity from the inside network to the outside. I can still hit the internal web server from the outside. It is just going from in to out that fails. Any assistance would be great. I am still fairly new to routers so bear with me in my config and any suggestions. Thanks.
Current configuration : 4656 bytes
!
! Last configuration change at 12:41:10 UTC Tue Aug 27 2013
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname fiberrouter
!
boot-start-marker
boot-end-marker
!
!
logging buffered 51200 warnings
enable secret 5 $1$.NMR$WxvLCRq1quoTMX2lQDrX8.
enable password xxxx
!
no aaa new-model
!
ip cef
!
!
!
!
!
!
no ip domain lookup
ip domain name wwwwww.org
ip name-server 8.8.8.8
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
crypto pki trustpoint TP-self-signed-3650151263
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3650151263
revocation-check none
rsakeypair TP-self-signed-3650151263
!
!
crypto pki certificate chain TP-self-signed-3650151263
certificate self-signed 01
quit
license udi pid CISCO2921/K9 sn FTX1726AMLU
!
!
redundancy
!
!
!
!
!
ip tcp synwait-time 5
!
!
!
!
!
!
!
!
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
no ip address
duplex auto
speed auto
no mop enabled
!
interface GigabitEthernet0/0.5
encapsulation dot1Q 5
ip address 192.168.5.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface GigabitEthernet0/0.10
encapsulation dot1Q 10 native
ip address 192.168.10.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface GigabitEthernet0/0.12
encapsulation dot1Q 12
ip address 192.168.12.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface GigabitEthernet0/0.20
encapsulation dot1Q 20
ip address 192.168.20.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface GigabitEthernet0/0.30
encapsulation dot1Q 30
ip address 192.168.30.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface GigabitEthernet0/0.40
encapsulation dot1Q 40
ip address 192.168.40.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface GigabitEthernet0/0.50
encapsulation dot1Q 50
ip address 192.168.50.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface GigabitEthernet0/0.100
encapsulation dot1Q 100
ip address 192.168.100.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface GigabitEthernet0/1
ip address 74.62.A.A 255.255.255.0
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/2
no ip address
shutdown
duplex auto
speed auto
!
ip forward-protocol nd
!
ip http server
ip http authentication local
ip http secure-server
!
ip nat inside source list 199 interface GigabitEthernet0/1 overload
ip nat inside source static tcp 192.168.20.100 80 74.62.A.C 80 extendable
ip route 0.0.0.0 0.0.0.0 74.62.A.B
!
ip access-list extended out_to_in
permit tcp any host 74.62.A.C eq www
permit tcp any 74.62.A.0 0.0.0.255 established
!
access-list 199 permit ip 192.168.0.0 0.0.255.255 any
dialer-list 1 protocol ip permit
!
!
!
control-plane
!
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
privilege level 15
password xxxxxxxx
login local
transport input telnet ssh
!
scheduler allocate 20000 1000
!
end
In which direction have you applied the access-group on the interface gi0/1 (IN or OUT)?
It should work if it's in the IN direction.
In my opinion, don't use the established keyword; instead you can use the IOS firewall feature sets like CBAC / ZBF.
Your ACL doesn't allow any of the internal hosts to pass traffic through that interface. It's only allowing established connections 'to' the router itself.
ASKER
I think I am not understanding how the ACL should be applied. Here is what I added from the information above. I also attached the full config. I am getting the same results. What am I missing here? Thanks and keep them coming.
interface GigabitEthernet0/1
ip address 74.62.A.A 255.255.255.0
ip access-group out_to_in in
ip access-group in_to_out out
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
ip access-list extended in_to_out
permit ip any any
ip access-list extended out_to_in
permit tcp any host 74.62.A.C eq www
permit tcp any 74.62.A.0 0.0.0.255 established
Config.txt
You need to at least allow established connections coming back in...
ip access-list extended out_to_in
permit tcp any host 74.62.A.C eq www < Are you allowing HTTP 'to' your router?
permit tcp any any established < This allows established TCP to inside hosts
ASKER
anoopkmr,
That worked. I entered the lines then applied it to the external interface. I can browse from internal and get to the website. So if I understand this right, I was being blocked from making domain requests?
Yes. Domain reply packets were being blocked.
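The diagnosis above (DNS answers dropped by the implicit deny while established TCP still passes), as an added example that is not code from the original thread: a minimal Python model of how IOS walks the posted out_to_in list inbound on gi0/1. The redacted public octets 74.62.A.x are replaced by constructed 74.62.1.x, the remote hosts and ports are constructed, and the extra UDP entry in FIXED_OUT_TO_IN is an assumed fix, since the exact line the asker added is not shown in the thread.

```python
# Added example, not code from the original thread: a minimal model of how IOS
# walks an inbound extended ACL on the NAT-outside interface, to show why the
# posted out_to_in list kills browsing from the inside. The public octets the
# poster redacted as 74.62.A.x are replaced here by constructed 74.62.1.x.
import ipaddress

OUTSIDE_IP = "74.62.1.10"   # stands in for 74.62.A.A, the overload NAT address
WEB_NAT_IP = "74.62.1.12"   # stands in for 74.62.A.C, static NAT to 192.168.20.100
NAME_SERVER = "8.8.8.8"     # from 'ip name-server 8.8.8.8' in the posted config

# ACE tuple: (proto, src_net, src_port, dst_net, dst_port, established).
# IOS wildcard 74.62.A.0 0.0.0.255 covers the same hosts as 74.62.A.0/24.
ORIGINAL_OUT_TO_IN = [
    ("tcp", "0.0.0.0/0", None, WEB_NAT_IP + "/32", 80, False),  # permit tcp any host 74.62.A.C eq www
    ("tcp", "0.0.0.0/0", None, "74.62.1.0/24", None, True),     # permit tcp any 74.62.A.0 0.0.0.255 established
]

# Assumed fix (the asker's exact added line is not shown in the thread): admit
# UDP replies from the configured name-server, source port 53, to the NAT address.
FIXED_OUT_TO_IN = ORIGINAL_OUT_TO_IN + [
    ("udp", NAME_SERVER + "/32", 53, OUTSIDE_IP + "/32", None, False),
]

def _in(ip, net):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(net)

def acl_permits(acl, proto, src, sport, dst, dport, flags=()):
    """True if the first matching ACE permits; no match means implicit deny."""
    for p, snet, sp, dnet, dp, established in acl:
        if p != proto or not _in(src, snet) or not _in(dst, dnet):
            continue
        if (sp is not None and sp != sport) or (dp is not None and dp != dport):
            continue
        # 'established' matches only TCP segments with ACK or RST set, so a UDP
        # DNS answer can never satisfy it and falls through to the implicit deny.
        if established and not ({"ACK", "RST"} & set(flags)):
            continue
        return True
    return False

# Constructed packets as they arrive inbound on gi0/1 (ACL is checked before un-NAT).
DNS_REPLY = ("udp", NAME_SERVER, 53, OUTSIDE_IP, 50123, ())              # answer to a lookup
WEB_RETURN = ("tcp", "203.0.113.5", 80, OUTSIDE_IP, 51234, ("ACK",))     # data from a site
WEB_INBOUND = ("tcp", "198.51.100.7", 40000, WEB_NAT_IP, 80, ("SYN",))   # visitor to the web server
SSH_PROBE = ("tcp", "198.51.100.7", 40001, OUTSIDE_IP, 22, ("SYN",))     # unsolicited SYN

if __name__ == "__main__":
    for pkt in (DNS_REPLY, WEB_RETURN, WEB_INBOUND, SSH_PROBE):
        print(pkt[:2], acl_permits(ORIGINAL_OUT_TO_IN, *pkt), acl_permits(FIXED_OUT_TO_IN, *pkt))
```

Only the DNS reply changes between the two lists; the unsolicited SSH SYN stays denied in both, which is the part of the list that was working as intended.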
thanks for the update
permit tcp any 74.62.A.0 0.0.0.255 established
Your ACL only permits traffic to 72.62......
Use your outside interface instead of the IP