Cisco ACL Not Working on IOS Router

Hi Experts,

Hope you are all well. I'm having trouble getting an ACL to work and I'm going round in circles.

I'm trying to open the following ports: 8081, 444, 443, 2525, 8082, amongst a few others.

Can anybody see any reason from my config (attached - Config.txt) why it just won't seem to open the ports up?

Cheers
TME
TrustGroup-UAE asked:

ffleisma (Senior Network Engineer) commented:
Based on your ACL, it seems you are using the internal IP as the destination.
ip access-list extended IPFW-ACL
 permit tcp any host 10.1.1.91 eq 3311
 permit tcp any host 10.1.1.104 eq 9675

However, the order of operations on IOS is ACL first, then NAT, so the ACL is applied before the NAT operation.

The destination IP should be the IP address of the Dialer1 interface. Now, since the Dialer1 interface is getting its IP address via DHCP, it might be better to do the filtering on the internal FastEthernet0/1.101, but in the outgoing direction.

Another option, if you know the possible range of IPs that the Dialer1 interface will be assigned, is to reference that range of IPs as the ACL destination IP.
TrustGroup-UAE (Author) commented:
Hi ffleisma,

Hope you are well and many thanks for your response. Sorry, you really have confused me now :)

Any chance of a config example? I'm guessing I need the NAT on the interface, say FA0/1.101?

Cheers
TME
ffleisma (Senior Network Engineer) commented:
Based on your config, the ACL "IPFW-ACL" is applied to incoming traffic on Dialer1
interface Dialer1
 description ** DSL Dialer **
 ip address negotiated
 ip access-group IPFW-ACL in

The problem is regarding the destination IP referenced in the ACL.
ip access-list extended IPFW-ACL
 permit tcp any host 10.1.1.91 eq 3311

source = any
destination = 10.1.1.91
But the destination IP on the incoming traffic is not 10.1.1.91; it is whatever IP the Dialer1 interface gets via DHCP.

What you can try is:
interface Dialer1
 description ** DSL Dialer **
 ip address negotiated
 ip access-group IPFW-ACL in
!
ip access-list extended IPFW-ACL
 permit tcp any any eq 3311

Some might be hesitant about this because it is any any, but it should work for filtering the traffic. Another option is applying the ACL outgoing. I've noticed that the ACL pertains mostly to 10.1.1.x, so I'm assuming that it is routed over FastEthernet0/1.101, which has the IP address 10.1.1.1.
interface FastEthernet0/1.101
 description ** Network Management LAN **
 ip address 10.1.1.1 255.255.255.0
 ip access-group IPFW-ACL out
!
ip access-list extended IPFW-ACL
 permit tcp any host 10.1.1.91 eq 3311
 permit tcp any host 10.1.1.104 eq 9675
 permit tcp any host 10.1.1.104 eq 8081
 permit tcp any host 10.1.1.105 eq 444
 permit tcp any host 10.1.1.105 eq 2525
 permit tcp any host 10.1.1.104 eq 8082
 permit icmp any any administratively-prohibited
 permit icmp any any echo-reply
 permit icmp any any packet-too-big
 permit icmp any any time-exceeded
 permit icmp any any traceroute
 permit gre any any
 deny   ip any any log

Hope this makes sense, let me know if you have questions, I'll be glad to help out!
ffleisma (Senior Network Engineer) commented:
Also, since you have an any-any deny at the end of the ACL, applying an outgoing ACL on the internal side won't work, since the traffic would have been filtered out already by the incoming ACL.
ip access-list extended IPFW-ACL
 permit tcp any host 10.1.1.91 eq 3311
 permit tcp any host 10.1.1.104 eq 9675
 permit tcp any host 10.1.1.104 eq 8081
 permit tcp any host 10.1.1.105 eq 444
 permit tcp any host 10.1.1.105 eq 2525
 permit tcp any host 10.1.1.104 eq 8082
 permit icmp any any administratively-prohibited
 permit icmp any any echo-reply
 permit icmp any any packet-too-big
 permit icmp any any time-exceeded
 permit icmp any any traceroute
 permit gre any any
 deny   ip any any log

The best option is to convert the ACL to:
ip access-list extended IPFW-ACL
 permit tcp any any eq 3311
 permit tcp any any eq 9675
 permit tcp any any eq 8081
 permit tcp any any eq 444
 permit tcp any any eq 2525
 permit tcp any any eq 8082
 permit icmp any any administratively-prohibited
 permit icmp any any echo-reply
 permit icmp any any packet-too-big
 permit icmp any any time-exceeded
 permit icmp any any traceroute
 permit gre any any
 deny   ip any any log

Then, if you'd like to limit it further, you can apply a second ACL on the internal interface, but this time you can reference the internal IP, since the NAT operation has already been done by the router.
interface FastEthernet0/1.101
 description ** Network Management LAN **
 ip address 10.1.1.1 255.255.255.0
 ip access-group IPFW-ACL2 out
!
ip access-list extended IPFW-ACL2
 permit tcp any host 10.1.1.91 eq 3311
 permit tcp any host 10.1.1.104 eq 9675
 permit tcp any host 10.1.1.104 eq 8081
 permit tcp any host 10.1.1.105 eq 444
 permit tcp any host 10.1.1.105 eq 2525
 permit tcp any host 10.1.1.104 eq 8082

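The order-of-operations point above (inbound ACL on Dialer1 is evaluated before NAT, the outbound ACL on Fa0/1.101 after it) modelled as an added example; this is not code from the thread, and the public IP 203.0.113.10 and the static port-forward table are constructed assumptions:

```python
# Toy model of IOS order of operations for traffic arriving on Dialer1: the inbound ACL
# sees the PRE-NAT destination (the negotiated public IP), while the outbound ACL on
# FastEthernet0/1.101 sees the POST-NAT (internal) destination. Assumptions are constructed.
PUBLIC_IP = "203.0.113.10"                                  # constructed Dialer1 address
NAT_TABLE = {3311: "10.1.1.91", 8081: "10.1.1.104"}         # constructed port-forwards

def parse_acl(text):
    """Parse 'permit|deny <proto> any|host X any|host Y [eq <port>]' lines (IOS subset).
    Header lines and ICMP type keywords are ignored: ICMP is matched on protocol only."""
    entries = []
    for line in text.strip().splitlines():
        tok = line.split()
        if len(tok) < 4 or tok[0] not in ("permit", "deny"):
            continue
        addrs, i = [], 2
        for _ in ("src", "dst"):                            # None stands for 'any'
            addrs.append(tok[i + 1] if tok[i] == "host" else None)
            i += 2 if tok[i] == "host" else 1
        port = int(tok[i + 1]) if i < len(tok) and tok[i] == "eq" else None
        entries.append((tok[0], tok[1], addrs[0], addrs[1], port))
    return entries

def acl_check(entries, pkt):
    """First match wins; IOS appends an implicit 'deny ip any any'."""
    for action, proto, src, dst, port in entries:
        if proto not in ("ip", pkt["proto"]) or (src and src != pkt["src"]):
            continue
        if (dst and dst != pkt["dst"]) or (port and port != pkt.get("dport")):
            continue
        return action == "permit"
    return False

def forward_from_dialer1(inbound_acl, lan_out_acl, pkt):
    """Inbound ACL on Dialer1 -> static NAT -> outbound ACL on FastEthernet0/1.101."""
    if not acl_check(inbound_acl, pkt):
        return "dropped by Dialer1 inbound ACL"
    if pkt.get("dport") not in NAT_TABLE:
        return "no NAT entry: traffic terminates on the router"
    pkt = dict(pkt, dst=NAT_TABLE[pkt["dport"]])            # NAT rewrites dst to the LAN host
    if lan_out_acl is not None and not acl_check(lan_out_acl, pkt):
        return "dropped by Fa0/1.101 outbound ACL"
    return f"delivered to {pkt['dst']}:{pkt['dport']}"

ORIGINAL_ACL = parse_acl("permit tcp any host 10.1.1.91 eq 3311\ndeny ip any any log")
FIXED_ACL = parse_acl("permit tcp any any eq 3311\npermit tcp any any eq 8081\ndeny ip any any log")
LAN_ACL2 = parse_acl("permit tcp any host 10.1.1.91 eq 3311")
if __name__ == "__main__":
    for dport in (3311, 8081, 22):                          # constructed inbound packets
        pkt = {"proto": "tcp", "src": "198.51.100.7", "dst": PUBLIC_IP, "dport": dport}
        print(dport, forward_from_dialer1(ORIGINAL_ACL, None, pkt), "|", forward_from_dialer1(FIXED_ACL, LAN_ACL2, pkt))
```

Running it shows the original ACL dropping every inbound packet at Dialer1 (the destination is the public IP, never 10.1.1.91), while the any-any version admits only the listed ports and IPFW-ACL2 then restricts them per internal host.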
TrustGroup-UAE (Author) commented:
Hi,

Sorry, forgot this was still open.

Top marks to ffleisma.

All now working.

Cheers
TME