A change of gears I would think...

phantasm Member Posts: 995
Ok. So I'm doing some final prep for the 802 test and decided to config my 831 for Internet access. All works well as long as the ACL's aren't applied. Can someone help me understand where my mistake is? Thanks.

Current configuration : 3179 bytes
!
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Router
!
enable secret 5 xxxxxxxxxxxxxxxxxxxxxxxx
!
ip subnet-zero
ip dhcp excluded-address 192.168.x.x 192.168.x.x
!
ip dhcp pool Office
import all
network 192.168.x.x 255.255.255.0
default-router 192.168.x.x
!
ip audit notify log
ip audit po max-events 100
!
!
!
!
interface Ethernet0
description LAN_Interface
ip address 192.168.x.x 255.255.255.0
ip nat inside
shutdown
hold-queue 100 out
!
interface Ethernet1
description WAN_Interface
ip address dhcp
ip access-group 101 in
ip access-group 103 out
ip nat outside
shutdown
no cdp enable
!
ip nat inside source list 100 interface Ethernet1 overload
ip classless
ip http server
!
!
access-list 100 remark NAT ACL
access-list 100 permit ip 192.168.x.x 0.0.0.255 any
access-list 101 remark Inbound_WAN_Interface
access-list 101 deny ip 192.168.x.x 0.0.0.255 any log
access-list 101 deny ip 127.0.0.0 0.255.255.255 any log
access-list 101 deny ip 0.0.0.0 0.255.255.255 any log
access-list 101 deny ip 10.0.0.0 0.255.255.255 any log
access-list 101 deny ip 172.16.0.0 0.15.255.255 any log
access-list 101 deny ip 192.168.0.0 0.0.255.255 any log
access-list 101 deny ip 169.254.0.0 0.0.255.255 any log
access-list 101 deny ip 192.0.2.0 0.0.0.255 any log
access-list 101 deny ip 224.0.0.0 15.255.255.255 any log
access-list 101 deny ip any host 192.168.1.255 log
access-list 101 deny ip any host 192.168.x.x log
access-list 101 deny ip host 255.255.255.255 any log
access-list 101 deny icmp any any echo log
access-list 101 deny icmp any any redirect log
access-list 101 deny icmp any any mask-request log
access-list 101 permit icmp any 192.168.x.x 0.0.0.255
access-list 101 deny tcp any any range 6000 6063 log
access-list 101 deny tcp any any eq 6667 log
access-list 101 deny tcp any any range 12345 12346 log
access-list 101 deny tcp any any eq 31337 log
access-list 101 deny udp any any eq 2049 log
access-list 101 deny udp any any eq 31337 log
access-list 101 permit tcp any gt 1023 192.168.x.x 0.0.0.255 eq ftp
access-list 101 permit tcp any gt 1023 192.168.x.x 0.0.0.255 range 1024 5000
access-list 101 deny udp any any range 33400 34400 log
access-list 101 permit udp any eq bootps any log
access-list 101 permit udp any eq bootpc any log
access-list 101 permit tcp any 192.168.x.x 0.0.0.255 established
access-list 101 deny ip any any log
access-list 103 remark Outbound_LAN_Interface
access-list 103 permit icmp 192.168.x.x 0.0.0.255 any echo-reply
access-list 103 permit icmp 192.168.x.x 0.0.0.255 any parameter-problem
access-list 103 permit icmp 192.168.x.x 0.0.0.255 any packet-too-big
access-list 103 permit icmp 192.168.x.x 0.0.0.255 any source-quench
access-list 103 permit tcp 192.168.x.x 0.0.0.255 gt 1023 any
access-list 103 deny ip any any log
!
line con 0
password 7 xxxxxxxxxxxxxxxxxx
logging synchronous
login
no modem enable
stopbits 1
line aux 0
password 7 xxxxxxxxxxxxxxxxxx
login
stopbits 1
line vty 0 4
password 7 xxxxxxxxxxxxxxxxxx
login
!
scheduler max-task-time 5000
end
"No man ever steps in the same river twice, for it's not the same river and he's not the same man." -Heraclitus

Comments

  • Netwurk Member Posts: 1,155
    Your access lists look pretty restrictive. Why not try setting them up to deny any undesirables and then adding a "permit ip any any" at the end?
  • cisco_trooper Member Posts: 1,441
    Netwurk wrote:
    Your access lists look pretty restrictive. Why not try setting them up to deny any undesirables and then adding a "permit ip any any" at the end?

    I concur. Also, no big deal, but why did you XX out your internal IPs? No one can use those against you unless they are on your network. Just curious if your error is in an IP address assignment somewhere...
  • phantasm Member Posts: 995
    I did the .x.x because another site I frequent requires it.

    I'm trying to restrict everything coming in. I only want specific traffic to flow back in, mainly established TCP connections and various other ports which I'll open later.
    "No man ever steps in the same river twice, for it's not the same river and he's not the same man." -Heraclitus
  • dtlokee Member Posts: 2,378
    When you apply them on the outside interface as you did you need to reference the addresses after they have been put through the NAT process. Putting internal addresses won't work because the ACL is processed inbound before the addresses are translated. I would move your internal -> external ACL onto the inside interface since it has no effect on the traffic sourced from the router; there really is no reason to put it on the outside interface. Also your inside LAN interface is shutdown (ethernet0).
    The only easy day was yesterday!
  • phantasm Member Posts: 995
    dtlokee wrote:
    When you apply them on the outside interface as you did you need to reference the addresses after they have been put through the NAT process. Putting internal addresses won't work because the ACL is processed inbound before the addresses are translated. I would move your internal -> external ACL onto the inside interface since it has no effect on the traffic sourced from the router; there really is no reason to put it on the outside interface. Also your inside LAN interface is shutdown (ethernet0).

    I'll give this a shot again. Both interfaces are shut down; I shut them down after realizing it wasn't working and before getting my config captured.

    I initially applied acl 103 inbound on the LAN interface and 101 inbound on my WAN interface. Didn't work this way either.
    "No man ever steps in the same river twice, for it's not the same river and he's not the same man." -Heraclitus
  • networker050184 Mod Posts: 11,962
    That's because you are not permitting your translated ip addresses.
    phantasm wrote:
    access-list 101 permit tcp any 192.168.x.x 0.0.0.255 established

    Your traffic will be established with your public ip, not private.
    An expert is a man who has made all the mistakes which can be made.
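Putting dtlokee's order-of-operations point and networker050184's public-address point into one concrete config. This is an added example, not the poster's config or anything from the thread. It assumes a LAN of 192.168.1.0/24 with the router at 192.168.1.1, and a current lease of 203.0.113.10 on Ethernet1 (a documentation address standing in for whatever `show ip interface brief` reports). On IOS an ACL applied inbound on the inside interface is evaluated before inside-to-outside NAT, so it sees the private (inside-local) source; an ACL applied inbound on the outside interface is evaluated before outside-to-inside NAT, so it sees the public (inside-global) destination. That is why the posted `established` line, written against 192.168.x.x, could never match on Ethernet1 in. The example also adds a UDP line to ACL 103, because the posted ACL 103 permits only TCP and a few ICMP types and would drop the LAN's DNS lookups.

```cisco
! Added example: ACL placement that follows the IOS order of operations.
! Assumptions (not from the thread): LAN 192.168.1.0/24, router 192.168.1.1,
! current DHCP lease on Ethernet1 = 203.0.113.10 (from "show ip interface brief").
!
interface Ethernet0
 description LAN_Interface
 ip address 192.168.1.1 255.255.255.0
 ip access-group 103 in
 ip nat inside
 no shutdown
!
interface Ethernet1
 description WAN_Interface
 ip address dhcp
 ip access-group 101 in
 ip nat outside
 no shutdown
!
ip nat inside source list 100 interface Ethernet1 overload
!
! ACL 100 is consulted by NAT itself, so it always sees the private source.
access-list 100 remark NAT ACL
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
!
! ACL 103, inbound on Ethernet0: evaluated BEFORE inside->outside NAT,
! so private source addresses are the right thing to match here.
access-list 103 remark LAN_to_Internet (inbound on Ethernet0)
access-list 103 permit icmp 192.168.1.0 0.0.0.255 any echo
access-list 103 permit tcp 192.168.1.0 0.0.0.255 gt 1023 any
access-list 103 permit udp 192.168.1.0 0.0.0.255 gt 1023 any eq domain
access-list 103 deny ip any any log
!
! ACL 101, inbound on Ethernet1: evaluated BEFORE outside->inside NAT,
! so the destination is the public lease, never 192.168.1.x.
access-list 101 remark Inbound_WAN_Interface (destination = inside-global address)
access-list 101 deny ip 10.0.0.0 0.255.255.255 any log
access-list 101 deny ip 172.16.0.0 0.15.255.255 any log
access-list 101 deny ip 192.168.0.0 0.0.255.255 any log
access-list 101 deny ip 127.0.0.0 0.255.255.255 any log
access-list 101 deny ip 169.254.0.0 0.0.255.255 any log
access-list 101 deny ip 224.0.0.0 15.255.255.255 any log
! DHCP renewals for the router's own lease arrive here too and must be let in.
access-list 101 permit udp any eq bootps any eq bootpc
access-list 101 permit icmp any host 203.0.113.10 echo-reply
access-list 101 permit icmp any host 203.0.113.10 unreachable
access-list 101 permit icmp any host 203.0.113.10 time-exceeded
access-list 101 permit tcp any host 203.0.113.10 established
access-list 101 permit udp any eq domain host 203.0.113.10 gt 1023
access-list 101 deny ip any any log
```

The `host 203.0.113.10` lines are the weak spot: the moment the ISP hands out a different lease they stop matching, every return packet falls through to the final `deny ip any any log`, and the router logs the drops. That is the "if it stops working you know your address changed" behaviour. Two caveats a practitioner should keep in mind. `established` is not a state check; it only matches TCP segments with the ACK or RST bit set, so any such segment aimed at the public address passes the ACL and is left for NAT to discard when no translation exists. And the UDP DNS line has to trust that the source port is 53, because a plain numbered ACL has no memory of which query went out.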
  • phantasm Member Posts: 995
    networker050184 wrote:
    That's because you are not permitting your translated ip addresses.
    phantasm wrote:
    access-list 101 permit tcp any 192.168.x.x 0.0.0.255 established

    Your traffic will be established with your public ip, not private.

    Good point. lol. If my IP is assigned via DHCP from my ISP, how do you account for that?
    "No man ever steps in the same river twice, for it's not the same river and he's not the same man." -Heraclitus
  • networker050184 Mod Posts: 11,962
    Show ip interface brief.
    An expert is a man who has made all the mistakes which can be made.
  • phantasm Member Posts: 995
    What I meant was how do you account for it in the acl.

    Since I'm using the established option, I can't reference the outside interface without an IP. Since it's assigned via DHCP how do you reference it in the ACL?
    "No man ever steps in the same river twice, for it's not the same river and he's not the same man." -Heraclitus
  • dtlokee Member Posts: 2,378
    Really the best bet is going to be CBAC (IOS firewall) or reflexive access-lists if they are supported on your IOS since the IP address of the outside interface may change.
    The only easy day was yesterday!
  • networker050184 Mod Posts: 11,962
    Do a show ip int brief and get your outside ip address. Then use that ip address in the ACL.

    If it stops working you know your address changed.
    An expert is a man who has made all the mistakes which can be made.
  • phantasm Member Posts: 995
    networker050184 wrote:
    Do a show ip int brief and get your outside ip address. Then use that ip address in the ACL.

    If it stops working you know your address changed.

    So every time my IP changes from my ISP I would have to change this entry in the ACL. That seems very inefficient. hm. Will have to think on this then.
    "No man ever steps in the same river twice, for it's not the same river and he's not the same man." -Heraclitus
  • phantasm Member Posts: 995
    dtlokee wrote:
    When you apply them on the outside interface as you did you need to reference the addresses after they have been put through the NAT process. Putting internal addresses won't work because the ACL is processed inbound before the addresses are translated. I would move your internal -> external ACL onto the inside interface since it has no effect on the traffic sourced from the router; there really is no reason to put it on the outside interface. Also your inside LAN interface is shutdown (ethernet0).

    Let me make sure I have this down. In order for the ACL to process on the inside local address then the acl 'access-list 101 permit tcp any 192.168.x.x 0.0.0.255 established' should be applied to the inbound LAN interface (in from WAN). If I want it to process on the outside global address then I need to change the IP to the one provided dynamically by the ISP and apply it inbound on the WAN interface. Is that correct?
    "No man ever steps in the same river twice, for it's not the same river and he's not the same man." -Heraclitus