Perhaps you could show a preview of your configs, because many times people see it better when they can see what's there and what needs to be added to allow inbound or outbound traffic.
Have you allowed an access-list inbound?
***************
R. Corrigan Jr.
Network+, (working on CCENT+CCNA)
Here is a copy of the config. All internal traffic is coming through fa0/0 and the external modem is connected to fa0/1.
If I put the extended ACL FW_IN on Dialer1 inbound, it blocks all internal traffic going out to the internet.
Cheers
interface FastEthernet0/0
 ip address 10.0.0.8 255.255.255.0
 ip nat inside
 duplex auto
 speed auto
!
interface FastEthernet0/1
 no ip address
 duplex auto
 speed auto
 pppoe enable
 pppoe-client dial-pool-number 1
 no cdp enable
!
interface Serial0/0/0:15
 no ip address
 isdn switch-type primary-net5
 isdn incoming-voice voice
 isdn bind-l3 ccm-manager
 no cdp enable
!
interface Service-Engine1/0
 ip unnumbered FastEthernet0/0
 service-module ip address 10.0.0.7 255.255.255.0
 service-module ip default-gateway 10.0.0.1
!
interface Virtual-Template1
 ip unnumbered Dialer1
 ip mroute-cache
 loopback
 peer default ip address pool dialin
 no keepalive
 ppp authentication pap chap ms-chap
!
interface Dialer1
 ip address negotiated
 no ip redirects
 no ip unreachables
 ip mtu 1460
 ip nat outside
 encapsulation ppp
 ip tcp adjust-mss 1420
 dialer pool 1
 dialer-group 1
 ppp authentication pap callin
 ppp chap refuse
 ppp pap sent-username xxxxxxxx@xxxxxx.xxx password 0 xxxxxx
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 10.0.0.7 255.255.255.255 Service-Engine1/0
!
no ip http server
! PAT: inside hosts matched by access-list 1 share the Dialer1 address
ip nat inside source list 1 interface Dialer1 overload
!
! FW_IN: the inbound filter; it is not applied to any interface in this excerpt
ip access-list extended FW_IN
 permit icmp any any
 permit ip host xx.xx.xxx.xx host xxx.xxx.xxx.xxx
 permit tcp host xx.xx.xxx.xx host xxx.xxx.xxx.xxx eq 1723
 permit ahp any any
 permit esp any any
 permit udp any any eq isakmp
 permit udp any any eq non500-isakmp
 permit gre any any
 permit tcp host xx.xx.xxx.xx host xxx.xxx.xxx.xxx eq 1723
 permit tcp xx.xx.xxx.xx 0.0.255.255 host xxx.xxx.xxx.xxx eq 1723
 permit tcp host xx.xx.xxx.xx host xxx.xxx.xxx.xxx eq telnet
 permit tcp xx.xx.xxx.xx 0.0.255.255 host xxx.xxx.xxx.xxx eq telnet
 permit tcp host xx.xx.xxx.xx host xxx.xxx.xxx.xxx eq 3393
 permit tcp host xx.xx.xxx.xx host xxx.xxx.xxx.xxx eq 3393
 permit tcp any host xxx.xxx.xxx.xxx eq 443
 permit tcp any host xxx.xxx.xxx.xxx eq pop3
 permit tcp any host xxx.xxx.xxx.xxx eq 143
 permit tcp any host xxx.xxx.xxx.xxx eq www
 permit icmp any any echo-reply
 permit icmp any any time-exceeded
 permit icmp any any unreachable
 deny ip 10.0.0.0 0.255.255.255 any
 deny ip 172.16.0.0 0.15.255.255 any
 deny ip 192.168.0.0 0.0.255.255 any
 deny ip 127.0.0.0 0.255.255.255 any
 deny ip host 255.255.255.255 any
 deny ip host 0.0.0.0 any
 deny ip any any log
That ACL allows some VPN stuff, some SSL, HTTP & email, and then pretty much denies anything else. I assume you had this attached to the ingress of the Dialer1 interface? All your internal traffic is going out; it is the return traffic that is being denied. I am sure if you check the logs on the router you will see this.
What you really need are the Firewall Features in the IOS. With this the router effectively changes the inbound ACL dynamically to allow the return traffic. Without this, with a static ACL, it will just block stuff that isn't specifically allowed.
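For the return-traffic problem described in the reply above, the following is an added example of what the IOS Firewall (CBAC, `ip inspect`) configuration looks like on this kind of setup; it is not part of the thread and not taken from the poster's config. It assumes the router's IOS image includes the firewall feature set (the `ip inspect` commands are available), that FW_IN is the poster's existing inbound ACL as posted, and the inspection rule name FW_OUT is a placeholder chosen for this example.

```cisco
! Added example (not from the thread): stateful inspection on Dialer1.
! Assumes an IOS image with the Firewall feature set; FW_OUT is a
! placeholder rule name chosen here, FW_IN is the existing inbound ACL.
!
! Inspection rule: the router records each outbound TCP/UDP/ICMP session
! and temporarily permits the matching return packets through FW_IN.
ip inspect name FW_OUT tcp
ip inspect name FW_OUT udp
ip inspect name FW_OUT icmp
!
interface Dialer1
 ! inspect traffic leaving towards the ISP ...
 ip inspect FW_OUT out
 ! ... and keep the static ACL on the inbound side of the same interface;
 ! without inspection this ACL drops the replies to inside-initiated sessions
 ip access-group FW_IN in
```

Once applied, `show ip inspect sessions` lists the outbound sessions the router is tracking, and the `deny ip any any log` line at the end of FW_IN should stop logging the reply packets of those sessions. The static permits in FW_IN still govern unsolicited inbound connections (the VPN, HTTPS, mail and HTTP entries), so they stay as they are; note that the first line, `permit icmp any any`, already matches all ICMP, so the later echo-reply, time-exceeded and unreachable entries never get a hit.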