Almost complete

Status
Not open for further replies.

jafo18301

IS-IT--Management
May 28, 2003
I am able to route from my 2620 to my 1720 to the internet just fine. I also have my webserver accessible from the outside world. My problem is that when I permit certain ports like eq 80, I cannot reach the internet from my network nor can anyone hit my webserver from the outside. Below is a simple description that I have for each router.

1720
-----
Dialer1:
access-group 100 in
access-group 101 out

FastEthernet0:
access-group 105 in
access-group 106 out

2620
-----
Ethernet0/0 (same network as 1720 FastEthernet0):
access-group 100 in
access-group 101 out

Ethernet0/1:
access-group 105 in
access-group 106 out

1720
-----
access-list 100 permit tcp any any eq 80
access-list 101 permit tcp any any eq 80

What am I doing wrong?
Thanks in advance for any help.

JAFO
 
You're only permitting port 80 inbound. You at least need something like

access-list 101 permit tcp any any ge 1024
access-list 101 permit udp any any ge 1024

Cisco ACLs have an implicit "deny ip any any" at the end.
 
I have tried what you have stated but still to no avail. Here is my access-list as you have stated:

access-list 100 permit tcp any any eq 80
access-list 101 permit tcp any any eq 80
access-list 101 permit tcp any any eq 1024
access-list 101 permit udp any any eq 1024
dialer-list 2 protocol ip permit

With the above ACL, I cannot reach the internet nor can anyone hit my webserver.

Everything works fine when I don't use any ACLs, but I want to restrict incoming traffic. I would also like to keep several other ports (ex. ftp, telnet) open for outbound traffic. I'm using NAT, so I'm thinking that may have something to do with the issue. Any other thoughts? Thanks for your response. Any help brings me one step closer.

thanks again,

JAFO
 
It appears that on every router interface you have 2 access-lists that permit port 80 (www) and deny everything else. When someone accesses your web server, your server listens on port 80. However, they are not coming from port 80. When your server responds, it is sending back to the random port that the client originated from. You should post full configs for more help. That way, the people on this board will know whether or not you have the correct inspect statements (CBAC), complete access lists, and so on and so on.
 
Sorry about that. Below is my config. I have tried everything that I could think of to close the unnecessary ports and only allow certain traffic in. What am I doing wrong? Thanks for the learning experience. Thanks again for any help.

JAFO

!
version 12.3
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname XXXXXX
!
boot-start-marker
boot-end-marker
!
enable password 7 XXXXXXXXXXXXXXXX
!
memory-size iomem 25
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
no aaa new-model
ip subnet-zero
!
!
no ip domain lookup
!
ip cef
ip audit po max-events 100
vpdn enable
!
vpdn-group pppoe
request-dialin
protocol pppoe
!
no ftp-server write-enable
!
!
!
!
!
!
!
interface Ethernet0
description connected to Internet
no ip address
half-duplex
pppoe enable
pppoe-client dial-pool-number 1
no keepalive
!
interface FastEthernet0
ip address 50.1.1.1 255.255.255.0
ip access-group 105 in
ip access-group 106 out
ip nat inside
ip tcp adjust-mss 1452
speed auto
!
interface Dialer1
description connected to Internet
ip address negotiated
ip access-group 100 in
ip access-group 101 out
ip mtu 1492
ip nat outside
encapsulation ppp
dialer pool 1
dialer-group 2
ppp authentication chap pap callin
ppp chap hostname XXXXXXX
ppp chap password 7 XXXXXXXXXXXXXXXXXX
ppp pap sent-username XXXXXXX password 7 XXXXXXXXXXXXXXXXXX
!
router rip
version 2
passive-interface Dialer1
network 50.0.0.0
no auto-summary
!
ip nat inside source list 1 interface Dialer1 overload
ip nat inside source static tcp 50.1.1.100 80 interface Dialer1 80
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 90.1.1.0 255.255.255.0 50.1.1.5 permanent
no ip http server
no ip http secure-server
!
!
access-list 1 permit 50.1.1.0 0.0.0.255
access-list 1 permit 90.1.1.0 0.0.0.255
dialer-list 2 protocol ip permit
!
snmp-server community public RO
snmp-server enable traps tty
!
line con 0
exec-timeout 0 0
password 7 XXXXXXXXXXXXXXXX
login
line aux 0
line vty 0 4
password 7 XXXXXXXXXXXXXXXX
login
!
!
end
 
Hi:

Have you used 'gt' instead of 'ge'?:

access-list 100 permit tcp any any eq 80
access-list 101 permit tcp any any eq 80
access-list 101 permit tcp any any gt 1024
access-list 101 permit udp any any gt 1024

or

access-list 101 permit tcp any any eq established (something like that)
 
I have tried the above stated. The only thing that allows my internet connection to go out and come in is:

access-list 100 permit ip any any

I know this opens up all the ports but nothing else is working.

Thanks for the reply.

JAFO
 
Have you done some debugging to see what's going wrong?

show ip access-lists
deb ip pack <acl no.> detailed

Diego.
 
For your outbound access you need to allow DNS (UDP/TCP 53) as well as just port 80.

Chris.

**********************
Chris Andrew, CCNA, CCSA
chris@iproute.co.uk
**********************
 
Ok...
I have opened up port 53 as well. Still the same thing. I cannot hit the internet unless I permit ip any any on my outbound access-list. Can't seem to understand why this is happening. I don't believe the router is bad b/c everything else seems to be working fine. I'm at a loss on this issue. Someone mentioned something about the ip inspect command. Do I need to use this command? Thanks for all of the replies. Still searching for a good explanation of why this is happening. Thanks again to everyone for their help.

JAFO
 
On the end of your access list put "access-list 100 deny ip any any log". Then put logging on your router and you will see what traffic is being dropped so you can change your ACL accordingly.

Looking back at your config, something looks wrong. You have ..

interface FastEthernet0
ip address 50.1.1.1 255.255.255.0
ip access-group 105 in
ip access-group 106 out

interface Dialer1
description connected to Internet
ip address negotiated
ip access-group 100 in
ip access-group 101 out

.. but I don't see ACLs 100, 101, 105 and 106! To get traffic out from your network it has to go through 105 and then 101. Inbound traffic needs to go through 100 and then 106. Could you show us these four ACLs as they are now?

Chris.


**********************
Chris Andrew, CCNA, CCSA
chris@iproute.co.uk
**********************
 
Here are my current ACLs. I have opened up 105 and 106 but have limited 100 and 101, and still nothing. Thanks for the reply. To gain access to the internet, I have to put in access-list 100 permit ip any any. I left that out just to show the config that will not work. I'm still learning, so please be patient with me. Thanks again.

JAFO

access-list 100 permit tcp any any eq www
access-list 100 permit tcp any any eq domain
access-list 100 permit udp any any eq domain
access-list 101 permit tcp any any eq domain
access-list 101 permit tcp any any eq www
access-list 101 permit udp any any eq domain
access-list 101 permit tcp any any gt 1024
access-list 101 permit udp any any gt 1024
access-list 105 permit ip any any
access-list 106 permit ip any any

 
Ah, here is your problem.

interface Dialer1
description connected to Internet
ip address negotiated
ip access-group 100 in
!
access-list 100 permit tcp any any eq www
access-list 100 permit tcp any any eq domain
access-list 100 permit udp any any eq domain

So, any traffic coming in from the internet to your dialer interface is inspected by access-list 100 (i.e. inbound to your external facing interface).

So, when you try to connect to a web site on port 80 your client will be using a high port number as the source, let's say 1154 as an example. So, when the web server connects back to you its source port is 80 but its destination port is 1154, i.e. you! Access list 100 only allows TCP 80 and TCP/UDP 53, and so the traffic is dropped.

So, you could add to the end of your acl ..

access-list 100 permit tcp any any established
access-list 100 permit udp any any gt 1024

Chris.


**********************
Chris Andrew, CCNA, CCSA
chris@iproute.co.uk
**********************
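The two explanations in this thread (the implicit deny mentioned in the first reply, and the dropped return traffic explained in Chris's last reply) can be checked with a small model of how IOS evaluates an extended ACL: first matching entry wins, anything unmatched hits the implicit "deny ip any any", and "established" only tests whether the ACK or RST bit is set. This is an added example, not code from the thread or from Cisco. The addresses and packets are constructed (198.51.100.7 stands in for the negotiated Dialer1 address, which is what an inbound ACL on the outside interface sees because it is checked before NAT; 203.0.113.0/24 stands in for hosts on the internet), and the parser handles only the access-list syntax used in this thread.

```python
"""Added example: evaluate packets against the thread's access-list 100 the way
IOS does (first match wins, implicit 'deny ip any any', and 'established'
meaning only 'TCP segment with ACK or RST set'). Addresses and packets are
constructed; the parser covers only the extended-ACL syntax used in the thread."""
import ipaddress
from dataclasses import dataclass

PORT_NAMES = {"www": 80, "domain": 53, "ftp": 21, "telnet": 23}
PORT_OPS = ("eq", "gt", "lt", "neq", "range")   # the IOS port operators; there is no 'ge'


@dataclass(frozen=True)
class Packet:
    proto: str              # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    ack: bool = False       # TCP ACK flag
    rst: bool = False       # TCP RST flag


@dataclass(frozen=True)
class Ace:
    action: str
    proto: str
    src: object             # ip_network, or None for 'any'
    sport: tuple
    dst: object
    dport: tuple
    established: bool


def _parse_addr(tokens):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'; None means any address."""
    tok = tokens.pop(0)
    if tok == "any":
        return None
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0))
    mask = (~int(ipaddress.ip_address(tokens.pop(0)))) & 0xFFFFFFFF
    return ipaddress.ip_network((tok, str(ipaddress.ip_address(mask))), strict=False)


def _parse_port(tokens):
    """Consume an optional port operator; None means any port."""
    if not tokens or tokens[0] not in PORT_OPS:
        return None
    op = tokens.pop(0)
    count = 2 if op == "range" else 1
    return (op, *[PORT_NAMES.get(t) or int(t) for t in [tokens.pop(0) for _ in range(count)]])


def parse_ace(line):
    """Parse 'access-list N permit|deny proto src [op] dst [op] [established]'."""
    tokens = line.split()
    if tokens[0] != "access-list":
        raise ValueError(line)
    action, proto, rest = tokens[2], tokens[3], tokens[4:]
    src, sport = _parse_addr(rest), _parse_port(rest)
    dst, dport = _parse_addr(rest), _parse_port(rest)
    return Ace(action, proto, src, sport, dst, dport, "established" in rest)


def _port_ok(spec, port):
    if spec is None:
        return True
    op, lo = spec[0], spec[1]
    if op == "range":
        return lo <= port <= spec[2]
    return {"eq": port == lo, "gt": port > lo, "lt": port < lo, "neq": port != lo}[op]


def _addr_ok(net, addr):
    return net is None or ipaddress.ip_address(addr) in net


def ace_matches(ace, pkt):
    if ace.proto not in ("ip", pkt.proto):
        return False
    if not (_addr_ok(ace.src, pkt.src) and _addr_ok(ace.dst, pkt.dst)):
        return False
    if ace.proto in ("tcp", "udp") and not (_port_ok(ace.sport, pkt.sport) and _port_ok(ace.dport, pkt.dport)):
        return False
    # 'established' is a flag test, not connection tracking: any TCP segment with ACK or RST set matches.
    return not ace.established or (pkt.proto == "tcp" and (pkt.ack or pkt.rst))


def evaluate(acl_lines, pkt):
    """Return 'permit' or 'deny'; an unmatched packet hits the implicit 'deny ip any any'."""
    for ace in map(parse_ace, acl_lines):
        if ace_matches(ace, pkt):
            return ace.action
    return "deny"


# Access-list 100 as posted (applied 'in' on Dialer1), and with the two lines from the last reply added.
ACL100_ORIGINAL = [
    "access-list 100 permit tcp any any eq www",
    "access-list 100 permit tcp any any eq domain",
    "access-list 100 permit udp any any eq domain",
]
ACL100_FIXED = ACL100_ORIGINAL + [
    "access-list 100 permit tcp any any established",
    "access-list 100 permit udp any any gt 1024",
]

# Constructed packets. 198.51.100.7 stands in for the negotiated Dialer1 address (inbound ACLs on the
# outside interface run before NAT, so they see it rather than 50.1.1.x); 203.0.113.0/24 is 'the internet'.
WEB_SYN_ACK = Packet("tcp", "203.0.113.10", 80, "198.51.100.7", 1154, ack=True)   # reply to our client's SYN
SYN_TO_SERVER = Packet("tcp", "203.0.113.10", 51000, "198.51.100.7", 80)           # outsider opening port 80
DNS_REPLY = Packet("udp", "203.0.113.53", 53, "198.51.100.7", 40123)
ACK_PROBE = Packet("tcp", "203.0.113.99", 6000, "198.51.100.7", 1154, ack=True)    # crafted, no prior SYN
SYN_PROBE = Packet("tcp", "203.0.113.99", 6000, "198.51.100.7", 1154)


def verdicts(acl_lines):
    """Verdict for each constructed packet under one version of the list."""
    return {name: evaluate(acl_lines, pkt) for name, pkt in
            [("web_syn_ack", WEB_SYN_ACK), ("syn_to_server", SYN_TO_SERVER),
             ("dns_reply", DNS_REPLY), ("ack_probe", ACK_PROBE), ("syn_probe", SYN_PROBE)]}


if __name__ == "__main__":
    for label, acl in (("original", ACL100_ORIGINAL), ("with established", ACL100_FIXED)):
        print(label, verdicts(acl))
```

Under the posted list the web server's SYN/ACK to port 1154 and the DNS reply to a high UDP port are both denied, which is exactly the symptom in the thread, while an outsider's SYN to port 80 is permitted. Under the fixed list both replies pass, but so does a crafted ACK segment from an unrelated host to port 1154: "established" and "udp gt 1024" are stateless, so they let in anything that looks like a reply. That is the trade-off the earlier mention of CBAC ("ip inspect") is about, since inspection opens the return path per tracked connection instead of for every ACK-flagged segment.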
 
That did the trick. I now understand why it wasn't allowing anything to pass through. Thanks so much for your help everyone. I now feel better protected. This is the second router in a string of three. I have very proprietary information that cannot become public. Thanks again.

JAFO
 