Cannot browse Internet behind ACL

[marslove]

I applied following ACL to the external interface inbound and still cannot browse Internet
Everything else seams to work. If I remove ACL internet works.

access-list 122 permit tcp any eq domain any
access-list 122 permit udp any eq domain any
access-list 122 permit tcp any any eq www
access-list 122 permit udp any any range 10000 20000
access-list 122 permit udp any any eq 5060
access-list 122 permit tcp any any eq 5060
access-list 122 permit tcp any host 192.168.X.X eq 3389
access-list 122 permit tcp any host 75.99.24.19 eq 2
access-list 122 deny ip any any

Any Ideas
Thanks

 

[Minue]

Hello
The problem with the access-list is that your return traffic is getting block because you don't have those high order ports open,that the browser is using.
To work around this you should use CBAC or something of the like.

http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a0080094e8b.shtml

Reagards

 

[imbadatthis]

... Minue ACLs work just fine ...

he is applying it INBOUND hence the problem

access-list 122 permit tcp any any eq [URL unfurl="true"]www establish[/URL]

should make it work ...

post a config for both interfaces (outbound/ inbound) if the establish doesn't work...




We must go always forward, not backward
always up, not down and always twirling twirling towards infinity.

 

[Minue]

Hi Imbadatthis ,
That's old school stuff,totally forgotten about that one.Too much time away from the access network stuff Yes that should work!!
Regards

 

[marslove]

Did ii and still the same

access-list 122 permit tcp any eq 53 any
access-list 122 permit udp any eq 53 any
access-list 122 permit icmp any any
access-list 122 permit tcp any any eq

http://www establish

access-list 122 permit udp any any range 10000 20000
access-list 122 permit udp any any eq 5060
access-list 122 permit tcp any any eq 5060
access-list 122 permit tcp any host 192.168.1.5 eq 3389
access-list 122 permit tcp any host 75.99.24.19 eq 22
#access-list 122 permit icmp any any
access-list 122 deny ip any any

 

[imbadatthis]

try to create some "internet" activity:

ping your dns
ping google
try to brows a site.

then do a show access-lists 122

should show what matched and what was restricted...

and post it here.
also post your interface configs please.


We must go always forward, not backward
always up, not down and always twirling twirling towards infinity.

 

[marslove]

Extended IP access list 122
10 permit tcp any eq domain any
20 permit udp any eq domain any (921 matches)
30 permit icmp any any (8 matches)
40 permit tcp any any eq

http://www established

50 permit udp any any range 10000 20000
60 permit udp any any eq 5060 (621 matches)
70 permit tcp any any eq 5060
80 permit tcp any host 192.168.1.5 eq 3389
90 permit tcp any host 75.99.24.19 eq 22
100 deny ip any any (1611 matches)

 

[dgrizzard]

You would need to change line 50 to:

permit tcp any any established

This will allow any established tcp connections as right now you are matching inbound traffic on port 80, which it will most likely not be coming inbound on port 80.

If you need to do non-tcp traffic (established is only for tcp) then you need to look at reflexive ACLs.

 

[dgrizzard]

Line 40, woops

 

[marslove]

Hi Guys

Ok
Now could browse web, but now FTP don't work.
I added other line to ACL in

acess-list 122 permit tcp any any eq 21

that did not help.

Please Help

Thanks

 

[chieftan]

Might need port 20 as well as 21.... Not sure though

 

[imbadatthis]

chief is right, FTP needs both 20 and 21 to establish connections.

http://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers

you aren't doing this as a job are you ?


We must go always forward, not backward
always up, not down and always twirling twirling towards infinity.

 

[marslove]

No luck. FTP steel not working.
access-list 122 permit tcp any eq 53 any
access-list 122 permit udp any eq 53 any
access-list 122 permit icmp any any
access-list 122 permit tcp any any established
access-list 122 permit udp any any range 10000 20000
access-list 122 permit udp any any eq 5060
access-list 122 permit tcp any any eq 5060
access-list 122 permit tcp any any eq 3389
access-list 122 permit tcp any any eq 21
access-list 122 permit tcp any any eq 20
access-list 122 permit tcp any any eq 22
#access-list 122 permit icmp any any
access-list 122 deny ip any any


Thanks

 

[NetworksMD]

It would really help if you post your config. By the looks of your list it would look like something you put inbound on your internal interface (meaning traffic going into your external interface). If you apply this ACL on your external interface inbound it appears you want to be able to FTP through your router into your iternal network. You will still have a couple of issues with your ACL for DNS (if you are using DNS for a FTP connection and/or the return port for FTP. For simplicity sake, the return port for DNS is a UDP port greater then 1023 and FTP TCP return port is usually the source port (ephemeral) your client used from TCP source port 20. Keep in mind that the ACL is stateless when you configure this.

 

[imbadatthis]

marsellove,

-whats it the error message when you try to FTP. different errors have different causes. is it just saying connection refused? and if yes how are you running this test is it truly from an outside source?

-have you been trying the show access-list 122 command ?
the reason i gave you that command is because it shows you what is matching and what doesn't match in the access list so you can fix it as you move along. When you try to establish an incoming FTP connection and it fails, you should check the access list via the command and see if it matched any of the incoming traffic. if NOT then you should try to figure out why not.

-and i have to ask is your NAT statements correct? are you forwarding port 20/21 to some server?

that and post your config for your interface, your NAT statements, and your ACLs.

Thanks,

We must go always forward, not backward
always up, not down and always twirling twirling towards infinity.