
in bound Access-list blocks outgoing access 3


SteveR1977

Programmer
Mar 29, 2002
Hi.. I am new to Cisco routers. I have a problem with my access-list. When I set up an incoming access-list my outgoing access is also blocked. I have an outgoing access-list set up that permits any traffic. As soon as I delete the inbound list my internet access works again.
 
What are you blocking on your inbound ACL? Posting the ACLs might be helpful in finding the cause of your problem.

Chris.
************************
Chris Andrew, CCNA
chrisac@gmx.co.uk
************************
 
Here is the access-list. I am not sure, but I think that it may be something that I am doing wrong with my static routing.

!Static Routing
Ip nat inside source static <local IP> 80 <global IP> 80 extendable

!Access-list
acc 101 permit tcp any host <Global IP> 53 log
acc 101 permit tcp any host <Global IP> eq 53 log
acc 101 permit tcp any host <Global IP> eq 25 log
acc 101 permit tcp any host <Global IP> eq
 
Your outgoing connection from your inside hosts will have TCP ports greater than 1023. Your access list will block all incoming replies from DNS servers, web servers etc ..

Chris.
************************
Chris Andrew, CCNA
chrisac@gmx.co.uk
************************
 
Just as an afterthought, your traffic will be blocked by the implicit "deny ip any any" statement at the end of the ACL. To see what is being blocked add the line ..

access-list 101 deny ip any any log

You will then be able to troubleshoot your ACL by looking at your logging!

Chris.
************************
Chris Andrew, CCNA
chrisac@gmx.co.uk
************************
 
Should the inbound list block outbound traffic? The access-list 101 is an inbound list. My outbound list allows all traffic. Also when I permit all TCP traffic on the inbound access list and log it, it allows outbound access. However when I look at the log there are many different TCP ports coming back in going to port 0.
 
The access list you posted is for inbound traffic, from the internet to your network, right? And your problem is that when this ACL is applied to the outside interface it prevents outbound access, yes?

Remember that when you have outgoing traffic, i.e. you open a web browser or an ftp session or mail etc, you connect to a remote server and then that server has to send traffic back to you! That return traffic is "inbound" to your network. So for example, if you have a host on IP address 212.50.x.y and it's going to a webserver at the outgoing traffic will have a source address of 212.50.x.y and a source port of 1179 (just an example). The destination address will be the IP address of and the destination port if it's a web server will be 80 (for http). Your outbound ACL that permits all TCP traffic will allow this out.

Now, the server at will have to send data back to your client machine on your network. So, the source address will be the IP address of and the source port will be 80. The destination address will be your machine at 212.50.x.y and the destination port will be 1179. When the first packet arrives at your router it will be checked against the incoming ACL, list 101. The question is, is TCP port 1179 allowed in to your host?

Looking at your ACL (list 101) we can see that TCP traffic to the inside network is allowed on ports 53, 80 and 25. 1179 is not allowed and so will be dropped by the implicit "deny ip any any" statement at the end. Therefore, your connection to the web server will time out. The outgoing traffic is allowed but the reply traffic is not! Remember that ACLs on a router are not like rules on a firewall. If you had a firewall with stateful inspection, the outgoing connection would be placed in a state table. The reply from the web server would then be matched against this entry in the state table and therefore allowed through. However, your router is not providing stateful connections and all incoming traffic will be matched against the inbound ACL.

Your access-list 101 is only allowing connections in on ports 53, 80 and 25. Do you have a web server on your network? You are only allowing incoming connections for DNS domain transfers, incoming HTTP requests (if you have a web server) and incoming mail to an SMTP server.

What is it that you want to allow in and what do you want to block access to?

Chris.
************************
Chris Andrew, CCNA
chrisac@gmx.co.uk
************************
 
Thanks for all of your help!! I was able to get it working by allowing all TCP traffic using the established command.
is this secure?
 
That's a good idea! Sorry, I forgot to mention that! Permit all established TCP traffic so that it acts kind of like a stateful packet filter! In other words any return traffic from a connection initiated from the inside.

As for it being secure .. well it's never gonna be as secure as a firewall but it's better than nothing.

Good luck.

Chris.
************************
Chris Andrew, CCNA
chrisac@gmx.co.uk
************************
 
I am having the exact same problem as well, however I tried the 'established' command, and am having no luck. Here is my acl, and what I have tried.

acc 100 permit tcp host <ip> any eq 23
acc 100 permit tcp host <ip> any
acc 100 permit tcp any any established log

Thanks in advance for any help

Michelle
 
First, which way is the access list being applied, what are you trying to achieve and what doesn't work??

Second, add access-list 100 deny ip any any log to the bottom of the list and then do some logging to see what's being dropped and why.


collossus#conf t
Enter configuration commands, one per line. End with CNTL/Z.
collossus(config)#logging buffered 5000
collossus#sh logging
Syslog logging: enabled (0 messages dropped, 0 messages rate-limited, 0 flushes, 0 overruns)
Console logging: level debugging, 475809 messages logged
Monitor logging: level debugging, 0 messages logged
Buffer logging: level debugging, 475809 messages logged
Logging Exception size (4096 bytes)
Count and timestamp logging messages: disabled
Trap logging: level informational, 64 message lines logged

Log Buffer (5000 bytes):
Vi1 PPP: Outbound cdp packet dropped, CDPCP state is Listen
Apr 2 18:07:51: Vi1 PPP: Outbound cdp packet dropped, CDPCP state is Listen


etc ....

Whatever is being dropped by the last statement will appear in your log file so you can see why.

Good luck.

Chris.
************************
Chris Andrew, CCNA
chrisac@gmx.co.uk
************************
 
sorry - almost exact same scenario as SteveR1977

the acl is being applied to inbound traffic. All outbound traffic is allowed. Only allowing certain ip's in to these machines. Everything works great except internet access. Once the acl is applied, internet activity stops. Once removed, access is granted again.

Will try logging and see what comes up.

thanks,

michelle
 
GOT IT!

Just needed a little tweaking!

Thanks -

Michelle
 
You could post your access list on here and we'll have a look.

Let me know how you get on.

Chris.
************************
Chris Andrew, CCNA
chrisac@gmx.co.uk
************************
 
My pleasure, always.

Chris.
************************
Chris Andrew, CCNA
chrisac@gmx.co.uk
************************
 
Please allow me to pose a question:

I have a terminating gateway that is interconnecting to a Cisco gateway.

My gateway is a MC3810. It has yet to terminate any traffic though it had placed successful test calls when it was loaded with 12.0 IOS.
It is presently loaded with 12.2.7b Enterprise VOIP/VOATM IPSec56.

The problem I am having is that calls made to the MC3810 will go through. The PSTN line will ring three times and then the call is dropped instantaneously with no answer. SIP signaling was utilized with this setup (bypassing fast start). Fast start was not functioning properly in preliminary tests.

Do you know of any typical configurations used in originating Cisco gateways that causes this behavior?

This same problem occurred while I was using a Vive gateway. Prior to this I believed that the problem was with the Vive gateway hence the change out to a Cisco box.

I am connected via marine cable over leased line IP. The phone lines are analog lines. The channel bank is a Carrier Access I with FXO cards set to loop start.

The Vive used no channel bank and was connected directly to the PSTN analog lines. Fast start was used with the Vive gateway.

I hope you might be able to point me in the right direction to solve this problem.

Thanks! jafon2k@hotmail.com
 
Hi There,

I am a software programmer with no experience with Cisco Routers. I am having some problems with my Cisco 1700 box.
We are using NAT in office.

I am trying to do the following, but to no avail.
1)Deny ALL connections to ALL ports on IP address <123.456.9.0> (imaginary ip, used by webserver), except for 80(IIS Web Server) and 8080(Apache Tomcat Servlet Engine).

2)Disable ALL access to ALL other IPs on port 3306
(I.e Access to other ports on other IPs still allowed)

3)All other incoming/outgoing Internet activity should not be affected. (I.e Internet surfing should not be disrupted, DNS resolving should also not be disrupted and All internet connection activity to the mail server should also be untouched)

Everything is messed up. I am using the following configuration (snippet)

-----------------------------
interface Serial0
ip address <router ip> 255.255.255.252
ip access-group 100 in
no ip directed-broadcast
ip nat outside
encapsulation ppp
!
interface FastEthernet0
ip address 192.168.0.1 255.255.255.0
no ip directed-broadcast
ip nat inside
half-duplex
!
ip nat inside source list 1 interface Serial0 overload
ip nat inside source static 192.168.0.4 <mail-server-ip>
ip nat inside source static 192.168.0.3 <web-server-ip>
ip classless
ip route 0.0.0.0 0.0.0.0 203.92.90.89
no ip http server
!
access-list 1 permit any
access-list 10 permit 192.168.0.0 0.0.0.255

!--- All 7 lines below added by me ---!
access-list 100 permit tcp any any established
access-list 100 permit tcp any any eq domain
access-list 100 permit udp any any eq domain
access-list 100 permit ip any any
access-list 100 deny tcp any host <web-server-ip>
access-list 100 permit tcp any host <web-server-ip> eq www
access-list 100 permit tcp any host <web-server-ip> eq 8080
!--- All 7 lines above added by me ---!

access-list 101 permit ip any any
!
-----------------------------

Please tell me what is wrong above.
I thank you in anticipation.

Regards,
Sunil
 
Access-list 100 REM Allows packets connected to Destination port 80
access-list 100 permit tcp any host <web-server-ip> 80
Access-list 100 REM Allows packets connected to Destination port 8080
access-list 100 permit tcp any host <web-server-ip> eq 8080
Access-list 100 REM Allows packets connected to Destination port 53
access-list 100 permit tcp any any 53
access-list 100 permit udp any any 53
Access-list 100 REM Allows packets connected to Destination port of web-server-ip
Access-list 100 deny tcp any host <web-server-ip>
Access-list 100 REM The established qualifier for TCP matches all TCP packets that are part of a TCP connection that is already set up, regardless of the source or destination port.
Access-list 100 permit tcp any any established Remaining packets must be established thru TCP connections
access-list 100 permit icmp any any host echo
access-list 100 REM permits everything not denied thru above filters.
access-list 100 permit ip any any


Additional notes:

ip access-group 100 in is applied against incoming packets on the serial interface to the Internet
Route once; switch many
 
Hi There,

THank you very much for your help.
I tried running your commands.....but there was some compilation errors. I made some modification with the best of my miserable knowledge.

I haven't really tested it yet from the outside..
Will test it when i go home..

These are the modified lines I have added....
Please tell me if they fit my requirements above....

Once again, i am really grateful for your help.
I wasted 5 hours yesterday, while trying to tackle this problem !!


!------MODIFIED FROM ORIGINAL------!
access-list 100 REM Allows packets connected to Destination port 80
access-list 100 permit tcp any host <web-server-ip> eq 80

access-list 100 REM Allows packets connected to Destination port 8080
access-list 100 permit tcp any host <web-server-ip> eq 8080

access-list 100 REM Allows packets connected to Destination port 53
access-list 100 permit tcp any any eq 53
access-list 100 permit udp any any eq 53

access-list 100 REM Deny packets connected to Destination port of <web-server-ip>
access-list 100 deny tcp any host <web-server-ip>

access-list 100 REM The established qualifier for TCP matches all TCP packets that are part of a TCP connection that is already set up, regardless of the source or destination port.
access-list 100 REM Remaining packets must be established thru TCP connections
access-list 100 permit tcp any any established
access-list 100 permit icmp any any echo

access-list 100 REM permits everything not denied thru above filters.
access-list 100 permit ip any any

!------MODIFIED FROM ORIGINAL------!

Best Regards,
Sunil
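To make the two failure modes in this thread concrete (Chris's point that list 101 drops the web server's reply to the client's high port, and the ordering of "permit ip any any" above the deny in Sunil's first list 100), here is an added example, not code from the thread or from Cisco: a small first-match evaluator for the numbered extended ACL subset used above. The TEST-NET addresses and the packets are constructed stand-ins for the placeholders in the posts.

```python
# Added example, not code from the thread: a first-match evaluator for the numbered
# extended ACL subset used above, "access-list N permit|deny PROTO SRC DST [eq PORT]
# [established] [log]" with SRC/DST = "any" | "host A.B.C.D" (constructed TEST-NET IPs).
from collections import namedtuple

Ace = namedtuple("Ace", "action proto dst dport established")
Pkt = namedtuple("Pkt", "proto dst dport ack")   # ack: TCP ACK bit set, i.e. reply traffic
NAMES = {"www": 80, "domain": 53, "smtp": 25}

def parse_acl(text):
    aces = []
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 6 or t[2] not in ("permit", "deny"):
            continue                                    # remark or truncated line
        i = 6 if t[4] == "host" else 5                  # index just after the source spec
        dst, rest = (t[i + 1], t[i + 2:]) if t[i] == "host" else ("any", t[i + 1:])
        p = rest[rest.index("eq") + 1] if "eq" in rest[:-1] else None
        dport = NAMES[p] if p in NAMES else int(p) if p and p.isdigit() else None
        aces.append(Ace(t[2], t[3], dst, dport, "established" in rest))
    return aces

def matches(ace, pkt):
    return (ace.proto in ("ip", pkt.proto) and ace.dst in ("any", pkt.dst)
            and (ace.dport is None or ace.dport == pkt.dport)
            and (not ace.established or (pkt.proto == "tcp" and pkt.ack)))

def evaluate(aces, pkt):
    """First matching ACE wins; ('deny', None) is the implicit deny ip any any."""
    for i, ace in enumerate(aces):
        if matches(ace, pkt):
            return ace.action, i
    return "deny", None

# (1) Steve's inbound list 101 opens only 53/80/25 towards the global IP, so the web
# server's reply to the client's ephemeral port 1179 hits the implicit deny.
STEVE = """access-list 101 permit tcp any host 198.51.100.10 eq 53 log
access-list 101 permit tcp any host 198.51.100.10 eq 80 log
access-list 101 permit tcp any host 198.51.100.10 eq 25 log"""
STEVE_FIXED = STEVE + "\naccess-list 101 permit tcp any any established"
REPLY_80_TO_1179 = Pkt("tcp", "198.51.100.10", 1179, ack=True)

# (2) Sunil's first list 100 puts "permit ip any any" before its deny, so a new
# connection to the web server's port 3306 is permitted at index 1 and the deny is dead.
SUNIL_FIRST = """access-list 100 permit tcp any any established
access-list 100 permit ip any any
access-list 100 deny tcp any host 198.51.100.3
access-list 100 permit tcp any host 198.51.100.3 eq www"""
SUNIL_FIXED = "\n".join(SUNIL_FIRST.splitlines()[i] for i in (3, 2, 0, 1))  # reply's order
SYN_TO_3306 = Pkt("tcp", "198.51.100.3", 3306, ack=False)
```

Run `evaluate(parse_acl(STEVE), REPLY_80_TO_1179)` against `evaluate(parse_acl(STEVE_FIXED), REPLY_80_TO_1179)` to see the reply go from implicit deny to the established line, and the two SUNIL lists against `SYN_TO_3306` to see the deny become reachable once the catch-all moves below it.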
 