Hi,
I have a Cisco 1921 and need to open ports 22 (SSH) and 873 (rsync) to run an rsync server on my network and the rest of the network needs standard "internet" access. I am fairly new to Cisco ACLs and so I expect I'm doing something stupid but not sure what.
When I add the ip access-group XXX in / out to the gig0/0 interface, I lose all at that point.
Here is my current (working) config with the ACLs listed (101 and 102) but not enabled on the gig0/0 interface.
I have tried the "established" statement at the start and end of the 101 list, no difference.
Thanks for any help!
Router#show run
Building configuration...
Current configuration : 2675 bytes
!
! Last configuration change at 15:03:45 UTC Sun Dec 18 2011 by
!
version 15.0
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$Sx2k$wiHT8Af585IB/HsSZkwC61
enable password 7 073E325F19190C1D47
!
no aaa new-model
!
no ipv6 cef
ip source-route
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 10.1.0.1 10.1.0.149
ip dhcp excluded-address 10.1.0.200 10.1.0.254
!
ip dhcp pool net_dhcp
import all
network 10.1.0.0 255.255.255.0
default-router 10.1.0.1
lease 0 0 5
!
!
no ip domain lookup
ip domain name treeskier.ca
multilink bundle-name authenticated
!
!
!
license udi pid CISCO1921/K9 sn FGL15092836
!
!
username blah password blahblah
!
!
ip ssh version 2
!
!
!
!
interface GigabitEthernet0/0
description Internet
ip dhcp client update dns
ip address dhcp
ip nat outside
! ip access-group 101 in
! ip access-group 102 out
! once I turn these on, it all dies.
ip virtual-reassembly
duplex auto
speed auto
no cdp enable
no mop enabled
!
interface GigabitEthernet0/1
description internal
ip address 10.1.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
no mop enabled
!
ip forward-protocol nd
!
ip http server
ip http authentication local
no ip http secure-server
!
ip nat inside source list 1 interface GigabitEthernet0/0 overload
ip nat inside source static tcp 10.1.0.102 873 interface GigabitEthernet0/0 873
ip nat inside source static tcp 10.1.0.102 22 interface GigabitEthernet0/0 22
!
access-list 1 permit 10.1.0.0 0.0.0.255
access-list 1 remark INSIDE_IF=gig0/1
access-list 101 permit tcp any 10.1.0.0 0.0.0.255 established
access-list 101 permit tcp any host 10.1.0.102 eq 22
access-list 101 permit udp any host 10.1.0.102 eq 22
access-list 101 permit tcp any host 10.1.0.102 eq 873
access-list 101 permit udp any host 10.1.0.102 eq 873
access-list 102 permit tcp 10.1.0.0 0.0.0.255 any
access-list 102 permit udp 10.1.0.0 0.0.0.255 any
dialer-list 1 protocol ip permit
!
!
!
control-plane
!
banner login ^C**************************^C
!
CON and VTY setup
!
scheduler allocate 20000 1000
end
A bit of really basic troubleshooting:
Router#sh access-lists
Standard IP access list 1
10 permit 10.1.0.0, wildcard bits 0.0.0.255 (9854736 matches)
Extended IP access list 101
10 permit tcp any 10.1.0.0 0.0.0.255 established
20 permit tcp any host 10.1.0.102 eq 22
30 permit udp any host 10.1.0.102 eq 22
40 permit tcp any host 10.1.0.102 eq 873
50 permit udp any host 10.1.0.102 eq 873
Extended IP access list 102
10 permit tcp 10.1.0.0 0.0.0.255 any
20 permit udp 10.1.0.0 0.0.0.255 any
Router#sh ip nat translations
Pro Inside global Inside local Outside local Outside global
tcp 192.168.0.10:22 10.1.0.102:22 --- ---
tcp 192.168.0.10:873 10.1.0.102:873 --- ---
tcp 192.168.0.10:54693 10.1.0.150:54693 208.88.180.96:80 208.88.180.96:80
tcp 192.168.0.10:54695 10.1.0.150:54695 208.88.180.96:80 208.88.180.96:80
tcp 192.168.0.10:54696 10.1.0.150:54696 208.88.180.106:5222 208.88.180.106:5222
tcp 192.168.0.10:54699 10.1.0.150:54699 208.88.181.46:1935 208.88.181.46:1935
tcp 192.168.0.10:54700 10.1.0.150:54700 208.88.180.96:80 208.88.180.96:80
... (more dynamic NAT at work)
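Added example, not part of the original post: a small Python model of the Cisco IOS NAT order of operations, which shows why an ACL written against the inside-local 10.1.0.x addresses drops everything once applied to the NAT outside interface. On the outside interface the inbound ACL is evaluated before the global-to-local translation, and the outbound ACL after the local-to-global translation, so in both directions the interface's own address (192.168.0.10 in the translation table above) is what the ACL sees, and the posted entries fall through to the implicit deny. Assumptions: the UDP entries are omitted for brevity, the overload NAT is reduced to a per-port dictionary, the sample packets are constructed, and the rewritten lists (`ACL_101_GLOBAL`, `ACL_102_GLOBAL`) are one way of expressing the same policy in terms of the translated address, not a recommendation from the post.

```python
# Added example (not from the original post): model of the IOS NAT order
# of operations on a NAT "outside" interface.
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    proto: str                  # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    established: bool = False   # TCP segment with ACK or RST set


@dataclass(frozen=True)
class Ace:
    action: str                 # "permit" or "deny"
    proto: str                  # "tcp", "udp" or "ip"
    src: str                    # CIDR network or "any"
    dst: str                    # CIDR network (/32 for "host") or "any"
    dport: int | None = None    # "eq <port>" on the destination
    established: bool = False   # the "established" keyword


def _in_net(net: str, addr: str) -> bool:
    return net == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(net)


def acl_permits(acl: list[Ace], pkt: Packet) -> bool:
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for ace in acl:
        if ace.proto != "ip" and ace.proto != pkt.proto:
            continue
        if not _in_net(ace.src, pkt.src) or not _in_net(ace.dst, pkt.dst):
            continue
        if ace.dport is not None and ace.dport != pkt.dport:
            continue
        if ace.established and not pkt.established:
            continue
        return ace.action == "permit"
    return False


# Values taken from the post: inside network, rsync host, and the address the
# NAT table shows on the outside interface.
INSIDE_NET = "10.1.0.0/24"
RSYNC_HOST = "10.1.0.102/32"
OUTSIDE_IP = "192.168.0.10"
OUTSIDE_HOST = OUTSIDE_IP + "/32"
STATIC_NAT = {("tcp", 22): "10.1.0.102", ("tcp", 873): "10.1.0.102"}
DYNAMIC_NAT: dict[tuple[str, int], str] = {}   # (proto, port) -> inside local

# ACL 101 / 102 as posted (TCP entries only).
ACL_101_AS_POSTED = [
    Ace("permit", "tcp", "any", INSIDE_NET, established=True),
    Ace("permit", "tcp", "any", RSYNC_HOST, dport=22),
    Ace("permit", "tcp", "any", RSYNC_HOST, dport=873),
]
ACL_102_AS_POSTED = [
    Ace("permit", "tcp", INSIDE_NET, "any"),
    Ace("permit", "udp", INSIDE_NET, "any"),
]

# The same policy written against the address the outside interface sees.
ACL_101_GLOBAL = [
    Ace("permit", "tcp", "any", OUTSIDE_HOST, established=True),
    Ace("permit", "tcp", "any", OUTSIDE_HOST, dport=22),
    Ace("permit", "tcp", "any", OUTSIDE_HOST, dport=873),
]
ACL_102_GLOBAL = [
    Ace("permit", "tcp", OUTSIDE_HOST, "any"),
    Ace("permit", "udp", OUTSIDE_HOST, "any"),
]


def outside_to_inside(pkt: Packet, acl_in: list[Ace]) -> tuple[Packet | None, str]:
    """Outside interface, inbound: input ACL runs BEFORE global->local NAT."""
    if not acl_permits(acl_in, pkt):
        return None, f"dropped by inbound ACL, destination still {pkt.dst}"
    local = STATIC_NAT.get((pkt.proto, pkt.dport)) or DYNAMIC_NAT.get((pkt.proto, pkt.dport))
    if local is None:
        return None, "no translation"
    return replace(pkt, dst=local), "forwarded"


def inside_to_outside(pkt: Packet, acl_out: list[Ace]) -> tuple[Packet | None, str]:
    """Outside interface, outbound: local->global NAT (overload) runs BEFORE the output ACL."""
    translated = replace(pkt, src=OUTSIDE_IP)
    if not acl_permits(acl_out, translated):
        return None, f"dropped by outbound ACL, source already {OUTSIDE_IP}"
    DYNAMIC_NAT[(pkt.proto, pkt.sport)] = pkt.src   # simplified overload entry
    return translated, "forwarded"


# Constructed sample packets: SSH from the internet to the rsync host, a web
# request from an inside client, and the web server's reply to it.
SSH_SYN = Packet("tcp", "203.0.113.5", 40001, OUTSIDE_IP, 22)
WEB_OUT = Packet("tcp", "10.1.0.150", 54693, "208.88.180.96", 80)
WEB_REPLY = Packet("tcp", "208.88.180.96", 80, OUTSIDE_IP, 54693, established=True)

if __name__ == "__main__":
    for name, acl in (("101 as posted", ACL_101_AS_POSTED), ("101 global", ACL_101_GLOBAL)):
        print(f"{name}: {outside_to_inside(SSH_SYN, acl)[1]}")
    for name, acl in (("102 as posted", ACL_102_AS_POSTED), ("102 global", ACL_102_GLOBAL)):
        print(f"{name}: {inside_to_outside(WEB_OUT, acl)[1]}")
    print(f"reply, 101 global: {outside_to_inside(WEB_REPLY, ACL_101_GLOBAL)[1]}")
```

Running it prints "dropped" for both lists as posted and "forwarded" for the versions keyed on the outside address, including the `established` return traffic. Two further things a practitioner would check before enabling an inbound ACL on this interface: the interface obtains its address with `ip address dhcp`, so the list must also permit the DHCP replies the router itself depends on, and the `permit udp ... eq 22` / `eq 873` entries open nothing useful, since SSH and rsync are TCP services.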