Cisco 877 with NAT – Unable to get inbound access list to work – it blocks outbound??


    jimwillsher

    Hello,

    Cisco 877, running latest 12.4(24)T1 (c870-advipservicesk9-mz.124-24.T1.bin).

    I’m hosting a number of services inside the LAN, which are open to the public via NAT. Everything works fine, I can browse the external web from inside, and external visitors can access my servers for http, smtp etc. I have a single external IP.

    It’s been recommended to me that I should define an Access List on the inbound traffic. I’m not sure it’s necessary, since I’m only publishing the required ports, but I like to follow “best practice”.

    I’m opening ports via

    Code:
    ip nat inside source static tcp 192.168.1.50 25 interface Dialer0 25
    ip nat inside source static tcp 192.168.1.50 80 interface Dialer0 80

    etc.

    All this works well.

    HOWEVER…as soon as I enable the access list on my Dialer0 interface, I am immediately blocked from any outbound traffic. I can’t surf the web, and I can’t remote-desktop to a remote site in order to verify that I can still browse my webserver sites from outside.

    My full config is below; ACL 101 is the one I’m trying to get working. As soon as I add

    Code:
    ip access-group 101 in

    to Interface Dialer0, I can no longer access anything outside the LAN.

    I’m sure it’ll be something silly I’m doing/not doing, but I can’t spot it.

    Can anyone assist?

    My full config is below.

    Many thanks in advance,

    Jim

    !
    ! Last configuration change at 19:39:17 GMT Thu Jul 30 2009 by xx
    ! NVRAM config last updated at 19:39:39 GMT Thu Jul 30 2009 by xx
    !
    ! Cisco 877 running-config, IOS 12.4(24)T1 advipservicesk9. The "ip access-group 101 in" the poster tried
    ! on Dialer0 is not present in this copy; see the notes at interface Dialer0 and at access-list 101 for
    ! why applying it also blocks LAN-originated traffic.
    version 12.4
    no service pad
    service timestamps debug datetime msec localtime
    service timestamps log datetime msec localtime
    ! Type-7 obfuscation of the passwords shown below; it is reversible, not a hash.
    service password-encryption
    !
    hostname Cisco877
    !
    boot-start-marker
    boot system flash c870-advipservicesk9-mz.124-24.T1.bin
    boot-end-marker
    !
    logging message-counter syslog
    logging buffered 52000
    !
    aaa new-model
    !
    !
    ! Management logins and PPP (PPTP) clients both authenticate against the local user database.
    aaa authentication login default local
    aaa authentication ppp default local
    !
    !
    aaa session-id common
    clock timezone GMT 0
    clock summer-time GMT recurring
    !
    !
    dot11 syslog
    ! NOTE(review): IP source routing is left enabled. On an internet-facing router it is normally turned off
    ! ("no ip source-route") so that forwarded packets cannot dictate their own path.
    ip source-route
    !
    !
    no ip dhcp use vrf connected
    ! Dynamic DHCP range is effectively 192.168.1.151-.200; .1-.150 and .201-.254 are excluded (static/reserved).
    ip dhcp excluded-address 192.168.1.1 192.168.1.150
    ip dhcp excluded-address 192.168.1.201 192.168.1.254
    !
    ip dhcp pool CLIENTS
    network 192.168.1.0 255.255.255.0
    dns-server 192.168.1.1
    default-router 192.168.1.1
    lease 0 12
    !
    ! Fixed reservations keyed on client-identifier.
    ip dhcp pool JimDesktop
    host 192.168.1.201 255.255.255.0
    client-identifier 0100.18f3.3d51.62
    !
    ip dhcp pool JimLaptopWLAN
    host 192.168.1.203 255.255.255.0
    client-identifier 0100.1b77.a1df.d8
    !
    ip dhcp pool JimLaptopLAN
    host 192.168.1.202 255.255.255.0
    client-identifier 0100.1b38.39e4.44
    !
    ! The three 192.168.0.x reservations hand out 192.168.0.1 as DNS and default gateway, which is not an
    ! address on this router (Vlan1's secondary is 192.168.0.254); presumably another device serves that subnet.
    ip dhcp pool ChrisLaptopWLAN
    host 192.168.0.106 255.255.255.0
    client-identifier 0100.1b77.cc02.d4
    dns-server 192.168.0.1
    default-router 192.168.0.1
    !
    ip dhcp pool ChrisLaptopLAN
    host 192.168.0.107 255.255.255.0
    client-identifier 0100.1a80.58e6.b5
    dns-server 192.168.0.1
    default-router 192.168.0.1
    !
    ip dhcp pool LynLaptopWLAN
    host 192.168.0.108 255.255.255.0
    client-identifier 0100.13e8.e830.1f
    dns-server 192.168.0.1
    default-router 192.168.0.1
    !
    !
    no ip cef
    ip domain name xxxx.co.uk
    ! Forum URL markup has mangled the next line; the hostname is presumably www.test.co.uk. Inside the
    ! OverriddenDNS view it resolves to the internal server 192.168.1.50 (split DNS for LAN clients).
    ip host view OverriddenDNS [URL=”http://www.test.co.uk”%5Dwww.test.co.uk%5B/URL%5D 192.168.1.50
    ! Upstream resolvers. LAN clients use the router (192.168.1.1) as DNS, so answers come back in on Dialer0
    ! as UDP from port 53 of these servers and of the "dns forwarder" addresses further down.
    ip name-server 195.74.113.58
    ip name-server 195.74.113.59
    ip name-server 195.74.102.146
    ip name-server 195.74.102.147
    ! Login throttling: 2 failed attempts within 120 s block further logins for 180 s; both outcomes are logged.
    login block-for 180 attempts 2 within 120
    login on-failure log
    login on-success log
    no ipv6 cef
    ntp server 195.74.96.12
    !
    multilink bundle-name authenticated
    !
    ! PPTP VPN server; clients terminate on Virtual-Template1. Reaching it from the internet needs inbound
    ! TCP 1723 plus GRE (IP protocol 47), neither of which access-list 101 permits.
    vpdn enable
    !
    vpdn-group 1
    ! Default PPTP VPDN group
    accept-dialin
    protocol pptp
    virtual-template 1
    !
    !
    !
    !
    !
    !
    archive
    log config
    hidekeys
    !
    !
    ip ssh version 2
    !
    ! QoS classification only: ACLs 161/162 feed the outbound policy on Dialer0 and are not security filters.
    class-map match-all Traffic-Class-HighPriority
    match access-group 161
    class-map match-all Traffic-Class-LowPriority
    match access-group 162
    !
    !
    policy-map Dialer0-Outbound
    class Traffic-Class-HighPriority
    priority percent 30
    class Traffic-Class-LowPriority
    priority percent 10
    class class-default
    fair-queue
    !
    !
    !
    !
    ! ADSL PVC; the PPP session itself is on Dialer0 (dialer pool 1).
    interface ATM0
    description ADSL Connection
    no ip address
    no atm ilmi-keepalive
    pvc 0/38
    encapsulation aal5mux ppp dialer
    dialer pool-member 1
    !
    hold-queue 200 in
    !
    interface FastEthernet0
    !
    interface FastEthernet1
    !
    interface FastEthernet2
    !
    interface FastEthernet3
    !
    ! PPTP termination; client addresses come from VPNPOOL (192.168.16.200-.210, defined below).
    ! NOTE(review): MS-CHAP/MS-CHAPv2 with MPPE is widely regarded as weak today; treat this VPN as a risk item.
    interface Virtual-Template1
    ip unnumbered Vlan1
    peer default ip address pool VPNPOOL
    no keepalive
    ppp encrypt mppe auto required
    ppp authentication ms-chap ms-chap-v2
    !
    ! LAN side: 192.168.1.0/24 primary and 192.168.0.0/24 secondary. NAT inside; the split-DNS view list applies here.
    interface Vlan1
    description LAN
    ip address 192.168.0.254 255.255.255.0 secondary
    ip address 192.168.1.1 255.255.255.0
    ip dns view-group OverriddenDNSViewList
    ip nat inside
    ip nat enable
    ip virtual-reassembly
    ip tcp adjust-mss 1452
    hold-queue 100 in
    hold-queue 100 out
    !
    ! WAN side (PPP over the ATM0 PVC, address negotiated, NAT outside). This is where the poster tried
    ! "ip access-group 101 in"; see access-list 101 below for why that also blocks LAN-originated sessions.
    interface Dialer0
    ip address negotiated
    ip nat outside
    ip virtual-reassembly
    encapsulation ppp
    ip tcp header-compression iphc-format
    ip tcp adjust-mss 1452
    dialer pool 1
    dialer-group 1
    no cdp enable
    ppp authentication pap chap callin
    ! Forum markup wraps the (redacted) CHAP username on the next line.
    ppp chap hostname [EMAIL=”[email protected]”][email protected][/EMAIL]
    ppp chap password 7 xxxxx
    ppp ipcp dns request
    service-policy output Dialer0-Outbound
    ip rtp header-compression iphc-format
    !
    ip local pool VPNPOOL 192.168.16.200 192.168.16.210
    ip forward-protocol nd
    ip route 0.0.0.0 0.0.0.0 Dialer0
    no ip http server
    no ip http secure-server
    !
    !
    ip dns view OverriddenDNS
    dns forwarder 195.74.113.62
    dns forwarder 195.74.113.59
    dns forwarder 195.74.102.146
    dns forwarder 195.74.102.147
    ip dns view-list OverriddenDNSViewList
    view OverriddenDNS 10
    view default 20
    ip dns server
    no ip nat service sip udp port 5060
    ! Port-forwards to the internal server 192.168.1.50. Ports 995 and 12345 are forwarded here but are NOT in
    ! access-list 101, so applying that ACL would also cut off these two published services.
    ip nat inside source static tcp 192.168.1.50 25 interface Dialer0 25
    ip nat inside source static tcp 192.168.1.50 80 interface Dialer0 80
    ip nat inside source static tcp 192.168.1.50 443 interface Dialer0 443
    ip nat inside source static tcp 192.168.1.50 995 interface Dialer0 995
    ip nat inside source static tcp 192.168.1.50 12345 interface Dialer0 12345
    ip nat inside source static tcp 192.168.1.50 20 interface Dialer0 20
    ip nat inside source static tcp 192.168.1.50 21 interface Dialer0 21
    ! Outbound PAT for the sources matched by access-list 102 (see the note at that ACL).
    ip nat inside source list 102 interface Dialer0 overload
    !
    ! Limits the read-write SNMP community below to two management hosts.
    ip access-list standard SNMP-ALLOWED
    permit 192.168.1.70
    permit 192.168.1.50
    deny any
    !
    !
    ! Syslog goes to the same host that receives the port-forwards.
    logging 192.168.1.50
    ! ACL 40: restricts VTY (SSH) access to the two LAN subnets ("access-class 40 in" on line vty).
    access-list 40 permit 192.168.0.0 0.0.0.255
    access-list 40 permit 192.168.1.0 0.0.0.255
    access-list 40 remark Control who can access the router via SSH
    ! ACL 101 permits only NEW TCP connections to the published ports. Every IOS ACL ends with an implicit
    ! deny, so applied inbound on Dialer0 it also drops the RETURN traffic of LAN-originated sessions: TCP
    ! replies to ephemeral ports, UDP/53 answers from the resolvers above, ICMP. That matches the symptom in
    ! the post (no outbound browsing as soon as the ACL is applied).
    ! Preferred fix: stateful inspection, which this advipservicesk9 image supports ("ip inspect" / CBAC
    ! applied outbound on Dialer0), so that replies are admitted dynamically. Weaker static alternative:
    ! "permit tcp any any established" plus explicit permits for the UDP DNS replies and the ICMP types needed.
    ! Either way, add 995, 12345 and PPTP (tcp 1723 + gre) if those must stay reachable, and finish with an
    ! explicit "deny ip any any log" so that drops show up in the syslog on 192.168.1.50.
    access-list 101 remark Control traffic allowed into the router
    access-list 101 permit tcp any any eq www
    access-list 101 permit tcp any any eq ftp-data
    access-list 101 permit tcp any any eq ftp
    access-list 101 permit tcp any any eq smtp
    access-list 101 permit tcp any any eq 443
    ! NAT list: only 192.168.1.0/24 is translated. Hosts on the 192.168.0.0/24 secondary subnet and PPTP
    ! clients in VPNPOOL (192.168.16.x) are not covered, so they cannot reach the internet through this
    ! router unless that is intended.
    access-list 102 permit ip 192.168.1.0 0.0.0.255 any
    ! QoS classification for Dialer0-Outbound (not a security filter).
    access-list 161 remark High Priority / Low Latency Traffic
    access-list 161 permit tcp any eq 3389 any
    access-list 161 permit tcp any any eq 3389
    access-list 161 permit udp any any
    access-list 161 permit icmp any any
    access-list 161 permit tcp any eq www any
    access-list 161 permit tcp any any eq www
    access-list 162 remark Low Priority Traffic
    access-list 162 permit tcp any any eq ftp-data
    ! Any IP traffic counts as "interesting" for dialer-group 1 and keeps the dialer up.
    dialer-list 1 protocol ip permit
    !
    !
    !
    !
    ! Read-write community, restricted to SNMP-ALLOWED. Community-string SNMP (v1/v2c) travels in clear text,
    ! so RW here is only as safe as the LAN segment those two hosts sit on.
    snmp-server community xxxxx RW SNMP-ALLOWED
    !
    control-plane
    !
    !
    ! Management lines. "exec-timeout 0 0" disables idle logout; VTY sessions land at privilege 15 directly.
    ! SSH only on the VTYs, filtered by ACL 40. The type-7 passwords here are recoverable, not hashed.
    line con 0
    exec-timeout 0 0
    password 7 XXXXX
    no modem enable
    transport output all
    line aux 0
    transport output all
    line vty 0 4
    access-class 40 in
    exec-timeout 0 0
    privilege level 15
    password 7 xxxx
    transport input ssh
    transport output all
    !
    scheduler max-task-time 5000
    scheduler allocate 20000 1000
    end

    [/code]

    [code]

    !
    ! Last configuration change at 19:39:17 GMT Thu Jul 30 2009 by xx
    ! NVRAM config last updated at 19:39:39 GMT Thu Jul 30 2009 by xx
    !
    ! Duplicate of the listing above (a broken [/code] tag repeated the paste); the notes are repeated so
    ! this copy reads on its own. Cisco 877 running-config, IOS 12.4(24)T1 advipservicesk9. The
    ! "ip access-group 101 in" the poster tried on Dialer0 is not present here; see the notes at interface
    ! Dialer0 and at access-list 101 for why applying it also blocks LAN-originated traffic.
    version 12.4
    no service pad
    service timestamps debug datetime msec localtime
    service timestamps log datetime msec localtime
    ! Type-7 obfuscation of the passwords shown below; it is reversible, not a hash.
    service password-encryption
    !
    hostname Cisco877
    !
    boot-start-marker
    boot system flash c870-advipservicesk9-mz.124-24.T1.bin
    boot-end-marker
    !
    logging message-counter syslog
    logging buffered 52000
    !
    aaa new-model
    !
    !
    ! Management logins and PPP (PPTP) clients both authenticate against the local user database.
    aaa authentication login default local
    aaa authentication ppp default local
    !
    !
    aaa session-id common
    clock timezone GMT 0
    clock summer-time GMT recurring
    !
    !
    dot11 syslog
    ! NOTE(review): IP source routing is left enabled. On an internet-facing router it is normally turned off
    ! ("no ip source-route") so that forwarded packets cannot dictate their own path.
    ip source-route
    !
    !
    no ip dhcp use vrf connected
    ! Dynamic DHCP range is effectively 192.168.1.151-.200; .1-.150 and .201-.254 are excluded (static/reserved).
    ip dhcp excluded-address 192.168.1.1 192.168.1.150
    ip dhcp excluded-address 192.168.1.201 192.168.1.254
    !
    ip dhcp pool CLIENTS
    network 192.168.1.0 255.255.255.0
    dns-server 192.168.1.1
    default-router 192.168.1.1
    lease 0 12
    !
    ! Fixed reservations keyed on client-identifier.
    ip dhcp pool JimDesktop
    host 192.168.1.201 255.255.255.0
    client-identifier 0100.18f3.3d51.62
    !
    ip dhcp pool JimLaptopWLAN
    host 192.168.1.203 255.255.255.0
    client-identifier 0100.1b77.a1df.d8
    !
    ip dhcp pool JimLaptopLAN
    host 192.168.1.202 255.255.255.0
    client-identifier 0100.1b38.39e4.44
    !
    ! The three 192.168.0.x reservations hand out 192.168.0.1 as DNS and default gateway, which is not an
    ! address on this router (Vlan1's secondary is 192.168.0.254); presumably another device serves that subnet.
    ip dhcp pool ChrisLaptopWLAN
    host 192.168.0.106 255.255.255.0
    client-identifier 0100.1b77.cc02.d4
    dns-server 192.168.0.1
    default-router 192.168.0.1
    !
    ip dhcp pool ChrisLaptopLAN
    host 192.168.0.107 255.255.255.0
    client-identifier 0100.1a80.58e6.b5
    dns-server 192.168.0.1
    default-router 192.168.0.1
    !
    ip dhcp pool LynLaptopWLAN
    host 192.168.0.108 255.255.255.0
    client-identifier 0100.13e8.e830.1f
    dns-server 192.168.0.1
    default-router 192.168.0.1
    !
    !
    no ip cef
    ip domain name xxxx.co.uk
    ! The forum turned the hostname on the next line into a link; the config line is presumably
    ! "ip host view OverriddenDNS www.test.co.uk 192.168.1.50". Inside the OverriddenDNS view that name
    ! resolves to the internal server 192.168.1.50 (split DNS for LAN clients).
    ip host view OverriddenDNS http://www.test.co.uk 192.168.1.50
    ! Upstream resolvers. LAN clients use the router (192.168.1.1) as DNS, so answers come back in on Dialer0
    ! as UDP from port 53 of these servers and of the "dns forwarder" addresses further down.
    ip name-server 195.74.113.58
    ip name-server 195.74.113.59
    ip name-server 195.74.102.146
    ip name-server 195.74.102.147
    ! Login throttling: 2 failed attempts within 120 s block further logins for 180 s; both outcomes are logged.
    login block-for 180 attempts 2 within 120
    login on-failure log
    login on-success log
    no ipv6 cef
    ntp server 195.74.96.12
    !
    multilink bundle-name authenticated
    !
    ! PPTP VPN server; clients terminate on Virtual-Template1. Reaching it from the internet needs inbound
    ! TCP 1723 plus GRE (IP protocol 47), neither of which access-list 101 permits.
    vpdn enable
    !
    vpdn-group 1
    ! Default PPTP VPDN group
    accept-dialin
    protocol pptp
    virtual-template 1
    !
    !
    !
    !
    !
    !
    archive
    log config
    hidekeys
    !
    !
    ip ssh version 2
    !
    ! QoS classification only: ACLs 161/162 feed the outbound policy on Dialer0 and are not security filters.
    class-map match-all Traffic-Class-HighPriority
    match access-group 161
    class-map match-all Traffic-Class-LowPriority
    match access-group 162
    !
    !
    policy-map Dialer0-Outbound
    class Traffic-Class-HighPriority
    priority percent 30
    class Traffic-Class-LowPriority
    priority percent 10
    class class-default
    fair-queue
    !
    !
    !
    !
    ! ADSL PVC; the PPP session itself is on Dialer0 (dialer pool 1).
    interface ATM0
    description ADSL Connection
    no ip address
    no atm ilmi-keepalive
    pvc 0/38
    encapsulation aal5mux ppp dialer
    dialer pool-member 1
    !
    hold-queue 200 in
    !
    interface FastEthernet0
    !
    interface FastEthernet1
    !
    interface FastEthernet2
    !
    interface FastEthernet3
    !
    ! PPTP termination; client addresses come from VPNPOOL (192.168.16.200-.210, defined below).
    ! NOTE(review): MS-CHAP/MS-CHAPv2 with MPPE is widely regarded as weak today; treat this VPN as a risk item.
    interface Virtual-Template1
    ip unnumbered Vlan1
    peer default ip address pool VPNPOOL
    no keepalive
    ppp encrypt mppe auto required
    ppp authentication ms-chap ms-chap-v2
    !
    ! LAN side: 192.168.1.0/24 primary and 192.168.0.0/24 secondary. NAT inside; the split-DNS view list applies here.
    interface Vlan1
    description LAN
    ip address 192.168.0.254 255.255.255.0 secondary
    ip address 192.168.1.1 255.255.255.0
    ip dns view-group OverriddenDNSViewList
    ip nat inside
    ip nat enable
    ip virtual-reassembly
    ip tcp adjust-mss 1452
    hold-queue 100 in
    hold-queue 100 out
    !
    ! WAN side (PPP over the ATM0 PVC, address negotiated, NAT outside). This is where the poster tried
    ! "ip access-group 101 in"; see access-list 101 below for why that also blocks LAN-originated sessions.
    interface Dialer0
    ip address negotiated
    ip nat outside
    ip virtual-reassembly
    encapsulation ppp
    ip tcp header-compression iphc-format
    ip tcp adjust-mss 1452
    dialer pool 1
    dialer-group 1
    no cdp enable
    ppp authentication pap chap callin
    ! CHAP username on the next line is redacted by the forum.
    ppp chap hostname [email protected]
    ppp chap password 7 xxxxx
    ppp ipcp dns request
    service-policy output Dialer0-Outbound
    ip rtp header-compression iphc-format
    !
    ip local pool VPNPOOL 192.168.16.200 192.168.16.210
    ip forward-protocol nd
    ip route 0.0.0.0 0.0.0.0 Dialer0
    no ip http server
    no ip http secure-server
    !
    !
    ip dns view OverriddenDNS
    dns forwarder 195.74.113.62
    dns forwarder 195.74.113.59
    dns forwarder 195.74.102.146
    dns forwarder 195.74.102.147
    ip dns view-list OverriddenDNSViewList
    view OverriddenDNS 10
    view default 20
    ip dns server
    no ip nat service sip udp port 5060
    ! Port-forwards to the internal server 192.168.1.50. Ports 995 and 12345 are forwarded here but are NOT in
    ! access-list 101, so applying that ACL would also cut off these two published services.
    ip nat inside source static tcp 192.168.1.50 25 interface Dialer0 25
    ip nat inside source static tcp 192.168.1.50 80 interface Dialer0 80
    ip nat inside source static tcp 192.168.1.50 443 interface Dialer0 443
    ip nat inside source static tcp 192.168.1.50 995 interface Dialer0 995
    ip nat inside source static tcp 192.168.1.50 12345 interface Dialer0 12345
    ip nat inside source static tcp 192.168.1.50 20 interface Dialer0 20
    ip nat inside source static tcp 192.168.1.50 21 interface Dialer0 21
    ! Outbound PAT for the sources matched by access-list 102 (see the note at that ACL).
    ip nat inside source list 102 interface Dialer0 overload
    !
    ! Limits the read-write SNMP community below to two management hosts.
    ip access-list standard SNMP-ALLOWED
    permit 192.168.1.70
    permit 192.168.1.50
    deny any
    !
    !
    ! Syslog goes to the same host that receives the port-forwards.
    logging 192.168.1.50
    ! ACL 40: restricts VTY (SSH) access to the two LAN subnets ("access-class 40 in" on line vty).
    access-list 40 permit 192.168.0.0 0.0.0.255
    access-list 40 permit 192.168.1.0 0.0.0.255
    access-list 40 remark Control who can access the router via SSH
    ! ACL 101 permits only NEW TCP connections to the published ports. Every IOS ACL ends with an implicit
    ! deny, so applied inbound on Dialer0 it also drops the RETURN traffic of LAN-originated sessions: TCP
    ! replies to ephemeral ports, UDP/53 answers from the resolvers above, ICMP. That matches the symptom in
    ! the post (no outbound browsing as soon as the ACL is applied).
    ! Preferred fix: stateful inspection, which this advipservicesk9 image supports ("ip inspect" / CBAC
    ! applied outbound on Dialer0), so that replies are admitted dynamically. Weaker static alternative:
    ! "permit tcp any any established" plus explicit permits for the UDP DNS replies and the ICMP types needed.
    ! Either way, add 995, 12345 and PPTP (tcp 1723 + gre) if those must stay reachable, and finish with an
    ! explicit "deny ip any any log" so that drops show up in the syslog on 192.168.1.50.
    access-list 101 remark Control traffic allowed into the router
    access-list 101 permit tcp any any eq www
    access-list 101 permit tcp any any eq ftp-data
    access-list 101 permit tcp any any eq ftp
    access-list 101 permit tcp any any eq smtp
    access-list 101 permit tcp any any eq 443
    ! NAT list: only 192.168.1.0/24 is translated. Hosts on the 192.168.0.0/24 secondary subnet and PPTP
    ! clients in VPNPOOL (192.168.16.x) are not covered, so they cannot reach the internet through this
    ! router unless that is intended.
    access-list 102 permit ip 192.168.1.0 0.0.0.255 any
    ! QoS classification for Dialer0-Outbound (not a security filter).
    access-list 161 remark High Priority / Low Latency Traffic
    access-list 161 permit tcp any eq 3389 any
    access-list 161 permit tcp any any eq 3389
    access-list 161 permit udp any any
    access-list 161 permit icmp any any
    access-list 161 permit tcp any eq www any
    access-list 161 permit tcp any any eq www
    access-list 162 remark Low Priority Traffic
    access-list 162 permit tcp any any eq ftp-data
    ! Any IP traffic counts as "interesting" for dialer-group 1 and keeps the dialer up.
    dialer-list 1 protocol ip permit
    !
    !
    !
    !
    ! Read-write community, restricted to SNMP-ALLOWED. Community-string SNMP (v1/v2c) travels in clear text,
    ! so RW here is only as safe as the LAN segment those two hosts sit on.
    snmp-server community xxxxx RW SNMP-ALLOWED
    !
    control-plane
    !
    !
    ! Management lines. "exec-timeout 0 0" disables idle logout; VTY sessions land at privilege 15 directly.
    ! SSH only on the VTYs, filtered by ACL 40. The type-7 passwords here are recoverable, not hashed.
    line con 0
    exec-timeout 0 0
    password 7 XXXXX
    no modem enable
    transport output all
    line aux 0
    transport output all
    line vty 0 4
    access-class 40 in
    exec-timeout 0 0
    privilege level 15
    password 7 xxxx
    transport input ssh
    transport output all
    !
    scheduler max-task-time 5000
    scheduler allocate 20000 1000
    end

    [/code]

