Cisco 877 with NAT – Unable to get inbound access list to work – it blocks outbound??
This topic has 13 replies, 2 voices, and was last updated 11 years, 5 months ago by deepaktya.
jimwillsher (Member), Jul 30, 2009 at 12:51 pm, #143484
Hello,
Cisco 877, running latest 12.4(24)T1 (c870-advipservicesk9-mz.124-24.T1.bin).
I’m hosting a number of services inside the LAN, which are open to the public via NAT. Everything works fine, I can browse the external web from inside, and external visitors can access my servers for http, smtp etc. I have a single external IP.
It’s been recommended to me that I should define an Access List on the inbound traffic. I’m not sure it’s necessary, since I’m only publishing the required ports, but I like to follow “best practice”.
I’m opening ports via
Code:
ip nat inside source static tcp 192.168.1.50 25 interface Dialer0 25
ip nat inside source static tcp 192.168.1.50 80 interface Dialer0 80
etc.
All this works well.
HOWEVER…as soon as I enable the access list on my Dialer0 interface, I am immediately blocked from any outbound traffic. I can’t surf the web, and I can’t remote-desktop to a remote site in order to verify that I can still browse my webserver sites from externally.
My full config is below, and it’s ACL 101 that’s the one I’m trying to get to work. As soon as I add
Code:
ip access-group 101 in
to interface Dialer0, I can no longer access anything outside the LAN.
I’m sure it’ll be something silly I’m doing/not doing, but I can’t spot it.
Can anyone assist?
My full config is below.
Many thanks in advance,
Jim
!
! Last configuration change at 19:39:17 GMT Thu Jul 30 2009 by xx
! NVRAM config last updated at 19:39:39 GMT Thu Jul 30 2009 by xx
!
version 12.4
no service pad
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
service password-encryption
!
hostname Cisco877
!
boot-start-marker
boot system flash c870-advipservicesk9-mz.124-24.T1.bin
boot-end-marker
!
logging message-counter syslog
logging buffered 52000
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication ppp default local
!
!
aaa session-id common
clock timezone GMT 0
clock summer-time GMT recurring
!
!
dot11 syslog
ip source-route
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.1 192.168.1.150
ip dhcp excluded-address 192.168.1.201 192.168.1.254
!
ip dhcp pool CLIENTS
network 192.168.1.0 255.255.255.0
dns-server 192.168.1.1
default-router 192.168.1.1
lease 0 12
!
ip dhcp pool JimDesktop
host 192.168.1.201 255.255.255.0
client-identifier 0100.18f3.3d51.62
!
ip dhcp pool JimLaptopWLAN
host 192.168.1.203 255.255.255.0
client-identifier 0100.1b77.a1df.d8
!
ip dhcp pool JimLaptopLAN
host 192.168.1.202 255.255.255.0
client-identifier 0100.1b38.39e4.44
!
ip dhcp pool ChrisLaptopWLAN
host 192.168.0.106 255.255.255.0
client-identifier 0100.1b77.cc02.d4
dns-server 192.168.0.1
default-router 192.168.0.1
!
ip dhcp pool ChrisLaptopLAN
host 192.168.0.107 255.255.255.0
client-identifier 0100.1a80.58e6.b5
dns-server 192.168.0.1
default-router 192.168.0.1
!
ip dhcp pool LynLaptopWLAN
host 192.168.0.108 255.255.255.0
client-identifier 0100.13e8.e830.1f
dns-server 192.168.0.1
default-router 192.168.0.1
!
!
no ip cef
ip domain name xxxx.co.uk
ip host view OverriddenDNS www.test.co.uk 192.168.1.50
ip name-server 195.74.113.58
ip name-server 195.74.113.59
ip name-server 195.74.102.146
ip name-server 195.74.102.147
login block-for 180 attempts 2 within 120
login on-failure log
login on-success log
no ipv6 cef
ntp server 195.74.96.12
!
multilink bundle-name authenticated
!
vpdn enable
!
vpdn-group 1
! Default PPTP VPDN group
accept-dialin
protocol pptp
virtual-template 1
!
!
!
!
!
!
archive
log config
hidekeys
!
!
ip ssh version 2
!
class-map match-all Traffic-Class-HighPriority
match access-group 161
class-map match-all Traffic-Class-LowPriority
match access-group 162
!
!
policy-map Dialer0-Outbound
class Traffic-Class-HighPriority
priority percent 30
class Traffic-Class-LowPriority
priority percent 10
class class-default
fair-queue
!
!
!
!
interface ATM0
description ADSL Connection
no ip address
no atm ilmi-keepalive
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
hold-queue 200 in
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Virtual-Template1
ip unnumbered Vlan1
peer default ip address pool VPNPOOL
no keepalive
ppp encrypt mppe auto required
ppp authentication ms-chap ms-chap-v2
!
interface Vlan1
description LAN
ip address 192.168.0.254 255.255.255.0 secondary
ip address 192.168.1.1 255.255.255.0
ip dns view-group OverriddenDNSViewList
ip nat inside
ip nat enable
ip virtual-reassembly
ip tcp adjust-mss 1452
hold-queue 100 in
hold-queue 100 out
!
interface Dialer0
ip address negotiated
ip nat outside
ip virtual-reassembly
encapsulation ppp
ip tcp header-compression iphc-format
ip tcp adjust-mss 1452
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication pap chap callin
ppp chap hostname [email protected]
ppp chap password 7 xxxxx
ppp ipcp dns request
service-policy output Dialer0-Outbound
ip rtp header-compression iphc-format
!
ip local pool VPNPOOL 192.168.16.200 192.168.16.210
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
no ip http server
no ip http secure-server
!
!
ip dns view OverriddenDNS
dns forwarder 195.74.113.62
dns forwarder 195.74.113.59
dns forwarder 195.74.102.146
dns forwarder 195.74.102.147
ip dns view-list OverriddenDNSViewList
view OverriddenDNS 10
view default 20
ip dns server
no ip nat service sip udp port 5060
ip nat inside source static tcp 192.168.1.50 25 interface Dialer0 25
ip nat inside source static tcp 192.168.1.50 80 interface Dialer0 80
ip nat inside source static tcp 192.168.1.50 443 interface Dialer0 443
ip nat inside source static tcp 192.168.1.50 995 interface Dialer0 995
ip nat inside source static tcp 192.168.1.50 12345 interface Dialer0 12345
ip nat inside source static tcp 192.168.1.50 20 interface Dialer0 20
ip nat inside source static tcp 192.168.1.50 21 interface Dialer0 21
ip nat inside source list 102 interface Dialer0 overload
!
ip access-list standard SNMP-ALLOWED
permit 192.168.1.70
permit 192.168.1.50
deny any
!
!
logging 192.168.1.50
access-list 40 permit 192.168.0.0 0.0.0.255
access-list 40 permit 192.168.1.0 0.0.0.255
access-list 40 remark Control who can access the router via SSH
access-list 101 remark Control traffic allowed into the router
access-list 101 permit tcp any any eq www
access-list 101 permit tcp any any eq ftp-data
access-list 101 permit tcp any any eq ftp
access-list 101 permit tcp any any eq smtp
access-list 101 permit tcp any any eq 443
access-list 102 permit ip 192.168.1.0 0.0.0.255 any
access-list 161 remark High Priority / Low Latency Traffic
access-list 161 permit tcp any eq 3389 any
access-list 161 permit tcp any any eq 3389
access-list 161 permit udp any any
access-list 161 permit icmp any any
access-list 161 permit tcp any eq www any
access-list 161 permit tcp any any eq www
access-list 162 remark Low Priority Traffic
access-list 162 permit tcp any any eq ftp-data
dialer-list 1 protocol ip permit
!
!
!
!
snmp-server community xxxxx RW SNMP-ALLOWED
!
control-plane
!
!
line con 0
exec-timeout 0 0
password 7 XXXXX
no modem enable
transport output all
line aux 0
transport output all
line vty 0 4
access-class 40 in
exec-timeout 0 0
privilege level 15
password 7 xxxx
transport input ssh
transport output all
!
scheduler max-task-time 5000
scheduler allocate 20000 1000
end
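Added example (editor's addition, not part of Jim's post or of any reply in the thread): why ACL 101 cuts off outbound traffic, and a corrected inbound access list for Dialer0. The interface, ACL, pool and host names are the ones in the config above; the rest is standard IOS behaviour. An IOS access list is stateless and ends with an implicit deny ip any any. Applied inbound on Dialer0, ACL 101 is evaluated against every packet arriving from the Internet, including the replies to sessions the LAN opened. A reply to a web request arrives as TCP from remote port 80 to the Dialer0 address on a high port, which matches none of the five permit lines, so it is dropped; that is exactly the symptom of browsing dying the moment the ACL is attached. DNS replies to the router's own forwarders, NTP, ICMP and the PPTP control and GRE traffic for vpdn-group 1 are dropped for the same reason. Two of the published services (995 and 12345) are NATed but never permitted either.

```cisco
! Added example, not from the original post: corrected inbound ACL for Dialer0.
! Names (Dialer0, ACL 101, vpdn-group 1, 192.168.1.50, 195.74.96.12) are taken
! from the posted config; everything else is standard IOS syntax.
!
! --- Fix 1: stateless, using the established keyword -------------------------
! Detach the ACL first: an access-group that points at a numbered ACL which
! does not exist (yet) permits everything while you rebuild it.
interface Dialer0
 no ip access-group 101 in
!
no access-list 101
access-list 101 remark Control traffic allowed in from the Internet on Dialer0
access-list 101 remark -- published services: one line per static NAT entry --
access-list 101 permit tcp any any eq smtp
access-list 101 permit tcp any any eq www
access-list 101 permit tcp any any eq 443
access-list 101 remark 995 and 12345 are NATed in the posted config but were not permitted
access-list 101 permit tcp any any eq 995
access-list 101 permit tcp any any eq 12345
access-list 101 permit tcp any any eq ftp
access-list 101 permit tcp any any eq ftp-data
access-list 101 remark -- PPTP dial-in for vpdn-group 1: control channel plus GRE --
access-list 101 permit tcp any any eq 1723
access-list 101 permit gre any any
access-list 101 remark -- return traffic for sessions opened from the LAN --
access-list 101 remark established matches any TCP segment with the ACK or RST bit set
access-list 101 permit tcp any any established
access-list 101 remark UDP and ICMP have no ACK bit, so their replies must be listed
access-list 101 permit udp any eq domain any
access-list 101 permit udp host 195.74.96.12 eq ntp any eq ntp
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any unreachable
access-list 101 permit icmp any any time-exceeded
access-list 101 remark make the implicit deny visible in the buffered log
access-list 101 deny ip any any log
!
interface Dialer0
 ip access-group 101 in
!
! --- Fix 2: stateful, using the IOS firewall (CBAC) ---------------------------
! The advipservicesk9 feature set includes it. Inspecting traffic that leaves
! Dialer0 creates temporary openings in the inbound ACL for the matching
! replies, so the established, domain, ntp and icmp lines above become
! unnecessary, and outbound UDP (games, VoIP) works as well.
ip inspect name LAN-OUT tcp
ip inspect name LAN-OUT udp
ip inspect name LAN-OUT icmp
ip inspect name LAN-OUT ftp
!
interface Dialer0
 ip inspect LAN-OUT out
 ip access-group 101 in
!
! Verify: "show access-lists 101" shows per-line hit counts, and the final
! "deny ip any any log" line produces %SEC-6-IPACCESSLOG* messages in
! "show logging" for anything still being dropped.
```

The established keyword only tests for the ACK or RST bit, so it admits any such segment to any port (the classic ACK-scan gap) and does nothing for UDP, ICMP or GRE; CBAC tracks real sessions and is the better choice on this image. Either way, rebuild the ACL while it is detached, or add the new lines before removing the old ones, since a numbered ACL that is referenced but empty permits all traffic.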