Cisco 877w SDM and CLI ACL change

carolomoc · ‎12-21-2011

Hello all,

I have a working easyvpn setup. We need to change the HQ ip address (current it is i.e 85.146.110.101).

This is ACL is applied to Fastethenet conecting to ISP:

interface FastEthernet4

description $FW_OUTSIDE$$ETH-WAN$

ip address dhcp

ip access-group 101 in

ip inspect SDM_LOW out

ip nat outside

ip virtual-reassembly

duplex auto

speed auto

crypto ipsec client ezvpn Acom

access-list 101 remark auto generated by SDM firewall configuration

access-list 101 remark SDM_ACL Category=1

access-list 101 remark Auto generated by SDM for EzVPN (udp-10000) Acom

access-list 101 permit udp host 85.146.110.101 any eq 10000

access-list 101 remark Auto generated by SDM for EzVPN (non500-isakmp) Acom

access-list 101 permit udp host 85.146.110.101 any eq non500-isakmp

access-list 101 remark Auto generated by SDM for EzVPN (isakmp) Acom

access-list 101 permit udp host 85.146.110.101 any eq isakmp

access-list 101 remark Auto generated by SDM for EzVPN (ahp) Acom

access-list 101 permit esp host 85.146.110.101 any

access-list 101 remark Auto generated by SDM for EzVPN (esp) Acom

access-list 101 permit ahp host 85.146.110.101 any

access-list 101 deny ip 192.168.1.0 0.0.0.255 any

access-list 101 permit udp any eq bootps any eq bootpc

access-list 101 permit icmp any any echo-reply

access-list 101 permit icmp any any time-exceeded

access-list 101 permit icmp any any unreachable

access-list 101 permit tcp host 85.146.110.101 any eq 22

access-list 101 permit tcp host 85.146.110.101 any eq www

access-list 101 permit tcp host 85.146.110.101 any eq 443

access-list 101 deny ip 10.0.0.0 0.255.255.255 any

access-list 101 deny ip 172.16.0.0 0.15.255.255 any

access-list 101 deny ip 192.168.0.0 0.0.255.255 any

access-list 101 deny ip 127.0.0.0 0.255.255.255 any

access-list 101 deny ip host 255.255.255.255 any

access-list 101 deny ip any any log

I do the following via CLI:

Remove access-group 101 in under FastEthernet 4

Remove ACL 101

Re-add ACL 101 with new ip address ( 85.146.110.101 become let say 212.31.31.2114)

(So I have exaclty the same ACL only ip address change)

As soon as I apply again the ACL to interface Fastethernet 4, access to internet is lost.

If I put original ACL 101 (with ip address 85.146.110.101) it works fine.

So I am wodering what wrong with may ACL? Should I make the change via SDM not CLI (to be honest I did not know/use SDM before today)?

Any one can help?

Thanks.

Julio Carvajal · ‎12-21-2011

Hello Carlo,

Making the ACL via SDM is not the solution.

1-After making the changes to the ACL do you still apply it to the interface right (Access-group)?

2-Are you able to ping the HQ ip address from the router after the change, Are you able to ping 4.2.2.2?

At this moment as it is the same configuration you will need to confirm if you are getting replies from the HQ ip address 212.31.31.211.

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

carolomoc · ‎12-22-2011

Hi Carlo,

Thanks for your reply.

Yes, I tried applying the ACL to the interface. But as soon as I loose the connection to the router (I am connected via the WAN).

We can connect over the IPsec but we loose internet access. we can not ping 8.8.8.8 (google).

I created an acl 102 with permit ip any any and again when I apply it to the interface. I loose the connection.

But when I put back the existing ACL the WAN connection is back.

Regards,

Carlo

cadet alain · ‎12-22-2011

Hi,

can you post full config.

Regards.

Alain

Don't forget to rate helpful posts.