I'm struggling with a router config where I can see in the log that the response to an outbound request is being block by the ACL on the outside interface. The router is an ISR4321 running IOS XE 16.
The implementation is common enough:
Internal Network --> VLAN1/GigEthernet1 <-- R1 --> Dialer0/GigEthernet0 --> ADSL Modem --> Provider
I have NAT enabled and access-list 100 on the outside of VLAN1 and access-list 101 on the outside of the Dialer0 interface.
If I drop access-list 101 I can browser the web, if I add it back in only ping and DNS lookups seem to work and I can seen the response packets from a website I'm accessing being drop by the access list rule so it looks like the established sessions are not be respected.
I'm sure I'm missing a single command from my config but can't find it for looking!
Thanks in advance Gary
Hi, I'm seeing packet drops such as this:
*Jul 4 21:49:42.780: %FMANFP-6-IPACCESSLOGP: SIP0: fman_fp_image: list 101 denied tcp 126.96.36.199(80) -> 188.8.131.52(4099), 4 packets
in response to a request to a website www.peartreecleaning.co.uk.
the access list looks like this:
access-list 101 remark Auto generated by SDM for NTP (123)
access-list 101 permit udp any eq ntp any eq ntp
access-list 101 remark PPTP VPN
access-list 101 permit gre any any
access-list 101 permit tcp any any eq 1723
access-list 101 permit udp host 184.108.40.206 eq domain any
access-list 101 permit udp host 220.127.116.11 eq domain any
access-list 101 deny ip 192.168.30.0 0.0.0.255 any
access-list 101 permit icmp any any
access-list 101 permit icmp any any echo
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any unreachable
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip host 0.0.0.0 any
access-list 101 deny ip any any log
You are using an access-list on the outside interface and you are not allowing this traffic.
You need to configure and ACL on 101 to allow this traffic. Please add a term like this.
#access-list 101 line 1 extended permit ip <source-address> <source-subnet> <destination-address> <destination-subnet>
For destination you will have to use any since you want to allow web browsing.
For source use the subnet you want to allow traffic from.(use the original source subnet)
Let me know if this helps.
Thanks for your help but I'm not sure I follow you.
This is a general internet access FW which aplies PAT/NAT to the system originating the request to an unknown destinaton I cannot define inbound rules for every connection initiated.
We do not has such rules on any of the other IOS based routers we have so I'm thinking there is a different on the IOS XE config that I'm missing.
The access-list 101 is applied in which direction on the interface(out or in)?
It seems that the access-list is applied in 'in' direction on interface Dialer0. There is no access-list to allow this traffic.
To confirm the same, please configure an access-list to allow ip traffic.
##access-list 101 line 1 extended permit ip any any
Try this on test basis to confirm the issue.
See below the Interface definition:
ip address negotiated
ip mtu 1452
ip nat outside
ip access-group 101 in
dialer pool 1
ppp authentication chap callin
ppp chap hostname email@example.com
ppp chap password 0 xxxxxxx
no cdp enable
So the access-list is applied to the inbound route.
I will try the rule you suggest, I expect it will work as it is allowing anything in and as such removes the FW in the same way issue no access-list 101 gets things working but having no firewall blocking random requests isn't going to work.
We have other sites that do not require a global permit rule, indeed they have a a global deny, these sites work so the firwall must be keeping track of the conenctions fromt he inside and allowing a response on the the same.
I understand you need to allow only web browsing traffic initiated from internal network to outside.
Please use the below command to allow this traffic.
#access-list 101 permit tcp any any gt 1023 established
This will allow only packets for which the session has already been established and destination ports greater then 1023.
Please refer to section 'Allow Only Internal Networks to Initiate a TCP Session' for more details.
This will help you to block traffic which is initiated from outside.