Outgoing Connections work but no Incoming

fbeye (Level 4)

My setup: 8 static IPs with 5 usable. No NAT (in or out). Using zones. Each device on the network has its own (real) static IP.

My dilemma: any interface and any IP has outgoing communication just fine. My incoming (more specifically, my email server) allows no inbound connections. When I run a port scan it does not even show any ports open. I scan my router (gateway) and it shows open (web), but no IP beyond it gives the same result.

My other thread was successful in getting to this point, but since this is security specific I brought the thread here, and I again thank Georg Pauwen for carrying me through this.

Any suggestions?

hostname CiscoHOM
!
boot-start-marker
boot-end-marker
!
aqm-register-fnf
!
no logging console
!
aaa new-model
!
aaa authentication login default local
aaa authorization exec default local
!
aaa session-id common
!
ip name-server 205.171.3.65
ip name-server 205.171.2.65
ip cef
no ipv6 cef
!
parameter-map type inspect global
 log dropped-packets enable
 max-incomplete low 18000
 max-incomplete high 20000
!
multilink bundle-name authenticated
vpdn enable
!
vpdn-group 1
!
license udi pid C891F-K9 sn FGL212791GJ
!
username <username> privilege 15 password 0 <password>
!
class-map type inspect match-all INSIDE-TO-OUTSIDE-CLASS
 match access-group name INSIDE-TO-OUTSIDE
class-map type inspect match-all OUTSIDE-TO-INSIDE-CLASS
 match access-group name OUTSIDE-TO-INSIDE
!
policy-map type inspect INSIDE-TO-OUTSIDE-POLICY
 class type inspect INSIDE-TO-OUTSIDE-CLASS
  inspect
 class class-default
  drop
policy-map type inspect OUTSIDE-TO-INSIDE-POLICY
 class type inspect OUTSIDE-TO-INSIDE-CLASS
  pass
 class class-default
  drop
!
zone security INSIDE
zone security OUTSIDE
zone-pair security IN-TO-OUT source INSIDE destination OUTSIDE
 service-policy type inspect INSIDE-TO-OUTSIDE-POLICY
zone-pair security OUT-TO-IN source OUTSIDE destination INSIDE
 service-policy type inspect OUTSIDE-TO-INSIDE-POLICY
!
interface BRI0
 no ip address
 encapsulation hdlc
 shutdown
 isdn termination multidrop
!
interface FastEthernet0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface GigabitEthernet0
 description Home Wireless
 no ip address
 zone-member security INSIDE
!
interface GigabitEthernet1
 description Email Server
 no ip address
 zone-member security INSIDE
!
interface GigabitEthernet2
 no ip address
!
interface GigabitEthernet3
 no ip address
!
interface GigabitEthernet4
 no ip address
!
interface GigabitEthernet5
 no ip address
!
interface GigabitEthernet6
 no ip address
!
interface GigabitEthernet7
 no ip address
!
interface GigabitEthernet8
 description PPPoE xDSL WAN
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 duplex auto
 speed auto
 pppoe enable group global
 pppoe-client dial-pool-number 1
 no cdp enable
!
interface Vlan1
 ip address x.x.121.182 255.255.255.248
 ip virtual-reassembly in
 zone-member security INSIDE
!
interface Async3
 no ip address
 encapsulation slip
!
interface Dialer1
 description PPPoE xDSL WAN Dialer
 ip address negotiated
 no ip unreachables
 ip mtu 1460
 zone-member security OUTSIDE
 encapsulation ppp
 ip tcp adjust-mss 1420
 dialer pool 1
 dialer-group 1
 ppp authentication chap pap callin
 ppp chap hostname <hostname>
 ppp chap password 0 <password>
 ppp pap sent-username <username> password 0 <password>
 ppp ipcp route default
 no cdp enable
!
ip forward-protocol nd
ip http server
ip http authentication local
no ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 Dialer1
!
ip access-list extended INSIDE-TO-OUTSIDE
 permit ip host x.x.121.176 any
 permit ip host x.x.121.177 any
 permit ip host x.x.121.178 any
 permit ip host x.x.121.179 any
 permit ip host x.x.121.180 any
 permit ip host x.x.121.181 any
 permit ip host x.x.121.182 any
 permit tcp host x.x.121.180 any
 permit udp host x.x.121.177 any eq domain
 permit udp host x.x.121.180 any eq domain
 permit udp host x.x.121.182 any eq domain
 permit tcp host x.x.121.180 any eq smtp
 permit tcp host x.x.121.180 any eq 993
ip access-list extended OUTSIDE-TO-INSIDE
 permit icmp any host x.x.121.176
 permit icmp any host x.x.121.177
 permit icmp any host x.x.121.178
 permit icmp any host x.x.121.179
 permit icmp any host x.x.121.180
 permit icmp any host x.x.121.181
 permit icmp any host x.x.121.182
 permit udp any host x.x.121.180 eq domain
 permit udp any host x.x.121.177 eq domain
 permit udp any host x.x.121.182 eq domain
 permit tcp any host x.x.121.180 eq 993
 permit tcp any host x.x.121.180 eq smtp
!
dialer-list 1 protocol ip permit
no cdp run
!
control-plane
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!

Accepted Solution

Hi,

Any reason why you are using "pass" instead of "inspect" here:

policy-map type inspect OUTSIDE-TO-INSIDE-POLICY
 class type inspect OUTSIDE-TO-INSIDE-CLASS
  pass

5 Replies

I have no legitimate answer for that... I have either had it that way since the beginning, or I possibly changed it from Inspect to Allow during troubleshooting.

Is the difference between Allow and Inspect that it allows indefinitely rather than inspecting the rules applied?

Hi. In short, the Pass action permits traffic in one direction only; you'd have to explicitly define rules for return traffic. With Inspect, return traffic is automatically allowed for established connections.

HTH
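To make the one-direction-only point concrete, and to show why the original poster's port scan saw nothing open even though the SYN was let in, here is a small Python model of a zone-based firewall with the two actions. This is an added example, not Cisco code and not from anyone in the thread. It assumes, as a modelling choice, that "pass" forwards a matching packet statelessly and creates no session, while "inspect" creates a session on a new TCP flow that starts with a bare SYN and treats any other first segment (such as a SYN-ACK with no session) as out of state; the addresses are constructed stand-ins (RFC 5737 documentation ranges) for the thread's x.x.121.180 mail server and a remote client.

```python
"""Added example: toy zone-based-firewall model of 'pass' vs 'inspect'.
Not Cisco code; addresses are constructed documentation-range values."""
from dataclasses import dataclass

SERVER = "198.51.100.180"   # stands in for the thread's x.x.121.180 mail server
CLIENT = "203.0.113.5"      # arbitrary Internet client (constructed)
INSIDE_HOSTS = {SERVER}


def zone_of(addr: str) -> str:
    return "INSIDE" if addr in INSIDE_HOSTS else "OUTSIDE"


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    flags: str  # "SYN", "SYN-ACK" or "ACK"

    def key(self):
        return (self.proto, self.src, self.sport, self.dst, self.dport)

    def reverse_key(self):
        return (self.proto, self.dst, self.dport, self.src, self.sport)


@dataclass
class Policy:
    """One zone-pair: ACL entries (src, dst, proto, dport) with 'any'/'ip'/None
    as wildcards, plus the action for matches; class-default drops."""
    acl: list
    action: str  # "pass" or "inspect"

    def matches(self, p: Packet) -> bool:
        for src, dst, proto, dport in self.acl:
            if src not in ("any", p.src) or dst not in ("any", p.dst):
                continue
            if proto not in ("ip", p.proto):
                continue
            if dport is not None and dport != p.dport:
                continue
            return True
        return False


class ZoneFirewall:
    def __init__(self, in_to_out: Policy, out_to_in: Policy):
        self.policies = {("INSIDE", "OUTSIDE"): in_to_out,
                         ("OUTSIDE", "INSIDE"): out_to_in}
        self.sessions = set()  # 5-tuples created by 'inspect'

    def forward(self, p: Packet) -> str:
        # Return traffic of an inspected session is accepted before any
        # zone-pair policy is consulted: this is what 'inspect' buys you.
        if p.key() in self.sessions or p.reverse_key() in self.sessions:
            return "allow (session)"
        policy = self.policies[(zone_of(p.src), zone_of(p.dst))]
        if not policy.matches(p):
            return "drop (class-default)"
        if policy.action == "pass":
            return "allow (pass, no session)"  # stateless, this direction only
        # 'inspect' (model assumption): a new TCP flow must begin with a bare
        # SYN; a SYN-ACK with no session is an out-of-state segment.
        if p.proto == "tcp" and p.flags != "SYN":
            return "drop (inspect: no session for non-SYN)"
        self.sessions.add(p.key())
        return "allow (inspect, session created)"


def build_firewall(out_to_in_action: str) -> ZoneFirewall:
    # Mirrors the thread's intent: everything from the server may go out,
    # only IMAPS and SMTP to the server may come in.
    in_to_out = Policy(acl=[(SERVER, "any", "ip", None)], action="inspect")
    out_to_in = Policy(acl=[("any", SERVER, "tcp", 993),
                            ("any", SERVER, "tcp", 25)], action=out_to_in_action)
    return ZoneFirewall(in_to_out, out_to_in)


def imaps_handshake(out_to_in_action: str) -> dict:
    """Drive a client handshake to the server's IMAPS port; stop at the
    first dropped segment and report whether the connection established."""
    fw = build_firewall(out_to_in_action)
    steps = [
        Packet(CLIENT, 51000, SERVER, 993, "tcp", "SYN"),
        Packet(SERVER, 993, CLIENT, 51000, "tcp", "SYN-ACK"),
        Packet(CLIENT, 51000, SERVER, 993, "tcp", "ACK"),
    ]
    verdicts = []
    for p in steps:
        verdicts.append(fw.forward(p))
        if verdicts[-1].startswith("drop"):
            break
    return {"established": len(verdicts) == 3, "verdicts": verdicts}


if __name__ == "__main__":
    for action in ("pass", "inspect"):
        result = imaps_handshake(action)
        print(f"OUT-TO-IN action {action}: established={result['established']}")
        for verdict in result["verdicts"]:
            print("   ", verdict)
```

With "pass" on OUT-TO-IN, the client's SYN reaches the server, but the server's SYN-ACK is evaluated on its own by the IN-TO-OUT inspect policy, which has no session for it and drops it, so a scanner never completes the handshake and reports the port as closed or filtered. With "inspect" on OUT-TO-IN, the SYN creates a session and both the SYN-ACK and the final ACK are accepted as session traffic. When troubleshooting this on a real router, "show policy-map type inspect zone-pair sessions" and the log lines enabled by "log dropped-packets enable" in the poster's parameter-map are the places to confirm which direction is dropping.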

Makes sense.

That would definitely cause no activity if what I am trying to do requires both directions.

That was it... Pass to Inspect is what I needed.

Thank you.
