07-15-2017 12:22 PM - edited 03-03-2019 08:36 AM
I'm setting up a Cisco 891 that I want to be a home router.
The short story is: I'm trying to do config archiving to an SCP server connected on the WAN interface, and it doesn't work with an inbound ACL on the WAN interface despite it being an outbound operation. I hope I'm not missing something simple.
This is a demonstration of the problem:
cisco-891#conf t
Enter configuration commands, one per line. End with CNTL/Z.
cisco-891(config)#int f8
cisco-891(config-if)#ip access-group INBOUND in
cisco-891(config-if)#end
cisco-891#wr
Building configuration...
.Jul 15 19:08:40.587: %SYS-5-CONFIG_I: Configured from console by console[OK]
Writing configs/cisco-891--Jul-15-19-08-43.211-2 % Connection timed out; remote host not responding
cisco-891#conf t
Enter configuration commands, one per line. End with CNTL/Z.
cisco-891(config)#int f8
cisco-891(config-if)#no ip access-group INBOUND in
cisco-891(config-if)#end
cisco-891#wr
Building configuration...
.Jul 15 19:09:53.742: %SYS-5-CONFIG_I: Configured from console by console[OK]
Writing configs/cisco-891--Jul-15-19-09-56.346-2 Sink: C0644 4211 cisco-891--Jul-15-19-09-56.346-2
! <--- This means it succeeded
So why is an inbound ACL preventing an outbound operation?
Here is more info:
cisco-891#show access-lists INBOUND
Extended IP access list INBOUND
10 permit udp 192.168.xxx.0 0.0.0.255 any eq bootpc
20 permit tcp 192.168.xxx.0 0.0.0.255 any eq 22
30 permit udp 192.168.xxx.0 0.0.0.255 any eq snmp (8 matches)
40 permit ospf 192.168.xxx.0 0.0.0.255 any (175 matches)
60 permit gre 192.168.xxx.0 0.0.0.255 any (28 matches)
70 deny ip any any (271 matches)
archive
 path scp://user:password@192.168.xxx.xxx/configs/$h-$t
 write-memory
 time-period 10080
In this case 192.168.xxx.0 0.0.0.255 is the "WAN" while I test this inside my home network. The WAN interface has an address in this range and so does the SCP server (both are on the same /24).
I hope I haven't missed something simple...
Thanks.
07-15-2017 01:35 PM
OK, it seems that NTP isn't working either with the same access list, so there's definitely something I'm missing.
I'm setting up the router according to this:
https://learningnetwork.cisco.com/docs/DOC-7832
Clients under this router can connect to the web and "do stuff"; it seems like it's just this access list blocking return traffic for requests that originated at the router.
07-15-2017 09:05 PM
I had someone I know straighten me out on this one. This is probably a stateful vs. stateless problem.
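Two ways to resolve the stateful-vs-stateless problem described in the thread, as an added example (not from the original poster or from Cisco documentation): option 1 keeps the stateless INBOUND list but admits the return traffic explicitly; option 2 uses CBAC with the router-traffic keyword so that sessions the router itself originates create return-path entries in the inspection table. 192.168.xxx.xxx is the thread's placeholder for the SCP host, <ntp-server> is an assumed address, and CBAC availability depends on the IOS image's feature set.

```cisco
! Added example, not from the original post.
! Option 1: stay stateless, but admit replies to router-originated sessions.
ip access-list extended INBOUND
 10 permit udp 192.168.xxx.0 0.0.0.255 any eq bootpc
 20 permit tcp 192.168.xxx.0 0.0.0.255 any eq 22
 30 permit udp 192.168.xxx.0 0.0.0.255 any eq snmp
 40 permit ospf 192.168.xxx.0 0.0.0.255 any
 60 permit gre 192.168.xxx.0 0.0.0.255 any
 remark SCP replies come from the server's port 22 with ACK (or RST) set,
 remark so "established" admits them without opening port 22 inbound.
 65 permit tcp host 192.168.xxx.xxx eq 22 any established
 remark UDP has no handshake flags, so NTP replies must be matched by
 remark address and port; the IOS NTP client typically sends from port 123.
 66 permit udp host <ntp-server> eq ntp any eq ntp
 70 deny ip any any
!
! Option 2: make it stateful with CBAC. Without "router-traffic" only transit
! sessions are inspected, and this thread's problem is router-originated
! traffic, so the keyword is the whole point. Needs a security-featured image.
ip inspect name SELF tcp router-traffic
ip inspect name SELF udp router-traffic
!
interface FastEthernet8
 ip access-group INBOUND in
 ip inspect SELF out
```

Use one option or the other; with option 2 the INBOUND list can drop lines 65 and 66, since inspection opens the return path dynamically and only for sessions the router actually started.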