07-14-2004 04:16 PM - edited 03-02-2019 05:04 PM
Here is my config. What is wrong with it? When I apply access list 100 in, none of my clients can connect to the web. Anyone, please!!!!
ip dhcp pool dhcppool
import all
network 10.10.10.0 255.255.255.0
default-router 10.10.10.1
lease 7
!
no ip bootp server
ip inspect name ftp ftp timeout 30
ip audit attack action alarm reset
ip audit notify log
ip audit po max-events 100
ip cef
!
interface Ethernet0
ip address dhcp
(ip access-group 100 in) <-- None of my clients can connect to the web when this is applied!!!!
ip access-group 101 out
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip inspect ftp in
half-duplex
ntp disable
no cdp enable
!
interface FastEthernet0
ip address 10.10.10.1 255.255.255.0
ip access-group 101 in
ip access-group 101 out
ip nat inside
speed auto
no cdp enable
!
ip nat inside source list 1 interface Ethernet0 overload
ip nat inside source static tcp 10.10.10.60 13010 interface Ethernet0 13010
ip nat inside source static tcp 10.10.10.60 13011 interface Ethernet0 13011
ip nat inside source static tcp 10.10.10.60 13012 interface Ethernet0 13012
ip nat inside source static tcp 10.10.10.60 13013 interface Ethernet0 13013
ip nat inside source static tcp 10.10.10.60 13014 interface Ethernet0 13014
ip nat inside source static tcp 10.10.10.60 13015 interface Ethernet0 13015
ip classless
no ip http server
ip pim bidir-enable
!
ip access-list extended internet-in
!
logging 10.10.10.66
access-list 1 permit 10.0.0.0 0.255.255.255 log
access-list 100 permit tcp any any established
access-list 100 permit tcp any any log
access-list 100 permit tcp any host 10.10.10.60 range 13010 13015
access-list 100 permit tcp any gt 1023 any eq ftp
access-list 100 permit tcp any gt 1023 any eq ftp-data
access-list 100 permit icmp any any net-unreachable
access-list 100 permit icmp any any host-unreachable
access-list 100 permit icmp any any port-unreachable
access-list 100 permit icmp any any parameter-problem
access-list 100 permit icmp any any packet-too-big
access-list 100 permit icmp any any administratively-prohibited
access-list 100 permit icmp any any source-quench
access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any any ttl-exceeded
access-list 101 permit ip any any log
access-list 101 permit tcp any any log
access-list 101 permit udp any any log
access-list 101 permit tcp any any eq www
no cdp run
!
line con 0
line aux 0
line vty 0 3
access-class 1 in
password 7
login
telnet refuse-negotiations
line vty 4
access-class 1 in
password 7
login
telnet refuse-negotiations
!
07-14-2004 07:25 PM
Jason,
Try adding an "access-list 100 permit udp any any log" to your config and see what happens.
It looks to me like you're permitting anything to go out Ethernet0 ("access-list 101 permit ip any any" permits all tcp, udp, and icmp). But you're only allowing tcp and some icmp back in, no udp.
Remember, there's an implicit "deny ip any any" at the end of each ACL. If something's not explicitly permitted by the time you get to the end of an ACL, the implicit "deny all" will prevent it from getting through.
Probably what you've been experiencing is that replies from your ISP's DNS servers aren't making it back to the machines inside your network which initiated the requests. DNS typically uses udp port 53.
An easy way to confirm this: with ACL 100 off find a website and get its IP address. Then apply ACL 100. See if you can web browse the website's URL. Then see if you can web browse the website by putting in the actual IP address. If it doesn't work with the URL but it does work with the IP address, your DNS name resolution traffic is being blocked.
You might also see hints of this in the logs, or when you run "show access-list 100" after you add the udp line and apply the ACL to the interface and surf the web for a bit.
Hope this helps.
07-14-2004 07:35 PM
I think DNS is your problem. Access list 100 does not allow any DNS queries (UDP traffic) to enter the network. DNS queries use UDP port 53.
Hope this helps. Good Luck!
07-14-2004 08:04 PM
OK, I added udp 53 and still cannot get out. Here is what I get when I do sh access-list 100:
permit tcp any any established (1 match)
permit tcp any any log
permit tcp any host 10.10.10.60 range 13010 13015
permit tcp any gt 1023 any eq ftp
permit tcp any gt 1023 any eq ftp-data
permit icmp any any net-unreachable
permit icmp any any host-unreachable
permit icmp any any port-unreachable
permit icmp any any parameter-problem
permit icmp any any packet-too-big
permit icmp any any administratively-prohibited
permit icmp any any source-quench
permit icmp any any echo-reply
permit icmp any any ttl-exceeded
permit udp any any eq domain log
07-14-2004 09:48 PM
To figure out exactly what's getting blocked in your ACL 100, first take the "log" parameter off each command line that's permitting something. This cuts down on the clutter in the log.
Next, put the following explicit "deny all" commands at the end of the ACL, with the "log" parameter:
access-list 100 deny tcp any range 0 65535 any range 0 65535 log
access-list 100 deny udp any range 0 65535 any range 0 65535 log
access-list 100 deny icmp any any log
Note that these three commands have the same effect as the implicit
access-list 100 deny ip any any
except that by breaking out the protocols covered by "ip" to individual ACL command lines, you can get more detailed information in the logs. The command lines with port number ranges will cause the logs to show the actual port numbers being denied, vs. just logging the IP addresses involved.
Finally, apply this updated ACL 100, let it run for a bit, then look at the logs. You should see source and destination IP addresses, along with tcp or udp port numbers in parentheses ().
What do you see that's being blocked?
07-14-2004 10:13 PM
By the way, you may have the "eq domain" in the wrong place. If ACL 100 is for inbound traffic on Ethernet0 and DNS servers are on that side of the router, then your last line should read
permit udp any eq domain any log
because the DNS servers using port 53 will be the source IP address of the replying traffic. Destination IP addresses would be covered by the second "any" and would represent your DNS clients on your inside network.
Port numbers are randomly selected on the client side, so you can't pin them down to a specific one. (You could put "range 0 65535" after the second "any" and before the "log" in your command line, if you really wanted to see which ports the clients were using.)
The way your command line reads now, it would only allow DNS clients on the Internet to request name resolution from DNS servers located at your site (on the FastEthernet0 side of the router). Or, it would let DNS servers on the Internet reply to clients at your location who happened to be using UDP port 53, which is a port number extremely unlikely to be used by DNS clients.
Hope this helps.
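To make the three points above concrete (the silent implicit "deny ip any any" at the end of ACL 100, the explicit logged deny lines that reveal which ports are being dropped, and the difference between "any any eq domain" and "any eq domain any"), here is an added example that is not code from any of the posters. It is a small first-match evaluator for the subset of Cisco IOS extended ACL syntax used in this thread, fed with ACL 100 as it appears in the "sh access-list 100" output. The packets are constructed for illustration: a resolver at 192.0.2.53 (a documentation address) replying to an inside client on ephemeral port 40123, a returning web packet, and an Internet client querying an inside host on port 53.

```python
"""First-match evaluator for the Cisco IOS extended ACL syntax used in this
thread (tcp/udp/icmp, 'any' or 'host X', eq/gt/range, 'established', ICMP type
names, trailing 'log'). Added example, not from the original posts."""
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

PORT_NAMES = {"ftp-data": 20, "ftp": 21, "domain": 53, "www": 80}


@dataclass
class Packet:
    proto: str                  # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    ack: bool = False           # TCP ACK/RST set: this is what "established" tests
    icmp_type: Optional[str] = None


def _port(tok: str) -> int:
    return PORT_NAMES.get(tok) or int(tok)


def _port_op(toks: List[str], i: int) -> Tuple[Callable[[int], bool], int]:
    """Optional port operator at toks[i]; no operator means any port."""
    if i < len(toks) and toks[i] == "eq":
        p = _port(toks[i + 1])
        return (lambda x: x == p), i + 2
    if i < len(toks) and toks[i] == "gt":
        p = _port(toks[i + 1])
        return (lambda x: x > p), i + 2
    if i < len(toks) and toks[i] == "range":
        lo, hi = _port(toks[i + 1]), _port(toks[i + 2])
        return (lambda x: lo <= x <= hi), i + 3
    return (lambda x: True), i


def _addr(toks: List[str], i: int) -> Tuple[Callable[[str], bool], int]:
    if toks[i] == "any":
        return (lambda a: True), i + 1
    if toks[i] == "host":
        h = toks[i + 1]
        return (lambda a: a == h), i + 2
    raise ValueError("only 'any' and 'host X' are supported in this example")


@dataclass
class Entry:
    text: str
    action: str
    proto: str
    src: Callable[[str], bool]
    sport: Callable[[int], bool]
    dst: Callable[[str], bool]
    dport: Callable[[int], bool]
    established: bool
    icmp_type: Optional[str]
    log: bool

    def matches(self, p: Packet) -> bool:
        if self.proto not in ("ip", p.proto):
            return False
        if not (self.src(p.src) and self.dst(p.dst)):
            return False
        if p.proto in ("tcp", "udp") and not (self.sport(p.sport) and self.dport(p.dport)):
            return False
        if self.established and not p.ack:
            return False
        return self.icmp_type is None or p.icmp_type == self.icmp_type


def parse_entry(line: str) -> Entry:
    # Accepts "access-list 100 permit ..." and the bare "permit ..." form of "show access-list".
    toks = line.split()
    if toks[0] == "access-list":
        toks = toks[2:]
    action, proto, i = toks[0], toks[1], 2
    has_ports = proto in ("tcp", "udp")
    src, i = _addr(toks, i)
    sport, i = _port_op(toks, i) if has_ports else ((lambda x: True), i)
    dst, i = _addr(toks, i)
    dport, i = _port_op(toks, i) if has_ports else ((lambda x: True), i)
    rest = toks[i:]
    icmp_type = next((t for t in rest if t not in ("log", "established")), None) if proto == "icmp" else None
    return Entry(line.strip(), action, proto, src, sport, dst, dport,
                 "established" in rest, icmp_type, "log" in rest)


def evaluate(acl: List[str], p: Packet) -> Tuple[str, Optional[str], bool]:
    """Return (action, matching line or None for the implicit deny, logged)."""
    for e in map(parse_entry, acl):
        if e.matches(p):
            return e.action, e.text, e.log
    return "deny", None, False      # implicit "deny ip any any": silent, never logged


# ACL 100 as shown in the thread's "sh access-list 100" output (match counter omitted).
ACL100_AS_POSTED = [
    "permit tcp any any established", "permit tcp any any log",
    "permit tcp any host 10.10.10.60 range 13010 13015",
    "permit tcp any gt 1023 any eq ftp", "permit tcp any gt 1023 any eq ftp-data",
    "permit icmp any any net-unreachable", "permit icmp any any host-unreachable",
    "permit icmp any any port-unreachable", "permit icmp any any parameter-problem",
    "permit icmp any any packet-too-big", "permit icmp any any administratively-prohibited",
    "permit icmp any any source-quench", "permit icmp any any echo-reply",
    "permit icmp any any ttl-exceeded", "permit udp any any eq domain log",
]
# Same list with "eq domain" moved to the source side, as the last reply suggests.
ACL100_FIXED = ACL100_AS_POSTED[:-1] + ["permit udp any eq domain any"]
# Explicit, logged deny lines from the troubleshooting reply.
EXPLICIT_DENIES = ["deny tcp any range 0 65535 any range 0 65535 log",
                   "deny udp any range 0 65535 any range 0 65535 log",
                   "deny icmp any any log"]

# Constructed sample packets (192.0.2.0/24 is a documentation range).
DNS_REPLY = Packet("udp", "192.0.2.53", "10.10.10.50", sport=53, dport=40123)
WEB_REPLY = Packet("tcp", "192.0.2.80", "10.10.10.50", sport=80, dport=40124, ack=True)
INBOUND_QUERY = Packet("udp", "192.0.2.7", "10.10.10.60", sport=40000, dport=53)

if __name__ == "__main__":
    for name, acl in (("as posted", ACL100_AS_POSTED),
                      ("as posted + explicit denies", ACL100_AS_POSTED + EXPLICIT_DENIES),
                      ("eq domain on source side", ACL100_FIXED)):
        action, line, logged = evaluate(acl, DNS_REPLY)
        print(f"{name:28} DNS reply: {action} by {line or 'implicit deny'}{' [logged]' if logged else ''}")
```

Running it shows the DNS reply hitting the silent implicit deny with the list as posted, hitting the logged "deny udp ... range 0 65535" line (so the log would show the ports) once the explicit denies are appended, and being permitted once "eq domain" sits on the source side; the returning web packet is permitted by the "established" line in every case, and the inbound port-53 query is what the posted line actually permits.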