10-28-2012 01:50 AM - edited 03-04-2019 05:59 PM
Hello,
From the remote VPN side (ASA 10.100.1.66) into the VLAN 10 network (10.104.10.x) on this router's LAN, inbound works on the ports in the 123 access list. However, I need to allow VLAN 10 on this router to go outbound to the remote ASA VPN (10.100.1.66). Where do I put the access list? For example, I need this router's subnet 10.10.4.10.x LAN to get to 10.100.1.66 on destination port TCP/601. When I try, the router shows it's denied, but for some reason it is saying access list 123 is denying it. Why, as it is an outbound access list into VLAN 10's LAN?
router (10.104.10.x) --EasyVPN-- ASA (10.100.1.66)
denied error:
%SEC-6-IPACCESSLOGP: list 123 denied tcp 10.100.1.66(601) -> 10.104.10.2(6926), 1 packet
Config
interface Cellular0
ip address negotiated
ip access-group 122 in
ip nat outside
ip virtual-reassembly in
encapsulation slip
load-interval 60
dialer in-band
dialer string INTERNET
dialer-group 1
async mode interactive
crypto ipsec client ezvpn toASA
interface Vlan10
ip address 10.104.10.1 255.255.255.240
ip access-group 123 out
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1452
no autostate
crypto ipsec client ezvpn toASA inside
access-list 122 permit icmp host 4.2.2.2 any
access-list 122 permit udp host *.*.*.* any log
access-list 122 deny ip any any log
access-list 123 permit tcp host 10.100.1.66 any eq 3389 log
access-list 123 permit tcp host 10.100.1.66 any eq 5900 log
access-list 123 permit tcp host 10.100.1.66 any eq 5800 log
access-list 123 permit tcp host 10.100.1.66 any eq 601 log
access-list 123 permit icmp any any
access-list 123 deny ip any any log
I think I could be getting confused on where I put the outbound access list and why access list 123 should have anything to do with it and deny it.
Please advise, as I guess I need to add this somewhere: access-list ? permit tcp 10.104.10.0 0.0.0.15 host 10.100.1.66 eq 601
Thanks
10-28-2012 02:30 AM
%SEC-6-IPACCESSLOGP: list 123 denied tcp 10.100.1.66(601) -> 10.104.10.2(6926), 1 packet
This simply means source 10.104.10.2 is hitting 10.100.1.66 on port 601, where port 6926 is the dynamic source port associated with 10.104.10.2. When the return packet comes back in, it is being denied by ACL 123.
The access list is applied in the right direction, but the entry should look something like this:
#permit tcp host 10.10.100.66 eq 601 host 10.104.10.2
Think like this - Outbound traffic: Source IP, Source Port, Destination IP, Destination Port (controlled by ACL IN)
10.104.10.2 6929 10.104.10.2 -> 10.100.1.66 601
Same in the reverse direction.
Thanks
Ajay
10-28-2012 04:00 AM
Hi,
It is still saying access denied:
%SEC-6-IPACCESSLOGP: list 123 denied tcp 10.100.1.66(601) -> 10.104.10.2(7144), 1 packet
I was on 10.104.10.2(LAN - VLAN 10) and tried to connect to 10.100.1.66 (remote) on tcp 601.
access-list 123 permit tcp host 10.100.1.66 any eq 3389 log
access-list 123 permit tcp host 10.100.1.66 any eq 5900 log
access-list 123 permit tcp host 10.100.1.66 any eq 5800 log
access-list 123 permit tcp host 10.100.1.66 any eq 601 log
access-list 123 permit tcp host 10.100.1.66 eq 601 10.104.0.0 0.0.0.255 log
access-list 123 permit icmp any any
access-list 123 deny ip any any log
What did I do wrong?
10-28-2012 04:06 AM
10.104.0.0 0.0.0.255 - do you know what this is going to cover?
255 means just the last 8 bits, meaning 10.104.0.1 to 10.104.0.255. Does that cover 10.104.10.2?
Hope you understand now what you did wrong.
Thanks
Ajay
10-28-2012 04:27 AM
What a school boy error, I will never pass my cert with that!
That now works. I'm still a little confused on how it works. So is the below saying to allow 10.100.1.66 on tcp 601 to 10.104.10.x?
If so that is the opposite in my mind, as I needed 10.104.10.x to get to 10.100.1.66 on tcp 601.
access-list 123 permit tcp host 10.100.1.66 eq 601 10.104.10.0 0.0.0.255 log
10-28-2012 05:39 AM
access-list 123 permit tcp host 10.100.1.66 eq 601 10.104.10.0 0.0.0.255 log
Simple: it says if 10.100.1.66 is coming with that source port, allow it to 10.104.10.0 0.0.0.255 on any port.
You need to understand how sessions work on TCP/IP.
10-28-2012 05:45 AM
You mentioned:
#permit tcp host 10.10.100.66 eq 601 host 10.104.10.2
Think like this - Outbound traffic: Source IP, Source Port, Destination IP, Destination Port (controlled by ACL IN)
10.104.10.2 6929 10.100.1.66 601
This is what I applied to vlan 10 outbound
access-list 123 permit tcp host 10.100.1.66 eq 601 10.104.10.0 0.0.0.255 log
In the access list above, isn't 10.100.1.66 and tcp 601 the source IP and port, and the destination 10.104.10.x?
10-28-2012 05:58 AM
Dynamic ports are random; you cannot guess them. The only thing you need to keep in mind is direction, source/destination IP and destination port.
Session means initiator will target well known ports/specific ports for destination IP and will open dynamic port at source.
10.104.10.2 6929>>>>>>>>>>>>>>>>>>>>>>> 10.100.1.66 601 (1st packet)
10.104.10.2 6929<<<<<<<<<<<<<<<<<<<<<<< 10.100.1.66 601 (return packet)
For more information, look at how ACLs work on cisco.com.
Thanks
Ajay
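The thread's point about return traffic and wildcard masks, as an added example that is not part of any post above: a small Python model of how an IOS extended ACL applied "out" on Vlan10 evaluates the return packet from the log line, run against the three versions of ACL 123 that appear in the thread (the constants and the packet are copied from the posts; the parser only handles the `host`/`any`/wildcard and `eq` forms used there).

```python
import ipaddress

# Added example, not the router's code: models first-match evaluation of an
# IOS extended ACL on the *return* packet of a TCP session opened from the LAN.

def wildcard_match(addr, spec):
    """spec is ['any'], ['host', X] or [X, WILDCARD]; wildcard 1-bits are 'don't care'."""
    if spec == ["any"]:
        return True
    if spec[0] == "host":
        return addr == spec[1]
    a, base, wild = (int(ipaddress.IPv4Address(x)) for x in (addr, *spec))
    return (a & ~wild) == (base & ~wild)

def parse_ace(line):
    """access-list N <permit|deny> <proto> <src> [eq P] <dst> [eq P] [log]"""
    tok = line.split()[2:]
    ace = {"action": tok[0], "proto": tok[1]}
    tok = tok[2:]
    for side in ("src", "dst"):
        n = 1 if tok[0] == "any" else 2          # 'any' is one token, host/wildcard are two
        ace[side], tok = tok[:n], tok[n:]
        ace[side + "_port"], tok = (int(tok[1]), tok[2:]) if tok[:1] == ["eq"] else (None, tok)
    return ace

def evaluate(acl, proto, src, sport, dst, dport):
    """First matching entry decides; no match falls through to the implicit deny."""
    for line in acl:
        ace = parse_ace(line)
        if ace["proto"] not in (proto, "ip"):
            continue
        if not (wildcard_match(src, ace["src"]) and wildcard_match(dst, ace["dst"])):
            continue
        if ace["src_port"] not in (None, sport) or ace["dst_port"] not in (None, dport):
            continue
        return ace["action"], line
    return "deny", "implicit deny"

# Return packet exactly as the log shows it: tcp 10.100.1.66(601) -> 10.104.10.2(6926)
RETURN_PKT = ("tcp", "10.100.1.66", 601, "10.104.10.2", 6926)

TAIL = ["access-list 123 permit icmp any any", "access-list 123 deny ip any any log"]
ACL_ORIGINAL = ["access-list 123 permit tcp host 10.100.1.66 any eq 601 log"] + TAIL
ACL_WRONG_MASK = ["access-list 123 permit tcp host 10.100.1.66 eq 601 10.104.0.0 0.0.0.255 log"] + TAIL
ACL_FIXED = ["access-list 123 permit tcp host 10.100.1.66 eq 601 10.104.10.0 0.0.0.255 log"] + TAIL

if __name__ == "__main__":
    for name, acl in (("original", ACL_ORIGINAL), ("wrong mask", ACL_WRONG_MASK), ("fixed", ACL_FIXED)):
        print(f"{name:10s} -> {evaluate(acl, *RETURN_PKT)}")
```

The original list fails because `eq 601` sits on the destination, which for the return packet is the LAN host's dynamic port; the second fails because `10.104.0.0 0.0.0.255` only covers 10.104.0.x.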