Access list help on router

Andy White
Level 3

Hello,

From the remote VPN side (ASA 10.100.1.66) into the VLAN 10 network (10.104.10.x) on this router's LAN, inbound works on the ports in the 123 access list; however, I need to allow VLAN 10 on this router to go outbound to the remote ASA VPN (10.100.1.66).  Where do I put the access-list?  For example, I need this router's subnet 10.10.4.10.x LAN to get to 10.100.1.66 on destination port TCP/601.  When I try, the router shows it's denied, but for some reason it is saying access list 123 is denying it. Why, as it is an outbound access list into VLAN 10's LAN?

router (10.104.10.x) --EasyVPN-- ASA (10.100.1.66)

denied error:

%SEC-6-IPACCESSLOGP: list 123 denied tcp 10.100.1.66(601) -> 10.104.10.2(6926), 1 packet

Config

interface Cellular0
 ip address negotiated
 ip access-group 122 in
 ip nat outside
 ip virtual-reassembly in
 encapsulation slip
 load-interval 60
 dialer in-band
 dialer string INTERNET
 dialer-group 1
 async mode interactive
 crypto ipsec client ezvpn toASA

interface Vlan10
 ip address 10.104.10.1 255.255.255.240
 ip access-group 123 out
 ip nat inside
 ip virtual-reassembly in
 ip tcp adjust-mss 1452
 no autostate
 crypto ipsec client ezvpn toASA inside

access-list 122 permit icmp host 4.2.2.2 any
access-list 122 permit udp host *.*.*.* any log
access-list 122 deny   ip any any log
access-list 123 permit tcp host 10.100.1.66 any eq 3389 log
access-list 123 permit tcp host 10.100.1.66 any eq 5900 log
access-list 123 permit tcp host 10.100.1.66 any eq 5800 log
access-list 123 permit tcp host 10.100.1.66 any eq 601 log
access-list 123 permit icmp any any
access-list 123 deny   ip any any log

I think I could be getting confused on where I put the outbound access list, and why access list 123 should have anything to do with it and deny it.

Please advise, as I guess I need to add this somewhere: access-list ? permit tcp 10.104.10.0 0.0.0.15 host 10.100.1.66 eq 601

Thanks

7 Replies

ajay chauhan
Level 7

%SEC-6-IPACCESSLOGP: list 123 denied tcp 10.100.1.66(601) -> 10.104.10.2(6926), 1 packet

This simply means source 10.104.10.2 is hitting 10.100.1.66 on port 601, where port 6926 is the dynamic source port associated with 10.104.10.2. When the return packet comes back in, it is being denied by ACL 123.

The access-list is applied in the right direction, but the entry should look something like this:

#permit tcp host 10.10.100.66 eq 601 host 10.104.10.2

Think of it like this. Outbound traffic (controlled by the ACL in):

  Source IP    Source Port  Destination IP  Destination Port
  10.104.10.2  6929         10.100.1.66     601

Same in the reverse direction.

Thanks

Ajay

Hi,

It is still saying access denied:

%SEC-6-IPACCESSLOGP: list 123 denied tcp 10.100.1.66(601) -> 10.104.10.2(7144), 1 packet

I was on 10.104.10.2(LAN - VLAN 10) and tried to connect to 10.100.1.66 (remote) on tcp 601.

access-list 123 permit tcp host 10.100.1.66 any eq 3389 log
access-list 123 permit tcp host 10.100.1.66 any eq 5900 log
access-list 123 permit tcp host 10.100.1.66 any eq 5800 log
access-list 123 permit tcp host 10.100.1.66 any eq 601 log
access-list 123 permit tcp host 10.100.1.66 eq 601 10.104.0.0 0.0.0.255 log
access-list 123 permit icmp any any
access-list 123 deny   ip any any log

What did I do wrong?

10.104.0.0 0.0.0.255: do you know what this is going to cover?

255 means just the last 8 bits, meaning 10.104.0.1 to 10.104.0.255. Does that cover 10.104.10.2?

Hope you understand now what you did wrong.

Thanks

Ajay

What a school boy error, I will never pass my cert with that!

That now works, but I'm still a little confused on how it works.  So is the below saying allow 10.100.1.66 on tcp 601 to 10.104.10.x?

If so that is the opposite in my mind, as I needed 10.104.10.x to get to 10.100.1.66 on tcp 601.

access-list 123 permit tcp host 10.100.1.66 eq 601 10.104.10.0 0.0.0.255 log

access-list 123 permit tcp host 10.100.1.66 eq 601 10.104.10.0 0.0.0.255 log

Simple: it says if 10.100.1.66 is coming with that source port, it should be allowed to 10.104.10.0 0.0.0.255 on any port.

You need to understand how sessions work on TCP/IP.

You mentioned:

#permit tcp host 10.10.100.66 eq 601 host 10.104.10.2

Think of it like this. Outbound traffic (controlled by the ACL in):

  Source IP    Source Port  Destination IP  Destination Port
  10.104.10.2  6929         10.100.1.66     601

This is what I applied to vlan 10 outbound

access-list 123 permit tcp host 10.100.1.66 eq 601 10.104.10.0 0.0.0.255 log

In the access list above, isn't 10.100.1.66 and tcp 601 the source IP and port, and the destination 10.104.10.x?

Dynamic ports are random; you cannot guess them. The only things you need to keep in mind are the direction, the source/destination IP and the destination port.

A session means the initiator will target well-known/specific ports on the destination IP and will open a dynamic port at the source.

10.104.10.2 6929>>>>>>>>>>>>>>>>>>>>>>> 10.100.1.66 601   (1st packet)

10.104.10.2 6929<<<<<<<<<<<<<<<<<<<<<<< 10.100.1.66 601   (return packet)

For more information, look at how ACLs work on cisco.com.

Thanks

Ajay
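To make the two points in this thread concrete (the wildcard-mask mistake, and the fact that an "out" ACL on Vlan10 is evaluated against the reply packet, not the LAN host's request), here is a small first-match ACL evaluator written for this page; it is my own simplified model of IOS extended-ACL matching, not Cisco code, and the Packet class, function names and the sample packet built from the log line are assumptions.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Packet:           # one IP packet as the ACL sees it (constructed model)
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

def wildcard_match(ip, base, wildcard):
    """Cisco wildcard mask: a 1 bit means 'don't care', so only the 0 bits must match base."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return int(ipaddress.IPv4Address(ip)) & care == int(ipaddress.IPv4Address(base)) & care

def parse_addr(tokens):
    """Consume 'any' | 'host A.B.C.D' | 'A.B.C.D W.W.W.W' plus an optional 'eq <port>'."""
    if tokens[0] == "any":
        addr, rest = ("0.0.0.0", "255.255.255.255"), tokens[1:]
    elif tokens[0] == "host":
        addr, rest = (tokens[1], "0.0.0.0"), tokens[2:]
    else:
        addr, rest = (tokens[0], tokens[1]), tokens[2:]
    port = None
    if rest and rest[0] == "eq":
        port, rest = int(rest[1]), rest[2:]
    return addr, port, rest

def evaluate(acl_lines, pkt):
    """First-match evaluation of 'access-list N permit|deny proto src [eq p] dst [eq p] [log]';
    an implicit deny follows the last line, as on IOS."""
    for line in acl_lines:
        tok = line.split()
        action, proto = tok[2], tok[3]
        src, sport, rest = parse_addr(tok[4:])
        dst, dport, _ = parse_addr(rest)
        if proto not in ("ip", pkt.proto):
            continue
        if not (wildcard_match(pkt.src, *src) and wildcard_match(pkt.dst, *dst)):
            continue
        if sport not in (None, pkt.sport) or dport not in (None, pkt.dport):
            continue
        return action, line
    return "deny", "implicit deny"

# The reply packet from the denied log line. ACL 123 is applied 'out' on Vlan10, so it filters
# packets leaving the router toward the LAN: this reply, not the LAN host's request.
REPLY = Packet("tcp", "10.100.1.66", 601, "10.104.10.2", 7144)
ORIGINAL = ["access-list 123 permit tcp host 10.100.1.66 any eq 601 log",   # dport 601, not 7144
            "access-list 123 permit icmp any any",
            "access-list 123 deny ip any any log"]
WRONG_MASK = "access-list 123 permit tcp host 10.100.1.66 eq 601 10.104.0.0 0.0.0.255 log"
FIXED_MASK = "access-list 123 permit tcp host 10.100.1.66 eq 601 10.104.10.0 0.0.0.255 log"  # 0.0.0.15 fits the /28 exactly
```

Running evaluate(ORIGINAL, REPLY) and evaluate([WRONG_MASK], REPLY) both end at a deny, while evaluate([FIXED_MASK], REPLY) permits; the same FIXED_MASK entry denies a packet sourced from 10.104.10.2, which is why the entry reads "backwards" from the LAN host's point of view.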
