06-07-2015 07:44 PM - edited 03-05-2019 01:37 AM
Hi Techies,
I have a router and it has 2 interfaces, an inside interface and an outside interface. Gi0/0 is outside, Gi0/1 is inside. From outside I would like to give access to all only on port 445, but after giving 101 ACL, I am losing access from inside LAN to outside. Could anyone help?
interface GigabitEthernet0/0
description WAN IP
ip address 10.X.X.X 255.255.255.252
ip access-group 101 in
duplex auto
speed auto
!
interface GigabitEthernet0/1
description LAN IP
ip address 20.X.X.X 255.255.255.240
duplex auto
speed auto
access-list 101 permit tcp any host 20.X.X.136 eq 445 log
06-07-2015 10:56 PM
Maybe because of the implicit deny.
Correct that, then you should be fine.
Regards
Inayath
06-09-2015 05:40 PM
Hello
Try this:
ip inspect name CBAC tcp
ip inspect name CBAC icmp
ip inspect name CBAC udp
access-list 101 permit tcp any host 20.X.X.136 eq 445 log
access-list 102 permit ip 20.X.X.X 0.0.0.7 any
interface GigabitEthernet0/0
ip access-group 101 in
interface GigabitEthernet0/1
ip access-group 102 in
ip inspect CBAC in
res
Paul
06-10-2015 12:49 AM
You should enable stateful inspection (either using ZBF or CBAC) on your router.
For more information have a look at these guides:
http://www.cisco.com/c/en/us/support/docs/security/ios-firewall/5143-cbac4.html
http://www.cisco.com/c/en/us/support/docs/security/ios-firewall/13814-32.html
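As an added illustration (not part of any post in this thread, and not Cisco code): a small Python model of why ACL 101 on its own drops the replies to LAN-initiated connections, and how stateful inspection as suggested above lets them back in while still blocking everything but port 445 from outside. The addresses are constructed placeholders for the masked hosts, and the `Router` class is a hypothetical simplification of how inspection opens return paths.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

# Constructed placeholder addresses standing in for the masked 20.X.X.x hosts.
SERVER = "192.0.2.136"   # inside host published on tcp/445
LAN_PC = "192.0.2.130"   # inside client
REMOTE = "198.51.100.7"  # any outside host

# ACL 101 from the thread: a single permit entry.
ACL_101 = [("tcp", "any", SERVER, 445)]

def acl_permits(acl, pkt):
    """First-match ACL evaluation ending in the implicit deny."""
    for proto, src, dst, dport in acl:
        if (pkt.proto == proto and src in ("any", pkt.src)
                and dst == pkt.dst and dport == pkt.dport):
            return True
    return False  # implicit "deny ip any any" at the end of every ACL

class Router:
    """Hypothetical model: Gi0/1 is inside, Gi0/0 is outside with ACL 101 inbound."""
    def __init__(self, inspect=False):
        self.inspect = inspect
        self.sessions = set()

    def from_inside(self, pkt):
        # With inspection on, remember the reply tuple this flow expects.
        if self.inspect:
            self.sessions.add((pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport))
        return True

    def from_outside(self, pkt):
        # Replies to inspected sessions are allowed; everything else faces ACL 101.
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        return key in self.sessions or acl_permits(ACL_101, pkt)

def web_round_trip(router):
    """LAN PC opens HTTPS to an outside host; True if the reply gets back in."""
    router.from_inside(Packet("tcp", LAN_PC, 50000, REMOTE, 443))
    return router.from_outside(Packet("tcp", REMOTE, 443, LAN_PC, 50000))
```

Without inspection the reply is addressed to the LAN PC on an ephemeral port, matches no entry in ACL 101, and falls through to the implicit deny, which is the symptom described in the question.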