Access List on 877VA router IOS15.7(3)

eugeneg
Beginner

Hi guys

I recently replaced an 877M-K9 VO1 router with an 877VA-K9 router in order to take advantage of a faster VDSL connection.

I massaged the working configuration of the 877M and applied it without the ACLs to the 877VA running IOS 15.7(3) and immediately connected to the upstream service - all good so far.

The problem happened when I applied the ACLs: there is no communication from the DMZ network to the WAN at all unless I add a permit ip any any to the end of the ACL. Is there something new that I am missing?

Here is my config:

hostname MINOTAUR

clock timezone AWST 8

no ip source-route
ip cef

multilink bundle-name authenticated

username admin privilege 15 secret SECRET
!
enable secret SECRET
enable password PASSWORD

archive
log config
hidekeys
exit
exit

interface ATM0
shut
exit

interface Dialer0
shut
exit

interface Ethernet0
description TELSTRA CONNECTION
ip address negotiated
ip access-group 121 in
ip access-group 122 out
no ip redirects
no ip unreachables
no ip proxy-arp
ip mtu 1492
ip virtual-reassembly in
encapsulation ppp
ip tcp adjust-mss 1452
no cdp enable

interface Vlan1
description DMZ
ip address 203.30.44.62 255.255.255.128
ip access-group 101 in
ip access-group 102 out
no ip redirects
no ip unreachables
no ip proxy-arp
ip virtual-reassembly in
ip tcp adjust-mss 1452
hold-queue 100 out

interface FastEthernet0
no shut
exit
interface FastEthernet1
no shut
exit
interface FastEthernet2
no shut
exit
interface FastEthernet3
no shut

no ip http server
ip http access-class 2
ip http authentication local
ip http secure-server

ip route 0.0.0.0 0.0.0.0 Ethernet0
ip route 172.16.0.0 255.255.254.0 203.30.44.1
ip route 172.16.10.0 255.255.254.0 203.30.44.1
ip route 192.168.0.0 255.255.255.0 203.30.44.1
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh server algorithm encryption aes128-ctr aes192-ctr aes256-ctr
ip ssh client algorithm encryption aes128-ctr aes192-ctr aes256-ctr
!
snmp-server community LO_snmp RO
access-list 101 permit ip any any
access-list 102 permit ip any any
access-list 121
access-list 121 remark incoming traffic via dial interface dialer 0
access-list 121 deny tcp any any eq 5938
access-list 121 deny udp any any eq 5938
access-list 121 deny ip host 213.251.75.74 any
access-list 121 permit icmp any host 203.30.44.1 administratively-prohibited
access-list 121 permit icmp any host 203.30.44.1 echo-reply
access-list 121 permit icmp any host 203.30.44.1 packet-too-big
access-list 121 permit icmp any host 203.30.44.1 time-exceeded
access-list 121 permit icmp any host 203.30.44.1 traceroute
access-list 121 permit icmp any host 203.30.44.1 unreachable
access-list 121 permit udp any host 203.30.44.1 eq domain
access-list 121 permit tcp any host 203.30.44.1 eq domain
access-list 121 deny udp any host 203.30.44.1 eq 3104
access-list 121 deny tcp any host 203.30.44.1 eq 3104
access-list 121 permit tcp any host 203.30.44.1 eq 2703
access-list 121 permit icmp any host 203.30.44.2 administratively-prohibited
access-list 121 permit icmp any host 203.30.44.2 echo-reply
access-list 121 permit icmp any host 203.30.44.2 packet-too-big
access-list 121 permit icmp any host 203.30.44.2 time-exceeded
access-list 121 permit icmp any host 203.30.44.2 traceroute
access-list 121 permit icmp any host 203.30.44.2 unreachable
access-list 121 permit udp any host 203.30.44.2 eq domain
access-list 121 permit tcp any host 203.30.44.2 eq domain
access-list 121 permit tcp any host 203.30.44.2 eq 2703
access-list 121 permit tcp any host 203.30.44.2 eq ftp
access-list 121 permit tcp any host 203.30.44.2 eq ftp-data established
access-list 121 permit tcp any host 203.30.44.2 eq www
access-list 121 permit tcp any host 203.30.44.4 eq www
access-list 121 permit tcp any host 203.30.44.4 eq 443
access-list 121 permit tcp any host 203.30.44.6 eq www
access-list 121 permit tcp any host 203.30.44.6 eq 443
access-list 121 permit tcp any host 203.30.44.7 eq www
access-list 121 permit tcp any host 203.30.44.7 eq 443
access-list 121 permit tcp any host 203.30.44.8 eq www
access-list 121 permit tcp any host 203.30.44.8 eq 443
access-list 121 permit tcp any host 203.30.44.12 eq 2703
access-list 121 permit tcp any host 203.30.44.13 eq www
access-list 121 permit tcp any host 203.30.44.13 eq 443
access-list 121 permit tcp any host 203.30.44.17 eq www
access-list 121 permit tcp any host 203.30.44.17 eq 443
access-list 121 permit tcp any host 203.30.44.18 eq www
access-list 121 permit tcp any host 203.30.44.18 eq 443
access-list 121 permit tcp any host 203.30.44.19 eq www
access-list 121 permit tcp any host 203.30.44.19 eq 443
access-list 121 permit tcp any host 203.30.44.19 eq 554
access-list 121 permit tcp any host 203.30.44.19 eq 8000
access-list 121 permit tcp any host 203.30.44.20 eq www
access-list 121 permit tcp any host 203.30.44.20 eq 443
access-list 121 permit tcp any host 203.30.44.31 eq www
access-list 121 permit tcp any host 203.30.44.33 eq www
access-list 121 permit tcp any host 203.30.44.34 eq www
access-list 121 permit tcp any host 203.30.44.35 eq www
access-list 121 permit tcp any host 203.30.44.36 eq www
access-list 121 permit ip any host 203.30.44.60
access-list 121 deny ip any any log
access-list 122 remark outbound traffic via dial interface dialer 0
access-list 122 deny tcp any any eq 5938
access-list 122 deny udp any any eq 5938
access-list 122 permit ip any any
!
banner login ^CCCCYou have reached the guardian at the gate, if you know the password enter it now.
If you don't know the password then you are not authorised to enter, turn back now
or risk the sheer terror of the deepest depths of hell where the foulest of creatures
lurk awaiting the unwary traveller.
Have a nice day ;-)
^C

line con 0
no modem enable
transport output telnet
line aux 0
transport output telnet
line vty 0 4
exec-timeout 30 0
password PASSWORD
transport input telnet ssh

no cdp run

ntp clock-period 17180370
ntp server 129.143.2.23

webvpn cef

line vty 0 4
access-class 1 in
no exec-timeout
privilege level 15
login local
transport preferred ssh
transport input ssh
controller vdsl 0
lldp run

I have tried blowing the ACL away, then re-applying it with rules for a single DMZ host, and again there is no incoming traffic unless I specify a permit ip any host DMZHOST.

Please help

8 Replies

Georg Pauwen
VIP Master

Hello,

Three of your four access lists are redundant. You don't need access lists 101 and 102 on your DMZ interface, because they allow everything. Access list 122, without the 'permit ip any any' at the end, blocks everything because of the implicit deny at the end of the access list.

Remove the lines marked in bold (shown here with -->):

hostname MINOTAUR
!
clock timezone AWST 8
!
no ip source-route
ip cef
!
multilink bundle-name authenticated
!
username admin privilege 15 secret SECRET
!
enable secret SECRET
enable password PASSWORD
!
archive
log config
hidekeys
exit
exit
!
interface ATM0
shut
exit
!
interface Dialer0
shut
exit
!
interface Ethernet0
description TELSTRA CONNECTION
ip address negotiated
ip access-group 121 in
--> no ip access-group 122 out
no ip redirects
no ip unreachables
no ip proxy-arp
ip mtu 1492
ip virtual-reassembly in
encapsulation ppp
ip tcp adjust-mss 1452
no cdp enable
!
interface Vlan1
description DMZ
ip address 203.30.44.62 255.255.255.128
--> no ip access-group 101 in
--> no ip access-group 102 out
no ip redirects
no ip unreachables
no ip proxy-arp
ip virtual-reassembly in
ip tcp adjust-mss 1452
hold-queue 100 out
!
interface FastEthernet0
no shut
exit
interface FastEthernet1
no shut
exit
interface FastEthernet2
no shut
exit
interface FastEthernet3
no shut
!
no ip http server
ip http access-class 2
ip http authentication local
ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 Ethernet0
ip route 172.16.0.0 255.255.254.0 203.30.44.1
ip route 172.16.10.0 255.255.254.0 203.30.44.1
ip route 192.168.0.0 255.255.255.0 203.30.44.1
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh server algorithm encryption aes128-ctr aes192-ctr aes256-ctr
ip ssh client algorithm encryption aes128-ctr aes192-ctr aes256-ctr
!
snmp-server community LO_snmp RO
access-list 101 permit ip any any
access-list 102 permit ip any any
access-list 121
access-list 121 remark incoming traffic via dial interface dialer 0
access-list 121 deny tcp any any eq 5938
access-list 121 deny udp any any eq 5938
access-list 121 deny ip host 213.251.75.74 any
access-list 121 permit icmp any host 203.30.44.1 administratively-prohibited
access-list 121 permit icmp any host 203.30.44.1 echo-reply
access-list 121 permit icmp any host 203.30.44.1 packet-too-big
access-list 121 permit icmp any host 203.30.44.1 time-exceeded
access-list 121 permit icmp any host 203.30.44.1 traceroute
access-list 121 permit icmp any host 203.30.44.1 unreachable
access-list 121 permit udp any host 203.30.44.1 eq domain
access-list 121 permit tcp any host 203.30.44.1 eq domain
access-list 121 deny udp any host 203.30.44.1 eq 3104
access-list 121 deny tcp any host 203.30.44.1 eq 3104
access-list 121 permit tcp any host 203.30.44.1 eq 2703
access-list 121 permit icmp any host 203.30.44.2 administratively-prohibited
access-list 121 permit icmp any host 203.30.44.2 echo-reply
access-list 121 permit icmp any host 203.30.44.2 packet-too-big
access-list 121 permit icmp any host 203.30.44.2 time-exceeded
access-list 121 permit icmp any host 203.30.44.2 traceroute
access-list 121 permit icmp any host 203.30.44.2 unreachable
access-list 121 permit udp any host 203.30.44.2 eq domain
access-list 121 permit tcp any host 203.30.44.2 eq domain
access-list 121 permit tcp any host 203.30.44.2 eq 2703
access-list 121 permit tcp any host 203.30.44.2 eq ftp
access-list 121 permit tcp any host 203.30.44.2 eq ftp-data established
access-list 121 permit tcp any host 203.30.44.2 eq www
access-list 121 permit tcp any host 203.30.44.4 eq www
access-list 121 permit tcp any host 203.30.44.4 eq 443
access-list 121 permit tcp any host 203.30.44.6 eq www
access-list 121 permit tcp any host 203.30.44.6 eq 443
access-list 121 permit tcp any host 203.30.44.7 eq www
access-list 121 permit tcp any host 203.30.44.7 eq 443
access-list 121 permit tcp any host 203.30.44.8 eq www
access-list 121 permit tcp any host 203.30.44.8 eq 443
access-list 121 permit tcp any host 203.30.44.12 eq 2703
access-list 121 permit tcp any host 203.30.44.13 eq www
access-list 121 permit tcp any host 203.30.44.13 eq 443
access-list 121 permit tcp any host 203.30.44.17 eq www
access-list 121 permit tcp any host 203.30.44.17 eq 443
access-list 121 permit tcp any host 203.30.44.18 eq www
access-list 121 permit tcp any host 203.30.44.18 eq 443
access-list 121 permit tcp any host 203.30.44.19 eq www
access-list 121 permit tcp any host 203.30.44.19 eq 443
access-list 121 permit tcp any host 203.30.44.19 eq 554
access-list 121 permit tcp any host 203.30.44.19 eq 8000
access-list 121 permit tcp any host 203.30.44.20 eq www
access-list 121 permit tcp any host 203.30.44.20 eq 443
access-list 121 permit tcp any host 203.30.44.31 eq www
access-list 121 permit tcp any host 203.30.44.33 eq www
access-list 121 permit tcp any host 203.30.44.34 eq www
access-list 121 permit tcp any host 203.30.44.35 eq www
access-list 121 permit tcp any host 203.30.44.36 eq www
access-list 121 permit ip any host 203.30.44.60
access-list 121 deny ip any any log
access-list 122 remark outbound traffic via dial interface dialer 0
access-list 122 deny tcp any any eq 5938
access-list 122 deny udp any any eq 5938
access-list 122 permit ip any any
!
banner login ^CCCCYou have reached the guardian at the gate, if you know the password enter it now.
If you don't know the password then you are not authorised to enter, turn back now
or risk the sheer terror of the deepest depths of hell where the foulest of creatures
lurk awaiting the unwary traveller.
Have a nice day ;-)
^C
!
line con 0
no modem enable
transport output telnet
line aux 0
transport output telnet
line vty 0 4
exec-timeout 30 0
password PASSWORD
transport input telnet ssh
!
no cdp run
!
ntp clock-period 17180370
ntp server 129.143.2.23
!
webvpn cef
!
line vty 0 4
access-class 1 in
no exec-timeout
privilege level 15
login local
transport preferred ssh
transport input ssh
controller vdsl 0
lldp run

Hi Georg

Thanks for the quick response.

Question: are you saying that with the ACLs 101, 102 and 122 removed there will be a free flow of data from DMZ to WAN?

There should be. Did you try removing these access lists?

Thanks Georg

I removed the access-lists as suggested and I am able to connect to up-stream hosts now, but my access-list 121 does not seem to be working properly. As I said, this configuration was working on an older ADSL router, so there must be something that changed with the IOS version.

I have a host 203.30.44.1 which controls communication between the internal networks and the DMZ. Again, this was working perfectly with the older router, so I have no reason to suspect it. It seems now that answers to DNS queries are blocked by the new router. This is from the router log:

.Aug 31 03:09:59.281: %SEC-6-IPACCESSLOGP: list 121 denied udp 208.67.222.222(53) -> 203.30.44.1(25279), 1 packet
.Aug 31 03:10:00.289: %SEC-6-IPACCESSLOGP: list 121 denied udp 208.67.222.222(53) -> 203.30.44.1(26408), 1 packet
.Aug 31 03:10:01.394: %SEC-6-IPACCESSLOGP: list 121 denied tcp 146.199.16.46(53) -> 203.30.44.61(80), 1 packet
.Aug 31 03:10:02.446: %SEC-6-IPACCESSLOGP: list 121 denied udp 217.146.18.1(53) -> 203.30.44.1(51310), 1 packet

Is there a syntax error in my config?

access-list 121 permit udp any host 203.30.44.1 eq domain
access-list 121 permit tcp any host 203.30.44.1 eq domain

Hello,

The DNS queries go to various other ports, as the log you posted shows.

Change the access list entries to:

access-list 121 permit udp any eq domain host 203.30.44.1
access-list 121 permit tcp any eq domain host 203.30.44.1

If that doesn't work, you need to find out why these random ports are being used. Or just use these entries:

access-list 121 permit udp any host 203.30.44.1
access-list 121 permit tcp any host 203.30.44.1

Hello

@Georg Pauwen "you need to find out why these random ports are being used. Or just use these entries:"
FYI, those are ephemeral ports; they are ports being opened up dynamically, probably by a Windows host.


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul
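The matching behaviour behind Georg's reordered entries and Paul's ephemeral-port remark, as an added example that is not code from the thread: a small Python model of Cisco extended-ACL matching (first match wins, implicit deny at the end, `eq` after the source address matching the source port and `eq` after the destination matching the destination port), replayed over the four log lines quoted above. The `PORTS` table, the function names and the stateless simplification (keywords such as `established` are ignored) are this example's own assumptions.

```python
import re
from ipaddress import ip_address, ip_network
# Constructed from the four %SEC-6-IPACCESSLOGP lines quoted in the thread.
LOG = """\
.Aug 31 03:09:59.281: %SEC-6-IPACCESSLOGP: list 121 denied udp 208.67.222.222(53) -> 203.30.44.1(25279), 1 packet
.Aug 31 03:10:00.289: %SEC-6-IPACCESSLOGP: list 121 denied udp 208.67.222.222(53) -> 203.30.44.1(26408), 1 packet
.Aug 31 03:10:01.394: %SEC-6-IPACCESSLOGP: list 121 denied tcp 146.199.16.46(53) -> 203.30.44.61(80), 1 packet
.Aug 31 03:10:02.446: %SEC-6-IPACCESSLOGP: list 121 denied udp 217.146.18.1(53) -> 203.30.44.1(51310), 1 packet
"""
LOG_RE = re.compile(r"denied (\w+) ([\d.]+)\((\d+)\) -> ([\d.]+)\((\d+)\)")
PORTS = {"domain": 53, "www": 80, "ftp": 21, "ftp-data": 20}  # IOS port names seen in the thread

def parse_ace(line):
    """'access-list N permit|deny PROTO SRC [eq P] DST [eq P] ...', SRC/DST being 'any' or
    'host A'. Trailing keywords (established, ICMP types, log) are ignored: stateless model."""
    t, i = line.split(), 4  # t[0..3] = access-list, number, action, protocol
    def addr():
        nonlocal i
        i += 1 if t[i] == "any" else 2  # 'any' is one token, 'host A' is two
        return ip_network("0.0.0.0/0" if t[i - 1] == "any" else t[i - 1] + "/32")
    def port():
        nonlocal i
        if i < len(t) and t[i] == "eq":
            i += 2
            return PORTS.get(t[i - 1]) or int(t[i - 1])
    src, sport, dst, dport = addr(), port(), addr(), port()
    return dict(action=t[2], proto=t[3], src=src, sport=sport, dst=dst, dport=dport)

def acl_decision(acl, pkt):
    """First matching ACE wins; no match hits the implicit 'deny ip any any'."""
    proto, src, sport, dst, dport = pkt
    for a in acl:
        if (a["proto"] in ("ip", proto) and ip_address(src) in a["src"]
                and ip_address(dst) in a["dst"] and a["sport"] in (None, sport)
                and a["dport"] in (None, dport)):
            return a["action"]
    return "deny"

def decisions(acl_lines, log_text):
    """Replay every packet the log reports as denied through ACL lines; permit/deny per line."""
    acl = [parse_ace(l) for l in acl_lines]
    pkts = [(m[1], m[2], int(m[3]), m[4], int(m[5])) for m in LOG_RE.finditer(log_text)]
    return [acl_decision(acl, p) for p in pkts]

# 'eq domain' after the destination matches the destination port, so a DNS reply coming
# *from* port 53 to an ephemeral port never matches; after the source it matches the reply.
ORIGINAL = ["access-list 121 permit udp any host 203.30.44.1 eq domain",
            "access-list 121 permit tcp any host 203.30.44.1 eq domain"]
REORDERED = ["access-list 121 permit udp any eq domain host 203.30.44.1",
             "access-list 121 permit tcp any eq domain host 203.30.44.1"]
```

`decisions(ORIGINAL, LOG)` denies all four packets, while `decisions(REORDERED, LOG)` permits the three replies to 203.30.44.1 and still denies the packet to 203.30.44.61, which neither entry covers.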

paul driver
VIP Expert

Hello

I assume this is related to your ACL 122.

That ACL has two specific deny ACE entries and then an implicit deny all, hence when applied it's denying all return traffic into the DMZ unless, as you have stated, you append the permit any any.


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Thanks Paul

Georg Pauwen steered me in the right direction and I removed the ACLs on the DMZ interface as well as ACL 122. I was misled by the fact that the configuration worked on an older router with a much older IOS.
