02-24-2012 07:14 AM - edited 03-04-2019 03:25 PM
Hi everyone, I was wondering if any of you can help me with an issue I am having with an inbound ACL on my router's public interface. Even though I allow web traffic, it still blocks it, as I am not able to surf out. What am I doing wrong?
ip access-list extended BLOCK
permit udp any eq bootps any eq bootpc
remark Block antispoofing
deny ip host 255.255.255.255 any log
deny ip 127.0.0.0 0.255.255.255 any log
deny ip 10.0.0.0 0.255.255.255 any log
deny ip 172.16.0.0 0.15.255.255 any log
deny ip 192.168.0.0 0.0.255.255 any log
deny ip any 10.0.0.0 0.255.255.255 log
deny ip any 172.16.0.0 0.15.255.255 log
deny ip any 192.168.0.0 0.0.255.255 log
remark permit web traffic
permit tcp any any eq www
remark allow reply to an echo request
permit icmp any any echo-reply
deny icmp any any redirect
deny ip any any
02-24-2012 07:18 AM
Can you post the counts for the acl?
sh access-list BLOCK
02-24-2012 07:21 AM
Here you go; there are a few extra PERMIT statements here, as I had narrowed it down earlier.
r-exp-lab-1#sh access-lists BLOCK
Extended IP access list BLOCK
10 permit udp any eq bootps any eq bootpc
20 deny ip host 255.255.255.255 any log
30 deny ip 127.0.0.0 0.255.255.255 any log
40 deny ip 10.0.0.0 0.255.255.255 any log
50 deny ip 172.16.0.0 0.15.255.255 any log
60 deny ip 192.168.0.0 0.0.255.255 any log
70 deny ip any 10.0.0.0 0.255.255.255 log
80 deny ip any 172.16.0.0 0.15.255.255 log
90 deny ip any 192.168.0.0 0.0.255.255 log
100 permit tcp any any eq www
110 permit tcp any any eq 22
120 permit udp any any eq isakmp (28 matches)
130 permit esp any any (19 matches)
140 permit gre any any
150 permit udp any any eq non500-isakmp
160 permit icmp any any echo-reply (6 matches)
170 deny icmp any any redirect
180 deny ip any any (199 matches)
02-24-2012 07:25 AM
Okay...a couple of things:
1. Are you trying to surf the web through the tunnel?
2. It doesn't look like you're allowing dns. Try adding:
ip access-list ext BLOCK
5 permit udp any any eq domain
02-24-2012 08:08 AM
Hi there, so I made some modifications and now it seems to be working.
ip access-list extended BLOCK
permit udp any eq bootps any eq bootpc
remark Block antispoofing
deny ip host 255.255.255.255 any log
deny ip 127.0.0.0 0.255.255.255 any log
deny ip 10.0.0.0 0.255.255.255 any log
deny ip 172.16.0.0 0.15.255.255 any log
deny ip 192.168.0.0 0.0.255.255 any log
deny ip any 10.0.0.0 0.255.255.255 log
deny ip any 172.16.0.0 0.15.255.255 log
deny ip any 192.168.0.0 0.0.255.255 log
permit tcp any any eq 22
remark gre tunnels permitted
permit udp any any eq isakmp
permit esp any any
permit gre any any
permit udp any any eq non500-isakmp
remark allow reply to an echo request
permit icmp any any echo-reply
deny icmp any any redirect
deny ip any any
I created a NAT ACL:
ip access-list extended nat_control
deny ip 172.18.0.0 0.0.255.255 10.0.0.0 0.255.255.255
deny ip 172.18.0.0 0.0.255.255 172.16.0.0 0.0.255.255
deny ip 172.18.0.0 0.0.255.255 192.168.0.0 0.0.255.255
deny ip 172.18.0.0 0.0.255.255 211.128.0.0 0.0.255.255
deny ip 172.18.0.0 0.0.255.255 199.126.0.0 0.0.255.255
permit ip 172.18.0.0 0.0.255.255 any
I created a route-map and applied nat_control to my outside interface:
route-map primary_nat permit 10
description primary_nat
match ip address nat_control
match interface GigabitEthernet0/0
ip nat inside source route-map primary_nat interface GigabitEthernet0/0 overload
I also added an outbound inspect for http on GigabitEthernet0/0.
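To make the mechanics behind this thread concrete, here is an added example (Python, not configuration or code from the thread or from Cisco): a small model of how a stateless extended ACL evaluates packets, top down, first match wins, implicit deny at the end. It condenses the BLOCK list from the posts into a few entries and runs three constructed packets through it: the SYN/ACK a web server sends back to the router's public address, the same packet once an outbound inspect has installed a return entry, and a DNS reply. The addresses, port numbers and the `return_entry` helper are assumptions made for the demonstration; the entry shapes mirror the thread's ACL.

```python
# Added example, not configuration or code from the thread: a toy model of a
# stateless Cisco-style extended ACL (first match wins, implicit deny at the end),
# used to show why "permit tcp any any eq www" on an inbound ACL does not admit
# the return half of an outbound web session, and what an outbound inspect adds.
# Addresses are constructed from documentation ranges.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str                 # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    ack: bool = False          # TCP ACK/RST set; what the IOS 'established' keyword tests


@dataclass(frozen=True)
class Entry:
    action: str                # "permit" or "deny"
    proto: str                 # "ip" matches every protocol
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    sport: Optional[int] = None   # None means any port
    dport: Optional[int] = None
    established: bool = False  # only match TCP segments with ACK/RST set

    def matches(self, p: Packet) -> bool:
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if ip_address(p.src) not in ip_network(self.src):
            return False
        if ip_address(p.dst) not in ip_network(self.dst):
            return False
        if self.sport is not None and p.sport != self.sport:
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        if self.established and not (p.proto == "tcp" and p.ack):
            return False
        return True


def evaluate(acl: List[Entry], p: Packet) -> Tuple[str, Optional[int]]:
    """Return (action, 1-based entry index); index None means the implicit deny fired."""
    for n, e in enumerate(acl, start=1):
        if e.matches(p):
            return e.action, n
    return "deny", None


def return_entry(outbound: Packet) -> Entry:
    """Hypothetical model of what an outbound inspect does: permit the exact
    reverse 5-tuple of a session the router saw leaving."""
    return Entry("permit", outbound.proto, src=outbound.dst, dst=outbound.src,
                 sport=outbound.dport or None, dport=outbound.sport or None)


# Inbound ACL on the public interface, condensed from the thread's BLOCK list:
# antispoofing denies, a permit for traffic *to* port 80, echo replies, then deny.
INBOUND = [
    Entry("deny", "ip", src="10.0.0.0/8"),
    Entry("deny", "ip", src="172.16.0.0/12"),
    Entry("deny", "ip", src="192.168.0.0/16"),
    Entry("permit", "tcp", dport=80),
    Entry("permit", "icmp"),   # echo-reply; ICMP type matching omitted in this model
    Entry("deny", "ip"),
]

# Constructed traffic: the router's NATed public address browsing a web server.
PUBLIC = "198.51.100.1"
WEB = "203.0.113.10"
OUTBOUND_SYN = Packet("tcp", PUBLIC, WEB, sport=51234, dport=80)
RETURN_SYNACK = Packet("tcp", WEB, PUBLIC, sport=80, dport=51234, ack=True)
# A DNS reply has the same shape: source port 53, high destination port.
DNS_REPLY = Packet("udp", WEB, PUBLIC, sport=53, dport=40001)


def stateless_result() -> Tuple[str, Optional[int]]:
    # The SYN/ACK has destination port 51234, so "eq www" (destination 80) never
    # matches and the packet falls through to the explicit deny ip any any.
    return evaluate(INBOUND, RETURN_SYNACK)


def inspected_result() -> Tuple[str, Optional[int]]:
    # With inspection, the outbound SYN creates a return entry ahead of the static ACL.
    dynamic = [return_entry(OUTBOUND_SYN)]
    return evaluate(dynamic + INBOUND, RETURN_SYNACK)


def established_result() -> Tuple[str, Optional[int]]:
    # The older stateless alternative: permit TCP from port 80 only when ACK/RST
    # is set. Covers no UDP and keeps no real state, but shows the direction a fix
    # has to take: match the reply's source port, not its destination port.
    acl = INBOUND[:3] + [Entry("permit", "tcp", sport=80, established=True)] + INBOUND[3:]
    return evaluate(acl, RETURN_SYNACK)


if __name__ == "__main__":
    print("stateless inbound ACL:", stateless_result())          # ('deny', 6)
    print("with outbound inspect:", inspected_result())          # ('permit', 1)
    print("with 'established':", established_result())           # ('permit', 4)
    print("DNS reply, stateless:", evaluate(INBOUND, DNS_REPLY)) # ('deny', 6)
```

The point the model makes is that an inbound ACL sees the reply packets of a session the inside started, and those replies carry the well-known port as the source, not the destination; a static `eq www` entry therefore only admits connections *to* a web server behind the router. An inspect rule on the outbound direction opens the reverse flow per session and then closes it, which is why the final configuration in the thread works without any inbound permit for port 80.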