I am having a problem with my ACL configuration on a 1720 router. When users try to surf with the following ACL they get blocked:
ip access-list extended PERIMETER
permit udp host 17.29.14.73 host 21.31.116.209 eq isakmp
permit esp host 17.29.14.73 host 21.31.116.209
permit ip 172.18.3.0 0.0.0.255 172.22.3.0 0.0.0.255
permit icmp any any unreachable
permit icmp any any echo-reply
permit tcp any any eq www
deny ip any any log
Here are the log messages from the deny statement:
*Mar 1 17:03:13: %SEC-6-IPACCESSLOGP: list PERIMETER denied tcp 74.125.91.113(80) -> 21.31.116.209(2791), 1 packet
*Mar 1 17:03:17: %SEC-6-IPACCESSLOGP: list PERIMETER denied tcp 69.28.155.49(80) -> 21.31.116.209(2794), 1 packet
*Mar 1 17:03:18: %SEC-6-IPACCESSLOGP: list PERIMETER denied tcp 63.245.209.93(80) -> 21.31.116.209(2796), 1 packet
*Mar 1 17:03:31: %SEC-6-IPACCESSLOGP: list PERIMETER denied tcp 74.125.91.139(80) -> 21.31.116.209(2731), 2 packets
*Mar 1 17:03:37: %SEC-6-IPACCESSLOGP: list PERIMETER denied tcp 74.125.91.138(80) -> 21.31.116.209(2769), 2 packets
So I can see that the packet goes out on port 80 but comes back on a dynamic port. How can I allow this traffic without opening a ton of ports?
Complete config:
1720#sh run
Building configuration...
Current configuration : 2197 bytes
!
version 12.1
no service single-slot-reload-enable
service timestamps debug datetime
service timestamps log datetime
service password-encryption
!
hostname 1720
!
no logging buffered
no logging buffered
logging rate-limit console 10 except errors
!
memory-size iomem 25
clock timezone EST -5
ip subnet-zero
no ip finger
no ip domain-lookup
ip dhcp excluded-address 172.22.3.1 172.22.3.20
!
ip dhcp pool dhcppool
network 172.22.3.0 255.255.255.0
default-router 172.22.3.1
dns-server 172.18.3.24 172.18.3.26
!
ip audit notify log
ip audit po max-events 100
!
!
crypto isakmp policy 10
hash md5
authentication pre-share
group 2
crypto isakmp key cisco123 address 17.29.14.73
!
!
crypto ipsec transform-set ASA5510 esp-des esp-md5-hmac
!
crypto map VPNmap 10 ipsec-isakmp
set peer 17.29.14.73
set transform-set ASA5510
set pfs group2
match address ASA5510
!
!
!
!
interface Ethernet0
ip address 21.31.116.209 255.255.255.252
ip access-group PERIMETER in
ip nat outside
half-duplex
crypto map VPNmap
!
interface FastEthernet0
description LAN
ip address 172.22.3.1 255.255.255.0
ip nat inside
speed auto
!
ip nat inside source list NAT_ADDRESSES interface Ethernet0 overload
ip kerberos source-interface any
ip classless
ip route 0.0.0.0 0.0.0.0 21.31.116.210
no ip http server
!
!
ip access-list extended NAT_ADDRESSES
deny ip 172.22.3.0 0.0.0.255 172.18.3.0 0.0.0.255
permit ip 172.22.3.0 0.0.0.255 any
ip access-list extended PERIMETER
permit udp host 17.29.14.73 host 21.31.116.209 eq isakmp
permit esp host 17.29.14.73 host 21.31.116.209
permit ip 172.18.3.0 0.0.0.255 172.22.3.0 0.0.0.255
permit icmp any any unreachable
permit icmp any any echo-reply
permit tcp any any eq www
deny ip any any log
ip access-list extended ASA5510
permit ip 172.22.3.0 0.0.0.255 172.18.3.0 0.0.0.255
alias exec sr show run
alias exec s sh ip int br
alias exec srt show ip route
!
line con 0
logging synchronous
transport input none
line aux 0
line vty 0 4
exec-timeout 0 0
logging synchronous
login local
!
no scheduler allocate
end
