ACL issue when accessing websites

mmurray
Level 1

I am having a problem with my ACL configuration on a 1720 router. When users try to surf with the following ACL they get blocked:

ip access-list extended PERIMETER
 permit udp host 17.29.14.73 host 21.31.116.209 eq isakmp
 permit esp host 17.29.14.73 host 21.31.116.209
 permit ip 172.18.3.0 0.0.0.255 172.22.3.0 0.0.0.255
 permit icmp any any unreachable
 permit icmp any any echo-reply
 permit tcp any any eq www
 deny ip any any log

Here are the log messages from the deny statement:

*Mar 1 17:03:13: %SEC-6-IPACCESSLOGP: list PERIMETER denied tcp 74.125.91.113(80) -> 21.31.116.209(2791), 1 packet
*Mar 1 17:03:17: %SEC-6-IPACCESSLOGP: list PERIMETER denied tcp 69.28.155.49(80) -> 21.31.116.209(2794), 1 packet
*Mar 1 17:03:18: %SEC-6-IPACCESSLOGP: list PERIMETER denied tcp 63.245.209.93(80) -> 21.31.116.209(2796), 1 packet
*Mar 1 17:03:31: %SEC-6-IPACCESSLOGP: list PERIMETER denied tcp 74.125.91.139(80) -> 21.31.116.209(2731), 2 packets
*Mar 1 17:03:37: %SEC-6-IPACCESSLOGP: list PERIMETER denied tcp 74.125.91.138(80) -> 21.31.116.209(2769), 2 packets

So I can see that the packet goes out on port 80 but comes back on a dynamic port. How can I allow this traffic without opening a ton of ports?

Complete config:

1720#sh run
Building configuration...

Current configuration : 2197 bytes
!
version 12.1
no service single-slot-reload-enable
service timestamps debug datetime
service timestamps log datetime
service password-encryption
!
hostname 1720
!
no logging buffered
no logging buffered
logging rate-limit console 10 except errors
!
memory-size iomem 25
clock timezone EST -5
ip subnet-zero
no ip finger
no ip domain-lookup
ip dhcp excluded-address 172.22.3.1 172.22.3.20
!
ip dhcp pool dhcppool
   network 172.22.3.0 255.255.255.0
   default-router 172.22.3.1
   dns-server 172.18.3.24 172.18.3.26
!
ip audit notify log
ip audit po max-events 100
!
!
crypto isakmp policy 10
 hash md5
 authentication pre-share
 group 2
crypto isakmp key cisco123 address 17.29.14.73
!
!
crypto ipsec transform-set ASA5510 esp-des esp-md5-hmac
!
crypto map VPNmap 10 ipsec-isakmp
 set peer 17.29.14.73
 set transform-set ASA5510
 set pfs group2
 match address ASA5510
!
!
!
!
interface Ethernet0
 ip address 21.31.116.209 255.255.255.252
 ip access-group PERIMETER in
 ip nat outside
 half-duplex
 crypto map VPNmap
!
interface FastEthernet0
 description LAN
 ip address 172.22.3.1 255.255.255.0
 ip nat inside
 speed auto
!
ip nat inside source list NAT_ADDRESSES interface Ethernet0 overload
ip kerberos source-interface any
ip classless
ip route 0.0.0.0 0.0.0.0 21.31.116.210
no ip http server
!
!
ip access-list extended NAT_ADDRESSES
 deny ip 172.22.3.0 0.0.0.255 172.18.3.0 0.0.0.255
 permit ip 172.22.3.0 0.0.0.255 any
ip access-list extended PERIMETER
 permit udp host 17.29.14.73 host 21.31.116.209 eq isakmp
 permit esp host 17.29.14.73 host 21.31.116.209
 permit ip 172.18.3.0 0.0.0.255 172.22.3.0 0.0.0.255
 permit icmp any any unreachable
 permit icmp any any echo-reply
 permit tcp any any eq www
 deny ip any any log
ip access-list extended ASA5510
 permit ip 172.22.3.0 0.0.0.255 172.18.3.0 0.0.0.255
alias exec sr show run
alias exec s sh ip int br
alias exec srt show ip route
!
line con 0
 logging synchronous
 transport input none
line aux 0
line vty 0 4
 exec-timeout 0 0
 logging synchronous
 login local
!
no scheduler allocate
end

3 Replies

Jon Marshall
Hall of Fame

In your acl PERIMETER change this line

permit tcp any any eq www

to

permit tcp any eq 80 any

Jon

A reflexive access-list would do the job as well...

something like

ip access-list extended LAN
 permit ip any any reflect LAN

Apply this to the fast0/0 on the inbound direction and then you would add this line to the beginning of your perimeter acl

evaluate LAN

Cheers

I'm sorry, I made a mistake here: "ip access-list extended LAN". You should name your acl with a different name than the one after the "reflect" command.

Cheers

P.S. - with this reflexive access-list all your LAN traffic to the internet will be permitted to pass through the firewall back in....
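To see why the original entry fails and what Jon's replacement trades away, here is a small evaluator for the ACL subset used in this thread (an added example, not code from the original poster or from Cisco). It assumes IOS first-match semantics with the implicit deny at the end, treats the wildcard mask as a hostmask, ignores trailing keywords such as log, and feeds it the first packet from the posted log plus a constructed unsolicited packet from 203.0.113.5: the original entry denies the returning HTTP reply, the replacement permits it, but the replacement also permits any unsolicited TCP segment that merely uses source port 80, which is the gap the reflexive access-list proposed above closes.

```python
import ipaddress

PORT_NAMES = {"www": 80, "isakmp": 500}  # the two port names used in the thread's ACL

def _take_addr(tok, i):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'; return (matcher, next index)."""
    if tok[i] == "any":
        return (lambda ip: True), i + 1
    if tok[i] == "host":
        return (lambda ip, h=tok[i + 1]: ip == h), i + 2
    net = ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}", strict=False)  # wildcard == hostmask
    return (lambda ip, n=net: ipaddress.ip_address(ip) in n), i + 2

def _take_port(tok, i):
    """Consume an optional 'eq PORT' (name or number); None means any port."""
    if i < len(tok) and tok[i] == "eq":
        return PORT_NAMES.get(tok[i + 1]) or int(tok[i + 1]), i + 2
    return None, i

def parse_acl(text):
    """Parse permit/deny entries; trailing words such as 'log' or ICMP types are ignored."""
    rules = []
    for line in text.strip().splitlines():
        tok = line.split()
        src, i = _take_addr(tok, 2)
        sport, i = _take_port(tok, i)
        dst, i = _take_addr(tok, i)
        dport, i = _take_port(tok, i)
        rules.append((tok[0], tok[1], src, sport, dst, dport))
    return rules

def evaluate_acl(acl_text, proto, src, sport, dst, dport):
    """First matching entry wins; no match falls through to the implicit deny."""
    for action, rproto, rsrc, rsport, rdst, rdport in parse_acl(acl_text):
        if (rproto in ("ip", proto) and rsrc(src) and rdst(dst)
                and rsport in (None, sport) and rdport in (None, dport)):
            return action
    return "deny"

ORIGINAL = "permit tcp any any eq www\ndeny ip any any log"   # the thread's entry
SUGGESTED = "permit tcp any eq 80 any\ndeny ip any any log"   # Jon's replacement

# First denied packet from the thread's log: the HTTP reply returning to an ephemeral port.
REPLY = ("tcp", "74.125.91.113", 80, "21.31.116.209", 2791)
# Constructed packet: an unsolicited segment sourced from port 80 to an inside service port.
UNSOLICITED = ("tcp", "203.0.113.5", 80, "21.31.116.209", 23)

def compare():
    """Verdict of each ACL for both packets, keyed by ACL name then packet name."""
    return {name: {"reply": evaluate_acl(acl, *REPLY), "unsolicited": evaluate_acl(acl, *UNSOLICITED)}
            for name, acl in (("original", ORIGINAL), ("suggested", SUGGESTED))}
```

IOS also offers the established keyword (permit tcp any any established), which matches only segments with the ACK or RST bit set; it is tighter than a source-port match but, unlike a reflexive list, still not stateful.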
