Solved: Cannot get to my web server. How to format my ACL?

Daniel Perez · ‎06-05-2011

Please help. Thank you for looking into this problem. This is for a Cisco 851W

This is a somewhat newb question and I am reluctant to find out how easy this fix is but I have spent countless hours trying different config setups and I just cant seem to get it to work.

I have basically scrapped my entire configuration file and started from scratch.

I have a dynamic ip address for the Wan. I have a client that runs on the web server to update my DYNDNS records. No problems with address resolution.

My web server sits on the Lan side at 192.168.1.60 listening on port 80. Could someone look at this config file and tell me the correct lines I need to forward web traffic to the server?

I have tried "ip nat inside source static tcp 192.168.1.60 80 Inteface FA4 80" and I messed with the ACL's but no dice. I think my problem will be with the ACL's. I have removed any ACL entries I attempted from the attached file.

I am certain the web server is working and I can get to it locally typing 192.168.1.60 in my browser. Also as a test I switched SDM from listening on 8080 to 80 and I get a response from it when I try to access the web server. I do realize that HTTP is not a secure channel for SDM credentials but I only did it as a test to see if I could get a response.

All corrections and/or tweaks are highly appreciated.

Here is my config:

no service pad

service timestamps debug datetime msec

service timestamps log datetime msec

service password-encryption

!

hostname MyRouter

!

boot-start-marker

boot-end-marker

!

enable secret 5 $1$vUin$z8jVWcVxL3hIVSF3.P5q55

enable password 7 141B171305072528A8

!

aaa new-model

!

aaa authentication login default local

aaa authorization exec default local

!

aaa session-id common

!

crypto pki trustpoint TP-self-signed-1309454896

enrollment selfsigned

subject-name cn=IOS-Self-Signed-Certificate-1309454896

revocation-check none

rsakeypair TP-self-signed-1309454896

!

crypto pki certificate chain TP-self-signed-1309454896

certificate self-signed 01

3082024F 308201B8 A0030311 02020101 300D0609 2A864886 F70D0101

31312F30 2D060355 04031329 494F532D 53656C56 2D536967 6E65642D

C6608620 598A14DA 65E820EF 29D603FC D8703B............................

quit

!

dot11 ssid GenLabs

!

dot11 ssid GenLabsGuest

vlan 20

authentication open

authentication key-management wpa

wpa-psk ascii 7 0815444B3B16071806182D162F082B253A3B25

!

dot11 ssid Genlabs

vlan 1

authentication open

authentication key-management wpa

guest-mode

wpa-psk ascii 7 091D545D4B5014131818082F

!

ip dhcp excluded-address 192.168.1.1 192.168.1.99

ip dhcp excluded-address 192.168.2.1 192.168.2.99

!

ip dhcp pool Internal-Net

import all

network 192.168.1.0 255.255.255.0

default-router 192.168.1.1

domain-name MyDomain.local

lease 4

!

ip dhcp pool VLAN20

import all

network 192.168.2.0 255.255.255.0

default-router 192.168.2.1

domain-name MyDomain.local

lease 4

!

ip cef

ip inspect name MYFW tcp

ip inspect name MYFW udp

no ip domain lookup

ip domain name MyDomain.local

!

username Generatorlabs privilege 15 password 7 10420C010C141D055D

archive

log config

hidekeys

!

bridge irb

!

interface FastEthernet0

spanning-tree portfast

!

interface FastEthernet1

spanning-tree portfast

!

interface FastEthernet2

spanning-tree portfast

!

interface FastEthernet3

spanning-tree portfast

!

interface FastEthernet4

ip address dhcp

ip access-group Internet-inbound-ACL in

ip inspect MYFW out

ip nat outside

ip virtual-reassembly

ip tcp adjust-mss 1460

duplex auto

speed auto

no cdp enable

!

interface Dot11Radio0

no ip address

no dot11 extension aironet

!

encryption vlan 1 mode ciphers aes-ccm

!

encryption vlan 20 mode ciphers aes-ccm

!

encryption mode ciphers aes-ccm

!

ssid GenLabs

!

ssid GenLabsGuest

!

speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0

channel 2437

station-role root

no cdp enable

!

interface Dot11Radio0.1

encapsulation dot1Q 1 native

bridge-group 1

bridge-group 1 subscriber-loop-control

bridge-group 1 spanning-disabled

bridge-group 1 block-unknown-source

no bridge-group 1 source-learning

no bridge-group 1 unicast-flooding

!

interface Dot11Radio0.20

description Guest wireless LAN - routed WLAN

encapsulation dot1Q 20

ip address 192.168.2.1 255.255.255.0

ip access-group Guest-ACL in

ip inspect MYFW out

ip nat inside

ip virtual-reassembly

!

interface Vlan1

description Internal Network

no ip address

ip nat inside

ip virtual-reassembly

bridge-group 1

bridge-group 1 spanning-disabled

!

interface BVI1

description Bridge to Internal Network

ip address 192.168.1.1 255.255.255.0

ip nat inside

ip virtual-reassembly

!

ip route 0.0.0.0 0.0.0.0 dhcp

!

ip http server

ip http port 8080

ip http secure-server

ip nat inside source list 1 interface FastEthernet4 overload

ip nat inside source static tcp 192.168.1.60 80 interface FastEthernet4 80

!

ip access-list extended Guest-ACL

deny ip any 192.168.1.0 0.0.0.255

permit ip any any

ip access-list extended Internet-inbound-ACL

permit udp any eq bootps any eq bootpc

permit icmp any any echo

permit icmp any any echo-reply

permit icmp any any traceroute

permit gre any any

permit esp any any

!

access-list 1 permit 192.168.1.0 0.0.0.255

access-list 1 permit 192.168.2.0 0.0.0.255

!

control-plane

!

bridge 1 route ip

!

line con 0

password 7 030888130F0C2E421F

no modem enable

line aux 0

line vty 0 4

password 7 07032457110A160B46

!

scheduler max-task-time 5000

end

Giuseppe Larosa · ‎06-06-2011

Hello Daniel,

on your WAN interface Fas4 you have applied an inbound ACL that doesn't allow http sessions started from outside

you have also configured CBAC and you have it applied outbound on the same interface Fas4.

The question is that HTTP sessions are started from client that is on outside world, so even if you haven't provided the configuration of the CBAC policy MYFW we can say that there is no way for CBAC to be of help in this case.

It is helpful in opening temporary permit statements for sessions started from inside to outside not the opposite.

You would need a line that allows HTTP traffic inbound like

ip access-list extended Internet-inbound-ACL

permit tcp any any eq http

to be added to access-list

the real issue is that you cannot know what IP address you get from DHCP in advance so this is not totally safe, but it can demonstrate where the problem is.

Hope to help

Giuseppe

View solution in original post

Giuseppe Larosa · ‎06-06-2011

Hello Daniel,

on your WAN interface Fas4 you have applied an inbound ACL that doesn't allow http sessions started from outside

you have also configured CBAC and you have it applied outbound on the same interface Fas4.

The question is that HTTP sessions are started from client that is on outside world, so even if you haven't provided the configuration of the CBAC policy MYFW we can say that there is no way for CBAC to be of help in this case.

It is helpful in opening temporary permit statements for sessions started from inside to outside not the opposite.

You would need a line that allows HTTP traffic inbound like

ip access-list extended Internet-inbound-ACL

permit tcp any any eq http

to be added to access-list

the real issue is that you cannot know what IP address you get from DHCP in advance so this is not totally safe, but it can demonstrate where the problem is.

Hope to help

Giuseppe

Daniel Perez · ‎06-06-2011

Giuseppe:

I tried it again and it worked this time. I know I tried this same combination before but here is where my snag is.

If I try to access www.mysite.com from inside the lan it will not work. If I do it from a completely different network it resolves ok.

So if I may ask you advice again I have 3 questions:

a) Why does the domain name not resolve on the local network? If my LAN's DHCP server is dishing out addresses and DNS server info to each client wouldn't any DNS request ulitimately be passed on to my ISP's DNS servers and then re-routed back to me?

b) I quote the following statement: "the real issue is that you cannot know what IP address you get from DHCP in advance so this is not totally safe" This confuses me a little. If I have all port 80 traffic being forwarded to a specific IP address on the LAN how does it become unsafe for the rest of the network by using 'permit tcp any any'?

c) Is there no command convention that can be used to capture the Dynamic WAN address in ACL commands? EX something like 'permit any fa4 dhcp eq www' (I realize this is not a legal command)

This boggles my mind because I have used many of the GUI based low-end SOHO products by Cisco (RV042) and implementing a simple web forward always is an option on these devices even when using Dynamic DNS. I love the 851/871, so much so that I created digital art with it (see photo) but I have to admit it is not the most inuitive device.

Thanks to all for any help.

ashok_boin · ‎06-06-2011

Hi,

You may consider Reflexive ACLs for your purpose.

http://www.cisco.com/en/US/docs/ios/12_2/security/configuration/guide/scfreflx.html#wp1001270

Regards..

-Ashok.

With best regards...
Ashok

cadet alain · ‎06-06-2011

Hi Ashok,

He wants to initiate connections from outside to his internal server so reflexive ACLs won't help at all as they are only used to open holes in a restrictive ACL permitting return traffic to go through the firewall but here it is not return traffic , it is initial traffic so he must permit tcp from any to any on port 80 as was already answered by Giuseppe.

Regards.

Alain.

Don't forget to rate helpful posts.

Daniel Perez · ‎06-06-2011

Sorry for the duplicate post. I put my initial response in the wrong place.

Thank you everyone for your responses. I always find good information on this forum.

Giuseppe:

I tried it again and it worked this time. I know I tried that same ACL combination so I can't explain what went wrong. Here is my current snag.

If I try to access www.mysite.com from inside the lan it will not work. If I do it from a completely different network it resolves ok.

So if I may ask you advice again I have 3 questions:

a) Why does the domain name not resolve on the local network? If my LAN's DHCP server is dishing out addresses and DNS server info to each client wouldn't any DNS request ulitimately be passed on to my ISP's DNS servers and then re-routed back to me?

b) I quote the following statement: "the real issue is that you cannot know what IP address you get from DHCP in advance so this is not totally safe" This confuses me a little. If I have all port 80 traffic being forwarded to a specific IP address on the LAN how does it become unsafe for the rest of the network by using 'permit tcp any any'?

c) Is there no command convention that can be used to capture the Dynamic WAN address in ACL commands? EX something like 'permit any fa4 dhcp eq www' (I realize this is not a legal command)

This boggles my mind because I have used many of the GUI based low-end SOHO products by Cisco (RV042) and implementing a simple web forward was always an EASY option on these devices even when using Dynamic DNS. I love the 851/871, so much so that I created a working digital art piece with it which is hung on my wall (see photo). I still have to admit, it is not the most inuitive device.

cadet alain · ‎06-07-2011

Daniel,

1) your ISP DNS reply will give you the public address not the LAN address unless you do what is called DNS doctoring but I don't think this is a feature of the 800 serie.

2)

permit tcp any any

so you are permitting http connection to anybody in your LAN not just the server with the static PAT

3) I think you can use hostnames in your ACL

It's because you are accustomed to SMB routers with GUI that you find the 800 serie non intuitive but once you have played more with it you'll see you can do more stuff with the CLI than on any other low end router.

Regards.

Alain.

Don't forget to rate helpful posts.

Daniel Perez · ‎06-07-2011

After some thought, why couldn't I use "tcp any host 192.168.1.60 eq www"? Wouldn't that close the scope on that ACL?

cadet alain · ‎06-08-2011

No you can't use this address as it is a private address which is not routeable on the internet and so will never appear as destination IP.

Regards.

Alain.

Don't forget to rate helpful posts.