Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2678
Views
0
Helpful
19
Replies

Cisco 897 ACL issue - block incoming traffic

sanjay.chauhan38
Level 1
Level 1

‎08-28-2020 11:54 AM

Hi,

 

I am facing an issue which I can't get my head around.  I would like to limit inbound traffic from the outside interface i.e. the WAN.  I have created an ACL and applied it to the WAN interface inbound.  However whenever I apply it, the ACL seems to works but all outbound traffic gets blocked too.

 

here is my config - any pointers would be much appreciated and I guess i'm missing something obvious!

 

interface ATM0
 no ip address
 shutdown
 no atm ilmi-keepalive
!
interface Ethernet0
 no ip address
 shutdown
!
interface GigabitEthernet0
 no ip address
!
interface GigabitEthernet1
 no ip address
!
interface GigabitEthernet2
 no ip address
!
interface GigabitEthernet3
 no ip address
!
interface GigabitEthernet4
 no ip address
!
interface GigabitEthernet5
 no ip address
!
interface GigabitEthernet6
 no ip address
!
interface GigabitEthernet7
 no ip address
!
interface GigabitEthernet8
 ip address 1.1.1.1 255.255.255.248
 ip access-group outside_access_in in
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 no cdp enable
!
interface Wlan-GigabitEthernet8
 no ip address
!
interface wlan-ap0
 no ip address
!
interface Vlan1
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
ip forward-protocol nd
no ip http server
ip http authentication local
no ip http secure-server
!
!
ip nat inside source list 101 interface GigabitEthernet8 overload
ip route 0.0.0.0 0.0.0.0 9.9.9.9
ip ssh port 2222 rotary 1
!
ip access-list extended ACL-CONSOLE-PERMIT
 permit ip 3.3.3.3 0.0.0.255 any
 permit ip 4.4.4.4 0.0.0.255 any
 deny   ip any any
ip access-list extended outside_access_in
 permit icmp any any time-exceeded
 permit icmp any any unreachable
 permit ip 3.3.3.3 0.0.0.255 any
 permit ip 4.4.4.4 0.0.0.255 any
 permit esp any any
 permit gre any any
 permit udp any any eq isakmp
 permit udp any any eq non500-isakmp
 permit udp any any eq bootpc
 deny   ip any any log
!
logging trap debugging
dialer-list 1 protocol ip permit
!
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 101 permit ip 192.168.0.0 0.0.0.255 any
!
control-plane
!
!
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
!
!
!
!
!
no vstack
!
line con 0
 no modem enable
line aux 0
 access-class ACL-CONSOLE-PERMIT in
line 2
 access-class ACL-CONSOLE-PERMIT in
 exec-timeout 60 0
 no activation-character
 no exec
 transport preferred none
 transport input all
 stopbits 1
line vty 0 4
 access-class ACL-CONSOLE-PERMIT in
 login local
 rotary 1
 transport input ssh
!
scheduler allocate 20000 1000
!
end

Labels:
0 Helpful
19 Replies 19

Georg Pauwen
VIP
VIP

‎08-28-2020 12:02 PM

Which traffic do you want to allow ? Right now, your access list does not include any traffic originating from your inside (192.168.0.0.24).

0 Helpful

sanjay.chauhan38
Level 1
Level 1
In response to Georg Pauwen

‎08-28-2020 12:08 PM

I would like to allow outbound traffic towards the internet from 192.168.0.0/24. 

would like to block incoming traffic from the internet towards the wan interface as per ACL outside_access_in. 

0 Helpful

Georg Pauwen
VIP
VIP
In response to sanjay.chauhan38

‎08-28-2020 12:29 PM

Hello,

 

add the line marked in bold to your access list:

 

ip access-list extended outside_access_in
permit icmp any any time-exceeded
permit icmp any any unreachable
permit ip 3.3.3.3 0.0.0.255 any
permit ip 4.4.4.4 0.0.0.255 any
--> permit ip 192.168.0.0 0.0.0.255 any
permit esp any any
permit gre any any
permit udp any any eq isakmp
permit udp any any eq non500-isakmp
permit udp any any eq bootpc
deny ip any any log

0 Helpful

sanjay.chauhan38
Level 1
Level 1
In response to Georg Pauwen

‎08-28-2020 01:00 PM

Thanks for that. I entered the permit rule as suggested above but it still doesn’t work. I can only reach out to 3.3.3.3 and 4.4.4.4 from source vlan1 192.168.0.0 but nothing else. 

0 Helpful

Georg Pauwen
VIP
VIP
In response to sanjay.chauhan38

‎08-28-2020 01:17 PM

Hello,

 

add the line in bold:

 

ip access-list extended outside_access_in
permit icmp any any time-exceeded
permit icmp any any unreachable
permit ip 3.3.3.3 0.0.0.255 any
permit ip 4.4.4.4 0.0.0.255 any
--> permit ip 192.168.0.0 0.0.0.255 any

--> permit ip any 192.168.0.0 0.0.0.255
permit esp any any
permit gre any any
permit udp any any eq isakmp
permit udp any any eq non500-isakmp
permit udp any any eq bootpc
deny ip any any log

0 Helpful

sanjay.chauhan38
Level 1
Level 1
In response to Georg Pauwen

‎08-28-2020 01:35 PM - edited ‎08-28-2020 01:53 PM

Sorry that still didn’t work...

 

permit icmp any any time-exceeded
permit icmp any any unreachable
permit ip 2.2.2.2 0.0.0.255 any
permit ip 3.3.3.3 0.0.0.255 any
permit ip 192.168.0.0 0.0.0.255 any
permit ip any 192.168.0.0 0.0.0.255
permit esp any any
permit gre any any
permit udp any any eq isakmp
permit udp any any eq non500-isakmp
permit udp any any eq bootpc
deny ip any any log

0 Helpful

Georg Pauwen
VIP
VIP
In response to sanjay.chauhan38

‎08-28-2020 01:46 PM

Hello,

 

apply the access list outbound instead of inbound:

 

ip access-group outside_access_in out

0 Helpful

sanjay.chauhan38
Level 1
Level 1
In response to Georg Pauwen

‎08-28-2020 01:54 PM

If I apply outbound then the access to the internet from 192.168.0.0 works. However the ACL doesn’t work correctly. I can still ping my wan interface. So I don’t think it’s working correctly. 

0 Helpful

Georg Pauwen
VIP
VIP
In response to sanjay.chauhan38

‎08-28-2020 02:19 PM

Hello,

 

if you want to block pings, add the line in bold:

 

deny icmp any any echo-reply
permit icmp any any time-exceeded
permit icmp any any unreachable
permit ip 3.3.3.3 0.0.0.255 any
permit ip 4.4.4.4 0.0.0.255 any
--> permit ip 192.168.0.0 0.0.0.255 any
--> permit ip any 192.168.0.0 0.0.0.255
permit esp any any
permit gre any any
permit udp any any eq isakmp
permit udp any any eq non500-isakmp
permit udp any any eq bootpc
deny ip any any log

0 Helpful

sanjay.chauhan38
Level 1
Level 1
In response to Georg Pauwen

‎08-28-2020 02:33 PM

Sorry that’s still not working. I do not think this ACL should on out the outbound of the interface as the ACL is not doing any inbound filtering if set on the outside. 

0 Helpful

Georg Pauwen
VIP
VIP
In response to sanjay.chauhan38

‎08-28-2020 02:43 PM

Where is the ping originating, the Internet, or the inside of your network ?

0 Helpful

sanjay.chauhan38
Level 1
Level 1
In response to Georg Pauwen

‎08-28-2020 02:55 PM

The ping is originating from the internet. 

0 Helpful

paul driver
VIP
VIP

‎08-28-2020 03:06 PM

Hello

May I ask what is it you are trying to allow it looks like anything from those two subnets and gre/ipsec traffic ?


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul
0 Helpful

sanjay.chauhan38
Level 1
Level 1
In response to paul driver

‎08-28-2020 03:16 PM

hi

 

i would like to allow 2.2.2.2 and 3.3.3.3 full access inbound from internet. Then also allow ipsec/gre/ike from any source but block everything else including ping to the wan interface itself from the internet. 

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card