08-28-2020 11:54 AM
Hi,
I am facing an issue which I can't get my head around. I would like to limit inbound traffic from the outside interface, i.e. the WAN. I have created an ACL and applied it to the WAN interface inbound. However, whenever I apply it, the ACL seems to work, but all outbound traffic gets blocked too.
Here is my config - any pointers would be much appreciated, and I guess I'm missing something obvious!
interface ATM0
no ip address
shutdown
no atm ilmi-keepalive
!
interface Ethernet0
no ip address
shutdown
!
interface GigabitEthernet0
no ip address
!
interface GigabitEthernet1
no ip address
!
interface GigabitEthernet2
no ip address
!
interface GigabitEthernet3
no ip address
!
interface GigabitEthernet4
no ip address
!
interface GigabitEthernet5
no ip address
!
interface GigabitEthernet6
no ip address
!
interface GigabitEthernet7
no ip address
!
interface GigabitEthernet8
ip address 1.1.1.1 255.255.255.248
ip access-group outside_access_in in
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
no cdp enable
!
interface Wlan-GigabitEthernet8
no ip address
!
interface wlan-ap0
no ip address
!
interface Vlan1
ip address 192.168.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
ip forward-protocol nd
no ip http server
ip http authentication local
no ip http secure-server
!
!
ip nat inside source list 101 interface GigabitEthernet8 overload
ip route 0.0.0.0 0.0.0.0 9.9.9.9
ip ssh port 2222 rotary 1
!
ip access-list extended ACL-CONSOLE-PERMIT
permit ip 3.3.3.3 0.0.0.255 any
permit ip 4.4.4.4 0.0.0.255 any
deny ip any any
ip access-list extended outside_access_in
permit icmp any any time-exceeded
permit icmp any any unreachable
permit ip 3.3.3.3 0.0.0.255 any
permit ip 4.4.4.4 0.0.0.255 any
permit esp any any
permit gre any any
permit udp any any eq isakmp
permit udp any any eq non500-isakmp
permit udp any any eq bootpc
deny ip any any log
!
logging trap debugging
dialer-list 1 protocol ip permit
!
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 101 permit ip 192.168.0.0 0.0.0.255 any
!
control-plane
!
!
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
!
!
!
!
!
no vstack
!
line con 0
no modem enable
line aux 0
access-class ACL-CONSOLE-PERMIT in
line 2
access-class ACL-CONSOLE-PERMIT in
exec-timeout 60 0
no activation-character
no exec
transport preferred none
transport input all
stopbits 1
line vty 0 4
access-class ACL-CONSOLE-PERMIT in
login local
rotary 1
transport input ssh
!
scheduler allocate 20000 1000
!
end
08-28-2020 12:02 PM
Which traffic do you want to allow? Right now, your access list does not include any traffic originating from your inside (192.168.0.0/24).
08-28-2020 12:08 PM
I would like to allow outbound traffic towards the internet from 192.168.0.0/24.
I would like to block incoming traffic from the internet towards the WAN interface as per ACL outside_access_in.
08-28-2020 12:29 PM
Hello,
add the line marked in bold to your access list:
ip access-list extended outside_access_in
permit icmp any any time-exceeded
permit icmp any any unreachable
permit ip 3.3.3.3 0.0.0.255 any
permit ip 4.4.4.4 0.0.0.255 any
--> permit ip 192.168.0.0 0.0.0.255 any
permit esp any any
permit gre any any
permit udp any any eq isakmp
permit udp any any eq non500-isakmp
permit udp any any eq bootpc
deny ip any any log
08-28-2020 01:00 PM
Thanks for that. I entered the permit rule as suggested above but it still doesn’t work. I can only reach out to 3.3.3.3 and 4.4.4.4 from source vlan1 192.168.0.0 but nothing else.
08-28-2020 01:17 PM
Hello,
add the line in bold:
ip access-list extended outside_access_in
permit icmp any any time-exceeded
permit icmp any any unreachable
permit ip 3.3.3.3 0.0.0.255 any
permit ip 4.4.4.4 0.0.0.255 any
--> permit ip 192.168.0.0 0.0.0.255 any
--> permit ip any 192.168.0.0 0.0.0.255
permit esp any any
permit gre any any
permit udp any any eq isakmp
permit udp any any eq non500-isakmp
permit udp any any eq bootpc
deny ip any any log
08-28-2020 01:35 PM - edited 08-28-2020 01:53 PM
Sorry that still didn’t work...
permit icmp any any time-exceeded
permit icmp any any unreachable
permit ip 2.2.2.2 0.0.0.255 any
permit ip 3.3.3.3 0.0.0.255 any
permit ip 192.168.0.0 0.0.0.255 any
permit ip any 192.168.0.0 0.0.0.255
permit esp any any
permit gre any any
permit udp any any eq isakmp
permit udp any any eq non500-isakmp
permit udp any any eq bootpc
deny ip any any log
08-28-2020 01:46 PM
Hello,
apply the access list outbound instead of inbound:
ip access-group outside_access_in out
08-28-2020 01:54 PM
If I apply it outbound, then the access to the internet from 192.168.0.0 works. However, the ACL doesn’t work correctly. I can still ping my WAN interface. So I don’t think it’s working correctly.
08-28-2020 02:19 PM
Hello,
if you want to block pings, add the line in bold:
deny icmp any any echo-reply
permit icmp any any time-exceeded
permit icmp any any unreachable
permit ip 3.3.3.3 0.0.0.255 any
permit ip 4.4.4.4 0.0.0.255 any
--> permit ip 192.168.0.0 0.0.0.255 any
--> permit ip any 192.168.0.0 0.0.0.255
permit esp any any
permit gre any any
permit udp any any eq isakmp
permit udp any any eq non500-isakmp
permit udp any any eq bootpc
deny ip any any log
08-28-2020 02:33 PM
Sorry, that’s still not working. I do not think this ACL should be on the outbound side of the interface, as the ACL is not doing any inbound filtering if set on the outside.
08-28-2020 02:43 PM
Where is the ping originating, the Internet, or the inside of your network?
08-28-2020 02:55 PM
The ping is originating from the internet.
08-28-2020 03:06 PM
Hello
May I ask what it is you are trying to allow? It looks like anything from those two subnets and GRE/IPsec traffic?
08-28-2020 03:16 PM
Hi,
I would like to allow 2.2.2.2 and 3.3.3.3 full access inbound from the internet. Then also allow IPsec/GRE/IKE from any source but block everything else, including ping to the WAN interface itself from the internet.
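The behaviour the whole thread circles around is that an IOS extended ACL is stateless and, on the inbound direction of an `ip nat outside` interface, is evaluated before the destination is translated back to the inside host. The following is an added example written for this page, not code from the thread or from Cisco: a small evaluator that models first-match ACL semantics with the implicit deny, runs the posted outside_access_in ACL against constructed sample packets (RFC 5737 test addresses; the 1.1.1.1 WAN address and SSH port 2222 come from the posted config), and shows why adding `permit ip any 192.168.0.0 0.0.0.255` cannot match return traffic. The `established` keyword is a real IOS ACL keyword that the thread does not mention; it is included here as a stateless way to admit TCP replies, and the simulator ignores everything else a real router does (no CBAC/ZBF session table, no fragments, no source-port matching).

```python
"""Constructed model of Cisco IOS extended ACL evaluation (first match, implicit deny).
The ACL text is the one posted in the thread; the packets are made-up samples."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

PORT_NAMES = {"isakmp": 500, "non500-isakmp": 4500, "bootpc": 68, "bootps": 67, "www": 80}


def ip2int(a: str) -> int:
    o = [int(x) for x in a.split(".")]
    return (o[0] << 24) | (o[1] << 16) | (o[2] << 8) | o[3]


@dataclass
class Packet:
    proto: str                        # "tcp", "udp", "icmp", "esp", "gre"
    src: str
    dst: str
    dport: Optional[int] = None
    icmp_type: Optional[str] = None   # "echo", "echo-reply", "time-exceeded", ...
    tcp_ack: bool = False             # ACK or RST set; IOS "established" matches only these


def _parse_addr(t: List[str], i: int) -> Tuple[Tuple[int, int], int]:
    """Return ((network, wildcard), next_index) for 'any', 'host X' or 'X WILDCARD'."""
    if t[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if t[i] == "host":
        return (ip2int(t[i + 1]), 0), i + 2
    return (ip2int(t[i]), ip2int(t[i + 1])), i + 2


def _addr_match(addr: str, spec: Tuple[int, int]) -> bool:
    net, wc = spec                    # wildcard bit set to 1 means "don't care"
    return (ip2int(addr) ^ net) & ~wc & 0xFFFFFFFF == 0


def parse_acl(text: str) -> List[dict]:
    aces = []
    for line in text.strip().splitlines():
        t = line.split()
        if not t or t[0] not in ("permit", "deny"):
            continue                  # skip the 'ip access-list extended ...' header
        src, i = _parse_addr(t, 2)
        dst, i = _parse_addr(t, i)
        ace = {"action": t[0], "proto": t[1], "src": src, "dst": dst, "dport": None,
               "icmp_type": None, "established": False, "text": line.strip()}
        while i < len(t):
            if t[i] == "eq":
                p = t[i + 1]
                ace["dport"] = PORT_NAMES[p] if p in PORT_NAMES else int(p)
                i += 2
            elif t[i] == "established":
                ace["established"] = True
                i += 1
            elif t[i] == "log":
                i += 1
            elif ace["proto"] == "icmp":
                ace["icmp_type"] = t[i]
                i += 1
            else:
                i += 1
        aces.append(ace)
    return aces


def _ace_matches(ace: dict, pkt: Packet) -> bool:
    if ace["proto"] != "ip" and ace["proto"] != pkt.proto:
        return False
    if not _addr_match(pkt.src, ace["src"]) or not _addr_match(pkt.dst, ace["dst"]):
        return False
    if ace["dport"] is not None and pkt.dport != ace["dport"]:
        return False
    if ace["icmp_type"] is not None and pkt.icmp_type != ace["icmp_type"]:
        return False
    if ace["established"] and not pkt.tcp_ack:
        return False
    return True


def evaluate(aces: List[dict], pkt: Packet) -> Tuple[str, str]:
    """First matching ACE wins; an IOS ACL always ends with an implicit deny."""
    for ace in aces:
        if _ace_matches(ace, pkt):
            return ace["action"], ace["text"]
    return "deny", "implicit deny"


POSTED_ACL = """
ip access-list extended outside_access_in
 permit icmp any any time-exceeded
 permit icmp any any unreachable
 permit ip 3.3.3.3 0.0.0.255 any
 permit ip 4.4.4.4 0.0.0.255 any
 permit esp any any
 permit gre any any
 permit udp any any eq isakmp
 permit udp any any eq non500-isakmp
 permit udp any any eq bootpc
 deny ip any any log
"""

WAN_IP = "1.1.1.1"   # router's outside address from the posted config
# Constructed samples. Inbound on the 'ip nat outside' interface the ACL runs BEFORE the
# destination is translated back to 192.168.0.x, so a reply to a LAN web session arrives
# at the ACL with dst = WAN_IP, an ephemeral destination port and the ACK flag set.
SAMPLES = {
    "return_http": Packet("tcp", "203.0.113.10", WAN_IP, dport=50001, tcp_ack=True),
    "inbound_syn": Packet("tcp", "203.0.113.10", WAN_IP, dport=2222, tcp_ack=False),
    "inbound_ping": Packet("icmp", "203.0.113.10", WAN_IP, icmp_type="echo"),
    "inbound_ike": Packet("udp", "203.0.113.10", WAN_IP, dport=500),
}

# The thread's suggested fix: cannot match, the packet still carries the global address.
SUGGESTED_ACL = POSTED_ACL.replace(" permit esp any any",
                                   " permit ip any 192.168.0.0 0.0.0.255\n permit esp any any")
# Stateless alternative: 'established' admits TCP segments with ACK/RST set (a flag check,
# not a session table), so new inbound connections are still denied.
ESTABLISHED_ACL = POSTED_ACL.replace(" permit esp any any",
                                     " permit tcp any any established\n permit esp any any")


def verdicts(acl_text: str) -> dict:
    aces = parse_acl(acl_text)
    return {name: evaluate(aces, pkt)[0] for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for label, acl in (("posted", POSTED_ACL), ("suggested", SUGGESTED_ACL), ("established", ESTABLISHED_ACL)):
        print(label, verdicts(acl))
```

Running it shows that both the posted ACL and the suggested one deny `return_http` on the final `deny ip any any log` line, while the `established` variant permits it and still denies the inbound SYN and the inbound echo request. Because `established` only inspects TCP flags, UDP and ICMP replies (DNS, traceroute) would still need their own entries or a stateful feature such as a reflexive ACL or zone-based firewall, which this model does not represent.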