extended ACL

lakhwaraa · ‎07-28-2022

I have following acl's on my router. I want to ping remote location 202.165.40.65 with port 443 but i am unable to do so. remote location will only allow traffic from my IP (119.65.22.32 and port 443). all other ports are block at remote location. Currently i am receiving traffic from 119.65.22.32 on ports 476,475,531,532 etc but not from 443.

any help

My Ip address: 119.65.22.32

Remote ip address: 202.165.40.65

1. ip access-list extended GigabitEthernet0/1 (this is my interface with ip 119.65.22.32)

this acl has no entry but i still put entry of these

permit tcp host 202.165.40.65 any eq 443
permit tcp host 202.165.40.65 any eq 443

permit udp host 202.165.40.65 any eq 443
permit udp host 202.165.40.65 any eq 443

2. ip access-list extended NAT-OUT-IN

ip nat outside source list NAT-OUT-IN pool POOL-OUT-IN

ip nat pool POOL-OUT-IN 10.10.0.0 10.10.255.255 prefix-length 16

this acl does not have anything to do with remote ip

3. ip access-list extended firewall

this acl was empty but i still put these entries in it

permit tcp host 202.165.40.65 any eq 443
permit tcp host 202.165.40.65 any eq 443

permit udp host 202.165.40.65 any eq 443
permit udp host 202.165.40.65 any eq 443

4. ip access-list extended mynat

this acl is for my lan computers

what i should do ?????. how to ping remote location with 443 port and got positive response. i am not blocking anything.

MHM Cisco World · ‎07-28-2022

First the icmp is l3 protocol dont have l4 port.

Second try telnet and use port

The remote will give you open if port 443 is allow in his router.

lakhwaraa · ‎07-28-2022

Sir

I dont have access to remote location. They only provide me logs. i can only access my router.

attached image shows that connectivity is there but not from 443 port

MHM Cisco World · ‎07-28-2022

Are you run http server in your route?

443 port also use for http server.

lakhwaraa · ‎08-01-2022

i have following configuration also

no ip http server
ip http port 8080
ip http authentication local
no ip http secure-server

i had put no in front of

ip http port 8080
ip http authentication local

but no use

lakhwaraa · ‎08-02-2022

In which acl do i have to write this

permit tcp any host 207.67.74.157 eq 443 <<- forward traffic
permit tcp host 207.67.74.157 eq 443 any <<- return traffic

Router#sh ip access-lists

Extended IP access list GigabitEthernet0/1
40 permit tcp any any eq 443

Extended IP access list NAT-OUT-IN
10 permit tcp any host 110.36.216.82 eq 1689

Extended IP access list firewall
10 permit tcp host 182.180.123.154 any eq 22

Extended IP access list mynat
60 permit ip 10.20.1.0 0.0.0.255 any (14120261 matches)

lakhwaraa · ‎08-02-2022

In which acl do i have to write this

permit tcp any host 207.67.74.157 eq 443 <<- forward traffic
permit tcp host 207.67.74.157 eq 443 any <<- return traffic

Router#sh ip access-lists

Extended IP access list GigabitEthernet0/1
40 permit tcp any any eq 443

Extended IP access list NAT-OUT-IN
10 permit tcp any host 110.36.216.82 eq 1689

Extended IP access list firewall
10 permit tcp host 182.180.123.154 any eq 22

Extended IP access list mynat
60 permit ip 10.20.1.0 0.0.0.255 any (14120261 matches)

Joseph W. Doherty · ‎07-28-2022

"I want to ping remote location 202.165.40.65 with port 443 . . ."

Port 443 is used by TCP. While ping use IGMP. I.e. if IGMP ping requests are blocked, you're not going to be able to, by default, ping another host.

Further even if ping used TCP, sending any TCP traffic on any "unexpected" port on the host, the host will discard the packet.

If the blockage is on an ACL on a router you control, you might provide ACL ACEs that permit ping request and/or reply.

e.g. https://www.cisco.com/c/en/us/support/docs/ip/access-lists/26448-ACLsamples.html#anc13

lakhwaraa · ‎08-02-2022

I have following configuration

version 15.4!
key chain eigrp_keys
track 1 interface Tunnel2 line-protocol
track 6 ip sla 6 reachability
(Different track commands)
crypto isakmp policy 100!

interface Loopback1
no ip address
!
interface Tunnel1
bandwidth 1602
ip address 10.2.1.254 255.255.255.0
tunnel source GigabitEthernet0/1
!
interface Tunnel2
bandwidth 1602
ip address 10.2.2.254 255.255.255.0
no ip redirects
tunnel source GigabitEthernet0/1
!
interface GigabitEthernet0/1
ip address 214.189.74.51 255.255.255.248
ip mtu 1492
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
!

interface Vlan1
ip address 10.20.1.254 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
!
router eigrp 10

network 10.2.1.0 0.0.0.255

router eigrp 2

network 10.2.2.0 0.0.0.255

no ip http server
ip http port 8080
ip http authentication local
no ip http secure-server
!
ip dns server
ip nat pool POOL-OUT-IN 10.50.0.0 10.50.255.255 prefix-length 16
ip nat inside source list mynat interface GigabitEthernet0/1 overload
ip nat inside source static tcp 10.20.1.11 80 interface GigabitEthernet0/1 81
ip nat inside source static tcp 10.20.1.12 1521 interface GigabitEthernet0/1 121

ip nat outside source list NAT-OUT-IN pool POOL-OUT-IN
ip route 10.20.1.11 (Internal network) 255.255.255.0 10.20.1.249 (To layer 3 switch) track 6

ip route 0.0.0.0 0.0.0.0 214.189.74.51

ip tacacs source-interface Vlan1
!
ip access-list extended GigabitEthernet0/1
permit tcp any host 207.67.74.157 eq 443
permit udp host 207.67.74.157 any eq 443
permit udp host 63.91.129.157 any eq 443
permit tcp any any eq 443

ip access-list extended NAT-OUT-IN
permit tcp any host 63.91.129.157 eq 443
permit tcp any host 207.67.74.157 eq 443
permit udp any host 63.91.129.157 eq 443
permit udp any host 207.67.74.157 eq 443
permit tcp any any eq 443

ip access-list extended firewall

permit tcp host 207.67.74.157 any eq 443
permit tcp host 63.91.129.157 any eq 443
permit udp host 207.67.74.157 any eq 443
permit udp host 63.91.129.157 any eq 443
permit tcp any any eq 443

ip access-list extended mynat
deny ip any 10.20.1.0 0.0.0.255
deny ip host 10.20.1.19 any
deny ip 172.12.20.0 0.0.0.255 172.12.20.0 0.0.0.255
deny ip 172.12.20.0 0.0.0.255 172.18.20.0 0.0.0.255
deny tcp host 172.12.20.102 eq 1521 any
permit ip 10.20.1.0 0.0.0.255 any
permit ip 172.20.41.0 0.0.0.255 any
permit ip 192.168.20.0 0.0.0.255 any
permit ip 172.20.12.0 0.0.0.255 any

Router# traceroute 63.91.129.157 port 443
Type escape sequence to abort.
Tracing the route to user157.temgdwdp.com (63.91.129.157)
VRF info: (vrf in name/id, vrf out name/id)
1 119.159.230.54 0 msec 0 msec 0 msec
2 221.120.221.65 4 msec 4 msec 4 msec
3 221.120.221.18 4 msec 0 msec 4 msec
4 221.120.221.57 4 msec 4 msec 4 msec
5 10.253.8.38 0 msec 0 msec 4 msec
6 10.253.4.36 20 msec
10.253.4.16 16 msec 20 msec
7 10.253.4.4 16 msec 20 msec 20 msec
8 Frankfurt-MX80.incapsula.com (80.81.193.87) 140 msec 144 msec 144 msec
9 * * *
10 * * *
11 * *

Unable to open 443

MHM Cisco World · ‎08-02-2022

I will analysis the config tonight, If I get some thing I will update you

lakhwaraa · ‎08-03-2022

Sir

Did you find the time to review the configuration.

MHM Cisco World · ‎08-03-2022

Yes I start review what I dont get

interface GigabitEthernet0/1
ip address 214.189.74.51 255.255.255.248
ip mtu 1492
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
!
ip access-list extended GigabitEthernet0/1 <- this must apply to this interface but I dont see ip access-group
permit tcp any host 207.67.74.157 eq 443
permit udp host 207.67.74.157 any eq 443
permit udp host 63.91.129.157 any eq 443
permit tcp any any eq 443

second
ip access-list extended firewall <<<- what you meaning firewall here ??
permit tcp host 207.67.74.157 any eq 443
permit tcp host 63.91.129.157 any eq 443
permit udp host 207.67.74.157 any eq 443
permit udp host 63.91.129.157 any eq 443
permit tcp any any eq 443

Joseph W. Doherty · ‎08-02-2022

How and/or where are you invoking those ACLs?

lakhwaraa · ‎08-02-2022

That's all the configuration in router. i don't have any other device attached. check the configuration again and suggest me something.

thanks

MHM Cisco World · ‎08-07-2022

Are this issue solved or not ?