Failed Extended Access-list

ericsonmisagal
Level 1

Hello all,

 

I am trying to apply this extended access-list to my router to permit the selected ports and deny the rest, but my emails are not sending outside; all emails are stuck in the queue. If I remove the access-list, all emails go freely. What's left in my configuration?

 

access-list 101 permit tcp host 192.168.111.30 eq 53 any
access-list 101 permit udp host 192.168.111.30 eq 53 any
access-list 101 permit tcp host 192.168.111.30 eq 25 any
access-list 101 permit tcp host 192.168.111.30 eq 443 any
access-list 101 permit tcp host 192.168.111.30 eq 587 any
access-list 101 permit tcp host 192.168.111.30 eq 995 any
access-list 101 deny ip any any


interface Dialer0
 ip access-group 101 out

6 Replies

Richard Burts
Hall of Fame

You have given us a little information to work with but not enough to fully understand your environment. Based on what you have given here my first question would be whether you can verify that 192.168.111.30 is the correct address of the host? My second question would be whether you are doing address translation on this traffic?

 

One thing that you might try is to add the log parameter on the deny line of the access list. When you test again it will show what is being denied, and that may be helpful in identifying what the problem is.

 

HTH

Rick

Here is the complete configuration.

Router#sh run
Building configuration...

Current configuration : 3665 bytes
!
! Last configuration change at 09:23:31 UTC Wed May 28 2014 by admin
! NVRAM config last updated at 06:42:17 UTC Wed May 28 2014 by admin
! NVRAM config last updated at 06:42:17 UTC Wed May 28 2014 by admin
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
crypto pki token default removal timeout 0
!
!
ip source-route
ip cef
!
!
!
!
!
no ipv6 cef
!
!
license udi pid C887VA-W-E-K9 sn FCZ1624C30K
!
!
username admin privilege 15 password 7 045A0F0B062F
!
!
!
!
controller VDSL 0
!
!
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key xxxxxx address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set TS esp-3des esp-md5-hmac
!
crypto ipsec profile protect-gre
 set security-association lifetime seconds 86400
 set transform-set TS
!
!
!
!
!
!
interface Loopback0
 ip address 10.10.10.1 255.255.255.255
!
interface Tunnel4120
 ip address 10.0.0.1 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication cisco
 ip nhrp map multicast dynamic
 ip nhrp network-id 123
 ip tcp adjust-mss 1360
 tunnel source Dialer0
 tunnel mode gre multipoint
 tunnel key 123
 tunnel protection ipsec profile protect-gre
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
 pvc 0/35
  pppoe-client dial-pool-number 1
 !
!
interface Ethernet0
 no ip address
 shutdown
 no fair-queue
!
interface FastEthernet0
 no ip address
!
interface FastEthernet1
 no ip address
!
interface FastEthernet2
 no ip address
!
interface FastEthernet3
 no ip address
!
interface Wlan-GigabitEthernet0
 description Internal switch interface connecting to the embedded AP
 switchport mode trunk
 no ip address
!
interface wlan-ap0
 description Embedded Service module interface to manage the embedded AP
 ip unnumbered Vlan1
!
interface Vlan1
 ip address 192.168.111.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 ip tcp adjust-mss 1360
!
interface Dialer0
 ip address negotiated
 ip access-group 101 out
 ip nat outside
 ip virtual-reassembly in
 encapsulation ppp
 dialer pool 1
 ppp authentication chap callin
 ppp chap hostname xxxxxxxxxxxxxxxxx
 ppp chap password 7 03077313552D0F411E512D
!
router rip
 version 2
 network 10.0.0.0
 network 192.168.111.0
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source static tcp 192.168.111.30 25 xxx.xxx.xxx.xxx 25 extendable
ip nat inside source static tcp 192.168.111.30 443 xxx.xxx.xxx.xxx 443 extendable
ip nat inside source static tcp 192.168.111.30 587 xxx.xxx.xxx.xxx 587 extendable
ip nat inside source static tcp 192.168.111.30 995 xxx.xxx.xxx.xxx 995 extendable

ip route 0.0.0.0 0.0.0.0 Dialer0
!
access-list 1 permit 192.168.111.30
access-list 10 permit 192.168.111.0 0.0.0.255

access-list 101 permit tcp host 192.168.111.30 eq 53 any
access-list 101 permit udp host 192.168.111.30 eq 53 any
access-list 101 permit tcp host 192.168.111.30 eq 25 any
access-list 101 permit tcp host 192.168.111.30 eq 443 any
access-list 101 permit tcp host 192.168.111.30 eq 587 any
access-list 101 permit tcp host 192.168.111.30 eq 995 any
access-list 101 deny ip any any
!
!
!
!
line con 0
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport input all
 stopbits 1
line vty 0 4
 access-class 10 in
 login local
 transport input all
!
scheduler allocate 20000 1000
end

Router#

The way you have written your ACLs:

access-list 101 permit tcp host 192.168.111.30 eq 53 any

Means permit from 192.168.111.30 source port 53 to any address.

Are you sure you don't mean:

access-list 101 permit tcp host 192.168.111.30 any eq 53

I actually did the same but it's also not working, like below.

access-list 101 permit tcp host 192.168.111.30 any eq 53
access-list 101 permit udp host 192.168.111.30 any eq 53
access-list 101 permit tcp host 192.168.111.30 any eq 25
access-list 101 permit tcp host 192.168.111.30 any eq 443
access-list 101 permit tcp host 192.168.111.30 any eq 587
access-list 101 permit tcp host 192.168.111.30 any eq 995
access-list 101 deny ip any any

OK - here is something else to consider. Your ACL is applied as an output access list on the dialer0 interface. When the outbound packet hits this ACL it will already have been NAT'ed so the source IP address of the packet will be the public IP address bound to your dialer0 interface. Your ACLs permit the pre-NAT address of the packet. I just labbed this in GNS3 and can confirm that the ACL needs to reference the post-NAT address in order to work.

I agree that the issue is that 192.168.111.30 has been translated by the time it gets to the outbound access list. I was suggesting that possibility in my post when I asked whether address translation was being done.

HTH

Rick
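The two points raised in the replies above can be checked with a small model of IOS ACL evaluation: an "eq 53" written after the source address matches the source port rather than the destination port, and an ACL applied "out" on Dialer0 is evaluated after "ip nat inside source" has rewritten the source address. The following is an added example, not code from the thread or from Cisco. It assumes 198.51.100.7 in place of the redacted Dialer0 public address, and the remote mail host 203.0.113.25 and source port 40000 are constructed; the ACL grammar it parses is limited to the forms used in this thread.

```python
"""Model of how IOS evaluates ACL 101 on the NAT outside interface.
Added example, not code from the thread. Assumed values: 198.51.100.7
stands in for the redacted Dialer0 address; 203.0.113.25 and source
port 40000 are constructed. The 'out' ACL on Dialer0 is applied to the
packet AFTER 'ip nat inside source' has rewritten its source address."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Ace:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip", "tcp" or "udp"
    src: ipaddress.IPv4Network
    sport: Optional[int]         # 'eq N' written after the SOURCE address
    dst: ipaddress.IPv4Network
    dport: Optional[int]         # 'eq N' written after the DESTINATION address

    def matches(self, p: Packet) -> bool:
        return ((self.proto == "ip" or self.proto == p.proto)
                and ipaddress.ip_address(p.src) in self.src
                and ipaddress.ip_address(p.dst) in self.dst
                and (self.sport is None or self.sport == p.sport)
                and (self.dport is None or self.dport == p.dport))


def _addr_spec(tok: List[str], i: int) -> Tuple[ipaddress.IPv4Network, Optional[int], int]:
    """Consume 'host A' | 'any' | 'A WILDCARD' and an optional 'eq PORT'."""
    if tok[i] == "host":
        net, i = ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    elif tok[i] == "any":
        net, i = ipaddress.ip_network("0.0.0.0/0"), i + 1
    else:  # IOS wildcard: 0 bits must match, 1 bits are don't-care; invert to a netmask
        wild = int(ipaddress.IPv4Address(tok[i + 1]))
        mask = str(ipaddress.IPv4Address(wild ^ 0xFFFFFFFF))
        net, i = ipaddress.ip_network((tok[i], mask), strict=False), i + 2
    port = None
    if i < len(tok) and tok[i] == "eq":
        port, i = int(tok[i + 1]), i + 2
    return net, port, i


def parse_acl(text: str) -> List[Ace]:
    """Parse 'access-list N permit|deny PROTO SRC [eq P] DST [eq P]' lines."""
    aces = []
    for line in text.strip().splitlines():
        tok = line.split()
        if tok and tok[0] == "access-list":
            src, sport, i = _addr_spec(tok, 4)
            dst, dport, _ = _addr_spec(tok, i)
            aces.append(Ace(tok[2], tok[3], src, sport, dst, dport))
    return aces


def evaluate(acl: List[Ace], p: Packet) -> str:
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for ace in acl:
        if ace.matches(p):
            return ace.action
    return "deny"


def nat_inside_to_outside(p: Packet, inside: str, public: str) -> Packet:
    """Source translation as 'ip nat inside source list 1 interface Dialer0
    overload' performs it (PAT source-port rewriting on collision is ignored)."""
    return Packet(p.proto, public, p.sport, p.dst, p.dport) if p.src == inside else p


def acl_101(src_host: str, port_position: str) -> str:
    """Render ACL 101 as posted, with 'eq PORT' after the source address
    (port_position='src', the first version) or after the destination."""
    lines = []
    for proto, port in (("tcp", 53), ("udp", 53), ("tcp", 25),
                        ("tcp", 443), ("tcp", 587), ("tcp", 995)):
        if port_position == "src":
            lines.append(f"access-list 101 permit {proto} host {src_host} eq {port} any")
        else:
            lines.append(f"access-list 101 permit {proto} host {src_host} any eq {port}")
    lines.append("access-list 101 deny ip any any")
    return "\n".join(lines)


INSIDE_HOST = "192.168.111.30"
PUBLIC_IP = "198.51.100.7"   # assumption: stands in for the redacted Dialer0 address
SMTP_OUT = Packet("tcp", INSIDE_HOST, 40000, "203.0.113.25", 25)  # constructed outbound mail


def outbound_verdicts() -> Dict[str, str]:
    """Verdicts for the outbound SMTP packet as the 'out' ACL on Dialer0 sees it
    (post-NAT), plus what an inbound ACL on Vlan1 would see (pre-NAT)."""
    post_nat = nat_inside_to_outside(SMTP_OUT, INSIDE_HOST, PUBLIC_IP)
    return {
        "as_posted": evaluate(parse_acl(acl_101(INSIDE_HOST, "src")), post_nat),
        "ports_on_dst": evaluate(parse_acl(acl_101(INSIDE_HOST, "dst")), post_nat),
        "post_nat_address": evaluate(parse_acl(acl_101(PUBLIC_IP, "dst")), post_nat),
        "ports_on_dst_pre_nat": evaluate(parse_acl(acl_101(INSIDE_HOST, "dst")), SMTP_OUT),
    }


if __name__ == "__main__":
    print(outbound_verdicts())
```

The post-NAT verdicts come out deny, deny, permit for the three ACL variants: the version as first posted fails on the source port, the destination-port version still fails because the source is now the public address, and only an ACL naming the translated address passes. The last entry shows the same destination-port ACL permitting the packet before translation, which is the practical caveat: Dialer0's address is negotiated, so an outbound ACL pinned to it breaks whenever the ISP assigns a new one, whereas applying the list inbound on Vlan1 ("ip access-group 101 in") is evaluated before NAT and can keep matching on 192.168.111.30. Its deny-all would then also need permits for any LAN traffic meant for the router itself or for the Tunnel4120 network.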