1306 Views | 0 Helpful | 7 Replies

Host/Network off of a Cisco ISR 1100 doesn't have web access

aastaguy
Level 1

I have a Cisco ISR with a private network of 192.168.191.0/24 on Vlan1 and I can't get host 192.168.191.250 to have web access. I can ping public IPs and resolve them to names, so routing and DNS are both working.

 

Any help is greatly appreciated, I am new to the Cisco CLI...

 

Thanks!

 

show run
Building configuration...


Current configuration : 8991 bytes
!
! Last configuration change at 14:42:47 PDT Wed Jun 3 2020
!
version 16.9
service timestamps debug datetime msec
service timestamps log datetime msec localtime show-timezone
service password-encryption
service call-home
platform qfp utilization monitor load 80
no platform punt-keepalive disable-kernel-core
!
!
boot-start-marker
boot-end-marker
!
!
logging buffered 16386
logging rate-limit 100 except warnings
no logging console
no logging monitor
!
no aaa new-model
clock timezone pacific -8 0
clock summer-time PDT recurring
call-home
! If contact email address in call-home is configured as sch-smart-licensing@cisco.com
! the email address configured in Cisco Smart License Portal will be used as contact email address to send SCH notifications.
contact-email-addr sch-smart-licensing@cisco.com
profile "CiscoTAC-1"
active
destination transport-method http
no destination transport-method email
!
ip name-server X.X.X.X Y.Y.Y.Y Z.Z.Z.Z
ip domain name mydomainname
!
ip dhcp pool WEBUIPool
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
!
!
!
!
!
!
!
!
!
!
subscriber templating
multilink bundle-name authenticated
!
chat-script ltescript "" "AT!CALL1" TIMEOUT 20 "OK"
!
!
!
cts logging verbose
license udi pid C1111-4PLTEEA 
license smart enable
license smart conversion automatic
!
diagnostic bootup level minimal
!
spanning-tree extend system-id
!
!
!
redundancy
mode none
!
controller Cellular 0/2/0
lte sim data-profile 3 attach-profile 3 slot 0
lte modem link-recovery rssi onset-threshold -110
lte modem link-recovery monitor-timer 20
lte modem link-recovery wait-timer 10
lte modem link-recovery debounce-count 6
!
!
vlan internal allocation policy ascending
!
!
!
!
!
!
interface Loopback1
description ### always-on interface ###
ip address 1.2.3.4 255.255.255.255
ip nat inside
!
interface Loopback4321
description ### DMNR NEMO Router Address -- Dummy non-routable IP ###
ip address 4.3.2.1 255.255.255.255
!
interface GigabitEthernet0/0/0
description Internal - 192.168.191.0
no ip address
ip tcp adjust-mss 1300
ip policy route-map clear-df
negotiation auto
!
interface GigabitEthernet0/0/1
ip address 192.168.1.1 255.255.255.0
negotiation auto
!
interface GigabitEthernet0/1/0
!
interface GigabitEthernet0/1/1
!
interface GigabitEthernet0/1/2
!
interface GigabitEthernet0/1/3
!
interface Cellular0/2/0
description Primary_
ip address negotiated
no ip unreachables
ip nat outside
ip access-group 150 in
load-interval 30
dialer in-band
dialer idle-timeout 0
dialer enable-timeout 6
dialer watch-group 1
dialer-group 1
ipv6 enable
pulse-time 1
!
interface Cellular0/2/1
no ip address
!
interface Vlan1
ip address 192.168.191.93 255.255.255.0
ip nat inside
ip tcp adjust-mss 1390
ip policy route-map clear-df
ntp broadcast
vrrp 91 ip 192.168.191.252
vrrp 91 priority 110
!
ip nat inside source list 100 interface Cellular0/2/0 overload
ip forward-protocol nd
ip tcp mss 1300
ip http server
ip http authentication local
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 Cellular0/2/0
ip ssh time-out 60
ip ssh version 2
!
!
access-list 100 permit ip 192.168.191.0 0.0.0.255 any log
access-list 150 permit ip host remoteofficeip1 any log
access-list 150 permit ip host remoteofficeip2 any log
access-list 150 permit icmp host 8.8.8.8 any log
access-list 150 permit udp host dns1 eq domain any
access-list 150 permit udp host dns2 eq domain any
access-list 150 permit udp host dns3 eq domain any
dialer watch-list 1 ip 5.6.7.8 0.0.0.0
dialer watch-list 1 delay route-check initial 60
dialer watch-list 1 delay connect 1
dialer-list 1 protocol ip permit
!
!
route-map clear-df permit 10
set ip df 0
!
!
!
control-plane
!
!
line con 0
transport input none
stopbits 1
line vty 0 4
login local
length 0
transport input ssh
!
!
!
!
!
!
end

 

7 Replies

Hi Friend, I hope you are OK,

 

First of all, I think you have a mistake in this line of this ACL:

 

access-list 100 permit ip 192.168.191.0 0.0.0.255 any log ---------------- THIS ONE---
access-list 150 permit ip host remoteofficeip1 any log
access-list 150 permit ip host remoteofficeip2 any log

 

Instead of access-list 100 it should be access-list 150, because I see in your config.txt you only define the access-group on this interface.

 

interface Cellular0/2/0
description Primary_
ip address negotiated
no ip unreachables
ip nat outside
ip access-group 150 in------------------ this one
load-interval 30
dialer in-band
dialer idle-timeout 0
dialer enable-timeout 6
dialer watch-group 1

 

hope you solve the problem! take care

Hello

Is this a duplicate post related to Here?

As suggested in that post:

Remove the ACL from the Cellular0/2/0 and also logging from the nat ACL then test again.


interface Cellular0/2/0
no ip access-group 150 in

no access-list 100 permit ip 192.168.191.0 0.0.0.255 any log
access-list 100 permit ip 192.168.191.0 0.0.0.255 any

 


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Hi Paul,

 

Not a duplicate per se, but I see why you would think that. Poorly worded on my behalf. The first issue of ping and DNS has been solved and, as I progress in this ACL and configuration, the latest issue is web access. Removing ip access-list 150 from Cellular0/2/0 does the trick, but it also opens the router up from the internet over any port.

 

Ideally, I would have outbound access, but inbound access would be locked down to 2 IP addresses over a handful of ports. I am clearly misconfiguring something with ACL 150, but I also feel like there is an easier way to do this?

 

Extended IP access list 150
    10 permit ip host IPADDRESS1 any log
    20 permit ip host IPADDRESS2 any log
    30 permit icmp host 8.8.8.8 any log
    40 permit udp host IP-dns1 eq domain any
    50 permit udp host IP-dns2 eq domain any
    60 permit udp host IP-dns3 eq domain any

 

I am assuming the explicit deny any any rule at the end of an ACL is what is not allowing return web traffic?  

 

Thanks!

Hello,

 

for web (http/https) traffic, you need to add the last two lines (70 and 80):

 

Extended IP access list 150
10 permit ip host IPADDRESS1 any log
20 permit ip host IPADDRESS2 any log
30 permit icmp host 8.8.8.8 any log
40 permit udp host IP-dns1 eq domain any
50 permit udp host IP-dns2 eq domain any
60 permit udp host IP-dns3 eq domain any
70 permit tcp any any eq www
80 permit tcp any any eq https

Hi Georg, wouldn't this allow everyone in the world to hit the router at 80 and 443? I just want my internal clients to be able to go out of the cellular interface and hit the web.

Hello


@aastaguy wrote:

Ideally, I would have outbound access, but inbound access would be locked down to 2 ip addresses over a handful of ports. I am clearly misconfiguring something with ACL 150, but I also feel like there is an easier way to do this?


Remove that acl 150 and try a context based ACL (CBAC) - Please review attached file


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul
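The question earlier in this thread (whether the deny at the end of ACL 150 is what blocks return web traffic), the worry that "permit tcp any any eq www/https" would expose the router to the whole internet, and the CBAC suggestion above can all be checked with a small model of how IOS evaluates an inbound ACL. The following is an added example written for this page, not code from the thread or from Cisco; the addresses (203.0.113.10 for the cellular WAN address, 198.51.100.20 for a web server, 192.0.2.x for the remote office and DNS hosts) are constructed stand-ins for the placeholders in the posted config, and the StatefulInspector class is a deliberately simplified stand-in for CBAC, not its implementation.

```python
"""Added example (not from the thread): how a stateless inbound ACL on the
cellular interface treats return web traffic, what 'permit tcp any any eq www'
actually admits, and how the 'established' keyword or a stateful inspector
(the CBAC idea suggested in the thread) changes the outcome.
All addresses are constructed from documentation ranges."""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

WAN_IP = "203.0.113.10"       # constructed: address negotiated on Cellular0/2/0
WEB_SERVER = "198.51.100.20"  # constructed: a public web server the client visits
REMOTE1 = "192.0.2.1"         # constructed stand-in for remoteofficeip1
DNS1 = "192.0.2.53"           # constructed stand-in for dns1


@dataclass(frozen=True)
class Packet:
    proto: str            # "tcp", "udp" or "icmp"
    src: str
    sport: int
    dst: str
    dport: int
    ack: bool = False     # TCP ACK flag; a bare SYN (ack=False) opens a new connection


@dataclass(frozen=True)
class Rule:
    seq: int
    proto: str                    # "ip" matches any protocol
    src: str = "any"              # "any" or a single host address
    sport: Optional[int] = None   # source-port match, e.g. 'eq domain' on the source
    dport: Optional[int] = None   # destination-port match, e.g. 'eq www'
    established: bool = False     # IOS 'established' keyword, modelled here as "ACK set"


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if rule.src != "any" and rule.src != pkt.src:
        return False
    if rule.sport is not None and rule.sport != pkt.sport:
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    if rule.established and not (pkt.proto == "tcp" and pkt.ack):
        return False
    return True


def stateless_acl(rules: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """First match wins; a packet matching no entry hits the implicit deny."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return ("permit", f"seq {rule.seq}")
    return ("deny", "implicit deny")


class StatefulInspector:
    """Toy model of stateful inspection: outbound flows are recorded and their
    replies admitted; anything else falls back to the inbound ACL."""

    def __init__(self, inbound_rules: List[Rule]):
        self.rules = list(inbound_rules)
        self.sessions: Set[Tuple[str, str, int, str, int]] = set()

    def outbound(self, pkt: Packet) -> Tuple[str, str]:
        self.sessions.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return ("permit", "outbound, session recorded")

    def inbound(self, pkt: Packet) -> Tuple[str, str]:
        reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if reverse in self.sessions:
            return ("permit", "reply to a recorded session")
        return stateless_acl(self.rules, pkt)


# ACL 150 as posted in the thread, with constructed addresses.
ACL_150 = [
    Rule(10, "ip", src=REMOTE1),
    Rule(30, "icmp", src="8.8.8.8"),
    Rule(40, "udp", src=DNS1, sport=53),
]
# The two entries proposed later in the thread: they match on *destination* port.
ACL_150_WWW = ACL_150 + [Rule(70, "tcp", dport=80), Rule(80, "tcp", dport=443)]
# Stateless alternative: admit only TCP segments that belong to a connection
# the inside already opened (ACK set), never a fresh inbound SYN.
ACL_150_ESTABLISHED = ACL_150 + [Rule(70, "tcp", established=True)]

# Constructed traffic: the NATed client's HTTPS request, the server's SYN-ACK
# reply, and an unsolicited connection attempt from the internet to the
# router's own port 80 (the posted config has 'ip http server' enabled).
OUTBOUND_SYN = Packet("tcp", WAN_IP, 40000, WEB_SERVER, 443)
RETURN_SYNACK = Packet("tcp", WEB_SERVER, 443, WAN_IP, 40000, ack=True)
UNSOLICITED_SYN = Packet("tcp", "198.51.100.99", 51515, WAN_IP, 80)


def demo() -> dict:
    results = {
        "acl150_return": stateless_acl(ACL_150, RETURN_SYNACK)[0],
        "www_return": stateless_acl(ACL_150_WWW, RETURN_SYNACK)[0],
        "www_unsolicited": stateless_acl(ACL_150_WWW, UNSOLICITED_SYN)[0],
        "established_return": stateless_acl(ACL_150_ESTABLISHED, RETURN_SYNACK)[0],
        "established_unsolicited": stateless_acl(ACL_150_ESTABLISHED, UNSOLICITED_SYN)[0],
    }
    fw = StatefulInspector(ACL_150)
    fw.outbound(OUTBOUND_SYN)
    results["stateful_return"] = fw.inbound(RETURN_SYNACK)[0]
    results["stateful_unsolicited"] = fw.inbound(UNSOLICITED_SYN)[0]
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:25s} {verdict}")
```

Running it shows three things a reader of this thread would want confirmed: the server's SYN-ACK matches nothing in ACL 150 and is dropped by the implicit deny, so the diagnosis in the thread is right; the proposed "permit tcp any any eq www/https" entries do not match that return traffic either (its destination port is the client's ephemeral port, not 80 or 443) but they do admit an unsolicited connection from anywhere to the router's own port 80, which is exactly the exposure raised in the thread and matters because the posted config has "ip http server" turned on; and both the "established" keyword and a stateful inspector let the reply through while still denying the unsolicited SYN. The stateful model here is a teaching simplification and is not the real CBAC behaviour; consult the IOS documentation for the actual inspect or zone-based firewall configuration for the platform.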

Hi Paul,

 

Thanks for this, it looks like I don't have the code-base for these commands. I can go down that road, but ultimately this is going to be half of an IPsec VPN tunnel, which makes this configuration moot. I was just trying to logically progress through the steps of setting up a Cisco router, which is now very confusing to me. :)

 

In a fresh bare router, with a gig interface and a cell interface, how would you set up a private VLAN and network to be able to talk to the internet while not exposing your router to the world?

 

Is it this convoluted every time, or did I make it more confusing than it has to be with other commands/configurations? I am new to the Cisco CLI, so it is probably me. :)

 

Thank you for all of your help, I really appreciate it!
