Internet blocked on cisco 892

johan_th01
Level 1

I have some problems with internet connectivity; I tried different solutions, but traffic gets blocked.

First I tried to use reflexive ACLs:
#inspect?
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 icmp
ip inspect name DEFAULT100 netshow
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 esmtp
ip inspect name DEFAULT100 sqlnet
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 vdolive

#Lan connection to 192.168.115.0/24
interface FastEthernet0
no ip address

#Wan interface
interface GigabitEthernet0
description $ES_WAN$$FW_OUTSIDE$
ip address dhcp
ip access-group WAN_GE0_IN in
ip access-group WAN_GE0_OUT out
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat outside
ip inspect DEFAULT100 out
ip virtual-reassembly in
duplex auto
speed auto
crypto map WINVPN

#default vlan
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
ip address 192.168.115.253 255.255.255.0
ip access-group VLAN1 in
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1452

#nat
ip nat inside source list NAT_ADRESSES interface GigabitEthernet0 overload
ip nat inside source static tcp 192.168.115.11 80 interface GigabitEthernet0 80
ip nat inside source static tcp 192.168.115.11 443 interface GigabitEthernet0 443


#acl's
ip access-list standard NAT_ADRESSES
permit 192.168.115.0 0.0.0.255

ip access-list extended WAN_GE0_IN
evaluate TCPTRAFFIC
evaluate ICMPTRAFFIC
permit tcp any host <wanIP> eq 80
permit tcp any host <wanIP> eq 443
permit udp any eq bootps any eq bootpc
permit icmp any any echo-reply
permit icmp any any time-exceeded
permit icmp any any unreachable
permit ip host <remoteSupportIP> any
deny   ip 10.0.0.0 0.255.255.255 any
deny   ip 172.16.0.0 0.15.255.255 any
deny   ip 192.168.0.0 0.0.255.255 any
deny   ip 127.0.0.0 0.255.255.255 any
deny   ip host 255.255.255.255 any
remark Permit VPN
permit udp any any eq isakmp
permit esp any any
permit udp any any eq non500-isakmp
permit udp any any eq 10000
permit udp any any eq ntp
deny   ip any any

ip access-list extended WAN_GE0_OUT
permit tcp 192.168.115.0 0.0.0.255 any reflect TCPTRAFFIC
permit icmp 192.168.0.0 0.0.0.255 any reflect ICMPTRAFFIC
permit ip any any


After that I tried with "established" instead of reflect, still no luck:

int gi0
no ip access-group WAN_GE0_OUT out
no ip access-list extended WAN_GE0_OUT
no ip access-list extended WAN_GE0_IN
ip access-list extended WAN_GE0_IN
permit tcp any host <wanIP> eq 80
permit tcp any host <wanIP> eq 443
permit tcp any host <wanIP> established
permit udp any host <wanIP>
permit udp any eq bootps any eq bootpc
permit icmp any any echo-reply
permit icmp any any time-exceeded
permit icmp any any unreachable
permit ip host <remoteSupportIP> any
deny   ip 10.0.0.0 0.255.255.255 any
deny   ip 172.16.0.0 0.15.255.255 any
deny   ip 192.168.0.0 0.0.255.255 any
deny   ip 127.0.0.0 0.255.255.255 any
deny   ip host 255.255.255.255 any
remark Permit VPN
permit udp any any eq isakmp
permit esp any any
permit udp any any eq non500-isakmp
permit udp any any eq 10000
permit udp any any eq ntp
deny   ip any any

The only solution I've found so far is to put a "permit ip any any" in the WAN_GE0_IN ACL.
What could be the problem here?

5 Replies

John Blakley
VIP Alumni

Johan,

Can you get out to the internet when you don't have an ACL applied at all? And can you post the names of your ACLs with their entries? It's difficult to tell which entry belongs to which ACL the way that you've posted it.

John

HTH, John *** Please rate all useful posts ***

You can easily troubleshoot this case by running the "show ip access-list" command when you attempt to access the internet (as you mentioned, the problem is noticed when you try to access the internet).

Then check which entry in your access list is getting hits.

According to your output you should focus on the following access list:

WAN_GE0_IN ACL

Without an ACL I have no problems, and when using "permit ip any any" in WAN_GE0_IN it's also working.

When looking in "show ip access-lists" I see the traffic gets blocked by "WAN_GE0_IN deny ip any any".

Looking at the INSPECT commands, it should not even be necessary to use the reflexive ACL or to use ESTABLISHED. I just don't get why it is not working.

Here are the three ACLs again; I hope this gives a better overview.

#ACL NAT_ADDRESSES
ip access-list standard NAT_ADRESSES
permit 192.168.115.0 0.0.0.255

#ACL WAN_GE0_IN

ip access-list extended WAN_GE0_IN
evaluate TCPTRAFFIC
evaluate ICMPTRAFFIC
permit tcp any host <wanIP> eq 80
permit tcp any host <wanIP> eq 443
permit udp any eq bootps any eq bootpc
permit icmp any any echo-reply
permit icmp any any time-exceeded
permit icmp any any unreachable
permit ip host <remoteSupportIP> any
deny ip 10.0.0.0 0.255.255.255 any
deny ip 172.16.0.0 0.15.255.255 any
deny ip 192.168.0.0 0.0.255.255 any
deny ip 127.0.0.0 0.255.255.255 any
deny ip host 255.255.255.255 any
remark Permit VPN
permit udp any any eq isakmp
permit esp any any
permit udp any any eq non500-isakmp
permit udp any any eq 10000
permit udp any any eq ntp
deny ip any any                      <------------------- blocks the traffic coming back when trying to open a website from LAN

#ACL WAN_GE0_OUT

ip access-list extended WAN_GE0_OUT
permit tcp 192.168.115.0 0.0.0.255 any reflect TCPTRAFFIC
permit icmp 192.168.0.0 0.0.0.255 any reflect ICMPTRAFFIC
permit ip any any

Maybe it was mentioned already or not, but why don't you try Zone Based Firewall? You can get rid of these ACLs and use stateful firewalling on the router. I am sure the 892 with 15.X IOS supports it; I have an 881 with 15.X and ZBF works fine.

Problem is solved, working with CBAC now; deleted the 'reflexive' and 'established' rules from the ACLs.

Added:

ip inspect name DEFAULT100 dns

I wrongly assumed that was handled by:

ip inspect name DEFAULT100 udp
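As an added illustration (not posted by anyone in this thread), the Python model below evaluates the stateless WAN_GE0_IN entries top-down the way IOS does and shows why a DNS reply to a LAN lookup falls through to the flagged "deny ip any any" unless a session entry, the kind CBAC inspection or a reflexive entry creates, permits it first. Addresses are constructed: 203.0.113.10 stands in for <wanIP> and 198.51.100.53 for an upstream resolver; the session-table logic is a simplified stand-in for CBAC, not IOS code.

```python
import ipaddress

# Constructed stand-ins; the thread only shows the <wanIP> placeholder.
WAN_IP, RESOLVER = "203.0.113.10", "198.51.100.53"

def wildcard_match(addr, spec):
    """IOS address spec: 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD' (1 = don't care)."""
    if spec == "any":
        return True
    tokens = spec.split()
    if tokens[0] == "host":
        return addr == tokens[1]
    net, wc = (int(ipaddress.IPv4Address(t)) for t in tokens)
    return (int(ipaddress.IPv4Address(addr)) | wc) == (net | wc)

# Stateless entries of WAN_GE0_IN from the thread, same order; fields are
# (action, protocol, source spec, destination spec, destination port or None).
WAN_GE0_IN = [
    ("permit", "tcp", "any", f"host {WAN_IP}", 80),
    ("permit", "tcp", "any", f"host {WAN_IP}", 443),
    ("permit", "udp", "any", "any", 68),                       # bootpc (DHCP)
    ("deny",   "ip",  "192.168.0.0 0.0.255.255", "any", None),
    ("permit", "udp", "any", "any", 500),                      # isakmp
    ("permit", "udp", "any", "any", 4500),                     # non500-isakmp
    ("permit", "udp", "any", "any", 123),                      # ntp
    ("deny",   "ip",  "any", "any", None),   # the entry flagged in the thread
]

def first_match(acl, proto, src, dst, dport):
    """Top-down first-match evaluation as IOS does it; returns (action, entry)."""
    for entry in acl:
        action, eproto, esrc, edst, eport = entry
        if eproto in ("ip", proto) and wildcard_match(src, esrc) \
                and wildcard_match(dst, edst) and eport in (None, dport):
            return action, entry
    return "deny", None  # implicit deny at the end of every IOS ACL

def inbound_decision(sessions, proto, src, sport, dst, dport):
    """Stateful check first, then the ACL. `sessions` holds outbound flows as
    (proto, src-after-NAT, sport, dst, dport); the reverse 5-tuple is let in."""
    if (proto, dst, dport, src, sport) in sessions:
        return "permit", "session-table"
    return first_match(WAN_GE0_IN, proto, src, dst, dport)

def dns_reply_outcomes():
    """Reply to a lookup that left NATed as WAN_IP:40000 -> RESOLVER:53, evaluated without and with a session entry."""
    reply = ("udp", RESOLVER, 53, WAN_IP, 40000)
    no_state = inbound_decision(set(), *reply)[0]
    inspected = inbound_decision({("udp", WAN_IP, 40000, RESOLVER, 53)}, *reply)[0]
    return no_state, inspected
```

Running dns_reply_outcomes() gives ("deny", "permit"): the same reply is dropped by the last entry when no state exists and admitted once the outbound query has been recorded, which is what adding the dns inspection rule achieved.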
