Possible firewall / acl issue ?

mcbosher71
Level 1

Can anyone help please ?

I need my web server to be accessible and I have used:

ip nat inside source static tcp 80 interface fa0/0 80 but the packets are still being blocked by the access-list, maybe?

%SEC-6-IPACCESSLOGP: list 101 denied tcp 119.63.196.89(34388) -> 81.***.***.***(80)

First off, is it safe to post your security / access list on here?

Many thanks guys

24 Replies

Garry,

This would have only worked if you had a public address to map the internal web server IP to; I assumed you did have one.

Can you, for testing, remove CBAC and ACLs from your interface settings?

Then, if you get a connection, reapply the ACLs, making sure the TCP statement for port 80 isn't listed as a low priority in the ACL.

res

Paul


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Hi pdriver,

I have disabled the ACL 100 in and 101 in, but I don't know what you mean by CBAC?

Internet is working again now, but for how long?

This happened before ... it worked, then slowly blocked, and no HTTP?

Phish#sh startup-config
Using 1818 out of 196600 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Phish
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$mUiL$Wp/m0Ciaigy4nQA77SeI0.
enable password *********
!
no aaa new-model
ip cef
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.1 192.168.1.30
!
ip dhcp pool insudeDHCP
   network 192.168.1.0 255.255.255.0
   default-router 192.168.1.1
!
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW dns
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW https
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW imap
ip inspect name SDM_LOW pop3
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW esmtp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW vdolive
!
interface FastEthernet0/0
 description WAN$FW_OUTSIDE$
 mac-address 0012.1742.1fe9
 ip address dhcp
 ip access-group 101 in
 ip nat outside
 ip inspect SDM_LOW out
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet0/1
 description LAN$FW_INSIDE$
 ip address 192.168.1.1 255.255.255.0
 ip access-group 100 in
 ip nat inside
 ip virtual-reassembly
 speed auto
 full-duplex
 no mop enabled
!
no ip http server
no ip http secure-server
ip nat inside source list 1 interface FastEthernet0/0 overload
ip nat inside source static tcp 192.168.1.10 80 interface FastEthernet0/0 80
!
access-list 1 permit 192.168.1.0 0.0.0.255
!
control-plane
!
line con 0
line aux 0
line vty 0 4
 password *******
 login
!
scheduler allocate 20000 1000
end

This is before applying John's settings.

thanks

Hi Garry,

Remove ip inspect SDM_LOW out from your WAN interface.

Do you say that you now have a connection to your web server?

Kind Regards
Paul

Hi,

Yes, I have Internet again, but no www routing to my server.

Will remove ip inspect SDM_LOW out now ... brb

Thanks

OK, done that ... removed ip inspect SDM_LOW for HTTP only.

Here is a port scan result:

GRC Port Authority Report created on UTC: 2011-07-21 at 07:54:06

Results from scan of ports: 0, 21-23, 25, 79, 80, 110, 113,
                            119, 135, 139, 143, 389, 443, 445,
                            1002, 1024-1030, 1720, 5000

    2 Ports Open
   21 Ports Closed
    3 Ports Stealth
---------------------
   26 Ports Tested

Ports found to be OPEN were: 23, 80
Ports found to be STEALTH were: 135, 139, 445
Other than what is listed above, all ports are CLOSED.

TruStealth: FAILED - NOT all tested ports were STEALTH,
                   - NO unsolicited packets were received,
                   - A PING REPLY (ICMP Echo) WAS RECEIVED.

Okay, so can you now post your existing config:

Kind Regards
Paul

Garry,

It looks like you have removed the ACL config instead of just removing the ip access-group statements. It would be good to remove all IOS security just for the time being, but if you don't wish to do that, try the following.


int fa0/1
 no ip access-group 100 in

add:

ip inspect name SDM_LOW http
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0
no access-list 101
access-list 101 deny   ip 192.168.1.0 0.0.0.255 any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 deny   ip 172.16.0.0 0.0.255.255 any
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any
access-list 101 deny   ip 224.0.0.0 15.255.255.255 any
access-list 101 deny   ip any host 192.168.1.255
access-list 101 deny   ip any host 192.168.1.0
access-list 101 permit tcp any any eq www   (or use public ip address)
access-list 101 deny   icmp any any redirect
access-list 101 deny   icmp any any mask-request
access-list 101 permit icmp any host x.x.x.x   (public ip address)
ip nat inside source list 1 interface FastEthernet0/0 overload
ip nat inside source static tcp 192.168.1.10 80 interface FastEthernet0/0 80

res

Paul

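Both the IPACCESSLOGP line Garry quoted at the top of the thread and Paul's point about where the port-80 permit sits in the list come down to first-match evaluation of the extended ACL. The following is an added example, not code from this thread or from Cisco: a small Python first-match evaluator for the subset of extended-ACL syntax used above (ip/tcp, any/host/wildcard, eq port, trailing log) that parses the quoted log line and runs that packet through ACL 101 with the www permit placed after and before an assumed SDM-style `deny ip any any log` trailer. The public address 81.0.0.1 is a constructed placeholder for the masked one in the log.

```python
import ipaddress
import re
# Constructed inputs: the thread's denied-packet log line (masked public IP -> placeholder 81.0.0.1)
LOG_LINE = "%SEC-6-IPACCESSLOGP: list 101 denied tcp 119.63.196.89(34388) -> 81.0.0.1(80)"
LOG_RE = re.compile(r"list (\S+) (permitted|denied) (\w+) (\S+)\((\d+)\) -> (\S+)\((\d+)\)")
PORT_NAMES = {"www": 80, "telnet": 23, "ftp": 21, "smtp": 25, "domain": 53}
ANTI_SPOOF = [  # anti-spoofing denies from the thread, kept in the suggested order
    "access-list 101 deny ip 192.168.1.0 0.0.0.255 any",
    "access-list 101 deny ip 127.0.0.0 0.255.255.255 any",
    "access-list 101 deny ip 192.168.0.0 0.0.255.255 any",
]
WWW_PERMIT = "access-list 101 permit tcp any any eq www"
CATCH_ALL = "access-list 101 deny ip any any log"        # assumed SDM-style trailer
ACL_PERMIT_LAST = ANTI_SPOOF + [CATCH_ALL, WWW_PERMIT]   # permit sits below the deny
ACL_PERMIT_FIRST = ANTI_SPOOF + [WWW_PERMIT, CATCH_ALL]  # permit evaluated first

def parse_acl_log(line):
    """Turn an IPACCESSLOGP syslog line into (proto, src, sport, dst, dport)."""
    m = LOG_RE.search(line)
    if not m:
        raise ValueError("not an IPACCESSLOGP line")
    return m[3], m[4], int(m[5]), m[6], int(m[7])

def _match_addr(tokens, addr):
    """Consume one address spec (any | host A | A WILDCARD); return (matched, rest)."""
    if tokens[0] == "any":
        return True, tokens[1:]
    if tokens[0] == "host":
        return addr == tokens[1], tokens[2:]
    base, wild = (int(ipaddress.IPv4Address(t)) for t in tokens[:2])
    keep = 0xFFFFFFFF ^ wild  # wildcard 1-bits are don't-care, 0-bits must match
    return (int(ipaddress.IPv4Address(addr)) & keep) == (base & keep), tokens[2:]

def acl_lookup(acl_lines, packet):
    """First-match evaluation of extended ACL entries, ending in the implicit deny."""
    proto, src, _sport, dst, dport = packet
    for line in acl_lines:
        t = line.split()  # access-list <n> <action> <proto> <src> <dst> [eq <port>] [log]
        action, aproto = t[2], t[3]
        if aproto not in ("ip", proto):
            continue
        ok, rest = _match_addr(t[4:], src)
        if ok:
            ok, rest = _match_addr(rest, dst)
        if not ok:
            continue
        if rest[:1] == ["eq"] and PORT_NAMES.get(rest[1], rest[1]) not in (dport, str(dport)):
            continue
        return action, line
    return "deny", "implicit deny at end of list"
```

Running the quoted packet through ACL_PERMIT_LAST returns the deny trailer, and through ACL_PERMIT_FIRST returns the www permit, which is exactly the ordering Paul is asking Garry to check.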

Hi Paul,

Sorry, but I have been unable to make any posts from my network on the 1841?

And today is the first day I have been able to use my iPhone on this forum too?

I tried your setting and I lost all Internet access, so I have wiped and restarted, as I feel the IOS security was an issue.

So I am back with a default config again and I now have Internet access yet again.

My server is accessible from my iPhone on 3G, but not using the Internet to my domain name on my PC that is on the 1841 network, though I can access my server on my internal LAN?

Will try and get the basic config up for you in the next few hrs.

Thanks for your time.

Hi,

I think I have found the reason for all of this: not being able to call my www up from my external address.

It's a DNS issue...sort of, as well as a consumer router issue...sort of.

Essentially, most businesses are running their own DNS server, so you just need to put the appropriate entries into DNS, but it probably doesn't need to be the full domain, just the name (example, "mailserver" instead of "mailserver.domain.com").

Most consumer routers have a loopback style feature that will allow you to resolve back to internal devices using the external IP address or DNS name.


I believe that something like this would correct this? Correct me please if need be ...

ip dns view default
 domain timeout 1
 domain retry 0
 domain round-robin
 dns forwarder 4.2.2.2
 dns forwarder 4.2.2.1
ip dns server

Then just make sure your DNS server matches your router's internal IP in your DHCP scope.

ip dhcp pool insideDHCP
 network 192.168.1.0 255.255.255.0
 dns-server 192.168.1.1
 default-router 192.168.1.1

Any thoughts?
Thank you.

mcbosher71
Level 1

Hi,

Well, it's been a month or so now and all is pretty much OK, with a few exceptions, and it is about the fact I just can't access my external IP address from inside the network I'm hosting my server from.

I was told it's due to the device not allowing it?

So thanks again to those of you who had the time to help out.