Extended ACL "Established or Reflective"

charles-moore
Level 1

Hi All,

NEED A LITTLE HELP !

I have a 2811 Router connected to my ISP using NAT.

I have no issues with my network; it works well and is very fast. However, I have decided to tighten up on my security and looked at utilizing an extended ACL to allow / permit any external host to connect to my hosts, using the ACL command "established".

The issue I have: when I apply the ACL to int Fa0/0 on R1, the rule blocks all access to the WAN link.

Not sure what I'm doing wrong, but I'm obviously missing something. I have tried using either of the two ACLs below; currently I'm using ACL 101.

Please note from a "sh access-list 101" you can see the ACL is being hit, as there are 94 matches.

Your help is appreciated.

IP access list 101
10 permit tcp any any established

or

Extended IP access list Established_Connection 
    10 permit tcp 10.1.1.0 0.0.0.255 any established
    20 permit tcp 10.2.2.0 0.0.0.255 any established
    30 permit tcp 10.3.3.0 0.0.0.255 any established
    40 permit tcp 172.16.1.0 0.0.0.255 any established
    50 permit tcp 192.168.1.0 0.0.0.255 any established
    60 permit tcp 172.12.123.0 0.0.0.255 any established
    70 permit tcp 172.12.124.0 0.0.0.255 any established
    80 permit tcp 172.23.23.0 0.0.0.255 any established

Sh access-list

Extended IP access list 101
10 permit tcp any any established (94 matches)

interface FastEthernet0/0
description Bridgewood WAN Connection-2
ip address dhcp
ip nat outside
ip access-group 101 in
ip virtual-reassembly
duplex full
speed 100
end

[Attachment: Network.jpg]


Jason Masker
Level 1

Where do you have the "Established_Connection" ACL that you have specified applied?

Jon Marshall
Hall of Fame

Charles

I have no issues with my network; it works well and is very fast. However, I have decided to tighten up on my security and looked at utilizing an extended ACL to allow / permit any external host to connect to my hosts, using the ACL command "established".

Just to clarify what you mean by the above. Do you mean to allow external hosts to send return traffic to your internal hosts, i.e. the internal host has initiated the connection?

How have you tested the access from an internal host once you applied ACL 101?

Jon

Yes !

To allow external hosts to send return traffic to my internal hosts, i.e. the internal host has initiated the connection.

When I apply ACL 101 to fa0/0, the internal hosts are unable to connect to the WAN.

interface FastEthernet0/0
description Bridgewood WAN Connection-2
ip address dhcp
ip nat outside
ip access-group 101 in
ip virtual-reassembly
duplex full
speed 100

How are you trying to connect with the internal hosts, i.e. are you trying to use HTTP or ping or something else?

Also bear in mind that if your clients resolve DNS names off an internet DNS server, then you need to allow UDP DNS responses. If you are using HTTP, have you tried connecting to an IP address rather than a URL?

Jon
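To make Jon's point concrete, here is an added example (not from this thread or from Cisco): a small evaluator for a subset of IOS extended ACL syntax, run over constructed packets arriving inbound on the "ip nat outside" interface. On IOS an inbound ACL on the outside interface is checked before NAT translation for outside-to-inside traffic, so the constructed packets are addressed to the router's public address (203.0.113.5 is a placeholder for the DHCP-learned WAN address; the server addresses are RFC 5737 documentation ranges). The "established" keyword matches only TCP segments with ACK or RST set, so a UDP DNS answer never matches it and falls through to the implicit deny, which is exactly the symptom described (TCP counters climbing while browsing fails). The "fixed" list adds the UDP DNS-reply entry Jon describes. Reflexive ACLs ("reflect"/"evaluate", the "Reflective" in the thread title) would track the UDP session instead of relying on a static entry; they are not modelled here.

```python
# Added example: evaluate constructed packets against IOS-style ACL entries.
# Supports: [seq] permit|deny tcp|udp|icmp|ip SRC [eq PORT] DST [eq PORT] [established]
# where SRC/DST is 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'. Not Cisco code.
import ipaddress
from dataclasses import dataclass

PORT_NAMES = {"domain": 53, "www": 80}   # IOS port keywords used in this example


@dataclass
class Packet:
    proto: str            # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    ack: bool = False     # TCP ACK flag
    rst: bool = False     # TCP RST flag


def _match_addr(tokens, ip):
    """Consume 'any' | 'host A' | 'A WILDCARD' from tokens and test ip against it."""
    tok = tokens.pop(0)
    if tok == "any":
        return True
    if tok == "host":
        return ip == tokens.pop(0)
    mask = ~int(ipaddress.IPv4Address(tokens.pop(0))) & 0xFFFFFFFF   # wildcard -> netmask
    return (int(ipaddress.IPv4Address(ip)) & mask) == (int(ipaddress.IPv4Address(tok)) & mask)


def _match_port(tokens, port):
    """Consume an optional 'eq PORT' qualifier; no qualifier matches every port."""
    if tokens and tokens[0] == "eq":
        tokens.pop(0)
        name = tokens.pop(0)
        return port == (PORT_NAMES[name] if name in PORT_NAMES else int(name))
    return True


def ace_matches(ace, pkt):
    """Return 'permit'/'deny' if one access-control entry matches pkt, else None."""
    tokens = ace.split()
    if tokens[0].isdigit():                     # optional sequence number
        tokens.pop(0)
    action, proto = tokens.pop(0), tokens.pop(0)
    if proto != "ip" and proto != pkt.proto:
        return None
    if not _match_addr(tokens, pkt.src):
        return None
    if proto in ("tcp", "udp") and not _match_port(tokens, pkt.sport):
        return None
    if not _match_addr(tokens, pkt.dst):
        return None
    if proto in ("tcp", "udp") and not _match_port(tokens, pkt.dport):
        return None
    if "established" in tokens:
        # 'established' matches only TCP segments with ACK or RST set, i.e. replies
        # to sessions an inside host started. A bare SYN, or any UDP, never matches.
        if pkt.proto != "tcp" or not (pkt.ack or pkt.rst):
            return None
    return action


def evaluate(acl, pkt):
    """First matching entry wins; every IOS ACL ends in an implicit 'deny ip any any'."""
    for ace in acl:
        result = ace_matches(ace, pkt)
        if result is not None:
            return result
    return "deny"


# Constructed sample traffic arriving inbound on Fa0/0 (destination = router WAN address).
WAN_IP = "203.0.113.5"
web_reply = Packet("tcp", "198.51.100.7", WAN_IP, 443, 40001, ack=True)   # SYN-ACK from a web server
dns_reply = Packet("udp", "198.51.100.53", WAN_IP, 53, 40002)              # answer from a DNS server
inbound_syn = Packet("tcp", "198.51.100.99", WAN_IP, 51515, 22)            # unsolicited connection attempt

ACL_101_ORIGINAL = ["10 permit tcp any any established"]
ACL_101_FIXED = [
    "10 permit tcp any any established",
    "20 permit udp any eq domain any",   # DNS replies (source port 53) from any resolver
]


def results(acl):
    """Verdict per sample packet, so the two ACL variants can be compared side by side."""
    samples = [("web_reply", web_reply), ("dns_reply", dns_reply), ("inbound_syn", inbound_syn)]
    return {name: evaluate(acl, pkt) for name, pkt in samples}


if __name__ == "__main__":
    for label, acl in (("original", ACL_101_ORIGINAL), ("fixed", ACL_101_FIXED)):
        print(label, results(acl))
```

Running it shows the original list permitting the TCP reply but dropping the DNS answer, while the fixed list permits both and still drops the unsolicited SYN. The "established" entry is a weak filter on its own: it tests flag bits, not session state, so anything with ACK set is let through regardless of whether an inside host ever started the connection; a reflexive ACL or a stateful firewall feature is the stronger control.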

Hi Jon,

I think you're right; a light bulb just came on. I think I need to add the following to access-list 101.

IP access list 101
10 permit tcp any any established

permit udp 92.238.44.0 0.0.0.255 any

Extended IP access list 101
10 permit tcp any any established (94 matches)

interface FastEthernet0/0
description Bridgewood WAN Connection-2
ip address dhcp
ip nat outside
ip access-group 101 in
ip virtual-reassembly
duplex full
speed 100
end

charles-moore wrote:

Hi Jon,

I think you're right; a light bulb just came on. I think I need to add the following to access-list 101.

IP access list 101
10 permit tcp any any established

permit udp 92.238.44.0 0.0.0.255 any

Extended IP access list 101
10 permit tcp any any established (94 matches)

interface FastEthernet0/0
description Bridgewood WAN Connection-2
ip address dhcp
ip nat outside
ip access-group 101 in
ip virtual-reassembly
duplex full
speed 100
end

Charles

Presumably 92.238.44.x are the DNS server addresses, yes?

Please let me know if this works, as I'm interested to find out.

Jon

Hi, the IP address was just a figure of speech, but I was referring to DNS.

Nevertheless, I'm still having the same issues.

Any ideas, anyone?

Regards

charles
