Hi,

your proposal solves the first issue. Thanks!

However, the second issue remains. I can't access the web from the inside LAN.

show ip access-lists gives:

Extended IP access list 101

    10 permit ip 192.168.43.0 0.0.0.255 any (567952 matches)

Extended IP access list 112

    10 permit icmp any any (14 matches)

    20 permit udp any any eq bootpc (5 matches)

    30 permit udp any any eq bootps

    40 deny ip any any log (1920 matches)

Extended IP access list 102

    10 permit udp any any eq bootpc

    20 permit udp any any eq bootps (52 matches)

    40 permit tcp 192.168.43.0 0.0.0.255 any (170963 matches)

    50 permit udp 192.168.43.0 0.0.0.255 any (227216 matches)

    60 permit icmp 192.168.43.0 0.0.0.255 any (61 matches)

    70 deny ip any any (15 matches)

I've changed the inspection rule (bound to incoming packets on the internal interface) to read:

ip inspect name firewall udp timeout 15

ip inspect name firewall tcp timeout 3600

ip inspect name firewall bootpc

ip inspect name firewall bootps

I'm not sure if letting through bootpc is a good idea here, just did it for testing purposes.

Any further ideas?

Hi again.

Good to hear that something works

Is the router itself able to reach the internet?

For the "inspect ... bootpc": It doesn't have to be there, there is no need for it. Bootpc and bootps is UDP so it's already inspected.

Aparently the traffic returning is getting dropped... It's like the firewall isn't letting through the return-traffic...

Other than that I'm kind of clueless at the moment... What you can do is to try some debugs:

debug ip inspect events

debug ip inspect detail

debug ip inspect tcp
debug ip inspect udp

Try them one at a time and see what result you get. If you are connected using telnet/ssh; use "terminal monitor" to see these commands.

Hi,

on the router, doing e.g. telnet www.google.com 80 doesn't work either with the extern ACL switched on.

debug ip inspect events gives alot of lines like the following (list 112 was renamed to list extern):

005488: Feb  1 17:35:29.651 MEZ: FIREWALL sent a TCP pkt (***.***.***.***:32244) tcp flag:0x4 -> ***.***.***.***:53986 seq 0 ack 0 wnd 2048, FastEthernet4

005489: Feb  1 17:35:29.651 MEZ: FIREWALL sent a TCP pkt (***.***.***.***:53986) tcp flag:0x4 -> ***.***.***.***:32244 seq 325246413 ack 0 wnd 0, Vlan1

005490: Feb  1 17:35:29.679 MEZ: %SEC-6-IPACCESSLOGP: list extern denied tcp ***.***.***.***(80) -> ***.***.***.***(50057), 1 packet

005491: Feb  1 17:35:30.619 MEZ: %SEC-6-IPACCESSLOGRL: access-list logging rate-limited or missed 315 packets

005492: Feb  1 17:35:30.707 MEZ: %SEC-6-IPACCESSLOGP: list extern denied udp ***.***.***.***(57851) -> ***.***.***.***(20370), 1 packet

debug ip inspect detaill gives output like the following. The "denied" messages occur relatively seldom:

007165: Feb  1 17:39:42.507 MEZ: FIREWALL: Finding pregen session for src_tableid:0, src_addr:192.168.43.139, src_port:20370, dst_tableid:0, dst_addr:***.***.***.***, dst_port:15756

007166: Feb  1 17:39:42.507 MEZ: FIREWALL: Finding pregen session for src_tableid:0, src_addr:192.168.43.139, src_port:20370, dst_tableid:0, dst_addr:***.***.***.***, dst_port:15756

007167: Feb  1 17:39:42.691 MEZ: %SEC-6-IPACCESSLOGP: list extern denied tcp ***.***.***.***(80) -> ***.***.***.***(59311), 1 packet

debug ip inspect tcp/udp does not exist on my router

Does this help?

If you are using access-list 112 on your outside interface you don't have a rule allowing access from your internal addresses to the Internet. The only two things you are allowing on the outside interface are:

access-list 112 permit icmp any any (which is ping)

access-list 112 deny   ip any any log (your traffic gets denied here)

Make sure your access-list to allow the traffic (after you create it) is before the deny access-list.

Also make sure your default route is setup correctly and nat is configured.

He is using CBAC, which should allow the return-traffic, eventhough there is a ACL on the outside-interface.

The debugs didn't help a bit

Sorry, I'm clueless atm... If you have advanced IP services or avanced enterprise IOS you could configure Zone-based Firewall instead, which is anewer and better IOS firewall.

default route is set to point to the internet-modem (see my config) and nat works properly without the CBAC.

So your "outside" interface has received an address via DHCP?

Please post your current ACLs.

Sent from Cisco Technical Support iPhone App

As I didn't (couldn't, because of my users) restart the router, it still uses its address, that was obtained before the access-list extern was brought up. Anyway see my ACLs here: As you can verify, bootpc is working with the ACL activated:

Extended IP access list 101

    10 permit ip 192.168.43.0 0.0.0.255 any (950718 matches)

Extended IP access list extern

    10 permit icmp any any (64 matches)

    20 permit udp any any eq bootpc (26 matches)

    30 permit udp any any eq bootps

    40 deny ip any any log (4732 matches)

Extended IP access list intern

    10 permit udp any any eq bootpc (1 match)

    20 permit udp any any eq bootps (5674 matches)

    40 permit tcp 192.168.43.0 0.0.0.255 any (10637534 matches)

    50 permit udp 192.168.43.0 0.0.0.255 any (4528087 matches)

    60 permit icmp 192.168.43.0 0.0.0.255 any (4605 matches)

    70 deny ip any any (10578 matches)

Hi Mitch,

I did this after Hendrik's first proposal, see my second post (Ok, the entries are in different order, but bootpc permission comes before ip-any denial, so everything should be fine).

Thanks,

Benjamin

Hello again!

Great that you worked that out.

What I think will fix this issue is to change the location of the inspection:

interface Vlan1

no ip inspect firewall in

interface FastEthernet4

ip inspect firewall in out