Help with ACL on new bridged config

commandlinekid
Level 1

Hello. THANK YOU in advance for helping me. -J

 

Background: My config until yesterday: Old ISP: traditionally routed /28 to the WAN interface, with VLANs on a 1924 attached to my 2621. One VLAN was NATted using one of the /28 IPs as the overload address, and the other VLAN was the /28 itself for servers.

 

My config now and what I need help with:

1.) I have a new ISP and new /28 assigned to my bridged connection (ethernet).

2.) Problem is: they won't route me the subnet, but instead they'll hang it off their router and make me use the first IP in the subnet as my gateway.

3.) Now: I have this working but I'm having a problem assigning ACL and inspect FOR the 0/1.4 interface (NAT interface seems fine) so my servers have these ACLs assigned like they used to.

 

My setup in layman's terms as new background:

1.) Same VLAN setup as before. One NATting and one with Public IPs.

2.) I can assign the inspect stuff to the BVI interface BUT....my FE 0/1.4 which has my public IPs on it is WIDE open and the ACL isn't taking on there.

Question: How do I fix?

 

Here is my config. So again, it's all working fine except on FE 0/1.4, where I have my servers (public IPs of the /28); there I cannot assign these two things that I need:

ip access-group internet-facing in
ip inspect AllowtoComeBack out

 

Config (partial):

!
interface FastEthernet0/0
description DMZ TO ISP
no ip address
no ip mroute-cache
duplex auto
speed auto
ntp disable
no cdp enable
bridge-group 32
!
interface FastEthernet0/1
description dot1Q trunk to switch 10.1.40.2
no ip address
no ip mroute-cache
duplex auto
speed auto
ntp disable
!
interface FastEthernet0/1.2
description EMPLOYEE VLAN 2
encapsulation dot1Q 2
ip address 10.1.41.1 255.255.255.0
ip helper-address 10.1.41.3
no ip redirects
ip nat inside
no snmp trap link-status
!
interface FastEthernet0/1.4
description Internet SERVERS PUBLIC IPS IN THE /28
encapsulation dot1Q 4
no ip redirects
no snmp trap link-status
no cdp enable
bridge-group 32
bridge-group 32 spanning-disabled
!
interface BVI32
ip address 207.81.254.137 255.255.255.240
ip access-group internet-facing in
no ip redirects
ip nat outside
ip inspect AllowtoComeBack out
crypto map cm-cryptomap
!
ip nat pool thenatpool 207.81.254.137 207.81.254.137 netmask 255.255.255.240
ip nat inside source route-map nat-allow interface BVI32 overload
no ip http server
no ip http secure-server
ip classless
ip route 0.0.0.0 0.0.0.0 207.81.254.129
!
ip access-list extended internet-facing
permit udp host 192.5.41.40 host 207.81.254.137 eq ntp
permit udp host 192.5.41.41 host 207.81.254.137 eq ntp
permit tcp any 207.81.254.128 0.0.0.15 eq www
permit tcp any 207.81.254.128 0.0.0.15 eq 993
permit tcp any 207.81.254.128 0.0.0.15 eq pop3
permit tcp any 207.81.254.128 0.0.0.15 eq smtp
deny ip any any


Reza Sharifi
Hall of Fame

Hi,

So, to summarize, you are trying to apply these access-lists

ip access-group internet-facing in
ip inspect AllowtoComeBack out

to interface FastEthernet0/1.4 and BVI32, BVI32 takes the command but not fa0/1.4, right?

HTH

Sort of. I wrote it a little wrong. Almost. 

 

1.) I want:

ip access-group internet-facing in
ip inspect AllowtoComeBack out

...To apply to FastEthernet 0/0. They used to be on "Dialer 1" which was attached to FastEthernet 0/0 but now FE 0/0 is a L2 bridge.

 

2.) I don't think it matters if they're on BVI32 or not, since it's NATting and these ACLs were made for the public /28 block, but yes, I have it on that interface too.

 

So #1 above is really my priority.

Because: Right now I am Wide open. I can Ping, SSH, whatever... to ANY of the IPs on the /28 and it's scaring me. I need that extended access-list called "internet-facing" to take hold. 

 

Thank you.

But yes, Fast Ethernet 0/1.4 is where my public IPs are and what I need protected BUT as with before I think the ACL should be on the "most wan address" which used to be the Dialer and is now the FastEthernet 0/0. It's just not taking. Thanks.

 

Joe

 

 

It appears the access-group "internet-facing" is now applying TO my NAT overload IP instead of the public IPs (/28). It's supposed to apply to those. Any idea?

commandlinekid
Level 1

What I think is now happening: The ACL is Only being applied to the NAT stuff. It's not being applied to anything going over that bridge group. Is that because it's L2? Fine...but how on earth is this a reasonable solution when of Course we need an ACL to apply to traffic?

 

So how do I take this subnet assigned to a router on the other side of my bridge (the ISP), who is using the first usable IP as the router... and use the rest of the addresses on my virtual interface FE 0/1.4? With an ACL?

 

Please advise. Thanks

So, when the ACL is applied on the BVI, it is not effective at all?

Do you see the ACL counter increasing at all by using "sh ip access-list <name of the access list>"

HTH

Hi.

 

1.) The access-list counter is only showing (and incrementing) for the One "overload IP" I have set on the BVI which means.... only NAT traffic is being seen I believe by that ACL.

 

2.) Can you please clarify: should the gateway router of my devices using the /28 (hanging off FE 0/1.4) be the address I have configured for the BVI? I did (until just now) have it set to the first IP in the /28, which my ISP is holding on their side. This IP on the BVI also happens to be the NAT overload, but that's a separate thing. I read somewhere this should be the case. What I notice if I do this is weird: the ACL, if I make it have nothing at all in it (empty), will allow all packets to pass for the "real IPs" on FE 0/1.4. BUT... if I put in even one little thing there, like say "eq icq" or something I'm not using, it makes the gateway unreachable, and pinging from a server says "destination unreachable."
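As an added example (not from the thread or from Cisco), a small Python helper that parses the output of the "sh ip access-list" check suggested above and separates the permit hits on the BVI/overload address from hits on entries covering the rest of the /28; the sample output and its match counts are constructed to mirror the ACL posted in the thread.

```python
import ipaddress
import re

# Constructed "show ip access-lists" output for the ACL posted in the thread; counts invented.
SHOW_OUTPUT = """\
Extended IP access list internet-facing
    10 permit udp host 192.5.41.40 host 207.81.254.137 eq ntp (42 matches)
    20 permit udp host 192.5.41.41 host 207.81.254.137 eq ntp (39 matches)
    30 permit tcp any 207.81.254.128 0.0.0.15 eq www
    40 permit tcp any 207.81.254.128 0.0.0.15 eq 993
    50 permit tcp any 207.81.254.128 0.0.0.15 eq pop3
    60 permit tcp any 207.81.254.128 0.0.0.15 eq smtp
    70 deny ip any any (118 matches)
"""

# seq action proto src dst [eq PORT] [(N matches)]; IOS appends the counter only once hit.
ACE_RE = re.compile(
    r"^\s*(?P<seq>\d+)\s+(?P<action>permit|deny)\s+(?P<proto>\S+)\s+"
    r"(?P<src>any|host \S+|\S+ \S+)\s+(?P<dst>any|host \S+|\S+ \S+)"
    r"(?:\s+eq\s+(?P<port>\S+))?(?:\s+\((?P<matches>\d+) matches\))?\s*$"
)

def spec_to_network(spec):
    """ACE address spec (any / host A.B.C.D / A.B.C.D WILDCARD) -> IPv4Network."""
    if spec == "any":
        spec = "0.0.0.0 255.255.255.255"  # 'any' is the all-ones wildcard
    elif spec.startswith("host "):
        spec = spec.split()[1] + " 0.0.0.0"  # 'host' is the all-zeros wildcard
    addr, wildcard = spec.split()
    # An IOS wildcard is an inverted netmask: 0.0.0.15 -> 255.255.255.240 -> /28
    netmask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF)
    return ipaddress.IPv4Network((addr, str(netmask)), strict=False)

def parse_show_ip_access_list(text):
    """Return the ACEs of one 'show ip access-lists' block as dicts (header line skipped)."""
    aces = []
    for line in text.splitlines():
        if m := ACE_RE.match(line):
            aces.append({"seq": int(m["seq"]), "action": m["action"], "port": m["port"],
                         "dst": spec_to_network(m["dst"]), "matches": int(m["matches"] or 0)})
    return aces

def hit_report(aces, bvi_ip):
    """Permit hits on BVI-only entries vs the rest of the /28; other_hits == 0 is the symptom."""
    bvi_net = ipaddress.IPv4Network(bvi_ip + "/32")
    report = {"bvi_only_hits": 0, "other_hits": 0}
    for ace in aces:
        if ace["action"] == "permit":  # the trailing deny matches everything, so skip it
            key = "bvi_only_hits" if ace["dst"] == bvi_net else "other_hits"
            report[key] += ace["matches"]
    return report
```

Paste real output in place of the constructed sample: if only the host .137 entries accumulate matches while the /28 entries stay at zero, the bridged server traffic is not being evaluated by this ACL, which is what the counters in the thread indicated.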

Since the servers' IPs are in the same subnet as the provider IP address .129,

The gateway for all your servers should be .129 and not the BVI's IP address (.137)

 

HTH

The problem is if I don't use .137 the traffic appears to skip right over that ACL. It isn't even addressed. 

Can you help me understand this? When I had a traditional ACL it made sense. Now it seems like with this setup "in is out" and "out is in." The only way the ACL works is if I write it almost backwards. I don't get it.
