problem with access list deny

goran ljubic · ‎08-20-2015

i have cisco router 1921 that connect two network 192.168.0.0/24 and 192.168.200.0/24 in network 192.168.200.0/24 i have servers, in network 192.168.0.0/24 i have workstations that access to servers. problem is that my workstations can access to servers but my servers can not access workstations when i set rule deny ip any any on inbound traffic outside interface but when i set permit rule permit ip any any instead deny rule my servers can access to workstations.can you help me? my configuration is

Building configuration...

Current configuration : 9484 bytes

!

! Last configuration change at 09:01:44 Prague Thu Aug 20 2015 by administrator

version 15.2

service timestamps debug datetime msec

service timestamps log datetime msec

service password-encryption

!

hostname servers-r

!

boot-start-marker

boot-end-marker

!

logging buffered 51200 warnings

enable secret 5 $1$zUjL$rAvZbXspCYjotGe/jL48T1

enable password 7 097C4F1A0A1218000F4D557878

!

no aaa new-model

clock timezone Prague 1 0

clock summer-time Prague date Mar 30 2003 2:00 Oct 26 2003 3:00

!

no ipv6 cef

!

ip port-map user-paragraf port tcp 6190 list 2

!

ip domain name dri.local

ip name-server 192.168.0.20

ip name-server 192.168.0.24

ip cef

multilink bundle-name authenticated

!

crypto pki trustpoint TP-self-signed-2259530887

enrollment selfsigned

subject-name cn=IOS-Self-Signed-Certificate-2259530887

revocation-check none

rsakeypair TP-self-signed-2259530887

!

crypto pki trustpoint test_trustpoint_config_created_for_sdm

subject-name e=sdmtest@sdmtest.com

revocation-check crl

!

crypto pki certificate chain TP-self-signed-2259530887

certificate self-signed 01

3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 05050030

31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274

69666963 6174652D 32323539 35333038 3837301E 170D3135 30373038 31333139

31385A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649

4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D32 32353935

33303838 3730819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281

8100B259 D0C431C4 B525F2EE 1D9BF630 C149CE34 786795EC B6355D65 A8EF7B3D

C65EEAC8 729155F5 5BC853AE 976AC249 B40FFED6 59CF457F 0F4FA191 2080218C

4380C255 33DAEF9C E103307A 69477BC6 5A740E2C D944326B 461DC373 2F1F6CE2

F1B8C22E A5010323 815804D3 7C3BAFB2 62BC7842 C8D0D506 0FB9CA8B 0F49236E

AE8B0203 010001A3 53305130 0F060355 1D130101 FF040530 030101FF 301F0603

551D2304 18301680 14A5124D 5912F9BC C4109E65 E49489B7 24AC8345 22301D06

03551D0E 04160414 A5124D59 12F9BCC4 109E65E4 9489B724 AC834522 300D0609

2A864886 F70D0101 05050003 81810033 1A9BEBA8 0736025C 5740E525 0A45910B

406A0CFA F2ADE31F 76D92B73 40EBBF98 F2E261C0 247D6BD9 94D3AE79 313D7AE4

0CA635B3 A62205B4 67F9CD78 6CD47554 F5F184BD C88BB35C C01E44AD E8491DF7

0A46F0AF 39867593 6F21B2D3 E8B5B787 D430E64B F3F7A7D3 C2D54690 E31E2B35

E77E55D8 02E035B1 0965616F 00AC1A

quit

crypto pki certificate chain test_trustpoint_config_created_for_sdm

license udi pid CISCO1921/K9 sn FCZ163293TE

!

object-group network DRI_mreze

192.168.0.0 255.255.255.0

192.168.1.0 255.255.255.0

192.168.2.0 255.255.255.0

192.168.3.0 255.255.255.0

192.168.4.0 255.255.255.0

192.168.5.0 255.255.255.0

192.168.7.0 255.255.255.0

192.168.8.0 255.255.255.0

192.168.50.0 255.255.255.0

!

object-group network REMOTE_DESKTOP_client

host 192.168.0.123

host 192.168.0.188

host 192.168.0.61

192.168.50.0 255.255.255.0

!

object-group service SPSQL_server

description sql server for sharepoint

tcp eq 135

tcp eq 139

tcp eq 3389

tcp eq 445

tcp eq 2383

tcp eq www

tcp eq 5357

tcp-udp eq 1433

icmp echo

icmp echo-reply

!

object-group network SQL_servers

host 192.168.200.14

host 192.168.200.34

host 192.168.200.16

!

object-group service WDS_server

tcp eq 135

tcp eq 139

tcp eq 3389

tcp eq 5040

tcp eq 443

tcp eq 445

tcp eq 1032

tcp eq 1039

tcp eq 1089

tcp eq www

tcp eq 5357

icmp echo

icmp echo-reply

tcp range 49151 56535

!

object-group network backup_server

host 192.168.0.152

host 192.168.0.32

range 192.168.0.29 192.168.0.30

!

object-group service backup_servers

tcp eq 135

tcp eq 139

tcp eq 3389

tcp eq 9876

tcp eq 445

tcp eq 2301

tcp eq 2381

tcp eq 3260

!

object-group service domain_controller

udp eq ntp

tcp eq 135

udp eq netbios-ns

udp eq netbios-dgm

tcp eq 139

tcp eq 636

tcp-udp eq 389

tcp-udp eq 445

tcp-udp eq 464

tcp eq 5722

tcp eq smtp

tcp-udp eq domain

tcp-udp eq 88

tcp eq 3268

tcp eq 3269

tcp range 49152 56535

tcp eq 3389

tcp eq 5357

icmp echo

icmp echo-reply

!

object-group network domain_controllers

host 192.168.200.20

host 192.168.200.24

!

object-group service dri-net_server

tcp eq 135

tcp eq 139

tcp eq 3306

tcp eq 445

tcp range 1048 1050

tcp eq domain

tcp eq 3289

icmp echo

icmp echo-reply

tcp eq www

tcp eq 81

!

object-group service finansije_server

tcp eq 135

tcp eq 139

tcp eq 3389

tcp eq 445

tcp eq www

tcp eq 5357

!

object-group service paragraflex_server

tcp eq 135

tcp eq 139

tcp eq 3389

tcp eq 445

tcp eq 5357

tcp eq 6190

icmp echo

icmp echo-reply

tcp eq 5985

tcp range 49151 56535

!

object-group service sharepoint_application_service

tcp eq 135

tcp eq 139

tcp eq 3389

tcp eq 2103

tcp eq 2105

tcp eq 2107

tcp eq 1801

tcp eq smtp

tcp eq 4361

tcp eq 8080

tcp eq 4860

tcp eq 445

tcp eq 1053

tcp eq 5357

tcp range www 82

!

object-group service sharepoint_web_application

tcp eq 135

tcp eq 139

tcp eq 3389

tcp eq 2103

tcp eq 2105

tcp eq 2107

tcp eq 1801

tcp eq 8080

tcp eq 445

tcp eq 1044

tcp eq 1060

tcp eq 1074

tcp range 1025 1028

tcp eq 1102

tcp eq www

icmp echo

icmp echo-reply

!

object-group network sharepoint_web_servers

range 192.168.200.36 192.168.200.37

host 192.168.200.13

host 192.168.200.17

!

object-group service terminal_server

tcp eq 135

tcp eq 139

tcp eq 3389

tcp eq 1947

tcp eq 445

tcp eq 5357

!

object-group service virtual_server_services

tcp eq 135

tcp eq 139

tcp eq 3389

tcp eq 2179

tcp eq 445

tcp eq 2301

tcp eq 2381

icmp echo

icmp echo-reply

!

object-group network virtual_servers

host 192.168.200.11

host 192.168.200.25

host 192.168.200.41

!

object-group network wsus_servers

host 192.168.200.12

host 192.168.200.27

host 192.168.200.15

!

object-group service wsus_services

tcp eq 135

tcp eq 139

tcp eq 3389

tcp eq 445

tcp eq www

tcp eq 5357

tcp eq 8531

tcp eq 443

tcp eq 8530

icmp echo

icmp echo-reply

!

username administrator privilege 15 password 7 01230717481C091D250D1F5B4A

!

interface Embedded-Service-Engine0/0

no ip address

shutdown

!

interface GigabitEthernet0/0

description $ETH-WAN$

ip address 192.168.0.253 255.255.255.0

ip access-group Outside_in in

ip mask-reply

duplex auto

speed auto

no mop enabled

!

interface GigabitEthernet0/1

description $ETH-LAN$

ip address 192.168.200.254 255.255.255.0

ip access-group Inside_in in

duplex auto

speed auto

!

ip forward-protocol nd

!

ip http server

ip http access-class 1

ip http authentication local

ip http secure-server

!

ip route 0.0.0.0 0.0.0.0 192.168.0.254 255 permanent

ip route 192.168.1.0 255.255.255.0 192.168.0.254 4 permanent

ip route 192.168.2.0 255.255.255.0 192.168.0.254 5 permanent

ip route 192.168.3.0 255.255.255.0 192.168.0.254 3 permanent

ip route 192.168.4.0 255.255.255.0 192.168.0.254 7 permanent

ip route 192.168.5.0 255.255.255.0 192.168.0.254 2 permanent

ip route 192.168.7.0 255.255.255.0 192.168.0.254 6 permanent

ip route 192.168.8.0 255.255.255.0 192.168.0.254 8 permanent

ip route 192.168.50.0 255.255.255.0 192.168.0.10 permanent

!

ip access-list extended Inside_in

remark CCP_ACL Category=1

permit ip any any

ip access-list extended Outside_in

remark CCP_ACL Category=1

permit ip host 192.168.0.61 host 192.168.0.253

permit udp host 192.168.0.20 192.168.200.0 0.0.0.255 range 49152 56535

permit tcp host 192.168.0.20 192.168.200.0 0.0.0.255 range 49152 56535

permit object-group sharepoint_web_application object-group DRI_mreze object-group sharepoint_web_servers log

permit object-group sharepoint_application_service object-group DRI_mreze host 192.168.200.33 log

permit object-group virtual_server_services object-group DRI_mreze object-group virtual_servers log

permit object-group SPSQL_server object-group DRI_mreze object-group SQL_servers log

permit object-group wsus_services object-group DRI_mreze object-group wsus_servers log

permit object-group backup_servers object-group DRI_mreze object-group backup_server log

permit object-group paragraflex_server object-group DRI_mreze host 192.168.200.26 log

permit object-group terminal_server object-group DRI_mreze host 192.168.0.22 log

permit object-group WDS_server object-group DRI_mreze host 192.168.200.28 log

permit object-group finansije_server object-group DRI_mreze host 192.168.200.23 log

permit object-group dri-net_server object-group DRI_mreze host 192.168.200.31 log

permit object-group domain_controller object-group DRI_mreze object-group domain_controllers

deny ip any any

ip access-list extended outside_out

remark CCP_ACL Category=1

permit ip any any

!

access-list 1 permit 192.168.0.61

access-list 1 remark Auto generated by SDM Management Access feature

access-list 1 remark CCP_ACL Category=1

access-list 1 permit 192.168.200.0 0.0.0.255

access-list 2 remark CCP_ACL Category=1

access-list 2 permit 192.168.200.26

access-list 100 remark Auto generated by SDM Management Access feature

access-list 100 remark CCP_ACL Category=1

access-list 100 permit ip 192.168.200.0 0.0.0.255 any

access-list 100 permit ip host 192.168.0.61 any

!

control-plane

!

line con 0

line aux 0

line 2

no activation-character

no exec

transport preferred none

transport input all

transport output pad telnet rlogin lapb-ta mop udptn v120 ssh

stopbits 1

line vty 0 4

access-class 100 in

exec-timeout 40 0

privilege level 15

password 7 097C4F1A0A1218000F4D557878

login local

transport input telnet ssh

!

scheduler allocate 20000 1000

!

end

Richard Bradfield · ‎08-21-2015

Hi,

To me it seems you have the

ip access-list extended Outside_in

going the wrong way, should be out not in

interface GigabitEthernet0/0

ip access-group Outside_in out

you can check the access-list by adding log on the deny ip any any

so it is deny ip any any log then you can see the hits in the router log.

HTH

Richard.

goran ljubic · ‎08-21-2015

my servers is not in network 192.168.0.0/24, they are in network 192.168.200.0.24. if i put

interface GigabitEthernet0/0

ip access-group Outside_in out

how my workstations in network 192.168.0.0/24 will know where are my servers?

Richard Bradfield · ‎08-21-2015

The ACL has nothing to do with routing.

have you tried the deny ip any any log at end of the ACL to see what hits you are getting

goran ljubic · ‎08-23-2015

i tryed with this configuration with permit ip any any on below of acl Outeside_in on outside interface

Building configuration...

Current configuration : 10115 bytes

!

! Last configuration change at 15:13:17 PCTime Fri Aug 21 2015 by administrator

version 15.2

service timestamps debug datetime msec

service timestamps log datetime msec

service password-encryption

!

hostname servers-r

!

boot-start-marker

boot-end-marker

!

logging buffered 51200

enable secret 5 $1$zUjL$rAvZbXspCYjotGe/jL48T1

enable password 7 097C4F1A0A1218000F4D557878

!

no aaa new-model

clock timezone PCTime 1 0

clock summer-time PCTime date Mar 30 2003 2:00 Oct 26 2003 3:00