11-08-2011 12:51 PM - edited 03-21-2019 04:55 AM
Good afternoon, I have a problem. I have a UC540 at the head office, at one branch I have an SA520W router and at another branch an SR520 router. I have managed to get communication (voice VLAN) between all the sites, but I cannot reach the data network from branch A to branch C.
Branch A <=====> Head office B <=====> Branch C
(SR520) (UC540) (SA520W)
192.168.75.0 192.168.10.0 192.168.20.0
Branch A <==X==> Branch C
Below is the ACL configuration I have on the UC540; I don't know if I am missing one:
ip nat inside source list 180 interface FastEthernet0/0 overload
ip route 10.1.10.1 255.255.255.255 Integrated-Service-Engine0/0
!
ip access-list extended exclude-vpn-statics
permit tcp any eq 1723 any
permit gre any any
permit ipinip any any
!
logging esm config
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.10.0 0.0.0.255
access-list 1 permit 10.1.1.0 0.0.0.255
access-list 1 permit 11.1.1.0 0.0.0.255
access-list 1 permit 10.1.10.0 0.0.0.3
access-list 2 remark SDM_ACL Category=2
access-list 2 permit 192.168.10.0 0.0.0.255
access-list 2 permit 10.1.1.0 0.0.0.255
access-list 2 permit 11.1.1.0 0.0.0.255
access-list 2 permit 10.1.10.0 0.0.0.3
access-list 3 remark SDM_ACL Category=2
access-list 3 permit 192.168.10.0 0.0.0.255
access-list 3 permit 10.1.1.0 0.0.0.255
access-list 3 permit 11.1.1.0 0.0.0.255
access-list 3 permit 10.1.10.0 0.0.0.3
access-list 4 remark SDM_ACL Category=2
access-list 4 permit 192.168.10.0 0.0.0.255
access-list 4 permit 10.1.1.0 0.0.0.255
access-list 4 permit 11.1.1.0 0.0.0.255
access-list 4 permit 10.1.10.0 0.0.0.3
access-list 1723 permit 192.168.10.1
access-list 100 remark auto generated by SDM firewall configuration##NO_ACES_4##
access-list 100 remark SDM_ACL Category=1
access-list 100 permit udp any host 192.168.10.1 eq non500-isakmp
access-list 100 permit udp any host 192.168.10.1 eq isakmp
access-list 100 permit esp any host 192.168.10.1
access-list 100 permit ahp any host 192.168.10.1
access-list 100 deny ip 10.1.1.0 0.0.0.255 any
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto generated by SDM firewall configuration##NO_ACES_4##
access-list 101 remark SDM_ACL Category=1
access-list 101 permit udp any host 10.1.1.1 eq non500-isakmp
access-list 101 permit udp any host 10.1.1.1 eq isakmp
access-list 101 permit esp any host 10.1.1.1
access-list 101 permit ahp any host 10.1.1.1
access-list 101 deny ip 192.168.10.0 0.0.0.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 permit ip any any
access-list 102 remark auto generated by SDM firewall configuration##NO_ACES_14##
access-list 102 remark SDM_ACL Category=1
access-list 102 permit udp any any eq non500-isakmp
access-list 102 permit udp any any eq isakmp
access-list 102 permit esp any any
access-list 102 permit ahp any any
access-list 102 deny ip 10.1.1.0 0.0.0.255 any
access-list 102 deny ip 192.168.10.0 0.0.0.255 any
access-list 102 permit udp any eq bootps any eq bootpc
access-list 102 permit udp host 200.124.247.202 eq domain any
access-list 102 permit udp host 200.124.247.205 eq domain any
access-list 102 permit icmp any any echo-reply
access-list 102 permit icmp any any time-exceeded
access-list 102 permit icmp any any unreachable
access-list 102 deny ip 10.0.0.0 0.255.255.255 any
access-list 102 deny ip 172.16.0.0 0.15.255.255 any
access-list 102 deny ip 192.168.0.0 0.0.255.255 any
access-list 102 deny ip 127.0.0.0 0.255.255.255 any
access-list 102 deny ip host 255.255.255.255 any
access-list 102 deny ip any any log
access-list 103 remark SDM_ACL Category=4
access-list 103 permit ip 192.168.10.0 0.0.0.255 any
access-list 103 permit ip 10.1.1.0 0.0.0.255 any
access-list 103 permit ip 10.1.10.0 0.0.0.255 any
access-list 103 permit ip 192.168.20.0 0.0.0.255 any
access-list 103 permit ip 192.168.75.0 0.0.0.255 any
access-list 150 remark SDM_ACL Category=16
access-list 150 permit ip 10.1.1.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list 150 permit ip 10.1.10.0 0.0.0.3 192.168.20.0 0.0.0.255
access-list 150 permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list 180 deny ip 10.1.1.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list 180 deny ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list 180 deny ip 10.1.10.0 0.0.0.3 192.168.20.0 0.0.0.255
access-list 180 permit ip 192.168.10.0 0.0.0.255 any
Thanks
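An added check, not code from the thread or from the devices: a small first-match evaluator for the two numbered extended ACLs posted above that decide how the hub treats a flow, run on a branch A to branch C flow. The page's `ip nat inside source list 180 ...` line makes ACL 180 the NAT list; that ACL 150 is the VPN interesting-traffic list for the branch C tunnel is an assumption, as are the sample host addresses, and only protocol `ip` entries with wildcard masks are modelled.

```python
import ipaddress

# ACLs 150 and 180 as posted from the UC540 (constructed input, copied from the
# thread; only protocol "ip" entries with wildcard masks are modelled).
UC540_ACLS = """
access-list 150 permit ip 10.1.1.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list 150 permit ip 10.1.10.0 0.0.0.3 192.168.20.0 0.0.0.255
access-list 150 permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list 180 deny ip 10.1.1.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list 180 deny ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list 180 deny ip 10.1.10.0 0.0.0.3 192.168.20.0 0.0.0.255
access-list 180 permit ip 192.168.10.0 0.0.0.255 any
"""

def _parse_addr(tokens, i):
    """Consume one address spec at tokens[i]: 'any', 'host X', or 'X WILDCARD'.
    Returns ((network, mask), next_index); wildcard bits set to 1 are don't-care."""
    if tokens[i] == "any":
        return (0, 0), i + 1
    if tokens[i] == "host":
        return (int(ipaddress.IPv4Address(tokens[i + 1])), 0xFFFFFFFF), i + 2
    net = int(ipaddress.IPv4Address(tokens[i]))
    wildcard = int(ipaddress.IPv4Address(tokens[i + 1]))
    return (net, ~wildcard & 0xFFFFFFFF), i + 2

def parse_acls(text):
    """Map ACL number -> ordered list of (action, proto, src_spec, dst_spec)."""
    acls = {}
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 4 or t[0] != "access-list" or t[2] == "remark":
            continue
        src, i = _parse_addr(t, 4)
        dst, _ = _parse_addr(t, i)
        acls.setdefault(t[1], []).append((t[2], t[3], src, dst))
    return acls

def _in(addr, spec):
    net, mask = spec
    return (int(ipaddress.IPv4Address(addr)) & mask) == (net & mask)

def evaluate(entries, src_ip, dst_ip):
    """First-match semantics with the implicit deny at the end of every Cisco ACL."""
    for action, proto, src, dst in entries:
        if proto == "ip" and _in(src_ip, src) and _in(dst_ip, dst):
            return action
    return "implicit-deny"

def check_flow(text, src_ip, dst_ip):
    """Verdict of every ACL in `text` for one src->dst flow, e.g. {'150': 'permit', ...}."""
    return {num: evaluate(entries, src_ip, dst_ip) for num, entries in parse_acls(text).items()}

if __name__ == "__main__":
    # Branch A host talking to a branch C host (constructed addresses inside the posted subnets).
    for num, verdict in check_flow(UC540_ACLS, "192.168.75.10", "192.168.20.10").items():
        print(f"ACL {num}: 192.168.75.10 -> 192.168.20.10 => {verdict}")
```

For 192.168.75.x to 192.168.20.x both lists return implicit-deny, so the hub would neither treat that flow as tunnel traffic (if 150 is the crypto ACL) nor NAT-exempt it, whereas hub-LAN-to-C flows match both lists.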
11-08-2011 02:45 PM
Could you attach the show running-config of the three routers, please.
Regards
11-08-2011 03:44 PM
The show running of the SR520 router:
Building configuration...
Current configuration : 8259 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname SR520
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
enable secret 5 $1$JF9J$7qq8amfNhIs85j.MKsUJ4.
!
no aaa new-model
!
crypto pki trustpoint TP-self-signed-4089235246
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-4089235246
revocation-check none
rsakeypair TP-self-signed-4089235246
!
!
crypto pki certificate chain TP-self-signed-4089235246
certificate self-signed 02
quit
dot11 syslog
ip source-route
!
!
ip dhcp excluded-address 192.168.75.1 192.168.75.10
!
ip dhcp pool inside
import all
network 192.168.75.0 255.255.255.0
default-router 192.168.75.1
option 150 ip 10.1.1.1
!
!
ip cef
ip port-map user-ezvpn-remote port udp 10000
!
no ipv6 cef
multilink bundle-name authenticated
password encryption aes
!
!
username cisco privilege 15 secret 5 $1$A/tV$3ejNcgbAogFIHczj3Fslv1
!
!
!
!
!
!
crypto ipsec client ezvpn EZVPN_REMOTE_CONNECTION_1
connect auto
group EZVPN_GROUP_1 key ricardo2009
mode network-extension
peer xxx.xxx.xxx.xxx
virtual-interface 1
username sr520 password xxxxxxx
xauth userid mode local
!
!
archive
log config
hidekeys
!
!
!
class-map type inspect match-any SDM_AH
match access-group name SDM_AH
class-map type inspect match-any SDM-Voice-permit
match protocol sip
class-map type inspect match-any SDM_ESP
match access-group name SDM_ESP
class-map type inspect match-any SDM_EASY_VPN_REMOTE_TRAFFIC
match protocol isakmp
match protocol ipsec-msft
match class-map SDM_AH
match class-map SDM_ESP
match protocol user-ezvpn-remote
class-map type inspect match-all SDM_EASY_VPN_REMOTE_PT
match class-map SDM_EASY_VPN_REMOTE_TRAFFIC
match access-group 101
class-map type inspect match-any Easy_VPN_Remote_VT
match access-group 102
class-map type inspect match-any sdm-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-any sdm-cls-insp-traffic
match protocol cuseeme
match protocol dns
match protocol ftp
match protocol h323
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp extended
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
class-map type inspect match-all sdm-invalid-src
match access-group 100
class-map type inspect match-all dhcp_out_self
match access-group name dhcp-resp-permit
class-map type inspect match-all dhcp_self_out
match access-group name dhcp-req-permit
class-map type inspect match-all sdm-protocol-http
match protocol http
!
!
policy-map type inspect sdm-permit-icmpreply
class type inspect dhcp_self_out
pass
class type inspect sdm-cls-icmp-access
inspect
class class-default
pass
policy-map type inspect sdm-permit_VT
class type inspect Easy_VPN_Remote_VT
pass
class class-default
drop
policy-map type inspect sdm-inspect
class type inspect sdm-invalid-src
drop log
class type inspect sdm-cls-insp-traffic
inspect
class type inspect sdm-protocol-http
inspect
class type inspect SDM-Voice-permit
pass
class class-default
pass
policy-map type inspect sdm-inspect-voip-in
class type inspect SDM-Voice-permit
pass
class class-default
drop
policy-map type inspect sdm-permit
class type inspect SDM_EASY_VPN_REMOTE_PT
pass
class type inspect dhcp_out_self
pass
class class-default
drop
!
zone security out-zone
zone security in-zone
zone security ezvpn-zone
zone-pair security sdm-zp-self-out source self destination out-zone
service-policy type inspect sdm-permit-icmpreply
zone-pair security sdm-zp-out-self source out-zone destination self
service-policy type inspect sdm-permit
zone-pair security sdm-zp-in-out source in-zone destination out-zone
service-policy type inspect sdm-inspect
zone-pair security sdm-zp-out-in source out-zone destination in-zone
service-policy type inspect sdm-inspect-voip-in
zone-pair security sdm-zp-in-ezvpn1 source in-zone destination ezvpn-zone
service-policy type inspect sdm-permit_VT
zone-pair security sdm-zp-out-ezpn1 source out-zone destination ezvpn-zone
service-policy type inspect sdm-permit_VT
zone-pair security sdm-zp-ezvpn-out1 source ezvpn-zone destination out-zone
service-policy type inspect sdm-permit_VT
zone-pair security sdm-zp-ezvpn-in1 source ezvpn-zone destination in-zone
service-policy type inspect sdm-permit_VT
!
!
!
interface FastEthernet0
switchport access vlan 75
!
interface FastEthernet1
switchport access vlan 75
!
interface FastEthernet2
switchport access vlan 75
!
interface FastEthernet3
switchport access vlan 75
!
interface FastEthernet4
description $FW_OUTSIDE$
ip address dhcp
ip nat outside
ip virtual-reassembly
zone-member security out-zone
duplex auto
speed auto
crypto ipsec client ezvpn EZVPN_REMOTE_CONNECTION_1
!
interface Virtual-Template1 type tunnel
no ip address
zone-member security ezvpn-zone
tunnel mode ipsec ipv4
!
interface Vlan1
no ip address
shutdown
!
interface Vlan75
description $FW_INSIDE$
ip address 192.168.75.1 255.255.255.0
ip nat inside
ip virtual-reassembly
zone-member security in-zone
crypto ipsec client ezvpn EZVPN_REMOTE_CONNECTION_1 inside
!
ip forward-protocol nd
ip route 192.168.10.0 255.255.255.0 Vlan75
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 110 interface FastEthernet4 overload
!
ip access-list extended SDM_AH
remark SDM_ACL Category=1
permit ahp any any
ip access-list extended SDM_ESP
remark SDM_ACL Category=1
permit esp any any
ip access-list extended dhcp-req-permit
remark SDM_ACL Category=1
permit udp any eq bootpc any eq bootps
ip access-list extended dhcp-resp-permit
remark SDM_ACL Category=1
permit udp any eq bootps any eq bootpc
!
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.75.0 0.0.0.255
access-list 100 remark SDM_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 101 remark SDM_ACL Category=128
access-list 101 permit ip host 200.124.246.121 any
access-list 102 remark SDM_ACL Category=1
access-list 102 permit ip any any
access-list 110 remark SDM_ACL
access-list 110 deny ip 192.168.75.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 110 deny ip 192.168.75.0 0.0.0.255 10.1.10.0 0.0.0.255
access-list 110 permit ip 192.168.75.0 0.0.0.255 any
!
!
!
!
!
control-plane
!
banner login ^CCSR520 Base Config - MFG 1.0 ^C
!
line con 0
login local
no modem enable
line aux 0
line vty 0 4
privilege level 15
login local
transport input telnet ssh
!
scheduler max-task-time 5000
end
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------
and for the SA520W I don't know how to get the show running, since I have configured everything via the web interface
11-08-2011 06:09 PM
What is happening is that the router at branch A does not know how to reach branch C's network.
Could you apply this command on the branch A router:
ip route 192.168.20.0 255.255.255.0 Vlan75
Please rate me if my answer helped you.
Regards
11-09-2011 07:45 AM
Hi Jorge, I already tried the ip route command but nothing. When I do a tracert 192.168.20.1 from branch A to branch C, the data packets stop at 192.168.10.1, that is, it seems the head office does not let them through to the other router.
Regards.
11-09-2011 07:47 AM
Can you do a
show ip route on the head office router and attach it to me, please.
Regards
11-09-2011 07:55 AM
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
+ - replicated route, % - next hop override
Gateway of last resort is 200.124.246.65 to network 0.0.0.0
S* 0.0.0.0/0 [254/0] via 200.124.246.65
10.0.0.0/8 is variably subnetted, 5 subnets, 3 masks
C 10.1.1.0/24 is directly connected, BVI100
L 10.1.1.1/32 is directly connected, BVI100
C 10.1.10.0/30 is directly connected, Loopback0
S 10.1.10.1/32 is directly connected, Integrated-Service-Engine0/0
L 10.1.10.2/32 is directly connected, Loopback0
192.168.4.0/32 is subnetted, 1 subnets
S 192.168.4.1 [254/0] via 200.124.246.65, FastEthernet0/0
192.168.10.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.10.0/24 is directly connected, BVI1
L 192.168.10.1/32 is directly connected, BVI1
S 192.168.75.0/24 [1/0] via 0.0.0.0, Virtual-Access2
200.124.246.0/24 is variably subnetted, 2 subnets, 2 masks
C 200.124.246.64/26 is directly connected, FastEthernet0/0
L 200.124.246.120/32 is directly connected, FastEthernet0/0
11-09-2011 08:03 AM
Two things.
1) It seems to me that we do not have a route from the head office to branch C. Try pinging from the head office to branch C.
2) If the ping fails, apply this command at the head office:
ip route 192.168.20.0 interface or next-hop ip
Regards
11-09-2011 08:10 AM
The command is ip route 192.168.20.0 255.255.255.0 local interface or next-hop ip.
The recommended option is to use the next-hop ip.
Please rate me if my answer helps you.
Regards
11-09-2011 09:44 AM
From the head office to both branches I do have communication, from branch A to the head office I have communication,
from branch C to the head office I have communication, but from branch A to branch C I do not. It is worth mentioning that everything is linked through a VPN. I am attaching a small diagram