Velocity Reviews - Computer Hardware Reviews
ACL blocks Internet Access.

nateevs (Junior Member, joined Feb 2010, 6 posts), 02-14-2010
Hello Everyone.

I have a big problem. I have an ADSL Cisco 837 router. I have an access-list configured on the router. When I take the access-list off, I can get internet access. When I put the access-list back, internet access is denied again.

I have the explicit "deny ip any any log" statement at the end of the ACL, and so I can see that returning UDP traffic is constantly being denied inbound from the configured DNS servers.

The problem I have, however, is that I can't seem to find a way round it, no matter what I try. I have researched and used several methods.

I have used the tcp established keyword. I have permitted UDP inbound from the DNS server hosts. I have tried everything I can and I can't solve it.

This is the access-list I have applied inbound on the Dialer interface.

access-list 101 deny ip 10.10.10.0 0.0.0.255 any
access-list 101 permit icmp any any unreachable
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any echo-reply
access-list 101 permit tcp any any eq domain
access-list 101 permit udp any any eq domain
access-list 101 deny ip host 0.0.0.0 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 224.0.0.0 7.255.255.255 any
access-list 101 deny ip any any log

Please help.
 
nateevs (Junior Member, joined Feb 2010, 6 posts), 02-15-2010
Anyone help please!
 
bryanpalacios (Junior Member, Guatemala, joined Jan 2010, 9 posts), 02-16-2010
Just one question, bud... if the ACL is applied inbound to your interface that connects to the internet, why are you denying traffic from 172.x or other private network segments? Also, I have another question: why are you denying 0.0.0.0?

With those answers maybe I can help you.
 
nateevs (Junior Member, joined Feb 2010, 6 posts), 02-16-2010
Hello Bryan.

I'm sorry for the late reply. By denying those addresses, I am mitigating unauthorized network access. It is preventing anti-spoofing.

Also host 0.0.0.0 means any device. Therefore I am preventing any host from gaining access into my network except one I explicitly permit.


Thanks.
 
bryanpalacios (Junior Member, Guatemala, joined Jan 2010, 9 posts), 02-17-2010
Hello, is the ACL placed on the inbound side of the interface that connects to the internet?

Regards,
 
nateevs (Junior Member, joined Feb 2010, 6 posts), 02-18-2010
Yes the ACL is applied to the inbound interface from the internet.
 
nateevs (Junior Member, joined Feb 2010, 6 posts), 02-18-2010
Someone please help... I still have not been able to fix this issue. I ran a debug ip packet on the router and this is the output.

*Nov 16 05:14:15.834: IP: tableid=0, s=81.148.xx.xx (local), d=194.72.9.34 (Dialer0), routed via FIB
*Nov 16 05:14:15.834: IP: s=81.148.xx.xx (local), d=194.72.9.34 (Dialer0), len 56, sending
*Nov 16 05:14:16.847: IP: s=81.148.xx.xx (local), d=62.6.40.178 (Dialer0), len 56, sending
*Nov 16 05:14:16.851: IP: s=194.72.9.34 (Dialer0), d=81.148.xx.xx, len 125, access denied

81.148.xx.xx is the IP address on my Dialer0 interface.
62.6.40.178 and 194.72.9.34 are the DNS servers.

The debug output indicates that traffic reaches the DNS servers and traffic is sent back as well. It is only denied on my router. That's why the internet works when I clear the access-list.

I know that I need to permit UDP traffic from my DNS servers back into my network, but no matter what I try I still can't crack it.

Can anyone help please?

Thanks.
 
KrisJun (Junior Member, joined Feb 2010, 2 posts), 02-19-2010
I am just taking a stab at it, since I only learned about ACLs recently and do not possess the knowledge (yet) to correctly interpret the debug you posted, but what happens when you add a rule to allow established inbound connections?
 
nateevs (Junior Member, joined Feb 2010, 6 posts), 02-20-2010
I have eventually solved the problem.

I added these lines to the access list and it worked.

permit udp host 62.6.40.178 eq domain any (1467 matches)
permit udp host 194.72.9.34 eq domain any (30 matches)
permit udp host 62.6.40.162 eq domain any
permit udp host 194.72.9.38 eq domain any
permit tcp any eq www any gt 1023 (2721 matches)

Those addresses are my DNS servers.
I can now get access to the internet without having to remove my access list. Does it make the network less secure? I don't know. I guess I'll learn that as I continue my journey in Cisco networking. Thank God it's not a production network. It's just my home ADSL connection.

Thanks to everyone that attempted a solution. I hope this helps anyone with similar problems.
 
kevin.morales (Junior Member, joined Feb 2009, 3 posts), 04-07-2010
The wrong line in the first ACL is
access-list 101 permit udp any any eq domain

The DNS server of your ISP uses source port 53 and a destination port in your network above 1024, I think.

The correct ACL is:
access-list 101 permit udp any eq domain any
 
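The port-direction problem discussed in this thread, modelled as an added example that is not code from any poster: a small Python evaluator for IOS extended-ACL first-match semantics, run against the poster's original inbound ACL, the entries he added, and kevin.morales' corrected entry. The packets are constructed from the debug output above; 81.148.0.1 stands in for the masked address 81.148.xx.xx, the ports 51234 and 4444 are assumed ephemeral ports, and 203.0.113.5 is a documentation address standing for an arbitrary Internet host. The `established` variant at the end is an assumption of mine following KrisJun's suggestion, not something the thread configured.

```python
"""Toy first-match evaluator for Cisco IOS extended ACLs, added as an example for
this thread (not code from any poster).  It models wildcard masks, host/any, the
eq/gt/lt port operators, the tcp 'established' keyword (ACK or RST set) and ICMP
message keywords, and nothing else."""
from collections import namedtuple
from ipaddress import IPv4Address
from typing import List, Optional, Tuple

PORT_NAMES = {"domain": 53, "www": 80}

# proto is "udp", "tcp" or "icmp"; tcp_flags like ("SYN",); icmp_type like "echo-reply".
Packet = namedtuple("Packet", "proto src dst sport dport tcp_flags icmp_type",
                    defaults=(0, 0, (), ""))


def _addr(tokens: List[str]) -> Tuple[int, int]:
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD' -> (address, wildcard)."""
    tok = tokens.pop(0)
    if tok == "any":
        return 0, 0xFFFFFFFF
    if tok == "host":
        return int(IPv4Address(tokens.pop(0))), 0
    return int(IPv4Address(tok)), int(IPv4Address(tokens.pop(0)))


def _port(tokens: List[str]) -> Optional[Tuple[str, int]]:
    """Consume an optional 'eq|gt|lt PORT' operator; PORT may be a name or a number."""
    if tokens and tokens[0] in ("eq", "gt", "lt"):
        op, p = tokens.pop(0), tokens.pop(0)
        return op, PORT_NAMES.get(p) or int(p)
    return None


def _addr_match(spec: Tuple[int, int], addr: str) -> bool:
    # Wildcard bits set to 1 are "don't care", exactly as IOS evaluates them.
    return ((int(IPv4Address(addr)) ^ spec[0]) & ~spec[1] & 0xFFFFFFFF) == 0


def _port_match(spec: Optional[Tuple[str, int]], port: int) -> bool:
    if spec is None:
        return True
    op, p = spec
    return {"eq": port == p, "gt": port > p, "lt": port < p}[op]


def ace_matches(line: str, pkt: Packet) -> bool:
    """Does one 'permit|deny PROTO SRC [op port] DST [op port] [...]' entry match pkt?"""
    tokens = line.split()
    proto, tokens = tokens[1], tokens[2:]
    if proto not in ("ip", pkt.proto):
        return False
    src = _addr(tokens)
    sport = _port(tokens) if proto in ("tcp", "udp") else None
    dst = _addr(tokens)
    dport = _port(tokens) if proto in ("tcp", "udp") else None
    rest = [t for t in tokens if t != "log"]
    if "established" in rest and not ({"ACK", "RST"} & set(pkt.tcp_flags)):
        return False
    if proto == "icmp" and rest and rest[0] != pkt.icmp_type:
        return False
    return (_addr_match(src, pkt.src) and _addr_match(dst, pkt.dst)
            and _port_match(sport, pkt.sport) and _port_match(dport, pkt.dport))


def evaluate(acl: List[str], pkt: Packet) -> Tuple[str, str]:
    """First match wins; anything unmatched falls to the implicit deny."""
    for line in acl:
        if ace_matches(line, pkt):
            return line.split()[0], line
    return "deny", "implicit deny"


# The poster's original inbound ACL (first wildcard corrected to 0.0.0.255).
ORIGINAL = [
    "deny ip 10.10.10.0 0.0.0.255 any",
    "permit icmp any any unreachable",
    "permit icmp any any time-exceeded",
    "permit icmp any any echo-reply",
    "permit tcp any any eq domain",
    "permit udp any any eq domain",
    "deny ip host 0.0.0.0 any",
    "deny ip host 255.255.255.255 any",
    "deny ip 192.168.0.0 0.0.255.255 any",
    "deny ip 172.16.0.0 0.15.255.255 any",
    "deny ip 10.0.0.0 0.255.255.255 any",
    "deny ip 224.0.0.0 7.255.255.255 any",
    "deny ip any any log",
]
# The entries the poster added, placed ahead of the denies (the thread does not say where).
SOLUTION = ORIGINAL[:6] + [
    "permit udp host 62.6.40.178 eq domain any",
    "permit udp host 194.72.9.34 eq domain any",
    "permit tcp any eq www any gt 1023",
] + ORIGINAL[6:]
# kevin.morales' variant: match source port 53 instead of destination port 53.
CORRECTED = [l.replace("permit udp any any eq domain", "permit udp any eq domain any") for l in ORIGINAL]
# Assumed hardening (not from the thread): add 'established' to the www entry.
HARDENED = [l.replace("any gt 1023", "any gt 1023 established") for l in SOLUTION]

# Constructed packets: the denied DNS reply from the debug output, then probes with assumed
# ports (51234, 4444) from 203.0.113.5, a documentation address standing for any Internet host.
DNS_REPLY = Packet("udp", "194.72.9.34", "81.148.0.1", sport=53, dport=51234)
UDP_SPORT53 = Packet("udp", "203.0.113.5", "81.148.0.1", sport=53, dport=161)
WEB_SYN = Packet("tcp", "203.0.113.5", "81.148.0.1", sport=80, dport=4444, tcp_flags=("SYN",))
WEB_ACK = Packet("tcp", "203.0.113.5", "81.148.0.1", sport=80, dport=4444, tcp_flags=("ACK",))
```

Running `evaluate(ORIGINAL, DNS_REPLY)` reproduces the debug output: the reply leaves the server from port 53 towards a high port, so `eq domain` placed after the destination matches queries arriving at port 53, not replies, and the packet falls through to `deny ip any any log`. Both fixes permit it, but with different widths: `permit udp any eq domain any` admits any datagram whose sender chose source port 53, whatever its destination port (`UDP_SPORT53` is permitted), while the `host` entries the poster added admit source port 53 only from the named servers (`UDP_SPORT53` is denied). The `permit tcp any eq www any gt 1023` entry accepts a bare SYN from source port 80; with `established` it accepts only segments carrying ACK or RST, which is what the keyword mentioned earlier in the thread does. Note also that `host` is shorthand for wildcard 0.0.0.0, so `deny ip host 0.0.0.0 any` matches only a packet whose source address is exactly 0.0.0.0.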
 
 
 