«

[nateevs]

Hello Everyone.

I have a big problem. I have a ADSL Cisco 837 router. I have access-list configured on the router. When I take off all the access-list, I can get internet access. When I replace the access-list, internet access is denied again.

I have the explicit "deny ip any any log" statement at the end of ACL and so I can see that returning udp traffic is constantly being denied inbound from the configured dns servers.

The problem I have however is that I can't seem to find a way round it. No matter what I try. I have researched and and used several methods.

I have used the tcp established keyword. I have permitted udp from the host dns servers inbound. I have tried everything I can and I can't solve it.

This is the access-list I have applied inbound on the Dialer interface.


access-list 101 deny ip 10.10.10.0 0.0.00.255 any
access-list 101 permit icmp any any unreachable
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any echo-reply
access-list 101 permit tcp any any eq domain
access-list 101 permit udp any any eq domain
access-list 101 deny ip host 0.0.0.0 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 224.0.0.0 7.255.255.255 any
access-list 101 deny ip any any log




Please help.

[nateevs]

Anyone help please!

[bryanpalacios]

just one question bud... if the acl is applied inbound to you interface that connects to the internet why are you deniyng traffic from 172.x or another private network segments? also i got another question why are you denying 0.0.0.0?

with those answers maybe i can help you

[nateevs]

Hello Bryan.

I'm sorry for the late reply. By denying those addresses, I am mitigating unauthorized network access. It is preventing anti-spoofing.

Also host 0.0.0.0 means any device. Therefore I am preventing any host from gaining access into my network except one I explicitly permit.


Thanks.

[bryanpalacios]

Hello the ACL is placed in the inbound side of the interface that connects to the internet ?



Regards,

[nateevs]

Yes the ACL is applied to the inbound interface from the internet.

[nateevs]

Someone please help.. I still have not been able to fix this issue. I ran a debug ip packet on the router and this is the output.


*Nov 16 05:14:15.834: IP: tableid=0, s=81.148.xx.xx (local), d=194.72.9.34 (Dialer0), routed via FIB
*Nov 16 05:14:15.834: IP: s=81.148.xx.xx (local), d=194.72.9.34 (Dialer0), len 56, sending
*Nov 16 05:14:16.847: IP: s=81.148.xx.xx (local), d=62.6.40.178 (Dialer0), len 56, sending
*Nov 16 05:14:16.851: IP: s=194.72.9.34 (Dialer0), d=81.148.xx.xx, len 125, access denied



81.148.xx.xx is the IP address on my dialer 0 interface.
62.6.40178 and 194.72.9.34 are the dns servers.


The debug output indicates that traffic reaches the dns servers and traffic is sent back as well. It's only just denied on my router. That's why the internet works when I clear the access-list.

I know that I need to permit udp traffic from my dns servers back into my network but no matter what I try I still can't crack it.

Can anyone help please?


Thanks.

[KrisJun]

I am just taking a stab at it since I just learned about ACL's recently and I do not posses the knowledge (yet) to correctly interpret the debug you posted
but what happens when you add a rule to allow established inbound connections?

[nateevs]

I have solved the problem eventually.

I added these lines to the access list and it worked.

permit udp host 62.6.40.178 eq domain any (1467 matches)
permit udp host 194.72.9.34 eq domain any (30 matches)
permit udp host 62.6.40.162 eq domain any
permit udp host 194.72.9.38 eq domain any
permit tcp any eq www any gt 1023 (2721 matches)


Those addresses are my DNS Servers.
I can now get access to the internet without having to remove my access list. Does it make the network less secure? I don't know. I guess I'll learn that as I continue my journey in Cisco networking. Thank God it's not a production network. It's just my home ADSL connection.

Thanks to everyone that attempted a solution. I hope this helps anyone with similar problems.

[kevin.morales]

the wrong the first ACL is
access-list 101 permit udp any any eq domain,

the dns server of your ISP use the port source 53 and port destination in you network above 1024 think.

the correcto ACL is:
access-list 101 permit udp any eq domain any