ACL blocks Internet Access.

Discussion in 'Cisco' started by nateevs, Feb 14, 2010.

1. nateevs

    Hello Everyone.

    I have a big problem. I have an ADSL Cisco 837 router. I have an access-list configured on the router. When I remove the access-list, I can get internet access. When I put the access-list back, internet access is denied again.

    I have the explicit "deny ip any any log" statement at the end of the ACL, and so I can see that returning UDP traffic is constantly being denied inbound from the configured DNS servers.

    The problem I have, however, is that I can't seem to find a way round it, no matter what I try. I have researched and used several methods.

    I have used the tcp established keyword. I have permitted udp from the host dns servers inbound. I have tried everything I can and I can't solve it.

    This is the access-list I have applied inbound on the Dialer interface.


    access-list 101 deny ip 10.10.10.0 0.0.0.255 any
    access-list 101 permit icmp any any unreachable
    access-list 101 permit icmp any any time-exceeded
    access-list 101 permit icmp any any echo-reply
    access-list 101 permit tcp any any eq domain
    access-list 101 permit udp any any eq domain
    access-list 101 deny ip host 0.0.0.0 any
    access-list 101 deny ip host 255.255.255.255 any
    access-list 101 deny ip 192.168.0.0 0.0.255.255 any
    access-list 101 deny ip 172.16.0.0 0.15.255.255 any
    access-list 101 deny ip 10.0.0.0 0.255.255.255 any
    access-list 101 deny ip 224.0.0.0 7.255.255.255 any
    access-list 101 deny ip any any log

    Please help.
     
    nateevs, Feb 14, 2010
    #1
2. nateevs

    Anyone help please!
     
    nateevs, Feb 15, 2010
    #2
3. bryanpalacios

    Just one question, bud... if the ACL is applied inbound on your interface that connects to the internet, why are you denying traffic from 172.x or other private network segments? Also, I have another question: why are you denying 0.0.0.0?

    With those answers maybe I can help you.
     
    bryanpalacios, Feb 16, 2010
    #3
4. nateevs

    Hello Bryan.

    I'm sorry for the late reply. By denying those addresses, I am mitigating unauthorized network access. It is preventing anti-spoofing.

    Also host 0.0.0.0 means any device. Therefore I am preventing any host from gaining access into my network except one I explicitly permit.


    Thanks.
     
    nateevs, Feb 16, 2010
    #4
5. bryanpalacios

    Hello, is the ACL placed on the inbound side of the interface that connects to the internet?



    Regards,
     
    bryanpalacios, Feb 17, 2010
    #5
6. nateevs

    Yes the ACL is applied to the inbound interface from the internet.
     
    nateevs, Feb 18, 2010
    #6
7. nateevs

    Someone please help. I still have not been able to fix this issue. I ran a debug ip packet on the router and this is the output.


    *Nov 16 05:14:15.834: IP: tableid=0, s=81.148.xx.xx (local), d=194.72.9.34 (Dialer0), routed via FIB
    *Nov 16 05:14:15.834: IP: s=81.148.xx.xx (local), d=194.72.9.34 (Dialer0), len 56, sending
    *Nov 16 05:14:16.847: IP: s=81.148.xx.xx (local), d=62.6.40.178 (Dialer0), len 56, sending
    *Nov 16 05:14:16.851: IP: s=194.72.9.34 (Dialer0), d=81.148.xx.xx, len 125, access denied

    81.148.xx.xx is the IP address on my Dialer0 interface.
    62.6.40.178 and 194.72.9.34 are the DNS servers.


    The debug output indicates that traffic reaches the dns servers and traffic is sent back as well. It's only just denied on my router. That's why the internet works when I clear the access-list.

    I know that I need to permit udp traffic from my dns servers back into my network but no matter what I try I still can't crack it.

    Can anyone help please?


    Thanks.
     
    nateevs, Feb 18, 2010
    #7
8. KrisJun

    I am just taking a stab at it, since I only learned about ACLs recently and I do not possess the knowledge (yet) to correctly interpret the debug you posted, but what happens when you add a rule to allow established inbound connections?
     
    KrisJun, Feb 19, 2010
    #8
9. nateevs

    I have solved the problem eventually.

    I added these lines to the access list and it worked.

    permit udp host 62.6.40.178 eq domain any (1467 matches)
    permit udp host 194.72.9.34 eq domain any (30 matches)
    permit udp host 62.6.40.162 eq domain any
    permit udp host 194.72.9.38 eq domain any
    permit tcp any eq www any gt 1023 (2721 matches)

    Those addresses are my DNS servers.
    I can now get access to the internet without having to remove my access list. Does it make the network less secure? I don't know. I guess I'll learn that as I continue my journey in Cisco networking. Thank God it's not a production network. It's just my home ADSL connection.

    Thanks to everyone that attempted a solution. I hope this helps anyone with similar problems.
     
    nateevs, Feb 20, 2010
    #9
10. kevin.morales

    The wrong line in the first ACL is:

    access-list 101 permit udp any any eq domain

    The DNS server of your ISP uses source port 53 and a destination port in your network above 1024, I think.

    The correct ACL line is:

    access-list 101 permit udp any eq domain any
     
    kevin.morales, Apr 7, 2010
    #10
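Added example, not code from the thread: a Python model of IOS extended ACL matching, run against the ACL from post #1, post #10's one-line correction, post #9's added lines, and a tighter variant of my own. It reproduces the "access denied" line in post #7's debug output: the resolver's reply arrives with source port 53 and an ephemeral destination port, so "permit udp any any eq domain" (which tests the destination port) never matches it and the packet falls through to the final deny. It also shows what each fix lets through besides DNS replies, and why post #8's suggestion could not help on its own: in IOS the "established" keyword matches only TCP segments with ACK or RST set, so it does nothing for UDP. Assumptions: 198.51.100.7 stands in for the poster's elided 81.148.xx.xx address; the spoofed datagram and the two HTTP packets are constructed; post #9's lines are assumed to sit ahead of the final deny; the "tighter" list is a suggestion of mine, not something the thread proposed.

```python
"""Cisco IOS extended ACL matching modelled in Python (first match wins, wildcard masks,
eq/gt/lt port operators, 'established' = TCP ACK or RST set, implicit deny at the end).
Added example, not code from the thread. ICMP type keywords are skipped, not matched."""
import ipaddress

def _addr(tok):
    """Consume 'any' | 'host A' | 'A WILDCARD'; return (base, care_mask)."""
    t = tok.pop(0)
    if t == "any":
        return 0, 0
    if t == "host":
        return int(ipaddress.IPv4Address(tok.pop(0))), 0xFFFFFFFF
    base = int(ipaddress.IPv4Address(t))
    wildcard = int(ipaddress.IPv4Address(tok.pop(0)))  # wildcard 1 bits = don't care
    return base, ~wildcard & 0xFFFFFFFF

def _port(tok):
    """Consume an optional 'eq|gt|lt PORT'; return (op, port) or None."""
    if tok and tok[0] in ("eq", "gt", "lt"):
        op, p = tok.pop(0), tok.pop(0)
        return op, {"domain": 53, "www": 80}.get(p) or int(p)
    return None

def _rule(line):
    tok = line.split()[2:]                                # drop 'access-list 101'
    r = {"text": line.strip(), "action": tok.pop(0), "proto": tok.pop(0)}
    l4 = r["proto"] in ("tcp", "udp")
    r["src"] = _addr(tok)
    r["sport"] = _port(tok) if l4 else None
    r["dst"] = _addr(tok)
    r["dport"] = _port(tok) if l4 else None
    r["established"] = "established" in tok
    return r

def parse_acl(text):
    """Parse 'access-list N action proto src [op port] dst [op port] [keywords]' lines."""
    return [_rule(line) for line in text.strip().splitlines()]

def _match_port(spec, port):  # no operator means any port
    return spec is None or {"eq": port == spec[1], "gt": port > spec[1], "lt": port < spec[1]}[spec[0]]

def evaluate(rules, pkt):
    """Return (action, rule text) of the first matching rule, else the implicit deny."""
    src, dst = (int(ipaddress.IPv4Address(pkt[k])) for k in ("src", "dst"))
    for r in rules:
        if r["proto"] not in ("ip", pkt["proto"]):
            continue
        if (src & r["src"][1]) != (r["src"][0] & r["src"][1]) \
                or (dst & r["dst"][1]) != (r["dst"][0] & r["dst"][1]):
            continue
        if not (_match_port(r["sport"], pkt.get("sport")) and _match_port(r["dport"], pkt.get("dport"))):
            continue
        if r["established"] and not (pkt.get("flags", set()) & {"ack", "rst"}):
            continue
        return r["action"], r["text"]
    return "deny", "implicit deny"

ORIGINAL = """
access-list 101 deny ip 10.10.10.0 0.0.0.255 any
access-list 101 permit icmp any any unreachable
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any echo-reply
access-list 101 permit tcp any any eq domain
access-list 101 permit udp any any eq domain
access-list 101 deny ip host 0.0.0.0 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 224.0.0.0 7.255.255.255 any
access-list 101 deny ip any any log
"""
BROKEN = "access-list 101 permit udp any any eq domain\n"

def variant(*lines):  # ORIGINAL with the broken udp line swapped for LINES, same position
    return ORIGINAL.replace(BROKEN, "".join(l + "\n" for l in lines))

FIXED = variant("access-list 101 permit udp any eq domain any")     # post #10's correction
SOLVED = variant(BROKEN.strip(),                                    # post #9's added lines (position assumed)
                 "access-list 101 permit udp host 62.6.40.178 eq domain any",
                 "access-list 101 permit udp host 194.72.9.34 eq domain any",
                 "access-list 101 permit tcp any eq www any gt 1023")
TIGHTER = variant("access-list 101 permit udp host 62.6.40.178 eq domain any gt 1023",
                  "access-list 101 permit udp host 194.72.9.34 eq domain any gt 1023",
                  "access-list 101 permit tcp any any established")  # my suggestion, not the thread's

ROUTER = "198.51.100.7"  # constructed stand-in for the poster's 81.148.xx.xx Dialer0 address
PACKETS = {  # constructed packets arriving inbound on Dialer0
    "dns_reply": {"proto": "udp", "src": "194.72.9.34", "sport": 53, "dst": ROUTER, "dport": 49152},
    "dns_spoof": {"proto": "udp", "src": "194.72.9.34", "sport": 53, "dst": ROUTER, "dport": 161},
    "http_reply": {"proto": "tcp", "src": "203.0.113.80", "sport": 80, "dst": ROUTER, "dport": 50000, "flags": {"ack"}},
    "http_probe": {"proto": "tcp", "src": "203.0.113.80", "sport": 80, "dst": ROUTER, "dport": 8080, "flags": {"syn"}},
}

def verdicts(acl_text):  # packet name -> action the ACL takes on it
    rules = parse_acl(acl_text)
    return {name: evaluate(rules, p)[0] for name, p in PACKETS.items()}

if __name__ == "__main__":
    print({n: verdicts(a) for n, a in [("original", ORIGINAL), ("post #10", FIXED), ("post #9", SOLVED), ("tighter", TIGHTER)]})
```

Running it prints the four verdict tables and makes the trade-off visible: post #10's rule admits any UDP datagram whose source port is 53, whatever it is aimed at; post #9's "permit tcp any eq www any gt 1023" admits an unsolicited SYN from source port 80 to any high port; the tighter list requires both the resolver's address and a destination port above 1023 for UDP, and ACK or RST for TCP. That is as far as a classic numbered ACL can go. On IOS the stateful options are a reflexive ACL ("reflect" and "evaluate") or CBAC ("ip inspect"), which open return paths per session rather than per port.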