Permit Established? Does it work?

Discussion in 'Cisco' started by Graeme, Dec 19, 2003.

  1. Graeme

    Graeme Guest

    This ACL should allow a PC connected to the router to browse the web? Is
    that right? Why can I ping but not browse the web?

    When I apply this list [ip access-group 102 in] to the S0 (external
    interface) I can't browse!!! When I remove the list I can browse, but my NO
    NAT config is wide open..!
    !
    !
    access-list 102 permit tcp any any established
    access-list 102 permit tcp any any eq telnet
    access-list 102 permit icmp any any
    !
    PS. I've also tried this:

    access-list 102 permit tcp 0.0.0.0 255.255.255.255 xx.xx.xx.0 0.0.0.255
    established


    Many thanks in advance

    Graeme.
     
    Graeme, Dec 19, 2003
    #1

  2. Rod Dorman

    Rod Dorman Guest

    In article <3fe34385$0$37275$>,
    Graeme <> wrote:
    >This ACL should allow a PC connected to the router to browse the web? Is
    >that right? Why can I ping but not browse the web?
    >
    >When I apply this list [ip access-group 102 in] to the S0 (external
    >interface) I can't browse!!! When I remove the list I can browse, but my NO
    >NAT config is wide open..!
    >!
    >access-list 102 permit tcp any any established
    >access-list 102 permit tcp any any eq telnet
    >access-list 102 permit icmp any any


    So which line is it that you think will allow an HTTP session to be
    established?

    --
    -- Rod --
    rodd(at)polylogics(dot)com
     
    Rod Dorman, Dec 19, 2003
    #2

  3. Rik Bain

    Rik Bain Guest

    On Fri, 19 Dec 2003 12:29:24 -0600, Graeme wrote:

    > This ACL should allow a PC connected to the router to browse the web?
    > Is that right? Why can I ping but not browse the web?
    >
    > When I apply this list [ip access-group 102 in] to the S0 (external
    > interface) I can't browse!!! When I remove the list I can browse, but my
    > NO NAT config is wide open..!
    > !
    > !
    > access-list 102 permit tcp any any established
    > access-list 102 permit tcp any any eq telnet
    > access-list 102 permit icmp any any
    > !
    > PS. I've also tried this:
    >
    > access-list 102 permit tcp 0.0.0.0 255.255.255.255 xx.xx.xx.0 0.0.0.255
    > established
    >
    >
    > Many thanks in advance
    >
    > Graeme.


    DNS problem?
     
    Rik Bain, Dec 19, 2003
    #3
  4. Graeme

    Graeme Guest

    Rod,

    Is that a "No" then? That's all I needed; I thought, as the interface wasn't
    ACL'ed going 'out', the HTTP traffic would be allowed 'out' and then allowed
    back 'in' because it was 'established', I think. If that's not the case I'll
    have to read further.

    Many thanks,

    Graeme.
     
    Graeme, Dec 19, 2003
    #4
  5. Graeme

    Graeme Guest

    Rick,

    I can ping both URLs and IPs from the connected PC through the router but
    not surf the web?

    Is this right?

    Graeme.
     
    Graeme, Dec 19, 2003
    #5
  6. In article <brvgjc$4h1$>, Rod Dorman <> wrote:
    |In article <3fe34385$0$37275$>,
    |Graeme <> wrote:
    |>This ACL should allow a PC connected to the router to browse the web? Is
    |>that right? Why can I ping but not browse the web?

    |>When I apply this list [ip access-group 102 in] to the S0 (external
    |>interface) I can't browse!!! When I remove the list I can browse, but my NO
    |>NAT config is wide open..!

    |>access-list 102 permit tcp any any established
    |>access-list 102 permit tcp any any eq telnet
    |>access-list 102 permit icmp any any

    |So which line is it that you think will allow an HTTP session to be
    |established?

    Graeme applied this 'in' his WAN interface, so this ACL is dealing
    with responses from the remote end, not with what is allowed
    to go outwards. That being the case, the permit tcp established
    is going to allow back the HTTP responses to the outgoing packets
    that weren't filtered by any ACL.


    The reference to 'no nat' becoming wide open leads me to wonder whether
    perhaps this one ACL has been applied as both a NAT exemption ACL
    and as an IP filter. Doesn't seem credible, but if it were to be
    the case, then the solution might be to use different ACLs for the
    two cases. Reusing ACLs can lead to oddities.
    --
    Oh, yeah, an African swallow maybe, but not a European swallow.
    That's my point.
     
    Walter Roberson, Dec 19, 2003
    #6
  7. Graeme

    Graeme Guest

    Hello and thank you (all) for your help :)

    At the moment the ACL '102' is applied just to the 'in' on Serial0.

    The router config is very simple so far i'm just trying to get the bare
    bones working...

    It seemed to work and then suddenly stop. I checked it with my online
    banking (SSL) and did a port scan using http://grc.com, again using SSL.
    Then it seemed to suddenly stop working, with pings still working.....!

    Here's my config if that helps!

    Many thanks again..

    Graeme.

    config:
    Current configuration : 966 bytes
    !
    version 12.2
    service timestamps debug uptime
    service timestamps log uptime
    no service password-encryption
    !
    hostname <ROUTER_NAME>
    enable secret 5 <ENCRYPTED_PASSWORD>
    !
    ip subnet-zero
    ip name-server <DNS_IP_ONE>
    ip name-server <DNS_IP_TWO>
    !
    !
    !
    !
    interface FastEthernet0
    ip address <FIRST_HOST_MY_RANGE> 255.255.255.248
    speed auto
    full-duplex
    !
    interface Serial0
    ip address <B_END_ROUTER_IP> 255.255.255.252
    ip access-group 102 in <==ip access-group 102 in, command.
    encapsulation frame-relay IETF
    logging event subif-link-status
    logging event dlci-status-change
    no fair-queue
    frame-relay map ip <A_END_ROUTER_IP> 20 broadcast IETF
    frame-relay interface-dlci 20
    frame-relay lmi-type ansi
    !
    interface Serial1
    no ip address
    shutdown
    !
    ip classless
    ip route 0.0.0.0 0.0.0.0 <A_END_ROUTER_IP>
    ip http server
    !
    !
    access-list 102 permit tcp any any established
    access-list 102 permit tcp any any eq telnet
    access-list 102 permit icmp any any
    !
    line con 0
    line aux 0
    line vty 0 4
    password <PASSWORD>
    login
    !
    end

    > Graeme applied this 'in' his WAN interface, so this ACL is dealing
    > with responses from the remote end, not with what is allowed
    > to go outwards. That being the case, the permit tcp established
    > is going to allow back the HTTP responses to the outgoing packets
    > that weren't filtered by any ACL.
    >
    >
    > The reference to 'no nat' becoming wide open leads me to wonder whether
    > perhaps this one ACL has been applied as both a NAT exemption ACL
    > and as an IP filter. Doesn't seem credible, but if it were to be
    > the case, then the solution might be to use different ACLs for the
    > two cases. Reusing ACLs can lead to oddities.
    > --
    > Oh, yeah, an African swallow maybe, but not a European swallow.
    > That's my point.
     
    Graeme, Dec 19, 2003
    #7
  8. In article <3fe357df$0$39099$>,
    Graeme <> wrote:
    :It seemed to work and then suddenly stop. I checked it with my online
    :banking (SSL) and did a port scan using http://grc.com, again using SSL.
    :Then it seemed to suddenly stop working, with pings still working.....!

    :Here's my config if that helps!

    :interface Serial0
    : ip address <B_END_ROUTER_IP> 255.255.255.252
    : ip access-group 102 in <==ip access-group 102 in, command.

    : frame-relay map ip <A_END_ROUTER_IP> 20 broadcast IETF
    : frame-relay interface-dlci 20


    Hmmmm, frame relay. Sorry, I don't know anything about that or its
    failure modes. The ACL part looked okay.
    --
    Sub-millibarn resolution bio-hyperdimensional plasmatic space
    polyimaging is just around the corner. -- Corry Lee Smith
     
    Walter Roberson, Dec 19, 2003
    #8
  9. Graeme wrote:

    > Rick,
    >
    > I can ping both URLs and IPs from the connected PC through the router but
    > not surf the web?
    >
    > Is this right?


    How about you've set the PCs up to access the web through a
    proxy which is down ?

    Try from a command prompt "telnet www.somesite.around 80"
    and see if you get any response back.


    B

    --
    http://www.mailtrap.org.uk/
     
    Bob { Goddard }, Dec 20, 2003
    #9
  10. ZeroKool

    ZeroKool Guest

    Try this

    access-list 102 permit tcp any any established
    access-list 102 permit tcp any any eq telnet
    access-list 102 permit tcp any any gt 1023
    access-list 102 permit icmp any any




    "Graeme" <> wrote in message
    news:3fe34385$0$37275$...
    > This ACL should allow a PC connected to the router to browse the web? Is
    > that right? Why can I ping but not browse the web?
    >
    > When I apply this list [ip access-group 102 in] to the S0 (external
    > interface) I can't browse!!! When I remove the list I can browse, but my NO
    > NAT config is wide open..!
    > !
    > !
    > access-list 102 permit tcp any any established
    > access-list 102 permit tcp any any eq telnet
    > access-list 102 permit icmp any any
    > !
    > PS. I've also tried this:
    >
    > access-list 102 permit tcp 0.0.0.0 255.255.255.255 xx.xx.xx.0 0.0.0.255
    > established
    >
    >
    > Many thanks in advance
    >
    > Graeme.
    >
    >
     
    ZeroKool, Dec 20, 2003
    #10
  11. I'm going to bet this is a DNS problem. You don't have any lines in your
    ACL for UDP 53. Add:

    access-list 102 permit udp any eq 53 any

    Mike

    "Graeme" <> wrote in message
    news:3fe349e8$0$39048$...
    > Rick,
    >
    > I can ping both URLs and IPs from the connected PC through the router but
    > not surf the web?
    >
    > Is this right?
    >
    > Graeme.
    >
    >
     
    Mike Gallagher, Dec 20, 2003
    #11
  12. In article <3fe34385$0$37275$>,
    "Graeme" <> wrote:

    > This ACL should allow a PC connected to the router to browse the web? Is
    > that right? Why can I ping but not browse the web?
    >
    > When I apply this list [ip access-group 102 in] to the S0 (external
    > interface) I can't browse!!! When I remove the list I can browse, but my NO
    > NAT config is wide open..!
    > !
    > !
    > access-list 102 permit tcp any any established
    > access-list 102 permit tcp any any eq telnet
    > access-list 102 permit icmp any any
    > !
    > PS. I've also tried this:
    >
    > access-list 102 permit tcp 0.0.0.0 255.255.255.255 xx.xx.xx.0 0.0.0.255
    > established


    Your ACL doesn't allow DNS responses back in. DNS normally uses UDP, so
    you need something like:

    access-list 102 permit udp host <DNS-server-IP> eq domain any

    This assumes you have the machines on your LAN configured to use your
    ISP's DNS server. If you run your own DNS server, it should be:

    access-list 102 permit udp any eq domain host <DNS-server-IP> gt 1023

    But since you're NATting, and this ACL is applied before NAT is done,
    and I'm guessing you don't have a static translation for the DNS server,
    you may need it to be:

    access-list 102 permit udp any eq domain any gt 1023

    --
    Barry Margolin,
    Arlington, MA
     
    Barry Margolin, Dec 20, 2003
    #12
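An added example, not code from the thread's posters or from Cisco: a small stateless model of an IOS extended ACL in Python, with the semantics the thread relies on (first matching entry wins, implicit deny at the end, `established` true when the ACK or RST bit is set), run over constructed inbound packets. The addresses are documentation placeholders standing in for <FIRST_HOST_MY_RANGE>, the ISP resolver and remote web servers. It reproduces the symptom Walter, Mike and Barry converge on: access-list 102 passes the ping and HTTP replies but drops the UDP DNS answer, so names never resolve, and Barry's `permit udp host <DNS-server-IP> eq domain any` line is what changes that. It also shows two caveats a reviewer would raise: `established` is a flag test rather than connection tracking, so an unsolicited ACK-only segment from outside (an ACK scan) passes it, and ZeroKool's `permit tcp any any gt 1023` admits brand-new inbound SYNs to every high port.

```python
"""Stateless model of a Cisco IOS extended ACL with the 'established' keyword.

Added example for this thread, not code from the original posts or from
Cisco.  Addresses are placeholders.  IOS treats 'established' as a flag test:
a TCP segment matches if its ACK or RST bit is set; no state table exists.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, Optional, Tuple

PortSpec = Optional[Tuple[str, int]]      # ("eq", 53), ("gt", 1023) or None


@dataclass(frozen=True)
class Packet:
    proto: str                            # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    flags: FrozenSet[str] = frozenset()   # TCP flags, e.g. {"SYN", "ACK"}


@dataclass(frozen=True)
class Ace:
    """One access-list entry; src/dst are 'any' or a CIDR string."""
    action: str                           # "permit" or "deny"
    proto: str                            # "ip", "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: PortSpec = None
    dport: PortSpec = None
    established: bool = False


def _addr_match(spec: str, addr: str) -> bool:
    return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)


def _port_match(spec: PortSpec, port: int) -> bool:
    if spec is None:
        return True
    op, n = spec
    return {"eq": port == n, "neq": port != n, "gt": port > n, "lt": port < n}[op]


def ace_matches(ace: Ace, pkt: Packet) -> bool:
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if not (_addr_match(ace.src, pkt.src) and _addr_match(ace.dst, pkt.dst)):
        return False
    if ace.proto in ("tcp", "udp") and not (
        _port_match(ace.sport, pkt.sport) and _port_match(ace.dport, pkt.dport)
    ):
        return False
    # 'established': a SYN-only segment (new inbound connection) fails the
    # test; any segment carrying ACK or RST passes, solicited or not.
    if ace.established and not ({"ACK", "RST"} & pkt.flags):
        return False
    return True


def evaluate(acl, pkt: Packet) -> str:
    """First matching ACE wins; every IOS ACL ends with an implicit deny."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace.action
    return "deny"


# The thread's access-list 102 as applied 'in' on Serial0.
ACL_102 = [
    Ace("permit", "tcp", "any", "any", established=True),
    Ace("permit", "tcp", "any", "any", dport=("eq", 23)),
    Ace("permit", "icmp", "any", "any"),
]
# ZeroKool's variant inserts 'permit tcp any any gt 1023' before the icmp line.
ACL_ZEROKOOL = ACL_102[:2] + [Ace("permit", "tcp", "any", "any", dport=("gt", 1023))] + ACL_102[2:]
# Barry Margolin's fix: 'permit udp host <DNS-server-IP> eq domain any'.
DNS_SERVER = "198.51.100.53"              # placeholder for the ISP resolver
ACL_102_FIXED = ACL_102 + [Ace("permit", "udp", DNS_SERVER + "/32", "any", sport=("eq", 53))]

# Constructed packets arriving inbound on Serial0; the LAN host is a placeholder.
LAN_HOST = "203.0.113.10"
HTTP_SYNACK = Packet("tcp", "192.0.2.80", LAN_HOST, 80, 40001, frozenset({"SYN", "ACK"}))
DNS_REPLY = Packet("udp", DNS_SERVER, LAN_HOST, 53, 50123)
PING_REPLY = Packet("icmp", "192.0.2.80", LAN_HOST)
INBOUND_SYN = Packet("tcp", "192.0.2.99", LAN_HOST, 45000, 80, frozenset({"SYN"}))
INBOUND_SYN_HIGH = Packet("tcp", "192.0.2.99", LAN_HOST, 45000, 8080, frozenset({"SYN"}))
ACK_SCAN = Packet("tcp", "192.0.2.99", LAN_HOST, 45000, 135, frozenset({"ACK"}))


def walk_thread() -> dict:
    """Verdicts that reproduce the symptom and the fixes discussed above."""
    return {
        "http reply, ACL 102": evaluate(ACL_102, HTTP_SYNACK),                  # permit
        "ping reply, ACL 102": evaluate(ACL_102, PING_REPLY),                   # permit
        "dns reply, ACL 102": evaluate(ACL_102, DNS_REPLY),                     # deny: names never resolve
        "dns reply, fixed": evaluate(ACL_102_FIXED, DNS_REPLY),                 # permit
        "new SYN to 80, ACL 102": evaluate(ACL_102, INBOUND_SYN),               # deny
        "new SYN to 8080, ZeroKool": evaluate(ACL_ZEROKOOL, INBOUND_SYN_HIGH),  # permit: high ports open
        "bare ACK to 135, ACL 102": evaluate(ACL_102, ACK_SCAN),                # permit: flag test only
    }


if __name__ == "__main__":
    for case, verdict in walk_thread().items():
        print(f"{case:28s} {verdict}")
```

Two things follow from the last two verdicts. Because `established` only inspects flags, a filter built on it keeps out new connections but not ACK-only probes or data injected into a guessed connection; on IOS the stateful alternatives are reflexive access lists (`reflect`/`evaluate`) or CBAC/zone-based firewall inspection, which track the outbound session and open the return path for it alone. And the config as posted also permits inbound Telnet from any source to anything behind Serial0 via the second line and leaves `ip http server` enabled, both worth reviewing once browsing works.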
