Cisco Firewall/ACL rule.

I'm trying to set up the L8NC service to ping my router. I have created the following rule....

access-list 101 permit icmp host 80.249.110.123 host 84.92.182.81 log

Can anyone see anything wrong with this rule, as all ICMP traffic from that host is blocked?

Thanks!
 
Assuming the rule is correct then it must be in the wrong place......

Am I right in saying that the rules are processed in the order they are listed?

[attachment: firewall_rules.JPG]
 
I think you need to add a rule for the reverse traffic. ICMP is not a protocol that CISCO treats in a stateful manner.

Either add a rule from 84.92.182.81 to 80.249.110.123 which restricts ICMP to echo-reply or just allow any ICMP on that rule.
 
I have added that rule on the Dialer 0 interface but all ICMP traffic is being blocked from the L8NC service.
 
Here we go.....

access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 10.10.10.0 0.0.0.255
access-list 2 remark HTTP Access-class list
access-list 2 remark SDM_ACL Category=1
access-list 2 permit 10.10.10.0 0.0.0.255
access-list 2 deny any
access-list 100 remark auto-generated by Cisco SDM Express firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny ip 84.92.152.80 0.0.0.3 any
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto-generated by Cisco SDM Express firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 remark Auto generated by SDM for NTP (123) 212.23.8.6
access-list 101 permit udp host 212.23.8.6 eq ntp host 84.92.152.81 eq ntp
access-list 101 permit udp host 212.159.6.10 eq domain host 84.92.152.81 log
access-list 101 remark L8NC check
access-list 101 permit icmp host 80.249.110.123 host 84.92.182.81 log
access-list 101 remark L8NC check
access-list 101 permit icmp host 84.92.182.81 host 80.249.110.123 log
access-list 101 remark Skype
access-list 101 permit tcp any host 84.92.182.81 eq 61160 log
access-list 101 permit udp host 10.10.10.1 eq domain host 84.92.152.81 log
access-list 101 permit icmp any host 84.92.152.81 echo-reply log
access-list 101 permit icmp any host 84.92.152.81 time-exceeded log
access-list 101 permit icmp any host 84.92.152.81 unreachable log
access-list 101 deny ip 10.10.10.0 0.0.0.255 any log
access-list 101 deny ip 10.0.0.0 0.255.255.255 any log
access-list 101 deny ip 172.16.0.0 0.15.255.255 any log
access-list 101 deny ip 192.168.0.0 0.0.255.255 any log
access-list 101 deny ip 127.0.0.0 0.255.255.255 any log
access-list 101 deny ip host 255.255.255.255 any log
access-list 101 deny ip host 0.0.0.0 any log
access-list 101 deny ip any any log
access-list 102 remark VTY Access-class list
access-list 102 remark SDM_ACL Category=1
access-list 102 permit ip 10.10.10.0 0.0.0.255 any
access-list 102 deny ip any any
dialer-list 1 protocol ip permit
 
The lines allowing external return traffic are to 84.92.152.81

For the incoming ICMP you have it to 84.92.182.81
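Both points raised in the thread, whether entries are processed in the order listed and why the typo in the destination address blocks the ping, can be checked by walking the list the way IOS does: top to bottom, first match wins, implicit deny at the end. The evaluator below is an added example and not code from the thread or from Cisco. It parses a constructed excerpt of the posted access-list 101 (remark lines and a few entries removed, port qualifiers parsed but ignored) and shows that the L8NC echo request to the real WAN address 84.92.152.81 falls through to the final deny ip any any entry, while the same request is permitted once the destination is corrected. A third check moves the deny to the top of the list to show that position alone decides the outcome.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed excerpt of the access-list 101 posted in the thread.  The ICMP
# entry keeps the typo the thread ends up finding: 84.92.182.81 instead of
# the WAN address 84.92.152.81.
ACL_AS_POSTED = """
access-list 101 permit udp host 212.23.8.6 eq ntp host 84.92.152.81 eq ntp
access-list 101 permit icmp host 80.249.110.123 host 84.92.182.81 log
access-list 101 permit icmp any host 84.92.152.81 echo-reply log
access-list 101 deny ip 10.0.0.0 0.255.255.255 any log
access-list 101 deny ip any any log
"""

# The same list with the destination corrected to the real WAN address.
ACL_CORRECTED = ACL_AS_POSTED.replace("84.92.182.81", "84.92.152.81")

ICMP_TYPES = {"echo", "echo-reply", "time-exceeded", "unreachable"}


@dataclass
class Entry:
    action: str
    proto: str
    src: Optional[Tuple[int, int]]   # (network, wildcard) or None for 'any'
    dst: Optional[Tuple[int, int]]
    icmp_type: Optional[str]
    text: str


def _parse_addr(toks: List[str]):
    """Consume one address spec: 'any' | 'host A.B.C.D' | 'A.B.C.D W.X.Y.Z'."""
    if toks[0] == "any":
        return None, toks[1:]
    if toks[0] == "host":
        return (int(ipaddress.IPv4Address(toks[1])), 0), toks[2:]
    net = int(ipaddress.IPv4Address(toks[0]))
    wild = int(ipaddress.IPv4Address(toks[1]))
    return (net, wild), toks[2:]


def _skip_port(toks: List[str]):
    """Drop an 'eq <port>' qualifier; ports are not modelled in this example."""
    return toks[2:] if toks and toks[0] == "eq" else toks


def parse_acl(text: str) -> List[Entry]:
    entries = []
    for line in text.strip().splitlines():
        toks = line.split()
        if len(toks) < 4 or toks[2] == "remark":
            continue
        action, proto, rest = toks[2], toks[3], toks[4:]
        src, rest = _parse_addr(rest)
        rest = _skip_port(rest)
        dst, rest = _parse_addr(rest)
        rest = _skip_port(rest)
        icmp_type = rest[0] if rest and rest[0] in ICMP_TYPES else None
        entries.append(Entry(action, proto, src, dst, icmp_type, line))
    return entries


def _addr_match(spec, addr: int) -> bool:
    if spec is None:
        return True
    net, wild = spec
    care = 0xFFFFFFFF ^ wild          # wildcard bits set to 1 are "don't care"
    return addr & care == net & care


def evaluate(entries: List[Entry], proto: str, src: str, dst: str,
             icmp_type: Optional[str] = None):
    """First-match evaluation as IOS does it; implicit deny if nothing matches."""
    s, d = int(ipaddress.IPv4Address(src)), int(ipaddress.IPv4Address(dst))
    for e in entries:
        if e.proto != "ip" and e.proto != proto:
            continue
        if not (_addr_match(e.src, s) and _addr_match(e.dst, d)):
            continue
        if e.icmp_type is not None and e.icmp_type != icmp_type:
            continue
        return e.action, e.text
    return "deny", "(implicit deny)"


def ping_result(acl_text: str):
    """Fate of an echo request from the monitoring host to the WAN address."""
    return evaluate(parse_acl(acl_text), "icmp",
                    "80.249.110.123", "84.92.152.81", "echo")


def with_deny_first(acl_text: str) -> str:
    """Move the final 'deny ip any any' to the top to show that order decides."""
    lines = acl_text.strip().splitlines()
    return "\n".join([lines[-1]] + lines[:-1])


if __name__ == "__main__":
    for label, acl in (("as posted", ACL_AS_POSTED),
                       ("corrected", ACL_CORRECTED),
                       ("deny first", with_deny_first(ACL_CORRECTED))):
        action, text = ping_result(acl)
        print(f"{label:10s}: {action:6s} by  {text}")
```

Run as a script it prints one line per variant; the "as posted" list denies the echo request on the catch-all entry because the host-specific permit never matches the real destination, and the "deny first" variant shows that the corrected permit is useless if it sits below the deny.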
 
What have you changed?

For L8NC you need to allow ICMP echo to your WAN address. Allow it from any to start with and since you're logging it, check the logs to find what's happening.
 
Tui said:
What have you changed?

For L8NC you need to allow ICMP echo to your WAN address. Allow it from any to start with and since you're logging it, check the logs to find what's happening.

I changed
The lines allowing external return traffic are to 84.92.152.81

For the incoming ICMP you have it to 84.92.182.81

I had the wrong IP address entered as my WAN interface.
 