I'm confused (Cisco)

Soldato
Joined
18 Oct 2002
Posts
17,864
Location
Cambridge
I have a Cisco 857w which works fine unless I apply an access list. The access list is incoming only yet when I apply it it stops all sorts of things from working. Ventrilo can't communicate with the server, Heroes of Newerth can't see the server list, pings don't work. I have a syslog running and see nothing at all when these things don't work. Vent and HoN both list the problems as outgoing. Everything on the access list works fine though.

Here's how I apply the access list:

interface Dialer0
ip access-group WAN-IN in

And this is the access list:

ip access-list extended WAN-IN
remark VPN from office
permit udp host 217.33.###.### eq 4500 host 77.107.###.###
permit udp host 217.33.###.### eq 500 host 77.107.###.###
permit udp host 217.33.###.### eq 259 host 77.107.###.###
permit udp host 81.145.###.### eq 4500 host 77.107.###.###
permit udp host 81.145.###.### eq 500 host 77.107.###.###
remark VNC
permit tcp host 217.33.###.### host 77.107.###.### eq 55896
permit udp host 217.33.###.### host 77.107.###.### eq 55896
remark Torrent uses TCP and UDP
permit tcp any host 77.107.###.### eq 55897
permit udp any host 77.107.###.### eq 55897
remark Established
permit tcp any host 77.107.###.### established
remark DNS
permit udp host 194.72.0.98 eq domain host 77.107.###.###
permit udp host 194.74.65.68 eq domain host 77.107.###.###
remark NTP
permit udp any host 77.107.###.### eq ntp
remark Log Other
deny ip any any log

I've set it to debug all yet still see nothing in it when things aren't working. Is there something wrong with the list, how I've applied it or even something I need to set which makes the syslog send more?

Any suggestions?
 
The ACL will block ALL incoming traffic other than that you have explicitly allowed; all other traffic is going to be blocked, so seeing as you haven't allowed return traffic from Ventrilo it will be blocked.

If you configure IP Inspect as well as an ACL then this will allow traffic back in for sessions that you have started.....
 
That's what this does:

remark Established
permit tcp any host 77.107.###.### established

Plus my syslogs aren't showing anything being blocked incoming.
 

Oops my bad, missed that line :)

I assume you have checked that the problem is being caused by the ACL - Granted it deffo does sound like it is, but try removing the ACL just to make 100% sure (Guessing you already will have tried that as well though) :)
 
Yeah I removed the ACL and everything starts working again. I just don't understand it as everything being blocked by it gets logged. Yet these outbound issues don't get logged at all.
 
Syngress is right, return traffic is being blocked.

permit tcp ... established applies only to TCP and won't handle return traffic for your other outgoing connections. You need to have entries to explicitly allow UDP, for example, similar to that listed for DNS and NTP.

The best solution is to use CBAC, as suggested, with IP inspect rules for outgoing traffic and this will dynamically change the incoming ACL to allow return traffic for at least TCP and UDP. Later versions of IOS also support ICMP.
 
Read all about it here:
http://www.cisco.com/en/US/docs/ios...tainer_external_docbase_0900e4b1807afcc8.html

In addition to your access-list allowing explicit inbound traffic, you add inspect entries for outgoing traffic.

For example:

ip inspect name WAN-OUT ftp
ip inspect name WAN-OUT icmp router-traffic
ip inspect name WAN-OUT tcp router-traffic
ip inspect name WAN-OUT udp router-traffic
ip inspect name WAN-OUT ntp
ip inspect name WAN-OUT dns
ip inspect name WAN-OUT isakmp
ip inspect name WAN-OUT ipsec-msft
ip inspect name WAN-OUT sip

interface Dialer0
ip inspect WAN-OUT out


Depending on your IOS version, you may not be able to do ICMP, or have the router-traffic option, in which case you'll need to configure the access-list to suit.
 
Cheers, I shall have a read. How do I know what my IOS supports? I presume the dns, vpn and ntp entries you listed would negate the need for it on the incoming access list?

EDIT

Have added what you linked earlier (minus sip) and it appears to be working ok now, thanks a lot :D. Just to clarify though: I presume the dns, vpn and ntp entries you listed would negate the need for it on the incoming access list?
 
Not if you need inbound access. IP Inspect/CBAC inspects your outbound connections and dynamically allows the return traffic. If somebody is connecting in to your router then the ACL will be needed.

If you just need VPN client access out then you should not need the ACL entry.

Personally I set up inspect for TCP, UDP and ICMP and do not bother setting up individual inspection for apps/protocols.
 
For the lack of syslog messages, enter:
show logging

and look at Trap logging. The level should be at least 6 (informational or debugging) and should have the correct host IP address/port used and link status as up.
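As an added illustration for this thread (written for this page, not by any of the posters, and not IOS code), the following Python model replays the symptoms discussed above: a stateless WAN-IN list whose "permit tcp ... established" entry lets TCP replies in, what happens to UDP and ICMP return traffic with and without CBAC-style inspection of outbound traffic, and why the "deny ip any any log" hits (severity 6, informational) never reach a syslog host whose trap level is below 6. The addresses, ports and the session bookkeeping are constructed simplifications of what IOS does.

```python
from dataclasses import dataclass
from typing import List, Optional, Set

# Constructed placeholders: the router's public address and a remote voice server.
ROUTER_WAN = "77.107.0.1"
VOICE_SERVER = "203.0.113.20"


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp", "udp" or "icmp"
    src: str
    sport: int          # for icmp: the echo identifier, reused as dport
    dst: str
    dport: int
    ack: bool = False   # TCP ACK/RST bit set; this is what 'established' matches on


@dataclass
class Ace:
    """One access-control entry; only the fields the thread's list uses."""
    action: str                  # "permit" or "deny"
    proto: str                   # "tcp", "udp", "icmp" or "ip"
    src: str                     # host address or "any"
    dst: str
    dport: Optional[int] = None
    established: bool = False
    log: bool = False

    def matches(self, p: Packet) -> bool:
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if self.src != "any" and self.src != p.src:
            return False
        if self.dst != "any" and self.dst != p.dst:
            return False
        if self.dport is not None and self.dport != p.dport:
            return False
        return p.ack or not self.established


# Cut-down WAN-IN in the same order as the thread's list.
WAN_IN = [
    Ace("permit", "tcp", "any", ROUTER_WAN, established=True),  # remark Established
    Ace("permit", "udp", "any", ROUTER_WAN, dport=123),         # remark NTP
    Ace("deny", "ip", "any", "any", log=True),                   # remark Log Other
]


class Router:
    """Inbound ACL on Dialer0, optionally with CBAC-style inspection of outbound traffic."""

    def __init__(self, acl: List[Ace], inspect: bool) -> None:
        self.acl = acl
        self.inspect = inspect
        self.sessions: Set[tuple] = set()  # (proto, inside, inside_port, outside, outside_port)
        self.events: List[tuple] = []      # (severity, message) as the ACL 'log' keyword emits

    def send_out(self, p: Packet) -> None:
        # 'ip inspect WAN-OUT out' records the session so its reply can be let back in.
        if self.inspect:
            self.sessions.add((p.proto, p.src, p.sport, p.dst, p.dport))

    def receive_in(self, p: Packet) -> str:
        if (p.proto, p.dst, p.dport, p.src, p.sport) in self.sessions:
            return "permit (dynamic)"   # return traffic of an inspected session
        for ace in self.acl:
            if ace.matches(p):
                if ace.log:             # %SEC-6-IPACCESSLOGP is severity 6 (informational)
                    self.events.append((6, f"list WAN-IN denied {p.proto} "
                                           f"{p.src}({p.sport}) -> {p.dst}({p.dport})"))
                return ace.action
        return "deny"   # the implicit deny at the end of every IOS ACL (never logged)

    def forwarded_to_syslog(self, trap_level: int) -> List[str]:
        # 'logging trap <level>' forwards only messages whose severity is <= level.
        return [msg for sev, msg in self.events if sev <= trap_level]


def demo(inspect: bool) -> dict:
    """Replay the thread's symptoms against the ACL, with and without inspection."""
    r = Router(WAN_IN, inspect)
    out = {}
    # Outbound TCP: the SYN/ACK coming back has ACK set, so 'established' lets it in.
    r.send_out(Packet("tcp", ROUTER_WAN, 40000, "203.0.113.10", 443))
    out["tcp_return"] = r.receive_in(Packet("tcp", "203.0.113.10", 443, ROUTER_WAN, 40000, ack=True))
    # Outbound UDP (voice client, game server list): UDP has no ACK bit to match.
    r.send_out(Packet("udp", ROUTER_WAN, 50000, VOICE_SERVER, 3784))
    out["udp_return"] = r.receive_in(Packet("udp", VOICE_SERVER, 3784, ROUTER_WAN, 50000))
    # Outbound ping: the echo reply is likewise unsolicited from the ACL's point of view.
    r.send_out(Packet("icmp", ROUTER_WAN, 7, "203.0.113.30", 7))
    out["icmp_return"] = r.receive_in(Packet("icmp", "203.0.113.30", 7, ROUTER_WAN, 7))
    # An explicit inbound permit (NTP) works either way.
    out["ntp"] = r.receive_in(Packet("udp", "203.0.113.40", 123, ROUTER_WAN, 123))
    out["denied_events"] = len(r.events)
    out["forwarded"] = {lvl: len(r.forwarded_to_syslog(lvl)) for lvl in (5, 6, 7)}
    return out


if __name__ == "__main__":
    for mode in (False, True):
        print("inspect" if mode else "static ACL only", demo(mode))
```

Running it shows the two halves of the thread at once: with the static list alone the TCP reply is permitted while the UDP and ICMP replies hit "deny ip any any log", and those two log events are forwarded only when the trap level is 6 or higher; with inspection enabled all three replies are permitted dynamically and nothing is denied.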
 