Reflective ACL

I changed routers from a 2611 running 12.2 to a 2811 running 12.3(11)T3. I moved the 16 port async module from the 2611 to the 2811 and used the same programming for the ports. I can successfully connect to the external modems connected to the async ports and I can ping around the internal network just fine. However, when I try to ping outside the router, it fails. I use ACLs for in and out. The out's last line (after many specific denies) is a permit ip any any reflect listname. It worked just fine on the 2611, but I never see an entry in the reflective list at all. If I disable the ACLs, I can successfully ping outside the router, but of course that leaves my network wide open. Is this a bug, or am I missing something that changed between the versions?

Thanks,

Gordon Montgomery Living Scriptures, Inc snipped-for-privacy@lsi.com (anti spam - replace lsi with livingscriptures) (801) 627-2000


Can we see the configuration of the interface and the ACL?

-asn

aservin

In article , "aservin" wrote:

Sure, but it's long.....

!
interface FastEthernet0/0
 ip address A.B.C.1 255.255.255.0
 duplex half
 speed auto
!
interface FastEthernet0/1
 ip address 10.0.10.1 255.255.255.0
 shutdown
 duplex half
 speed auto
!
interface Serial0/0/0
 description Broadband
 ip address A.B.D.46 255.255.255.252
 ip access-group broadfilterin in
 ip access-group broadoutjjok out
 crypto map SDM_CMAP_1
!
interface Async1/0
 ip unnumbered FastEthernet0/0
 encapsulation ppp
 async mode interactive
 peer default ip address A.B.C.239
 ppp authentication chap
 routing dynamic
!
interface Async1/1
 ip unnumbered FastEthernet0/0
 encapsulation ppp
 async dynamic routing
 async mode interactive
 peer default ip address A.B.C.240
 ppp authentication chap ms-chap pap
!
interface Async1/2
 ip unnumbered FastEthernet0/0
 encapsulation ppp
 async dynamic routing
 async mode interactive
 peer default ip address A.B.C.241
 ppp authentication chap ms-chap pap
!

And the ACLs:

ip access-list extended broadfilterin
 ;
 ; Deny private ip
 deny ip 192.168.0.0 0.0.255.255 any
 deny ip 172.16.0.0 0.15.255.255 any
 deny ip 10.0.0.0 0.255.255.255 any
 deny ip 127.0.0.0 0.255.255.255 any
 deny ip 255.0.0.0 0.255.255.255 any
 deny ip 224.0.0.0 7.255.255.255 any
 deny ip host 0.0.0.0 any
 ;
 ; Deny our own spoofed addresses
 deny ip A.B.C.0 0.0.0.255 any
 ;
 ; Deny some microsoft holes
 deny tcp any any eq 135
 deny udp any any eq 135
 deny tcp any any eq 445
 deny tcp any any eq 593
 ;
 ; Main Servers
 permit tcp any host A.B.C.10 eq ftp
 permit tcp any host A.B.C.30 eq www
 permit tcp any host A.B.C.30 eq 443
 permit tcp any host A.B.C.14 eq www
 permit tcp any host A.B.C.14 eq 443
 permit tcp any host A.B.C.45 eq ftp
 permit tcp any host A.B.C.34 eq www
 permit tcp any host A.B.C.46 eq www
 permit tcp any host A.B.C.46 eq 443
 permit tcp any host A.B.C.49 eq www
 permit tcp any host A.B.C.49 eq 443
 permit tcp any host A.B.C.47 eq www
 permit tcp any host A.B.C.37 eq www
 permit tcp any host A.B.C.37 eq ftp
 permit tcp any host A.B.C.38 eq www
 permit tcp any host A.B.C.39 eq www
 permit tcp any host A.B.C.31 eq www
 permit tcp any host A.B.C.31 eq ftp
 permit tcp any host A.B.C.41 eq ftp
 permit tcp any host A.B.C.41 eq www
 ;
 ; Nameservers
 permit udp any host A.B.C.10 eq domain
 permit udp any host A.B.C.11 eq domain
 permit udp any eq domain host A.B.C.10
 permit udp any eq domain host A.B.C.11
 ;
 ; Mail Servers
 permit tcp any host A.B.C.14 eq pop3
 permit tcp any host A.B.C.14 eq smtp
 permit tcp any eq smtp host A.B.C.12
 permit tcp any eq smtp host A.B.C.77
 permit tcp any eq smtp host A.B.C.10
 permit tcp any eq smtp host A.B.C.15
 permit tcp any eq smtp host A.B.C.14
 permit icmp any any unreachable
 permit icmp any any ttl-exceeded
 permit icmp any any traceroute
 permit udp any any eq ntp
 ;
 ; Check for outgoing connections
 evaluate broadnetout

ip access-list extended broadoutjjok
 ;
 ; Deny private ips from leaving
 deny ip 192.168.0.0 0.0.255.255 any log
 deny ip 172.16.0.0 0.15.255.255 any log
 deny ip 10.0.0.0 0.255.255.255 any log
 deny ip any 192.168.0.0 0.0.255.255 log
 deny ip any 172.16.0.0 0.15.255.255 log
 deny ip any 10.0.0.0 0.255.255.255 log
 ;
 ; Deny some microsoft holes
 deny tcp any any eq 135 log
 deny udp any any eq 135 log
 deny tcp any any eq 137 log
 deny udp any any eq 137
 deny tcp any any eq 445 log
 deny tcp any any eq 593 log
 ; Permit Main Servers and services
 permit tcp host A.B.C.14 eq www any
 permit tcp host A.B.C.14 eq 443 any
 permit tcp host A.B.C.30 eq www any
 permit tcp host A.B.C.30 eq 443 any
 permit tcp host A.B.C.34 eq www any
 permit tcp host A.B.C.46 eq www any
 permit tcp host A.B.C.46 eq 443 any
 permit tcp host A.B.C.47 eq www any
 permit tcp host A.B.C.37 eq www any
 permit tcp host A.B.C.37 eq ftp any
 permit tcp host A.B.C.38 eq www any
 permit tcp host A.B.C.39 eq www any
 permit udp host A.B.C.10 eq domain any
 permit udp host A.B.C.11 eq domain any
 permit udp host A.B.C.11 any eq domain
 permit udp host A.B.C.10 any eq domain
 permit tcp host A.B.C.12 eq smtp any
 permit tcp host A.B.C.12 eq pop3 any
 permit tcp host A.B.C.41 eq www any
 ; Only let main mail servers out on SMTP
 permit tcp host A.B.C.14 any eq SMTP
 permit tcp host A.B.C.14 eq SMTP any
 permit tcp host A.B.C.10 any eq SMTP
 permit tcp host A.B.C.12 any eq SMTP
 permit tcp host A.B.C.15 any eq SMTP
 permit tcp host A.B.C.15 eq SMTP any
 permit tcp host A.B.C.45 any eq SMTP
 permit tcp host A.B.C.77 any eq SMTP
 deny tcp any any eq SMTP log
 ; Permit everything else
 permit ip any any reflect broadnetout

The difference between Async1/0 and the others is just me trying different configs. They all were identical. This config was working great on the 2611.

Thanks,


Gordon Montgomery

In broadfilterin you are not allowing ICMP. Even if the packet "leaves" the network, you must have a permit statement to let it in. ICMP is different from TCP and UDP: there you just allow the leaving, the router "learns" about it, and when the packet comes back it is allowed automatically; with ICMP it is not. This is only valid for reflexive ACLs.

-as

aservin
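For readers following the reflect/evaluate discussion above, here is an added, minimal reflexive ACL pair for the WAN interface. It is example configuration written for this thread, not the poster's running config or anything from Cisco: the list names (wan-out, wan-in, tracked), the 300 second timeout and the sample show output are assumptions. The point it illustrates is that a temporary return entry is created only by a permit that carries the reflect keyword, so it puts reflect on the per-protocol permits near the top of the outbound list instead of only on a final permit ip any any, and it keeps explicit inbound permits for the ICMP messages (echo-reply, unreachable, ttl-exceeded) that are generated by the far end or by intermediate hops rather than matched by a tracked entry.

```cisco
! Added example, not the poster's configuration. Names and values are assumed.
! How long an idle return entry lives in the reflexive list (seconds).
ip reflexive-list timeout 300
!
ip access-list extended wan-out
 remark Each permit that must open a return path carries "reflect".
 remark A permit without "reflect" lets traffic out but tracks nothing.
 permit tcp A.B.C.0 0.0.0.255 any reflect tracked
 permit udp A.B.C.0 0.0.0.255 any reflect tracked
 permit icmp A.B.C.0 0.0.0.255 any reflect tracked
 deny ip any any log
!
ip access-list extended wan-in
 remark Return traffic: the dynamic entries of "tracked" are consulted here.
 evaluate tracked
 remark ICMP that no tracked entry opens (replies from the far end,
 remark errors from intermediate hops), as suggested in the thread.
 permit icmp any any echo-reply
 permit icmp any any unreachable
 permit icmp any any ttl-exceeded
 deny ip any any log
!
interface Serial0/0/0
 ip access-group wan-in in
 ip access-group wan-out out
!
! Verification (privileged EXEC): after an outbound connection from an
! inside host, the reflexive list should carry a mirrored entry. Sample
! output below is illustrative, with constructed addresses and ports:
!
! Router# show ip access-lists tracked
! Reflexive IP access list tracked
!     permit tcp host 198.51.100.7 eq www host A.B.C.239 eq 1027 (time left 287)
```

If `show ip access-lists tracked` stays empty while outbound traffic flows, the traffic is not matching a reflect entry: check with `show ip access-lists wan-out` which line is accumulating match counters, because any earlier permit (or a deny) that matches first will prevent the reflect line from ever creating an entry.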

Did something change between the 2611 @ ver 12.2 and the 2811 @ ver 12.3? Because those lists and ports worked just fine on the 2611. It is not just ICMP that is stopped now, nothing from the ASYNC ports gets inserted into the reflexive list at all. I'm inclined to call it a bug and open a TAC case for it. I just thought I would check here first.

Thanks,


Gordon Montgomery
