Re: Access-list problem

From: Bryan Bartik <bbartik_at_ipexpert.com>
Date: Sat, 25 Apr 2009 16:20:12 -0600

Hello,

I have seen this issue before and I think it may have been brought up on GS too,
although I couldn't find anything in the archives. This happens when you use
"permit ip any any" in the NAT ACL. If you look at the NAT translations you
will see that when you telnet to the router from the outside, address
translation is taking place on the reply, screwing up the tcp connection.

In this case 200.0.0.2 is the outside interface address (the interface with
"ip nat outside"). I am telnetting from 200.0.0.3 to 200.0.0.2:

R2#sho ip nat translations
Pro Inside global Inside local Outside local Outside global
tcp 200.0.0.2:1 200.0.0.2:23 200.0.0.3:41927 200.0.0.3:41927

R2 translates the SYN-ACK packet from 200.0.0.2 back to 200.0.0.3 using port
1, instead of port 23 and the 3-way handshake never completes. 200.0.0.3
sends an RST because it is not expecting anything on this port. I used the
packet capture in Dynagen to verify this behavior.

If you narrow down your ACL so only the inside hosts are specified, then you
don't have this issue.

Bryan Bartik
CCIE #23707, CCNP
Sr. Support Engineer - IPexpert, Inc.
URL: http://www.IPexpert.com
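
To make the mechanism above concrete, here is an added Python model (not code from this thread or from IOS) of how a NAT inside-source ACL decides what gets translated: Cisco wildcard-mask matching, first-match-wins with an implicit deny, and overload translation to the outside address, run against the two versions of access-list 102 from the original post. The global port 1 and the client port 41927 are taken from the translation table above; the port allocation itself is a constructed simplification.

```python
import ipaddress
# The two versions of access-list 102 from the original post, as tuples of
# (action, protocol, source spec, destination spec, dest port or None); www = 80.
ACL_ORIGINAL = [
    ("deny",   "tcp", "192.168.2.128 0.0.0.63", "any", 80),
    ("permit", "ip",  "any",                    "any", None),
]
ACL_FIXED = [
    ("deny",   "tcp", "192.168.2.128 0.0.0.63", "any", 80),
    ("permit", "ip",  "192.168.2.0 0.0.0.255",  "any", None),
]

def _match_addr(addr, spec):
    """Cisco wildcard-mask match: a 1 bit in the mask means 'don't care'."""
    if spec == "any":
        return True
    base, wild = spec.split()
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wild))
    return (a & ~w) == (b & ~w)

def acl_permits(acl, proto, src, dst, dport):
    """First matching entry wins; an ACL ends with an implicit deny."""
    for action, e_proto, s_spec, d_spec, e_dport in acl:
        if e_proto != "ip" and e_proto != proto:
            continue
        if not (_match_addr(src, s_spec) and _match_addr(dst, d_spec)):
            continue
        if e_dport is not None and e_dport != dport:
            continue
        return action == "permit"
    return False

class NatOverload:
    """Model of 'ip nat inside source list <acl> interface Dialer1 overload'."""
    def __init__(self, acl, outside_addr):
        self.acl, self.outside_addr = acl, outside_addr
        self.next_port = 1  # constructed: the translation table above shows port 1
    def translate(self, proto, src, sport, dst, dport):
        """(address, port) a packet leaves the outside interface with: packets
        the ACL permits are translated, denied ones pass through untouched."""
        if not acl_permits(self.acl, proto, src, dst, dport):
            return src, sport
        port, self.next_port = self.next_port, self.next_port + 1
        return self.outside_addr, port

def syn_ack_source(acl):
    """Source of the router's own telnet SYN-ACK (200.0.0.2:23 -> 200.0.0.3:41927)
    after NAT; the handshake only completes if the port is still 23."""
    nat = NatOverload(acl, "200.0.0.2")
    return nat.translate("tcp", "200.0.0.2", 23, "200.0.0.3", 41927)
```

With the original ACL the router's own reply matches "permit ip any any" and leaves from port 1, which is what the translation table shows; with the narrowed ACL the source 200.0.0.2 matches nothing and the reply is left alone.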

On Sat, Apr 25, 2009 at 1:23 PM, Pavel Bykov <slidersv_at_gmail.com> wrote:

> Looks like a bug.
> Are you telnetting to the Dialer interface?
>
> On Wed, Apr 22, 2009 at 4:17 PM, marish shah <contactmarish_at_gmail.com> wrote:
>
> > Hi All,
> > Scenario.
> > DSL Router 857 connecting to ISP with dialer interface and connecting
> > with LOCAL AREA NETWORK with vlan 1.
> >
> > Requirement,
> >
> > The customer wants to stop browsing for some computers from 192.168.2.128 to
> > 192.168.2.191 and allow any other traffic.
> >
> > The remaining IPs are allowed all traffic. So I put this configuration on the
> > customer router.
> >
> > access-list 102 deny tcp 192.168.2.128 0.0.0.63 any eq www
> >
> > access-list 102 permit ip any any
> >
> > ip nat inside source list 102 interface Dialer1 overload
> >
> > interface Vlan1
> > ip address 192.168.2.1 255.255.255.0
> > ip nat inside
> > !
> > interface Dialer1
> > ip address negotiated
> > ip nat outside
> >
> > After this everything works fine: there was no browsing for a few users, as
> > the customer wanted, and they can access everything else (FTP, TELNET, etc.).
> >
> > And all other customers can use everything, including browsing.
> >
> > But here the problem comes: from outside I cannot telnet to the customer
> > router, but I can ping. If you see my config, I didn't block port 23 for
> > inside, nor for outside, and my access-list only affects inside traffic, but
> > from outside I am not able to telnet, and strangely from inside I can telnet.
> >
> > So the question is: why is my telnet from outside blocked?
> >
> > I solved this problem; I just removed
> >
> > no access-list 102 deny tcp 192.168.2.128 0.0.0.63 any eq www
> >
> > no access-list 102 permit ip any any
> >
> > and replaced with
> >
> > access-list 102 deny tcp 192.168.2.128 0.0.0.63 any eq www
> >
> > access-list 102 permit ip 192.168.2.0 0.0.0.255 any
> >
> > and telnet from outside is also working. So why was it blocked, and why
> > does it work after removing permit any any?
> >
> > Thanks.
> >
> >
> > Blogs and organic groups at http://www.ccie.net
> >
> > _______________________________________________________________________
> > Subscription information may be found at:
> > http://www.groupstudy.com/list/CCIELab.html
>
>
> --
> Pavel Bykov
> ----------------
> Don't forget to help stopping the braindumps, use of which reduces value of
> your certifications. Sign the petition at http://www.stopbraindumps.com/
>
>

--
Blogs and organic groups at http://www.ccie.net
Received on Sat Apr 25 2009 - 16:20:12 ART

This archive was generated by hypermail 2.2.0 : Mon May 04 2009 - 07:39:13 ART