Saturday, November 2, 2019

Can't apply firewall to WAN

Hi,

I've got an issue that I've been working on for a while that I was hoping someone could provide some insight on. We have Google Fiber, and whenever I try to apply an ACL on the WAN interface I lose internet access. The WAN interface is DHCP, and I have the static IP on a subinterface and a couple of port forwards and a routed IPsec tunnel.

Basically I'm trying to apply OUTSIDE_IN to GigabitEthernet0/0/1 via:

ip access-group OUTSIDE_IN in

Basically I just want a firewall on the WAN that only allows the port forwards and the IPSEC. I'm somewhat of a novice here and I really appreciate any insight. Happy to answer any questions.

Here's the obfuscated config:

crypto isakmp policy 26
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key KEY_IPSEC address IPSEC.PEER.IP.2
crypto ipsec transform-set EBIZ26 esp-3des esp-sha-hmac
 mode tunnel
crypto map EBIZ local-address GigabitEthernet0/0/1.1
crypto map EBIZ 26 ipsec-isakmp
 set peer IPSEC.PEER.IP.2
 set transform-set EBIZ26
 set pfs group2
 match address ACCESS_LIST_IPSEC
interface GigabitEthernet0/0/1
 ip address dhcp
 no ip unreachables
 ip nat outside
 negotiation auto
 crypto map EBIZ
interface GigabitEthernet0/0/1.1
 encapsulation dot1Q 20
 ip address WAN.IP.ROUTING.178 255.255.255.248
 ip access-group OUTSIDE_IN in
 crypto map EBIZ
interface Vlan1
 ip address 10.45.0.7 255.255.255.0
 ip nat inside
ip nat pool inside_pool WAN.IP.ROUTING.178 WAN.IP.ROUTING.178 netmask 255.255.255.248
ip nat pool outside_pool 10.45.0.1 10.45.0.254 prefix-length 24
ip nat inside source static tcp 10.45.0.90 80 WAN.IP.ROUTING.179 80 extendable
ip nat inside source static tcp 10.45.0.90 443 WAN.IP.ROUTING.179 443 extendable
ip nat inside source static tcp 10.45.0.90 943 WAN.IP.ROUTING.179 943 extendable
ip nat inside source static tcp 10.45.0.2 1192 WAN.IP.ROUTING.179 1192 extendable
ip nat inside source static udp 10.45.0.90 1194 WAN.IP.ROUTING.179 1194 extendable
ip nat inside source list NAT-SOURCE-NETS pool inside_pool overload
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip route 192.168.200.0 255.255.255.0 10.45.0.1
ip access-list standard NAT-DEST-NETS
 permit WAN.IP.ROUTING.178
ip access-list standard NAT-SOURCE-NETS
 permit 10.45.0.0 0.0.0.255
ip access-list extended EBIZ26
 permit ip host 136.40.199.178 host 144.160.96.131
ip access-list extended ACCESS_LIST_IPSEC
 permit ip host WAN.IP.ROUTING.178 x.x.0.0 0.0.255.255
 permit ip host WAN.IP.ROUTING.178 x.x.0.0 0.0.255.255
 permit ip host WAN.IP.ROUTING.178 x.6.0.0 0.0.255.255
 permit ip host WAN.IP.ROUTING.178 x.8.0.0 0.0.255.255
 permit ip host WAN.IP.ROUTING.178 x.9.0.0 0.0.255.255
 ...
Continues for about 20 lines ...
ip access-list extended OUTSIDE_IN
 permit ip host IPSEC.PEER.IP.1 any
 permit ip host IPSEC.PEER.IP.2 any
 permit ip object-group fiber_subnet any
 permit ip any host 10.45.0.90
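A check worth running before applying OUTSIDE_IN, added here as an example (editor's Python, not the poster's config or any Cisco tool): it replays the four posted ACL entries with IOS first-match semantics and the implicit trailing deny against the inbound flows the WAN has to accept. The flows, the object-group membership and the ANY.INTERNET.HOST token are constructed assumptions; the address tokens are kept as the post's placeholders and compared as strings. The point it surfaces is that an inbound ACL on a NAT outside interface is evaluated before outside-to-inside translation, so its entries must name the global addresses (WAN.IP.ROUTING.178/.179), not the inside host 10.45.0.90.

```python
from typing import List, Tuple

# The four entries of the posted OUTSIDE_IN ACL: (protocol, source, destination).
OUTSIDE_IN = [
    ("ip", "IPSEC.PEER.IP.1", "any"),
    ("ip", "IPSEC.PEER.IP.2", "any"),
    ("ip", "object-group:fiber_subnet", "any"),
    ("ip", "any", "10.45.0.90"),
]

# Assumed (constructed) membership of the object-group; the post does not show it.
OBJECT_GROUPS = {"fiber_subnet": {"FIBER.SUBNET.HOST.1"}}


def _addr_match(entry_addr: str, pkt_addr: str) -> bool:
    """Match one ACL address token against a packet address token."""
    if entry_addr == "any":
        return True
    if entry_addr.startswith("object-group:"):
        return pkt_addr in OBJECT_GROUPS.get(entry_addr.split(":", 1)[1], set())
    return entry_addr == pkt_addr


def evaluate(acl, proto: str, src: str, dst: str) -> Tuple[str, int]:
    """IOS first-match evaluation: returns ("permit", entry_index) for the first
    matching entry, or ("deny", -1) when the implicit deny at the end fires."""
    for i, (e_proto, e_src, e_dst) in enumerate(acl):
        if e_proto in ("ip", proto) and _addr_match(e_src, src) and _addr_match(e_dst, dst):
            return ("permit", i)
    return ("deny", -1)


# Constructed inbound flows as the outside interface sees them: the inbound ACL runs
# BEFORE outside-to-inside NAT, so destinations are the public addresses.
REQUIRED_FLOWS = [
    ("isakmp from peer",   "udp", "IPSEC.PEER.IP.2",   "WAN.IP.ROUTING.178"),
    ("esp from peer",      "esp", "IPSEC.PEER.IP.2",   "WAN.IP.ROUTING.178"),
    ("port-forward 443",   "tcp", "ANY.INTERNET.HOST", "WAN.IP.ROUTING.179"),
    ("nat return traffic", "tcp", "ANY.INTERNET.HOST", "WAN.IP.ROUTING.178"),
]


def audit(acl=OUTSIDE_IN, flows=REQUIRED_FLOWS) -> List[str]:
    """Names of the required flows that would hit the implicit deny."""
    return [name for name, p, s, d in flows if evaluate(acl, p, s, d)[0] == "deny"]


if __name__ == "__main__":
    for name, p, s, d in REQUIRED_FLOWS:
        print(f"{name:20s} -> {evaluate(OUTSIDE_IN, p, s, d)}")
    print("blocked by implicit deny:", audit())
```

The last entry only ever matches packets already addressed to 10.45.0.90, which the outside interface never sees before translation, so the port forwards and the overload pool's return traffic fall through to the implicit deny.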

