Solved

Update access control list on Cisco 2610 router

Posted on 2003-02-21
Last Modified: 2010-04-17
I have a Cisco 2610 router running IOS 12.0

I have a vendor with a website that has a user forum for our salesmen.  When we access the website from our LAN - we cannot load the forum.  The forum is a Lotus Notes Domino Java applet.

When I dial up an ISP (bypassing our router) and connect to the forum on the same computer, it loads fine.

So - our router must be blocking something.

I was wondering if I can just add a line to my access control list to say allow everything from this site (I know the IP address of the forum) so that my salesman can get into the forum.

If this is the case can someone give me the syntax for the command.


Thanks so much

Robby
Question by:robbyj90
17 Comments
 
LVL 5

Expert Comment

by:rrhunt28
ID: 7994476
Are the entries named or just numbered? You will need to take the ACL off the interface first. Then edit the list, then reapply it to the interface. The best thing to do is always keep a text copy of your ACLs.

Router(config)# access-list access-list-number {permit| deny} protocol source-address source-mask destination-address destination-mask [operator port] [established]

That is the general form for an extended IP access list.

so it might be something like
access-list 101 permit tcp xxx.xxx.xxx.xxx 0.0.0.255 xxx.xxx.xxx.xxx 0.0.0.255

That would assume you're using a TCP/IP network, and both the addresses are class C networks. That command will allow anything from your network to their network, and vice versa if you apply it on the in and out. If you have not done this before I highly recommend getting someone who knows more about it to help; ACLs can be tricky, and are very important. Good luck.
LVL 79

Expert Comment

by:lrmoore
ID: 7997285
Can you post your existing access-list?
LVL 79

Expert Comment

by:lrmoore
ID: 8036026
You still with us, robby?
Author Comment

by:robbyj90
ID: 8036443
This is the result I get from doing a show access-list

Standard IP access list 1
    permit 172.20.2.0, wildcard bits 0.0.1.255
    permit 172.20.7.0, wildcard bits 0.0.0.255
    permit 172.20.8.0, wildcard bits 0.0.0.255
Extended IP access list 103
    permit tcp any host x.x.x.x eq smtp
    permit icmp any any echo-reply
    permit icmp any any traceroute
    permit tcp any host x.x.x.x eq www
    deny tcp any any
    deny udp any any

I am not sure what interfaces are using these lists?

Thanks
LVL 79

Expert Comment

by:lrmoore
ID: 8036483
Does not look like any interface is using them, or there would be hit counts like this example from one of my active routers:
Extended IP access list 105
    deny ip any 172.16.0.0 0.0.255.255 (484 matches)
    deny ip any 10.0.0.0 0.255.255.255 (11087599 matches)
    deny ip any 140.0.0.0 0.255.255.255 (47136 matches)
    permit ip 199.135.0.0 0.0.255.255 any (126850 matches)
Extended IP access list 109
    permit ip 129.135.128.0 0.0.0.63 172.16.0.0 0.0.255.255 time-range weekdays
(active)
    permit ip 172.16.0.0 0.0.255.255 129.135.128.0 0.0.0.63 time-range weekdays
(active) (12281270 matches)

I think you are going to have to post your complete configuration (change the passwords/usernames/etc)


Author Comment

by:robbyj90
ID: 8037117
here is my config

Using 3444 out of 29688 bytes
!
version 12.0
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname xxxxxx
!
no logging console
enable password xxxxxxxxxxxxx
!
!
!
!
!
ip subnet-zero
no ip domain-lookup
!
ip inspect name fw_out tcp
ip inspect name fw_out udp
ip inspect name fw_out smtp
ip inspect name fw_out ftp
ip inspect name fw_out http
ip inspect name fw_out realaudio
ip audit notify log
ip audit po max-events 100
!
!
!
interface Ethernet0/0
 description
 ip address x.x.x.x 255.255.254.0
 no ip directed-broadcast
 ip nat inside
!
interface Serial0/0
 bandwidth 128
 no ip address
 no ip directed-broadcast
 encapsulation frame-relay IETF
 no ip mroute-cache
 fair-queue 64 256 0
 cdp enable
 frame-relay lmi-type ansi
!
interface Serial0/0.1 point-to-point
 description
 ip address x.x.x.x 255.255.255.252
 no ip directed-broadcast
 ip nat outside
 ip inspect fw_out out
 frame-relay interface-dlci 16
!
interface Serial0/1
 description
 bandwidth 56
 ip address x.x.x.x 255.255.255.252
 ip access-group 101 in
 no ip directed-broadcast
 ip nat inside
 fair-queue 64 256 0
!
interface Serial0/2
 description
 bandwidth 56
 ip address x.x.x.x 255.255.255.252
 ip access-group 102 in
 no ip directed-broadcast
 ip nat inside
 shutdown
 fair-queue 64 256 0
!
router rip
 version 2
 passive-interface Serial0/0.1
 network x.x.x.x
 network x.x.x.x
 no auto-summary
!
ip nat pool NAT x.x.x.x x.x.x.x netmask 255.255.255.252
ip nat inside source list 1 pool NAT overload
ip nat inside source static x.x.x.x x.x.x.x
ip classless
no ip forward-protocol udp netbios-ns
no ip forward-protocol udp netbios-dgm
ip route 0.0.0.0 0.0.0.0 Serial0/0.1
ip route x.x.x.x 255.255.0.0 x.x.x.x
ip route x.x.x.x 255.255.255.0 x.x.x.x
ip route x.x.x.x 255.255.255.0 x.x.x.x
ip route x.x.x.x 255.255.255.0 x.x.x.x
ip route x.x.x.x 255.255.255.0 x.x.x.x
ip route x.x.x.x 255.255.255.0 x.x.x.x
ip route x.x.x.x 255.255.255.0 x.x.x.x
ip route x.x.x.x 255.255.255.0 x.x.x.x
ip route x.x.x.x 255.255.255.0 x.x.x.x
ip route x.x.x.x 255.255.255.0 x.x.x.x
ip route x.x.x.x 255.255.255.0 x.x.x.x
ip route x.x.x.x 255.255.255.0 x.x.x.x
ip route x.x.x.x 255.255.255.0 x.x.x.x
no ip http server
!
access-list 1 permit x.x.x.x 0.0.1.255
access-list 1 permit x.x.x.x 0.0.0.255
access-list 1 permit x.x.x.x 0.0.0.255
access-list 103 permit tcp any host x.x.x.x eq smtp
access-list 103 permit icmp any any echo-reply
access-list 103 permit icmp any any traceroute
access-list 103 permit tcp any host x.x.x.x eq www
access-list 103 deny   tcp any any
access-list 103 deny   udp any any
snmp-server engineID local
snmp-server community public RO
banner motd ^CThis is the property of XXXXXXXXXXXXXX. Unauthorized access is prohibited.
 ^C
!
line con 0
 exec-timeout 0 0
 password
 login
 transport input none
line aux 0
 password
 script dialer modem
 login
 modem InOut
 modem autoconfigure discovery
 transport input all
 speed 38400
 flowcontrol hardware
line vty 0 4
 exec-timeout 5 0
 password
 login
!
no scheduler allocate
end
LVL 5

Expert Comment

by:rrhunt28
ID: 8037196
Did you know your interface serial 0/2 is shut down?
LVL 79

Expert Comment

by:lrmoore
ID: 8037205
Ya, I see..

Interface Serial 0/1 has acl 101 applied inbound:

interface Serial0/1
 ip access-group 101 in

Interface Serial 0/2 has acl 102 applied inbound:

interface Serial0/2
 ip access-group 102 in


BUT, you only have acl 103 defined


I think you want to remove the acls from serial 0/1, 0/2 until you define them.
!
interface Serial0/1
 no ip access-group 101 in
!
!
interface Serial0/2
 no ip access-group 102 in
!

And apply 103 to serial 0/0.1 so that your IP Inspect can work.
!
interface Serial0/0.1
 ip access-group 103 in


Do you have two other remote offices that connect through serial 0/1 and serial 0/2?
Do you need ACL's applied to them inbound?
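The following is an added Python example, not code from this thread or from Cisco. It automates the two checks lrmoore made by eye in the comment above (ACLs referenced by `ip access-group` but never defined, and ACLs defined but never applied anywhere), and it evaluates a flow against the extended-ACL grammar rrhunt28 described earlier: first-match order, wildcard masks where 1-bits are "don't care", and the implicit deny at the end of every list. `SAMPLE_CONFIG` is a constructed fragment modelled on the posted configuration, with made-up documentation-range addresses standing in for the redacted `x.x.x.x` ones; the parser handles only the syntax that appears there (numbered ACLs, `any`/`host`/wildcard addresses, destination `eq` ports, ICMP type keywords), not `established`, source ports, ranges or named ACLs. The caveat worth knowing: IOS passes all packets through an `ip access-group` that names an ACL with no entries, so the dangling 101 and 102 references on Serial0/1 and Serial0/2 filter nothing rather than failing closed.

```python
"""Audit ACL wiring in a Cisco IOS config and evaluate a flow against an ACL.

Added example, not code from the thread or from Cisco. SAMPLE_CONFIG is a
constructed fragment modelled on the posted config (addresses are made up).
"""
import ipaddress
import re

SAMPLE_CONFIG = """\
interface Serial0/0.1 point-to-point
 ip inspect fw_out out
interface Serial0/1
 ip access-group 101 in
interface Serial0/2
 ip access-group 102 in
 shutdown
ip nat inside source list 1 pool NAT overload
access-list 1 permit 172.20.2.0 0.0.1.255
access-list 103 permit tcp any host 198.51.100.10 eq smtp
access-list 103 permit icmp any any echo-reply
access-list 103 permit icmp any any traceroute
access-list 103 permit tcp any host 198.51.100.10 eq www
access-list 103 deny   tcp any any
access-list 103 deny   udp any any
"""

PORT_NAMES = {"smtp": 25, "www": 80, "ftp": 21, "domain": 53, "telnet": 23}


def parse_config(text):
    """Return (defined, applied): ACL number -> rule strings, and
    ACL number -> places that reference it (interface+direction, or NAT)."""
    defined, applied = {}, {}
    iface = None
    for raw in text.splitlines():
        line = " ".join(raw.split())  # drop indentation and repeated spaces
        if line.startswith("interface "):
            iface = line.split()[1]
            continue
        m = re.match(r"ip access-group (\d+) (in|out)$", line)
        if m and iface:
            applied.setdefault(int(m.group(1)), []).append(f"{iface} {m.group(2)}")
            continue
        m = re.match(r"ip nat inside source list (\d+) ", line)
        if m:
            applied.setdefault(int(m.group(1)), []).append("nat inside source")
            continue
        m = re.match(r"access-list (\d+) (.+)$", line)
        if m:
            defined.setdefault(int(m.group(1)), []).append(m.group(2))
    return defined, applied


def audit(text):
    """(defined but never referenced, referenced but never defined).
    The second list is the dangerous one: IOS passes everything through an
    ip access-group whose ACL does not exist, so those interfaces are unfiltered."""
    defined, applied = parse_config(text)
    return sorted(set(defined) - set(applied)), sorted(set(applied) - set(defined))


def in_wildcard(ip, base, wildcard):
    """True if ip matches base/wildcard; wildcard 1-bits are 'don't care' bits."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(ip)) & care) == (int(ipaddress.IPv4Address(base)) & care)


def _take_addr(tokens):
    """Consume one address spec (any | host A | A W); return (base, wildcard, rest)."""
    if tokens[0] == "any":
        return "0.0.0.0", "255.255.255.255", tokens[1:]
    if tokens[0] == "host":
        return tokens[1], "0.0.0.0", tokens[2:]
    return tokens[0], tokens[1], tokens[2:]


def evaluate(rules, proto, src, dst, dport=None, icmp_type=None):
    """First-match evaluation of an extended numbered ACL, ending in the implicit deny.
    Handles a destination 'eq' port for tcp/udp and a type keyword for icmp only."""
    for rule in rules:
        tokens = rule.split()
        action, rproto = tokens[0], tokens[1]
        if rproto not in ("ip", proto):
            continue
        sbase, swild, rest = _take_addr(tokens[2:])
        dbase, dwild, rest = _take_addr(rest)
        if not (in_wildcard(src, sbase, swild) and in_wildcard(dst, dbase, dwild)):
            continue
        if rest[:1] == ["eq"]:
            want = PORT_NAMES[rest[1]] if rest[1] in PORT_NAMES else int(rest[1])
            if dport != want:
                continue
        elif rest and rproto == "icmp" and rest[0] != icmp_type:
            continue
        return action, rule
    return "deny", "implicit deny"  # every IOS ACL ends with an unseen deny


if __name__ == "__main__":
    unapplied, dangling = audit(SAMPLE_CONFIG)
    print("defined but never applied:", unapplied)
    print("applied but never defined:", dangling)
    acl103 = parse_config(SAMPLE_CONFIG)[0][103]
    for flow in (("tcp", "203.0.113.7", "198.51.100.10", 80),
                 ("tcp", "203.0.113.7", "198.51.100.10", 443),
                 ("gre", "203.0.113.7", "198.51.100.10")):
        print(flow, "->", evaluate(acl103, *flow))
```

Run against the real `show running-config` output (passwords stripped) to get the same two lists the thread arrived at by inspection; `evaluate` is also a quick way to check, before touching the router, whether a proposed `permit` line for the forum host would actually be reached ahead of the `deny tcp any any` entry, since order, not just presence, decides the outcome.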

Author Comment

by:robbyj90
ID: 8037241
Yes - the serial 0/2 was connected to a remote office that we closed last year.

Author Comment

by:robbyj90
ID: 8037268
Serial 0/1 is a remote office that connects to our site for Internet, email, data for an EPR app.

So I really am not using any ACL's since the only one I have defined has not been applied.

We had a vendor set this up about 2 years ago and they have since gone out of business and I do not know much about routers.
LVL 5

Expert Comment

by:rrhunt28
ID: 8037303
LOL, if you have to take care of them I suggest signing up for CCNA, and getting a few books.
LVL 79

Expert Comment

by:lrmoore
ID: 8037397
Hey, many of us have been in robby's shoes at one point or another. Here are a couple of links to some good ACL explanations:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121cgcr/secur_c/scprt3/scdacls.htm

http://www.cisco.com/warp/customer/110/32.html

http://www.nwc.com/907/907ws1.html

LVL 5

Expert Comment

by:rrhunt28
ID: 8037429
I am in his shoes now; I am currently doing CCNA. I just understood the basics of ACLs so posted it hoping it would help. It looks like you're going to have to finish the last bit though, his ACLs go a little beyond what I have learned.
LVL 79

Accepted Solution

by:
lrmoore earned 200 total points
ID: 8037580
>So I really am not using any ACL's since the only one I have defined has not been applied.
All you have to do is apply acl 103 to the inbound interface.

router#config t
router(config)#interface serial 0/0.1
router(config-if)#ip access-group 103 in
router(config-if)#exit
router(config)#exit
router#

If that breaks everyone's access, then you can remove it the same way, regroup and try a new ACL:

router#config t
router(config)#interface serial 0/0.1
router(config-if)#no ip access-group 103 in
router(config-if)#exit
router(config)#exit
router#

But I would still remove acl 101 from the other interface:
router#config t
router(config)#interface serial 0/1
router(config-if)#no ip access-group 101 in
router(config-if)#exit
router(config)#exit
router#


Author Comment

by:robbyj90
ID: 8044863
Thanks again for your help.  I went ahead and got a hardware vendor in here since it was all getting over my head.

Thanks again.
LVL 79

Expert Comment

by:lrmoore
ID: 8044886
Cool. Good luck!