Solved

expand access-lists to control incoming traffic?

Posted on 2003-10-29
241 Views
Last Modified: 2013-11-29
Right now I have access-lists on a 2600 router that control outgoing traffic.  

I tried to configure priority on access-lists to guarantee that my VPN traffic isn't swamped when internet downloads are being done, but it didn't work.

I think the problem was that my access lists only apply to my outgoing traffic.

How can I best add access controls to the incoming traffic, by writing new access-lists or by adding entries to my existing access lists?

My configuration (edited):

version 12.2
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname llnq
!
boot system flash c2600
enable secret  
enable password
!
ip subnet-zero
!
!
!
ip audit notify log
ip audit po max-events 100
!
crypto isakmp policy 14
 hash md5
 authentication pre-share
! IKE pre-shared key for the peer; this IOS release keeps it in clear text in the running config
crypto isakmp key letmein! address 203.196.40.253
!
!
crypto ipsec transform-set llnq esp-des esp-md5-hmac
!
! IPsec policy, attached to Serial0/0 and its subinterfaces below. match address 123
! names the crypto ACL that selects the traffic to encrypt; that list is not shown
! in this edited config.
crypto map nolan 14 ipsec-isakmp
 set peer 203.196.40.253
 set transform-set llnq
 match address 123
!
call rsvp-sync
!
!
interface FastEthernet0/0
 ip address  10.95.1.254 255.255.0.0
 ip accounting output-packets
 ip nat inside
 duplex auto
 speed auto
!
interface FastEthernet0/0.1
 no ip redirects
 shutdown
!
interface FastEthernet0/0.2
 encapsulation isl 106
 ip address 211.73.30.190 255.255.255.248
 no ip redirects
!
interface Serial0/0
 no ip address
 encapsulation frame-relay
 no ip route-cache
 no ip mroute-cache
 no fair-queue
 frame-relay lmi-type ansi
 crypto map nolan
!
interface Serial0/0.1 point-to-point
 ip address 210.105.121.242 255.255.255.252
 no ip route-cache
 no ip mroute-cache
 shutdown
 frame-relay interface-dlci 23 IETF
 crypto map nolan
!
interface Serial0/0.2 point-to-point
 description LINE via SEATTLE (25-666983)
 ip address 210.148.50.190 255.255.255.252
 ip nat outside
 no ip route-cache
 no ip mroute-cache
 frame-relay interface-dlci 24 IETF
 crypto map nolan
!
ip nat translation timeout 300
ip nat translation tcp-timeout 360
! PAT for Internet-bound traffic; list 106 denies the two VPN destinations so they leave untranslated
ip nat inside source list 106 interface Serial0/0.2 overload
ip nat inside source static tcp  10.95.1.2 6453 211.73.30.186 6453 extendable
ip nat inside source static tcp  10.95.1.1 6453 211.73.30.187 6453 extendable
! 10.95.1.254 is this router's own FastEthernet0/0 address, so this publishes the
! router's telnet (vty) service on 211.73.30.188
ip nat inside source static tcp  10.95.1.254 23 211.73.30.188 23 extendable
ip nat outside source static  10.88.125.79 10.0.0.0
ip classless
ip route 0.0.0.0 0.0.0.0 210.148.50.189
ip http server
ip pim bidir-enable
!
! 106: NAT source list; excludes the two VPN-reachable networks from PAT
access-list 106 deny   ip  10.95.0.0 0.0.255.255  10.88.0.0 0.0.255.255
access-list 106 deny   ip  10.95.0.0 0.0.255.255 172.16.5.0 0.0.0.255
access-list 106 permit ip  10.95.0.0 0.0.255.255 any
! 135: permits exactly the two VPN-reachable networks; nothing in this edited config references it
access-list 135 permit ip  10.95.0.0 0.0.255.255  10.88.0.0 0.0.255.255
access-list 135 permit ip  10.95.0.0 0.0.255.255 172.16.5.0 0.0.0.255
access-list 135 deny   ip  10.95.0.0 0.0.255.255 any
! 168: matched by route-map nonat, which is defined but not applied anywhere in this edited config
access-list 168 deny   ip  10.95.0.0 0.0.255.255  10.88.0.0 0.0.255.255
access-list 168 permit ip  10.95.0.0 0.0.255.255 any
route-map nonat permit 10
 match ip address 168
!
!
! two read-write SNMP community strings: anyone who knows one can rewrite the configuration
snmp-server community liufkkeu RW
snmp-server community oidifjoickjiif RW
snmp-server enable traps tty
!
dial-peer cor custom
!
line con 0
line aux 0
line vty 0 4
 password
 login
line vty 5
 password
 login
!
end

Question by:gateguard
4 Comments
 
LVL 43

Accepted Solution

by:
JFrederick29 earned 500 total points
ID: 9645235
Applying access lists would drop your Internet traffic, which probably isn't what you want to happen. Sounds like you want to guarantee bandwidth for your VPN traffic. Have you looked into priority queuing or traffic shaping?

http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/12cgcr/qos_c/qcpart2/qcpq.htm
 

Author Comment

by:gateguard
ID: 9646013
I used these commands (because I want remote desktop and telnet to have high priority, ftp low priority, and default medium):

priority-list 4 protocol ip low tcp 20
priority-list 4 protocol ip low tcp 21
priority-list 4 protocol ip high tcp 23
priority-list 4 protocol ip high tcp 3389
priority-list 4 protocol ip medium
priority-list 4 default medium

interface serial 0/0
priority-group 4

But it won't let me put the priority-group 4 on interface serial 0/0.2.

Why?
 
LVL 43

Assisted Solution

by:JFrederick29
JFrederick29 earned 500 total points
ID: 9649563
Add the priority-group to your subinterfaces.

interface serial 0/0.1
priority-group 4

interface serial 0/0.2
priority-group 4

That should apply it to both interfaces.
 

Author Comment

by:gateguard
ID: 9660426
I switched to priority-lists by protocol and it seems to be working.
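Both answers above come down to the same piece of configuration, so here is one worked IOS example, added by the editor; it is not from the thread, from gateguard's router, or from Cisco documentation. It reuses the networks, interface names and crypto map from the posted config. Access-lists 110 and 111, the map-class name seattle, the 128 kbps CIR, and the presence of qos pre-classify on this particular 12.2 image are assumptions. It shows the contrast the accepted answer draws (an ACL applied to an interface drops, an ACL referenced from a queueing list only classifies), puts priority-group on the physical Serial0/0 because a Frame Relay subinterface does not accept it, and ends with the caveat that matters most when the prioritised traffic is about to be encrypted.

```cisco
! Added example, not from the thread. Addresses and interface names follow the
! posted config; access-lists 110/111, map-class "seattle", the CIR value and the
! presence of qos pre-classify in this IOS image are assumptions.
!
! (a) An ACL *applied* to an interface is a filter: the implicit deny at the end
!     drops everything it does not permit. This is what the accepted answer warns
!     about, so the ip access-group line is shown only for contrast. Do not use it.
access-list 110 permit tcp 10.95.0.0 0.0.255.255 10.88.0.0 0.0.255.255 eq telnet
access-list 110 permit tcp 10.95.0.0 0.0.255.255 10.88.0.0 0.0.255.255 eq 3389
access-list 110 permit tcp 10.95.0.0 0.0.255.255 172.16.5.0 0.0.0.255 eq telnet
access-list 110 permit tcp 10.95.0.0 0.0.255.255 172.16.5.0 0.0.0.255 eq 3389
! interface Serial0/0.2
!  ip access-group 110 out     <- would drop every packet that list 110 does not permit
!
! (b) The same ACL *referenced* from a priority list is only a classifier: a
!     match selects a queue, a non-match falls through to the default queue, and
!     nothing is dropped by the list itself.
access-list 111 permit tcp any any eq ftp-data
access-list 111 permit tcp any any eq ftp
priority-list 4 protocol ip high   list 110
priority-list 4 protocol ip low    list 111
priority-list 4 default medium
!
! (c) priority-group is accepted on the physical interface, not on a Frame Relay
!     subinterface, so it goes on Serial0/0, whose output queue both DLCIs share.
interface Serial0/0
 no fair-queue
 priority-group 4
!
! (d) Per-DLCI alternative: with Frame Relay traffic shaping enabled, a map-class
!     attached to a DLCI can carry its own priority group. Enabling
!     frame-relay traffic-shaping gives every DLCI without a map-class a default
!     CIR of 56 kbps, so set the real rate (assumed to be 128 kbps here).
! map-class frame-relay seattle
!  frame-relay cir 128000
!  frame-relay priority-group 4
! interface Serial0/0
!  frame-relay traffic-shaping
! interface Serial0/0.2 point-to-point
!  frame-relay interface-dlci 24 IETF
!   class seattle
!
! (e) Caveat: packets for 10.88.0.0/16 and 172.16.5.0/24 are encrypted by crypto
!     map nolan before they reach the output queue. The queueing engine then sees
!     an ESP packet with no TCP ports, so list 110 cannot match it and the
!     traffic lands in the default queue. qos pre-classify (the QoS for VPNs
!     feature) classifies on the original header instead; whether this 12.2
!     image includes the command is an assumption.
crypto map nolan 14 ipsec-isakmp
 qos pre-classify
```

Check the result with show queueing priority and show interfaces serial 0/0, which lists the four output queues as size/max/drops counters. If the high queue's counters stay at zero while a telnet or RDP session to the VPN site is active, the list is classifying the encrypted packet and (e) is not in effect. Priority queueing is also strict: a busy high queue starves the medium and low queues completely, which is why the accepted answer mentions traffic shaping as well.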