• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 246

expand access-lists to control incoming traffic?

Right now I have access-lists on a 2600 router that control outgoing traffic.  

I tried to configure priority on access-lists to guarantee that my VPN traffic isn't swamped when internet downloads are being done, but it didn't work.

I think the problem was that my access lists only apply to my outgoing traffic.

How can I best add access controls to the incoming traffic, by writing new access-lists or by adding entries to my existing access lists?

My configuration (edited):

version 12.2
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname llnq
!
boot system flash c2600
enable secret  
enable password
!
ip subnet-zero
!
!
!
ip audit notify log
ip audit po max-events 100
!
crypto isakmp policy 14
 hash md5
 authentication pre-share
crypto isakmp key letmein! address 203.196.40.253
!
!
crypto ipsec transform-set llnq esp-des esp-md5-hmac
!
crypto map nolan 14 ipsec-isakmp
 set peer 203.196.40.253
 set transform-set llnq
 match address 123
!
call rsvp-sync
!
!
interface FastEthernet0/0
 ip address  10.95.1.254 255.255.0.0
 ip accounting output-packets
 ip nat inside
 duplex auto
 speed auto
!
interface FastEthernet0/0.1
 no ip redirects
 shutdown
!
interface FastEthernet0/0.2
 encapsulation isl 106
 ip address 211.73.30.190 255.255.255.248
 no ip redirects
!
interface Serial0/0
 no ip address
 encapsulation frame-relay
 no ip route-cache
 no ip mroute-cache
 no fair-queue
 frame-relay lmi-type ansi
 crypto map nolan
!
interface Serial0/0.1 point-to-point
 ip address 210.105.121.242 255.255.255.252
 no ip route-cache
 no ip mroute-cache
 shutdown
 frame-relay interface-dlci 23 IETF
 crypto map nolan
!
interface Serial0/0.2 point-to-point
 description LINE via SEATTLE (25-666983)
 ip address 210.148.50.190 255.255.255.252
 ip nat outside
 no ip route-cache
 no ip mroute-cache
 frame-relay interface-dlci 24 IETF
 crypto map nolan
!
ip nat translation timeout 300
ip nat translation tcp-timeout 360
ip nat inside source list 106 interface Serial0/0.2 overload
ip nat inside source static tcp  10.95.1.2 6453 211.73.30.186 6453 extendable
ip nat inside source static tcp  10.95.1.1 6453 211.73.30.187 6453 extendable
ip nat inside source static tcp  10.95.1.254 23 211.73.30.188 23 extendable
ip nat outside source static  10.88.125.79 10.0.0.0
ip classless
ip route 0.0.0.0 0.0.0.0 210.148.50.189
ip http server
ip pim bidir-enable
!
access-list 106 deny   ip  10.95.0.0 0.0.255.255  10.88.0.0 0.0.255.255
access-list 106 deny   ip  10.95.0.0 0.0.255.255 172.16.5.0 0.0.0.255
access-list 106 permit ip  10.95.0.0 0.0.255.255 any
access-list 135 permit ip  10.95.0.0 0.0.255.255  10.88.0.0 0.0.255.255
access-list 135 permit ip  10.95.0.0 0.0.255.255 172.16.5.0 0.0.0.255
access-list 135 deny   ip  10.95.0.0 0.0.255.255 any
access-list 168 deny   ip  10.95.0.0 0.0.255.255  10.88.0.0 0.0.255.255
access-list 168 permit ip  10.95.0.0 0.0.255.255 any
route-map nonat permit 10
 match ip address 168
!
!
snmp-server community liufkkeu RW
snmp-server community oidifjoickjiif RW
snmp-server enable traps tty
!
dial-peer cor custom
!
line con 0
line aux 0
line vty 0 4
 password
 login
line vty 5
 password
 login
!
end
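The point raised above, that these access lists only ever apply to traffic leaving the LAN, can be checked directly. The following is an added example, not part of the original question or its answers: a small Python evaluator for the numbered extended ACLs in the posted config (copied inline as constructed input), applying IOS first-match semantics with the implicit deny at the end of every list. Every entry in lists 106, 135 and 168 has 10.95.0.0/16 as its source, so a packet arriving from the Internet matches nothing and falls to the implicit deny.

```python
"""Added example, not from the original post: IOS-style first-match ACL evaluation."""
import ipaddress
import re

# Constructed copy of the three access-lists from the posted configuration.
CONFIG = """
access-list 106 deny   ip  10.95.0.0 0.0.255.255  10.88.0.0 0.0.255.255
access-list 106 deny   ip  10.95.0.0 0.0.255.255 172.16.5.0 0.0.0.255
access-list 106 permit ip  10.95.0.0 0.0.255.255 any
access-list 135 permit ip  10.95.0.0 0.0.255.255  10.88.0.0 0.0.255.255
access-list 135 permit ip  10.95.0.0 0.0.255.255 172.16.5.0 0.0.0.255
access-list 135 deny   ip  10.95.0.0 0.0.255.255 any
access-list 168 deny   ip  10.95.0.0 0.0.255.255  10.88.0.0 0.0.255.255
access-list 168 permit ip  10.95.0.0 0.0.255.255 any
"""

ACE_RE = re.compile(r"access-list\s+(\d+)\s+(permit|deny)\s+ip\s+"
                    r"(any|\S+\s+\S+)\s+(any|\S+\s+\S+)")

def parse_match(token):
    """'any' -> None (matches all); 'addr wildcard' -> (addr_int, wildcard_int)."""
    if token == "any":
        return None
    addr, wild = token.split()
    return int(ipaddress.IPv4Address(addr)), int(ipaddress.IPv4Address(wild))

def parse_acls(text):
    """Return {acl_number: [(action, src_match, dst_match), ...]} in config order."""
    acls = {}
    for line in text.splitlines():
        m = ACE_RE.match(line.strip())
        if m:
            num, action, src, dst = m.groups()
            acls.setdefault(int(num), []).append(
                (action, parse_match(src), parse_match(dst)))
    return acls

def matches(match, ip):
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    if match is None:
        return True
    addr, wild = match
    return (int(ipaddress.IPv4Address(ip)) | wild) == (addr | wild)

def evaluate(acls, number, src_ip, dst_ip):
    """Walk the list top-down; the first matching entry decides. A packet that
    matches no entry hits the implicit deny at the end of every IOS ACL."""
    for action, src, dst in acls.get(number, []):
        if matches(src, src_ip) and matches(dst, dst_ip):
            return action
    return "deny"  # implicit deny: nothing in the list matched
```

Because list 106 feeds `ip nat inside source list 106`, an inbound packet from the Internet (source outside 10.95.0.0/16) never matches it, which is why the lists have no effect on incoming traffic as written.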

2 Solutions
 
JFrederick29 commented:
Applying access lists would drop your Internet traffic which probably isn't what you want to happen.  Sounds like you want to guarantee bandwidth for your VPN traffic.  Have you looked into priority-queuing or traffic shaping?

http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/12cgcr/qos_c/qcpart2/qcpq.htm
 
gateguard (Author) commented:
I used these commands (because I want remote desktop and telnet to have high priority, ftp low priority, and default medium):

priority-list 4 protocol ip low tcp 20
priority-list 4 protocol ip low tcp 21
priority-list 4 protocol ip high tcp 23
priority-list 4 protocol ip high tcp 3389
priority-list 4 protocol ip medium
priority-list 4 default medium

interface serial 0/0
priority-group 4

But it won't let me put the priority-group 4 on interface serial 0/0.2.

Why?
 
JFrederick29 commented:
Add the priority-group to your subinterfaces.

interface serial 0.1
priority-group 4

interface serial 0.2
priority-group 4

That should apply it to both interfaces.
 
gateguard (Author) commented:
I switched to priority-lists by protocol and it seems to be working.