
expand access-lists to control incoming traffic?

Posted on 2003-10-29
Last Modified: 2013-11-29
Right now I have access-lists on a 2600 router that control outgoing traffic.  

I tried to configure priority on access-lists to guarantee that my VPN traffic isn't swamped when internet downloads are being done, but it didn't work.

I think the problem was that my access lists only apply to my outgoing traffic.

How can I best add access controls to the incoming traffic, by writing new access-lists or by adding entries to my existing access lists?

My configuration (edited):

version 12.2
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname llnq
!
boot system flash c2600
enable secret  
enable password
!
ip subnet-zero
!
!
!
ip audit notify log
ip audit po max-events 100
!
crypto isakmp policy 14
 hash md5
 authentication pre-share
crypto isakmp key letmein! address 203.196.40.253
!
!
crypto ipsec transform-set llnq esp-des esp-md5-hmac
!
crypto map nolan 14 ipsec-isakmp
 set peer 203.196.40.253
 set transform-set llnq
 match address 123
!
call rsvp-sync
!
!
interface FastEthernet0/0
 ip address  10.95.1.254 255.255.0.0
 ip accounting output-packets
 ip nat inside
 duplex auto
 speed auto
!
interface FastEthernet0/0.1
 no ip redirects
 shutdown
!
interface FastEthernet0/0.2
 encapsulation isl 106
 ip address 211.73.30.190 255.255.255.248
 no ip redirects
!
interface Serial0/0
 no ip address
 encapsulation frame-relay
 no ip route-cache
 no ip mroute-cache
 no fair-queue
 frame-relay lmi-type ansi
 crypto map nolan
!
interface Serial0/0.1 point-to-point
 ip address 210.105.121.242 255.255.255.252
 no ip route-cache
 no ip mroute-cache
 shutdown
 frame-relay interface-dlci 23 IETF
 crypto map nolan
!
interface Serial0/0.2 point-to-point
 description LINE via SEATTLE (25-666983)
 ip address 210.148.50.190 255.255.255.252
 ip nat outside
 no ip route-cache
 no ip mroute-cache
 frame-relay interface-dlci 24 IETF
 crypto map nolan
!
ip nat translation timeout 300
ip nat translation tcp-timeout 360
ip nat inside source list 106 interface Serial0/0.2 overload
ip nat inside source static tcp  10.95.1.2 6453 211.73.30.186 6453 extendable
ip nat inside source static tcp  10.95.1.1 6453 211.73.30.187 6453 extendable
ip nat inside source static tcp  10.95.1.254 23 211.73.30.188 23 extendable
ip nat outside source static  10.88.125.79 10.0.0.0
ip classless
ip route 0.0.0.0 0.0.0.0 210.148.50.189
ip http server
ip pim bidir-enable
!
access-list 106 deny   ip  10.95.0.0 0.0.255.255  10.88.0.0 0.0.255.255
access-list 106 deny   ip  10.95.0.0 0.0.255.255 172.16.5.0 0.0.0.255
access-list 106 permit ip  10.95.0.0 0.0.255.255 any
access-list 135 permit ip  10.95.0.0 0.0.255.255  10.88.0.0 0.0.255.255
access-list 135 permit ip  10.95.0.0 0.0.255.255 172.16.5.0 0.0.0.255
access-list 135 deny   ip  10.95.0.0 0.0.255.255 any
access-list 168 deny   ip  10.95.0.0 0.0.255.255  10.88.0.0 0.0.255.255
access-list 168 permit ip  10.95.0.0 0.0.255.255 any
route-map nonat permit 10
 match ip address 168
!
!
snmp-server community liufkkeu RW
snmp-server community oidifjoickjiif RW
snmp-server enable traps tty
!
dial-peer cor custom
!
line con 0
line aux 0
line vty 0 4
 password
 login
line vty 5
 password
 login
!
end

Question by: gateguard

Accepted Solution

by: JFrederick29 (earned 500 total points)
ID: 9645235
Applying access lists would drop your Internet traffic, which probably isn't what you want to happen.  Sounds like you want to guarantee bandwidth for your VPN traffic.  Have you looked into priority queuing or traffic shaping?

http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/12cgcr/qos_c/qcpart2/qcpq.htm

Author Comment

by: gateguard
ID: 9646013
I used these commands (because I want remote desktop and telnet to have high priority, ftp low priority, and default medium):

priority-list 4 protocol ip low tcp 20
priority-list 4 protocol ip low tcp 21
priority-list 4 protocol ip high tcp 23
priority-list 4 protocol ip high tcp 3389
priority-list 4 protocol ip medium
priority-list 4 default medium

interface serial 0/0
priority-group 4

But it won't let me put the priority-group 4 on interface serial 0/0.2.

Why?

Assisted Solution

by: JFrederick29 (earned 500 total points)
ID: 9649563
Add the priority-group to your subinterfaces.

interface serial 0/0.1
priority-group 4

interface serial 0/0.2
priority-group 4

That should apply it to both interfaces.

Author Comment

by: gateguard
ID: 9660426
I switched to priority-lists by protocol and it seems to be working.
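An added example, not posted by anyone in this thread, that ties the two halves of the discussion together: the asker wanted to use an access list, and the accepted answer pointed at priority queuing. In legacy IOS priority queuing the access list is the classifier: `priority-list ... protocol ip high list <acl>` sends anything the list permits to the strict high queue. The fragment below puts the IPsec tunnel traffic to the peer in the posted config (ESP and ISAKMP to 203.196.40.253), Telnet and RDP into the high queue, FTP into the low queue, and everything else into medium, then applies the group on the physical Serial0/0. The legacy `priority-group` command is an interface-level queuing strategy and is not accepted on the Frame Relay point-to-point subinterfaces, which is the error the asker hit on Serial0/0.2. Access list 101 is an assumed, unused number; the peer address and interface names are the only values taken from the posted config.

```cisco
! Added example, not from the thread. ACL 101 is an assumed unused number;
! 203.196.40.253 is the IPsec peer from the posted config.
!
! Classifier: everything this list permits goes to the strict "high" queue.
access-list 101 remark VPN tunnel traffic to the peer, plus interactive sessions
access-list 101 permit esp any host 203.196.40.253
access-list 101 permit udp any host 203.196.40.253 eq isakmp
access-list 101 permit tcp any any eq telnet
access-list 101 permit tcp any any eq 3389
!
! Entries are evaluated in order and the first match wins, so the list comes first.
priority-list 4 protocol ip high list 101
priority-list 4 protocol ip low tcp 20
priority-list 4 protocol ip low tcp 21
priority-list 4 default medium
!
! priority-group is a per-interface queuing strategy: apply it on the physical
! Frame Relay interface, not on Serial0/0.1 or Serial0/0.2.
interface Serial0/0
 priority-group 4
```

Two caveats for anyone copying this. Priority queuing is strict: while the high queue holds packets, the medium and low queues are not served, so a bulky flow classified as high can starve everything below it; keep only small, latency-sensitive traffic there. Output queuing on an interface with a crypto map sees packets after encryption, so a match on `tcp 3389` does not catch RDP that is already wrapped in ESP towards the peer; the ESP and ISAKMP lines (or `qos pre-classify` under the crypto map, on IOS releases that support it) are what keep the tunnelled traffic in the high queue.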
