expand access-lists to control incoming traffic?

Posted on 2003-10-29
Last Modified: 2013-11-29
Right now I have access-lists on a 2600 router that control outgoing traffic.  

I tried to configure priority on access-lists to guarantee that my VPN traffic isn't swamped when internet downloads are being done, but it didn't work.

I think the problem was that my access lists only apply to my outgoing traffic.

How can I best add access controls to the incoming traffic, by writing new access-lists or by adding entries to my existing access lists?

My configuration (edited):

version 12.2
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname llnq
!
boot system flash c2600
enable secret  
enable password
!
ip subnet-zero
!
!
!
ip audit notify log
ip audit po max-events 100
!
crypto isakmp policy 14
 hash md5
 authentication pre-share
crypto isakmp key letmein! address 203.196.40.253
!
!
crypto ipsec transform-set llnq esp-des esp-md5-hmac
!
crypto map nolan 14 ipsec-isakmp
 set peer 203.196.40.253
 set transform-set llnq
 match address 123
!
call rsvp-sync
!
!
interface FastEthernet0/0
 ip address  10.95.1.254 255.255.0.0
 ip accounting output-packets
 ip nat inside
 duplex auto
 speed auto
!
interface FastEthernet0/0.1
 no ip redirects
 shutdown
!
interface FastEthernet0/0.2
 encapsulation isl 106
 ip address 211.73.30.190 255.255.255.248
 no ip redirects
!
interface Serial0/0
 no ip address
 encapsulation frame-relay
 no ip route-cache
 no ip mroute-cache
 no fair-queue
 frame-relay lmi-type ansi
 crypto map nolan
!
interface Serial0/0.1 point-to-point
 ip address 210.105.121.242 255.255.255.252
 no ip route-cache
 no ip mroute-cache
 shutdown
 frame-relay interface-dlci 23 IETF
 crypto map nolan
!
interface Serial0/0.2 point-to-point
 description LINE via SEATTLE (25-666983)
 ip address 210.148.50.190 255.255.255.252
 ip nat outside
 no ip route-cache
 no ip mroute-cache
 frame-relay interface-dlci 24 IETF
 crypto map nolan
!
ip nat translation timeout 300
ip nat translation tcp-timeout 360
ip nat inside source list 106 interface Serial0/0.2 overload
ip nat inside source static tcp  10.95.1.2 6453 211.73.30.186 6453 extendable
ip nat inside source static tcp  10.95.1.1 6453 211.73.30.187 6453 extendable
ip nat inside source static tcp  10.95.1.254 23 211.73.30.188 23 extendable
ip nat outside source static  10.88.125.79 10.0.0.0
ip classless
ip route 0.0.0.0 0.0.0.0 210.148.50.189
ip http server
ip pim bidir-enable
!
access-list 106 deny   ip  10.95.0.0 0.0.255.255  10.88.0.0 0.0.255.255
access-list 106 deny   ip  10.95.0.0 0.0.255.255 172.16.5.0 0.0.0.255
access-list 106 permit ip  10.95.0.0 0.0.255.255 any
access-list 135 permit ip  10.95.0.0 0.0.255.255  10.88.0.0 0.0.255.255
access-list 135 permit ip  10.95.0.0 0.0.255.255 172.16.5.0 0.0.0.255
access-list 135 deny   ip  10.95.0.0 0.0.255.255 any
access-list 168 deny   ip  10.95.0.0 0.0.255.255  10.88.0.0 0.0.255.255
access-list 168 permit ip  10.95.0.0 0.0.255.255 any
route-map nonat permit 10
 match ip address 168
!
!
snmp-server community liufkkeu RW
snmp-server community oidifjoickjiif RW
snmp-server enable traps tty
!
dial-peer cor custom
!
line con 0
line aux 0
line vty 0 4
 password
 login
line vty 5
 password
 login
!
end

Question by:gateguard
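For the literal question (how to control incoming traffic), the following is an added example and not part of the original post: an inbound access-list on Serial0/0.2, which is both the NAT outside and the crypto map interface in the posted configuration. It only permits or drops packets; it gives the VPN no bandwidth guarantee, which is the separate problem the thread goes on to discuss. The addresses are the ones that appear in the config. The list name OUTSIDE-IN is an arbitrary choice, and because access-list 123 (the one the crypto map's `match address` refers to) is not in the edited config, the VPN is matched by protocol (ISAKMP and ESP to the peer) and by the inner subnets that lists 106, 135 and 168 name. The assumption that TCP 6453 on the two static NAT hosts is a service that must stay reachable from the Internet is also mine; the post does not say what it is.

```cisco
! Added example, not from the original post. Inbound filter for the
! NAT-outside / crypto-map interface of the posted 2600 configuration.
ip access-list extended OUTSIDE-IN
 remark --- IPsec to/from the peer: ISAKMP (udp/500) and ESP
 permit udp host 203.196.40.253 host 210.148.50.190 eq isakmp
 permit esp host 203.196.40.253 host 210.148.50.190
 remark --- on this release the decrypted packets are evaluated against the
 remark --- inbound list a second time in clear text, so permit the inner
 remark --- subnets (the same pairs that ACLs 106/135/168 use)
 permit ip 10.88.0.0 0.0.255.255 10.95.0.0 0.0.255.255
 permit ip 172.16.5.0 0.0.0.255 10.95.0.0 0.0.255.255
 remark --- the two published static NAT services; an inbound ACL is checked
 remark --- before outside-to-inside NAT, so match the global addresses
 permit tcp any host 211.73.30.186 eq 6453
 permit tcp any host 211.73.30.187 eq 6453
 remark --- replies to outbound PAT sessions (overload on this interface).
 remark --- Stateless: TCP by flags, DNS by port. CBAC (ip inspect) is the
 remark --- stateful alternative if the image has the firewall feature set.
 permit tcp any host 210.148.50.190 established
 permit udp any eq domain host 210.148.50.190 gt 1023
 remark --- ICMP needed for path MTU discovery and troubleshooting
 permit icmp any any unreachable
 permit icmp any any time-exceeded
 permit icmp any any echo-reply
 remark --- everything else is dropped and logged. This includes the static
 remark --- NAT that publishes the router's own telnet (10.95.1.254:23 as
 remark --- 211.73.30.188:23); if remote management is really needed, add a
 remark --- permit restricted to the source addresses that need it.
 deny ip any any log
!
interface Serial0/0.2 point-to-point
 ip access-group OUTSIDE-IN in
```

The closing deny also keeps the `ip http server` and the two RW SNMP communities in the posted config off the Internet side; both stay reachable from the inside. Verify with `show access-lists OUTSIDE-IN` after a VPN session and an outbound download: the ESP, the inner-subnet and the `established` entries should all be counting, and the log entries from the final deny show what else was knocking.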
4 Comments

Accepted Solution by JFrederick29 (ID: 9645235)
Applying access lists would drop your Internet traffic which probably isn't what you want to happen.  Sounds like you want to guarantee bandwidth for your VPN traffic.  Have you looked into priority-queuing or traffic shaping?

http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/12cgcr/qos_c/qcpart2/qcpq.htm
 

Author Comment by gateguard (ID: 9646013)
I used these commands (because I want remote desktop and telnet to have high priority, ftp low priority, and default medium):

priority-list 4 protocol ip low tcp 20
priority-list 4 protocol ip low tcp 21
priority-list 4 protocol ip high tcp 23
priority-list 4 protocol ip high tcp 3389
priority-list 4 protocol ip medium
priority-list 4 default medium

interface serial 0/0
priority-group 4

But it won't let me put the priority-group 4 on interface serial 0/0.2.

Why?
 
Assisted Solution by JFrederick29 (ID: 9649563)
Add the priority-group to your subinterfaces.

interface serial 0/0.1
priority-group 4

interface serial 0/0.2
priority-group 4

That should apply it to both interfaces.
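Why the subinterface refused the command, and a working form of the same idea, as an added example that is not part of the thread: on Frame Relay the per-VC queueing is configured in a map-class and attached to the subinterface with `frame-relay class`; `priority-group` goes into that map-class as `frame-relay priority-group`, and it only takes effect once `frame-relay traffic-shaping` is enabled on the physical interface. The example also changes what the list matches. Packets are encrypted before they reach the output queue, so on the serial link the VPN traffic is ESP to the peer; entries keyed on TCP 23 and 3389 only see non-VPN telnet and RDP. ACL number 171, the map-class name and the 256 kbit/s rate are assumptions (the line speed is not in the post); the peer address is the one from the posted configuration.

```cisco
! Added example, not the original poster's configuration.
!
! Classify the VPN as it appears on the wire: ESP and ISAKMP to the peer.
! ACL 171 is an arbitrary number; 203.196.40.253 is the peer in the posted config.
access-list 171 permit esp any host 203.196.40.253
access-list 171 permit udp any host 203.196.40.253 eq isakmp
!
! Priority list: first match wins, so the VPN entry comes first.
! The rest keeps the poster's ordering for traffic outside the tunnel.
priority-list 4 protocol ip high list 171
priority-list 4 protocol ip high tcp 23
priority-list 4 protocol ip high tcp 3389
priority-list 4 protocol ip low tcp 20
priority-list 4 protocol ip low tcp 21
priority-list 4 default medium
!
! Per-VC queueing lives in a map-class on Frame Relay. The CIR/Bc values are
! placeholders: set cir and mincir to the contracted CIR so the queue builds
! on the router (where the priority list can act on it), not in the carrier
! cloud. Bc of cir/100 gives a 10 ms Tc, the smallest interval allowed.
map-class frame-relay VPN-PQ
 frame-relay cir 256000
 frame-relay bc 2560
 frame-relay be 0
 frame-relay mincir 256000
 frame-relay priority-group 4
!
! FRTS must be enabled on the physical interface for any map-class to apply.
interface Serial0/0
 frame-relay traffic-shaping
!
! Attach the class to the subinterface that carries the live DLCI.
interface Serial0/0.2 point-to-point
 frame-relay class VPN-PQ
```

Two things to check after applying this. First, enabling `frame-relay traffic-shaping` shapes every DLCI that has no map-class to the 56 kbit/s default, so any other subinterface that is brought up later needs a class as well (Serial0/0.1 is shut down in the posted config). Second, strict priority queueing serves the high queue as long as it has packets, so a busy VPN can starve the medium and low queues completely; `show queueing priority` and `show frame-relay pvc` show the per-queue drops. If that matters, the MQC form (a `policy-map` whose VPN class uses `priority <kbps>`, attached in the same map-class with `service-policy output`) caps the priority class at the stated rate instead.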
 

Author Comment by gateguard (ID: 9660426)
I switched to priority-lists by protocol and it seems to be working.
