
Cisco 1720 ACLs

I'm trying to config my Cisco 1720 to allow traffic through on the interfaces; this is a test setup for me. In the end I will be taking the examples and applying them to the Serial0 T1 line later. I've been trying different ACLs to allow traffic to and from both interfaces. As you can see, I am trying to get the 192.168.1.0 network to talk with the 192.168.3.0 network. I have one machine on the new 192.168.3.0 network trying to ping in to 192.168.1.0.

When the computer (192.168.3.10) pings 192.168.1.60, it returns "Reply from 192.168.3.250: destination net unreachable".

Please advise as to how I correctly set up the ACLs.



Using 995 out of 29688 bytes
!
version 12.1
no service single-slot-reload-enable
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Router
!
logging rate-limit console 10 except errors
!
memory-size iomem 20
ip subnet-zero
!
!
no ip finger
no ip domain-lookup
!
ip audit notify log
ip audit po max-events 100
no ip dhcp-client network-discovery
!
!
!
!
!
interface Ethernet0
 ip address 192.168.3.250 255.255.255.0
 ip access-group 102 in
 ip access-group 102 out
 half-duplex
!
interface FastEthernet0
 ip address 192.168.1.251 255.255.255.0
 ip access-group 102 in
 ip access-group 102 out
 speed auto
!
interface Serial0
 no ip address
 shutdown
!
router rip
 version 2
 network 192.168.1.0
!
router rip
 version 2
 network 192.168.1.0
 no auto-summary
!
no ip classless
ip route 192.168.0.0 255.255.255.0 192.168.0.0
ip http server
!
access-list 101 permit ip any any
access-list 102 permit ip 0.0.0.0 255.255.255.0 any
!
!
!
line con 0
 transport input none
line aux 0
line vty 0 4
!
no scheduler allocate
end

thanks!
2 Solutions
 
lrmoore commented:
You have a fundamental problem with your acl

access-list 102 permit ip 0.0.0.0 255.255.255.0 any
                                   ^^^^

You're only allowing IP hosts 0.0.0.1 - 0.0.0.254 in or out of the interface. Makes no sense to me..

Access-lists use wildcard masks, not subnet masks. If you want to permit "anything/everything"

  access-list 101 permit ip any any

But then, what's the point of the acl?
Acl 101 permits anything, acl 102 permits nothing.
You have only 102 applied in both directions to both interfaces

Basic rules of access-lists
1 - they are processed top down till first match
2 - they use wildcard masks, not subnet masks
3 - be cognizant of the implicit "deny all" at the end of every access list
4 - you can only apply one acl "in" and one acl "out" on any interface
5 - extended access-lists are in form of permit|deny <source> <destination>
6 - keeping in mind #5, make sure you put it on the proper interface, in the proper direction. Seldom if ever will one acl fit both directions on all interfaces as you have it in your example
7 - when you edit an acl, remove it from the interface, delete entirely, recreate entirely..

Try this:
  no access-list 101
  no access-list 102
  access-list 101 permit 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
  access-list 102 permit 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
!
interface Ethernet0
 ip address 192.168.3.250 255.255.255.0
 no ip access-group 102 in
 no ip access-group 102 out
 ip access-group 101 in
!
interface FastEthernet0
 ip address 192.168.1.251 255.255.255.0
 ip access-group 102 in
 no ip access-group 102 out
!


 
dosle (Author) commented:
lrmoore, I removed the ACLs from the ethernets, then completely removed them. When I enter your line it gives me an error.

Router(config)#access-list 101 permit 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255

access-list 101 permit 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
                                     ^  
% Invalid input detected at '^' marker.

The caret is pointing at the '.' in between '192.168'.
 
lrmoore commented:
D'oh! forgot the "ip"

Router(config)#access-list 101 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
                                                       ^
 
dosle (Author) commented:
Alright, here's the latest incarnation of the conf. I am still unable to get things to talk to each other.

Using 890 out of 29688 bytes
!
version 12.1
no service single-slot-reload-enable
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Router
!
logging rate-limit console 10 except errors
!
memory-size iomem 20
ip subnet-zero
!
!
no ip finger
no ip domain-lookup
!
ip audit notify log
ip audit po max-events 100
no ip dhcp-client network-discovery
!
!
!
!
!
interface Ethernet0
 ip address 192.168.3.250 255.255.255.0
 ip access-group 101 in
 half-duplex
!
interface FastEthernet0
 ip address 192.168.1.251 255.255.255.0
 ip access-group 102 in
 speed auto
!
interface Serial0
 no ip address
 shutdown
!
no ip classless
ip http server
!
access-list 101 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 102 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
!
!
!
line con 0
 transport input none
line aux 0
line vty 0 4
!
no scheduler allocate
end



mw
 
lrmoore commented:
Did you make sure that the "local" router interface is the default gateway for the PC's?

Can you post the result of "sho ip int brief"?

Make sure routing is enabled:
   ip routing

You need ip classless;

>no ip classless
should be
  ip classless

 
dosle (Author) commented:
sho ip int brief
Interface                  IP-Address      OK? Method Status                Protocol
Ethernet0                  192.168.3.250   YES manual up                    up

FastEthernet0              192.168.1.251   YES manual up                    up

Serial0                    unassigned

I also added in 'ip routing' and 'ip classless'.

The two PCs are set up as follows: 192.168.3.10 and 192.168.3.2, default gateway 192.168.3.250.

The physical setup is:
192.168.1.* network switch --in to-->10/100ethernet cisco1720 --out from 10BT Ethernet in to--> netgear10/100 switch --to--> 192.168.3.2 & 192.168.3.10

I'm going to try a different switch on the 192.168.1.*

 
lrmoore commented:
And the PCs on the 192.168.1.x subnet are pointing to 192.168.1.251 as their default gateway?
 
Vladan_MOBTEL commented:
Could you remove the access-lists and then try pinging? Please post the output.

It looks as if the router does not know where the networks are (although they are directly connected to it).

Could you post the output of sh ip route?

Could you turn on debug ip icmp and then try pinging all interfaces on your router from net 192.168.1/24 and post the output from the console, or issue the term mon command to get it on your telnet connection (vty)?

Thanks
 
dosle (Author) commented:
lrmoore, the one test PC on 192.168.1.* is using 192.168.1.251 as gateway. When 192.168.1.249 pings 192.168.3.6 it goes through fine. When 192.168.3.6 pings 192.168.1.249 it does not go through though.

Here are their settings to help distinguish:
----------------------
ip 192.168.1.249
gw 192.168.1.251
============
ip 192.168.3.6
gw 192.168.3.250
----------------------

Vladan_MOBTEL,
I didn't try removing the ACLs yet. I enabled debugging ip icmp and had 192.168.3.6 ping 192.168.3.250; only then did the router console display
"Router#
21:48:34: ICMP: dst (192.168.3.250) administratively prohibited unreachable sent
 to 192.168.3.6
21:48:35: ICMP: dst (192.168.3.250) administratively prohibited unreachable sent
 to 192.168.3.6
21:48:36: ICMP: dst (192.168.3.250) administratively prohibited unreachable sent
 to 192.168.3.6
21:48:37: ICMP: dst (192.168.3.250) administratively prohibited unreachable sent
 to 192.168.3.6"

And here is sh ip route:
"Router#sh ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is not set

C    192.168.1.0/24 is directly connected, FastEthernet0
C    192.168.3.0/24 is directly connected, Ethernet0
Router#"

Thank you all.
 
lrmoore commented:
>When 192.168.1.249 pings 192.168.3.6 it goes through fine. When 192.168.3.6 pings 192.168.1.249 it does not go through though.

If you can ping the other side, but they can't ping you it is 100% sure that it is because you have a firewall of some kind running on PC 192.168.1.249.
 
dosle (Author) commented:
Ah yes, the 192.168.1.249 machine is a fresh PC and I neglected to check that the darn Windows firewall was enabled.

Thanks to you both; I will split the points, as I learned a lot about routing with this.
 
Vladan_MOBTEL commented:
Debug output usually says that you have an access-list somewhere between these two machines which is preventing the traffic, and your access-lists do not permit that: you can ping the other side PC, but you were trying to ping the router. You have to add another line to access-list 101:

access-list 101 permit ip 192.168.3.0 0.0.0.255 192.168.3.0 0.0.0.255


Could you post the output of sh access-list while you are pinging, so we can see if the counters are growing?
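The wildcard-mask, top-down first-match and implicit-deny rules from lrmoore's answer, together with the extra permit line Vladan_MOBTEL describes for pinging the router's own address, modelled in Python. This is an added example and not code from the thread; the `wildcard_match` and `evaluate` functions and the ACL tuples are my own construction, with the addresses taken from the posts above.

```python
import ipaddress

# Minimal model of a Cisco extended ACL (constructed for this example).
# Each rule is (action, src_base, src_wildcard, dst_base, dst_wildcard).
# Rules are walked top-down, the first match wins, and a packet that
# matches no rule hits the implicit "deny all" at the end of the list.

ANY = ("0.0.0.0", "255.255.255.255")   # Cisco "any" as base + wildcard


def wildcard_match(addr, base, wildcard):
    """Wildcard masks are inverted subnet masks: a 1 bit means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)


def evaluate(acl, src, dst):
    """Return 'permit' or 'deny' for a src->dst packet under the given ACL."""
    for action, s_base, s_wc, d_base, d_wc in acl:
        if wildcard_match(src, s_base, s_wc) and wildcard_match(dst, d_base, d_wc):
            return action            # first match wins
    return "deny"                    # implicit deny at the end of every ACL


# ACL 102 as posted in the question: a subnet mask where a wildcard mask
# belongs. Only addresses whose last octet is 0 can match, so a normal
# host such as 192.168.3.10 is silently dropped by the implicit deny.
ORIGINAL_102 = [("permit", "0.0.0.0", "255.255.255.0", *ANY)]

# lrmoore's corrected ACL 101, applied inbound on Ethernet0 (the 192.168.3.0/24 side).
FIXED_101 = [("permit", "192.168.3.0", "0.0.0.255", "192.168.1.0", "0.0.0.255")]

# Vladan_MOBTEL's extra line: a PC pinging the router's own 192.168.3.250
# is 192.168.3.0 -> 192.168.3.0 traffic, which FIXED_101 never permits.
FIXED_101_WITH_LOCAL = FIXED_101 + [
    ("permit", "192.168.3.0", "0.0.0.255", "192.168.3.0", "0.0.0.255"),
]

# Ordering demo for rule 1: a host-specific deny placed first shadows the
# later permit for that one host only (wildcard 0.0.0.0 = exact host).
ORDERED = [("deny", "192.168.3.6", "0.0.0.0", *ANY)] + FIXED_101
```

Running `evaluate(FIXED_101, "192.168.3.6", "192.168.3.250")` reproduces the "administratively prohibited" debug output dosle saw, while the same packet is permitted under `FIXED_101_WITH_LOCAL`.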
 
dosle (Author) commented:
Yes, when I am pinging the 1.249 machine from 3.6 the counters are growing. Thanks.
