Solved

Access list Cisco Router 2811

Posted on 2006-10-26
Last Modified: 2013-11-29
Hi all
I am trying to establish a vpn connection.  I have mapped an internal ip address to an external ip address already on my router like this:
ip nat inside source static 10.10.11.1 64.XXX.XX.124
Please help me with the access list commands to enable gre and port 1723 on this external address:

The version of ios is
*********
 Version 12.3(14)T7, RELEASE SOFTWARE (fc2)
***************

To make things easier here is my access-list example.  There is no explicit deny statement at the end; also each line has a number, what is it by the way?  Will it work if I simply put in the new lines?  What's the best way to edit to allow port 1723 and gre to one of my external IPs:

Name_2811#show access-list 101
Extended IP access list 101
    10 deny ip 10.0.0.0 0.255.255.255 any (946 matches)
    20 permit icmp any any echo (163424 matches)
    30 permit icmp any any unreachable (44506 matches)
    40 permit icmp any any traceroute
    50 permit icmp any any echo-reply
    60 permit icmp any any ttl-exceeded (3309 matches)
    70 permit icmp any any time-exceeded
    80 permit icmp any any source-quench (15 matches)
    90 permit icmp any any packet-too-big
    100 permit ip any host 64.xxx.xx.xxx (68050984 matches)
    110 permit ip any host 64.xxx.xx.xxx (164980 matches)
    120 permit tcp any host 64.xxx.xx.xxx eq www (13860 matches)
    130 permit tcp any host 64.xxx.xx.xxx eq www (269199 matches)
    140 permit tcp any host 64.xxx.xx.xxx eq www (279144 matches)
    150 permit tcp any host 64.xxx.xx.xxx eq www (517 matches)
    160 permit tcp any host 64.xxx.xx.xxx eq www (330 matches)
    170 permit tcp any host 64.xxx.xx.xxx eq 82
    180 permit tcp any host 64.xxx.xx.xxx eq 5336
    190 permit tcp any host 64.xxx.xx.xxx eq 5336
    200 permit tcp any host 64.xxx.xx.xxx eq smtp (2917953 matches)
    210 permit tcp any host 64.xxx.xx.xxx eq smtp (384706 matches)
    220 permit tcp any host 64.xxx.xx.xxx eq pop3 (29127 matches)
    230 permit tcp any host 64.xxx.xx.xxx eq pop3 (3 matches)
    240 permit tcp any host 64.xxx.xx.xxx eq 443 (107 matches)
    250 permit esp any host 64.xxx.xx.xxx
    260 permit esp any host 64.xxx.xx.xxx
    270 permit ahp any host 64.xxx.xx.xxx
    280 permit ahp any host 64.xxx.xx.xxx
    290 permit udp any host 64.xxx.xx.xxx eq isakmp
    300 permit udp any host 64.xxx.xx.xxx eq isakmp (46 matches)
    310 permit gre any host 64.xxx.xx.xxx (127905 matches)
    320 permit tcp any host 64.xxx.xx.xxx eq 1723 (2952 matches)
    330 permit tcp any host 64.xxx.xx.xxx eq 8098
    340 permit tcp any host 64.xxx.xx.xxx eq 8099
    350 permit tcp any host 64.xxx.xx.xxx eq 8080 (130588 matches)
    360 permit tcp any host 64.xxx.xx.xxx eq 8383
    370 permit tcp any host 64.xxx.xx.xxx eq 8181
    380 permit tcp any host 64.xxx.xx.xxx eq 19815
    390 permit tcp any host 64.xxx.xx.xxx eq 8093
    400 permit tcp any host 64.xxx.xx.xxx eq ftp (69 matches)
    410 permit tcp host 64.xxx.xx.xxx any eq 123
    420 permit tcp host 64.xxx.xx.xxx any eq 123
    430 permit tcp host 64.xxx.xx.xxx host 64.xxx.xx.xxx eq telnet
    440 permit tcp host 64.xxx.xx.xxx host 64.xxx.xx.xxx eq telnet
    450 permit udp host 64.xxx.xx.xxx eq domain host 64.xxx.xx.xxx
    460 permit udp host 64.xxx.xx.xxx eq domain host 64.xxx.xx.xxx

Help plz
Question by:amanzoor
5 Comments
 
LVL 43

Expert Comment

by:JFrederick29
ID: 17815618
It looks like you already have it or is this another host?

310 permit gre any host 64.xxx.xx.xxx (127905 matches)
320 permit tcp any host 64.xxx.xx.xxx eq 1723 (2952 matches)

If you need to add additional lines for a new host:

access-list 101 permit gre any host 64.xxx.xx.124
access-list 101 permit tcp any host 64.xxx.xx.124 eq 1723

By the way, the numbers are the sequence number so you can insert lines.  Access-lists are searched top down so if you have a deny somewhere, you can insert a permit above it.  The new lines will be added to the bottom of the list by default with a sequence number of 470 and 480 (increments by 10).
 
LVL 4

Author Comment

by:amanzoor
ID: 17816287
Thanks JFrederick29
Yes, that's another host.
This is what I did
Name_2811(config)#ip a
Name_2811(config)#ip access
Name_2811(config)#ip access-list ex
Name_2811(config)#ip access-list extended 101
Name_2811(config-ext-nacl)#470 permit gre any host 64.xxx.xx.xxx
Name_2811(config-ext-nacl)#480 permit tcp any host 62.xxx.xx.xxx eq 1723

When I check sh access-list 101 it shows me these lines added at the bottom.  I just want to confirm, is it all that I have to do?  My access-list has no deny at the bottom, should I worry about it?
Also please tell me how to remove lines (one line at a time) from the access list.  Help plz
 
LVL 4

Author Comment

by:amanzoor
ID: 17816293
Correction please read
Name_2811(config-ext-nacl)#480 permit tcp any host 62.xxx.xx.xxx eq 1723
as
Name_2811(config-ext-nacl)#480 permit tcp any host 64.xxx.xx.xxx eq 1723

 
LVL 43

Accepted Solution

by:
JFrederick29 earned 2000 total points
ID: 17816330
Yes, that's all you need to add.

>>My access-list has no deny at the bottom should I worry about it?
The access-list has an implicit "hidden" deny all at the end of the list by default so no, no need to worry about it.

>>Also please tell me how to remove lines (one line at a time) from the access list.

You can do the following:

Name_2811(config)#ip access-list extended 101
Name_2811(config-ext-nacl)#no <line number>

or

Name_2811(config)#ip access-list extended 101
Name_2811(config-ext-nacl)#no <entry>

For example:

Name_2811(config)#ip access-list extended 101
Name_2811(config-ext-nacl)#no 470    <---this will remove the line "470 permit gre any host 64.xxx.xx.xxx" from the access-list.

or

Name_2811(config)#ip access-list extended 101
Name_2811(config-ext-nacl)#no permit gre any host 64.xxx.xx.xxx    <---this does the same thing and removes line 470.
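The behaviour JFrederick29 describes (sequence numbers, top-down search with first match winning, the hidden deny at the end, appending at highest + 10, and removing one line with `no <seq>` or `no <entry>`) can be checked offline before touching the router. The following is an added Python model written for this page; it is not IOS code and not from anyone in the thread. The `ExtendedAcl`, `Ace`, `parse_entry` names and the `SAMPLE_ACL` text are constructed, and the poster's 64.x.x.x hosts are replaced with documentation-range addresses (192.0.2.0/24, 198.51.100.0/24). Only the syntax that appears in this thread's ACL is modelled: `ip`/`tcp`/`udp`/`gre`/`icmp`, `any`, `host`, wildcard masks and `eq` ports.

```python
import re
from dataclasses import dataclass
from ipaddress import IPv4Address

# IOS port keywords that appear in the thread's "show access-list 101" output.
PORT_NAMES = {"www": 80, "smtp": 25, "pop3": 110, "ftp": 21, "telnet": 23, "domain": 53, "isakmp": 500}

# One "show access-list" line: sequence, action, protocol, entry body, optional "(N matches)".
ACE_RE = re.compile(r"^\s*(?P<seq>\d+)\s+(?P<action>permit|deny)\s+(?P<proto>\S+)\s+(?P<rest>.*?)"
                    r"(?:\s+\(\d+ matches\))?\s*$")

# Constructed sample shaped like the thread's output, with documentation-range addresses.
SAMPLE_ACL = """\
Extended IP access list 101
    10 deny ip 10.0.0.0 0.255.255.255 any (946 matches)
    20 permit icmp any any echo (163424 matches)
    310 permit gre any host 192.0.2.10 (127905 matches)
    320 permit tcp any host 192.0.2.10 eq 1723 (2952 matches)
    450 permit udp host 192.0.2.20 eq domain host 192.0.2.10
"""

def _take_addr(tokens):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D <wildcard>'; return (base, care-bits)."""
    tok = tokens.pop(0)
    if tok == "any":
        return (0, 0)
    if tok == "host":
        return (int(IPv4Address(tokens.pop(0))), 0xFFFFFFFF)
    return (int(IPv4Address(tok)), 0xFFFFFFFF ^ int(IPv4Address(tokens.pop(0))))  # care = ~wildcard

def _take_port(tokens):
    """Consume 'eq <port|keyword>' if present; ranges, gt/lt and ICMP types are not modelled."""
    if tokens and tokens[0] == "eq":
        tokens.pop(0)
        tok = tokens.pop(0)
        return int(tok) if tok.isdigit() else PORT_NAMES[tok]
    return None

def _addr_matches(spec, ip):
    return (int(IPv4Address(ip)) & spec[1]) == (spec[0] & spec[1])

@dataclass
class Ace:
    seq: int
    action: str
    proto: str
    src: tuple
    sport: "int | None"
    dst: tuple
    dport: "int | None"
    text: str  # the entry as typed, without sequence number or hit counter

    def matches(self, proto, src, dst, sport=None, dport=None):
        return (self.proto in ("ip", proto)
                and self.sport in (None, sport) and self.dport in (None, dport)
                and _addr_matches(self.src, src) and _addr_matches(self.dst, dst))

def parse_entry(text, seq):
    text = " ".join(text.split())
    action, proto, *tokens = text.split()
    src, sport = _take_addr(tokens), _take_port(tokens)  # evaluated left to right
    dst, dport = _take_addr(tokens), _take_port(tokens)
    return Ace(seq, action, proto, src, sport, dst, dport, text)

class ExtendedAcl:
    """Numbered extended ACL: sequence numbers, top-down search, hidden deny at the end."""

    def __init__(self):
        self.aces = []  # kept sorted by sequence number

    @classmethod
    def from_show_output(cls, output):
        acl = cls()
        for m in filter(None, map(ACE_RE.match, output.splitlines())):
            acl.add(f"{m['action']} {m['proto']} {m['rest']}", int(m["seq"]))
        return acl

    def add(self, entry, seq=None):
        """'[seq] permit ...' in ip access-list mode; no sequence number means highest + 10."""
        if seq is None:
            seq = self.aces[-1].seq + 10 if self.aces else 10
        if any(a.seq == seq for a in self.aces):
            raise ValueError(f"sequence number {seq} already in use")
        self.aces.append(parse_entry(entry, seq))
        self.aces.sort(key=lambda a: a.seq)
        return seq

    def remove(self, ref):
        """'no <seq>' or 'no <entry>': drop the matching line; returns how many were removed."""
        gone = [a for a in self.aces if a.seq == ref or a.text == " ".join(str(ref).split())]
        self.aces = [a for a in self.aces if a not in gone]
        return len(gone)

    def evaluate(self, proto, src, dst, sport=None, dport=None):
        """(action, seq) of the first matching line, or ('deny', None) from the implicit deny."""
        for ace in self.aces:  # searched top-down, first match wins
            if ace.matches(proto, src, dst, sport, dport):
                return ace.action, ace.seq
        return "deny", None
```

Loading `SAMPLE_ACL` and calling `evaluate("gre", "198.51.100.5", "192.0.2.124")` returns `("deny", None)`, the implicit deny, until `add("permit gre any host 192.0.2.124")` appends the line at 460 and the same lookup returns `("permit", 460)`; `remove(460)` or `remove("permit gre any host 192.0.2.124")` puts it back to the implicit deny. Passing an explicit low sequence number to `add` shows the other half of the answer: an entry inserted at 5 is matched before the `deny ip 10.0.0.0 0.255.255.255 any` line at 10.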
 
LVL 4

Author Comment

by:amanzoor
ID: 17816640
Thanks JFrederick29:
I really appreciate it.
AM
