• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 434

ACL Problem on Cisco 1720 Router

---------------------------------------------------------------------------------------------
* Please assist with ACL configuration. I need to permit only the following networks in on the Serial interface:
200.1.2.0 255.255.255.0
201.3.2.0 255.255.255.0

* Deny all other incoming traffic on Serial except for established connections (WWW / HTTPS)

* Permit all LAN traffic out to internet

----------------------------------------------------------------------------------------------
With my current configuration, I successfully deny all incoming traffic on Serial except for the networks listed above, but the problem is that:
**Outbound traffic (WWW, HTTPS, ICMP, etc.) is also denied, therefore the LAN cannot access the Internet.**

--------------------------------------------------------------------------------------------
Here's my config:

Building configuration...

Current configuration : 1030 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Texarkana
!
logging queue-limit 100
aaa new-model
enable secret XXXXX

username XXXXX password 0 XXXXXX
memory-size iomem 25
ip subnet-zero
ip domain-name Texarkana.com
ip name-server 166.102.165.11
ip name-server 166.102.165.13
ip name-server 4.2.2.2
!
ip audit notify log
ip audit po max-events 100
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
!
!
interface FastEthernet0
 ip address 70.170.14.169 255.255.255.248
 speed auto
!
interface Serial0
 no ip address
 ip access-group 101 in
 ip access-group 102 out
 encapsulation frame-relay IETF
 no ip mroute-cache
 service-module t1 timeslots 1-6
 frame-relay lmi-type cisco
!
interface Serial0.16 point-to-point
 ip address 70.170.14.178 255.255.255.252
 ip access-group 101 in
 ip access-group 102 out
 frame-relay interface-dlci 16
!
ip classless
ip route 0.0.0.0 0.0.0.0 70.170.14.177
no ip http server
!
access-list 101 permit tcp 200.1.2.0 0.0.0.255 any eq 22
access-list 101 permit tcp 201.3.2.0 0.0.0.255 any eq 22
access-list 101 permit udp 200.1.2.0 0.0.0.255 any
access-list 101 permit udp 201.3.2.0 0.0.0.255 any
access-list 101 permit ip 200.1.2.0  0.0.0.255 any
access-list 101 permit ip 201.3.2.0 0.0.0.255 any
access-list 101 permit tcp any any established
access-list 101 permit tcp any any established
!
access-list 102 permit tcp any any eq 80
access-list 102 permit tcp any any eq 443
access-list 102 permit udp any any eq 53
access-list 102 permit icmp any any echo-reply
access-list 102 permit tcp any any established
access-list 102 permit udp any any established
access-list 102 permit ip any any established
access-list 102 permit tcp any any
access-list 102 permit udp any any
access-list 102 permit ip any any

!
line con 0
 password XXXX
line aux 0
line vty 0 4
 password XXXX
 transport input telnet ssh
!
end
Asked by josenetwork
1 Solution
 
lrmoore Commented:
Don't use both in and out acls. Keep acl 101 in and remove acl 102 out from the interfaces.
Don't apply to both interfaces, just the sub-if.
Add this to 101; you're not allowing DNS responses:
access-list 101 permit udp any eq domain any

Your acl 102 has virtually no restrictions, so it is useless, so it is not necessary.
If you want to control outbound, then create an acl to apply "in" on the LAN interface.
 
josenetwork (Author) Commented:
Thank you, I have:
-Removed ACL 102
-Removed IP Access-Group 101 and 102 from Serial 0
-Removed IP Access-Group 102 from Sub-if

Added access-list 101 permit udp any eq domain any


Result: Still no outbound connection (LAN to Internet)
 
lrmoore Commented:
Add icmp support to acl 101 for troubleshooting.
access-list 101 permit icmp any any

Now can you ping the next-hop gateway from the router console?
router#ping 70.170.14.177

If yes, can you ping anything beyond that?
router#ping 198.6.1.2   <== uunet dns server

If yes, can you do an extended ping from the router, using the LAN ip address as a source?
If no, then you may need to get with the ISP and make sure you have the proper IP address schema. We don't usually see the serial link and LAN interface both subnets of the same major subnet. The ISP has to route your LAN subnet specifically to your WAN IP address....
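To see why the asker's ACL 101 blocked the LAN's Internet access and why the two lines lrmoore added (the DNS line in the first comment and the ICMP line in the second) fix it, here is a small model of how IOS evaluates an extended ACL inbound on the Serial sub-interface: first matching entry wins, implicit deny at the end, and "established" only matches TCP segments with ACK or RST set. This is an added example, not code from this thread; it reduces ACL 101 to its effective entries, and the reply packets and the LAN host address 70.170.14.170 are constructed.

```python
# Model of IOS extended-ACL evaluation (first match wins, implicit deny last).
# Added example, not code from the thread; the packets below are constructed
# and 70.170.14.170 stands in for a host on the FastEthernet0 LAN.
from ipaddress import ip_address

def _parse_addr(tokens):
    """Consume 'any' or 'A.B.C.D WILDCARD'; return ((base, wildcard), rest)."""
    if tokens[0] == "any":
        return (0, 0xFFFFFFFF), tokens[1:]
    return (int(ip_address(tokens[0])), int(ip_address(tokens[1]))), tokens[2:]

def _parse_port(tokens):
    if tokens and tokens[0] == "eq":  # optional 'eq PORT', by name or number
        return int({"domain": 53, "www": 80}.get(tokens[1], tokens[1])), tokens[2:]
    return None, tokens

def parse_ace(line):
    """Parse 'access-list N permit|deny PROTO SRC [eq P] DST [eq P] [established]'."""
    t = line.split()
    src, rest = _parse_addr(t[4:])
    sport, rest = _parse_port(rest)
    dst, rest = _parse_addr(rest)
    dport, rest = _parse_port(rest)
    return dict(action=t[2], proto=t[3], src=src, sport=sport, dst=dst,
                dport=dport, established="established" in rest)

def _addr_match(rule, ip):  # IOS wildcard mask: 1 bits are "don't care"
    return (int(ip_address(ip)) & ~rule[1]) == (rule[0] & ~rule[1])

def evaluate(acl_lines, pkt):
    """Return 'permit' or 'deny' for pkt as the inbound ACL check would."""
    for ace in map(parse_ace, acl_lines):
        if ace["proto"] not in ("ip", pkt["proto"]) or not (
                _addr_match(ace["src"], pkt["src"]) and _addr_match(ace["dst"], pkt["dst"])):
            continue
        if ace["sport"] not in (None, pkt.get("sport")) or ace["dport"] not in (None, pkt.get("dport")):
            continue
        # "established" matches only TCP segments with ACK or RST set, never UDP or ICMP
        if ace["established"] and not (pkt["proto"] == "tcp" and pkt.get("ack")):
            continue
        return ace["action"]
    return "deny"  # implicit deny at the end of every IOS ACL

ACL_101 = """access-list 101 permit ip 200.1.2.0 0.0.0.255 any
access-list 101 permit ip 201.3.2.0 0.0.0.255 any
access-list 101 permit tcp any any established""".splitlines()  # asker's effective entries
ACL_101_FIXED = ACL_101 + [
    "access-list 101 permit udp any eq domain any",  # lrmoore: lets DNS replies in
    "access-list 101 permit icmp any any",           # lrmoore: lets ping replies in
]
DNS_REPLY = dict(proto="udp", src="4.2.2.2", sport=53, dst="70.170.14.170", dport=40000)
PING_REPLY = dict(proto="icmp", src="198.6.1.2", dst="70.170.14.178")
HTTP_REPLY = dict(proto="tcp", src="203.0.113.10", sport=80, dst="70.170.14.170", dport=50000, ack=True)
```

Running `evaluate(ACL_101, DNS_REPLY)` and `evaluate(ACL_101, PING_REPLY)` returns "deny" while the HTTP reply is permitted, which is exactly the symptom in the thread: web sessions would have worked once DNS resolved, but name lookups and pings never got their answers back in.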
 
josenetwork (Author) Commented:
Fixed! Adding "access-list 101 permit icmp any any" did it.

I can now ping and trace route out to the internet!

My problem was that I was using ICMP and traceroute to troubleshoot the outbound connection problem rather than actually using a web browser from the LAN, since I'm administering the router remotely.

Thank you so much, what a dumb mistake on my part!
