Solved

Use access lists on MPLS network, but now can't access the Internet

Posted on 2008-06-11
507 Views
Last Modified: 2012-05-05
OK, here it goes...

I found a network on our MPLS link that isn't ours in our routing tables.  So I am trying to put access lists on the switches at all our locations.  However, when I apply the access lists all the internal networks can talk, but nothing can go out to the Internet.  I thought that I could put a rule to allow any traffic out, but the switch will only allow you to apply an access group in.  Besides that, I don't know if Cisco keeps track of sessions, i.e. if a packet is allowed out, is it allowed to receive the ACK if there's no rule to specifically allow that IP?

OK, so here's what I have set up.

access-list 1 permit 10.10.0.0 0.0.255.255
access-list 1 permit 192.168.0.0 0.0.255.255
access-list 1 permit 172.16.0.0 0.0.255.255

I have tried applying the group on all ports of the switches and on just the VLANs.

It can traverse the MPLS but won't allow you to go out to the Internet.

I tried making a rule to allow any traffic and applying it to an interface out, but there is no out command.

On the 3750s I'm running 12.2(40)SE and on the 2960s I'm running 12.2(25)SEE3.

Is there some kind of command you need to remember sessions or something?
Question by: Culbert
10 Comments
LVL 5

Expert Comment

by:Melaleuca
ID: 21760201
I believe the command you are looking for is this: tcp established.
access-list 101 permit tcp any any established
Author Comment

by:Culbert
ID: 21760281
So in this case I would have to make my access list look like this?

access-list 101 permit ip 10.10.0.0 0.0.255.255 any
access-list 101 permit ip 192.168.0.0 0.0.255.255 any
access-list 101 permit ip 172.16.0.0 0.0.255.255 any
access-list 101 permit tcp any any established

And this would be applied to all ports or a VLAN, in?
LVL 5

Expert Comment

by:Melaleuca
ID: 21760400
That depends on how your topology is set up. You could add this to the trunk link between your switch and the router, or you can place it on the router, or on the VLAN if your 3750 is routing. I'm not sure what you are trying to accomplish with this, but if you found a route that shouldn't be coming from the MPLS, I would talk to your provider, because they could be injecting the wrong routes into your MPLS VRF.

Author Comment

by:Culbert
ID: 21760528
I've already contacted Bell about this route and they are looking into it.  But more than likely this is going to take a while for them to actually do.  In the meantime I just don't want them roaming around in our network with no restrictions.  I will apply this access list tonight to the VLAN in.

access-list 101 permit ip 10.10.0.0 0.0.255.255 any
access-list 101 permit ip 192.168.0.0 0.0.255.255 any
access-list 101 permit ip 172.16.0.0 0.0.255.255 any
access-list 101 permit tcp any any established
LVL 7

Expert Comment

by:logic2
ID: 21760699
Man, if you are putting this ACL in the in direction then you are permitting access only from intranet IP addresses and not Internet ones!!! So incoming Internet traffic would be dropped.
Can you tell me the following:

1. How do you access the Internet usually (directly via the MPLS or via a proxy server)?
2. How is this strange route known (do a sh ip route x.x.x.x)?

Depending on the protocol used to know this route, we can prevent it (usually it would be BGP, so it would be a piece of cake).
However, some companies inject some routes to customer routers to allow them to have remote access to your router if they manage it, which I don't think is the case, but just maybe they are injecting it. Anyway, best to block it.


Author Comment

by:Culbert
ID: 21761021
1. Our remote offices are going through the MPLS to our main office, where the Internet connection is located, and directly out.
2. The strange route is coming in via the Service Provider MPLS router.

We are running EIGRP over the MPLS.
LVL 7

Accepted Solution

by: logic2 (earned 500 total points)
ID: 21763724
OK, here is the plan:

1. Remove those access lists, as they will be blocking incoming Internet traffic.
2. I understand that the strange route is coming via EIGRP from the SP. In that case, add an input distribute list to the EIGRP config to deny this route. As an example, I'd assume that the route is 172.25.3.4/24:

Router(config)#access-list 50 deny 172.25.3.4 0.0.0.255
Router(config)#access-list 50 permit any

Router(config)#router eigrp 1
Router(config-router)#distribute-list 50 in
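The `established` keyword suggested earlier in the thread and the `distribute-list 50 in` in this answer are both plain first-match filters, and it helps to see exactly what each one lets through. The Python below is an added example written for this page; it is not IOS code and not from any poster. It re-implements IOS wildcard-mask matching, the `established` check and the standard-ACL test that a distribute-list applies to each received route, then runs the posted access-list 101 and access-list 50 against constructed packets and prefixes (the public addresses 203.0.113.10 and 198.51.100.53 and the host 10.10.5.20 are made-up test values). It goes beyond the thread's TCP case to show what happens to a UDP reply from the Internet and to an ACK-flagged packet sourced from the foreign 172.25.3.0/24 network.

```python
"""Offline model of Cisco IOS ACL matching (added example, not IOS code).

Covers three things discussed in the thread: wildcard masks, the stateless
`established` keyword, and a standard ACL used as `distribute-list N in`.
All addresses used in the demo are constructed test values.
"""
import ipaddress
from dataclasses import dataclass


def _to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    care = ~_to_int(wildcard) & 0xFFFFFFFF
    return (_to_int(addr) & care) == (_to_int(base) & care)


@dataclass
class Packet:
    src: str
    dst: str
    proto: str          # "tcp", "udp" or "icmp"
    ack: bool = False   # TCP ACK bit set
    rst: bool = False   # TCP RST bit set


@dataclass
class Entry:
    action: str         # "permit" or "deny"
    proto: str          # "ip" matches every protocol; otherwise exact match
    src: tuple          # (base, wildcard)
    dst: tuple          # (base, wildcard)
    established: bool = False


ANY = ("0.0.0.0", "255.255.255.255")   # IOS keyword 'any'


def entry_matches(e: Entry, p: Packet) -> bool:
    if e.proto != "ip" and e.proto != p.proto:
        return False
    if not (wildcard_match(p.src, *e.src) and wildcard_match(p.dst, *e.dst)):
        return False
    if e.established:
        # 'established' is stateless: it only checks that ACK or RST is set.
        # It does not remember whether a session was opened from inside.
        return p.proto == "tcp" and (p.ack or p.rst)
    return True


def evaluate(acl: list, p: Packet) -> str:
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for e in acl:
        if entry_matches(e, p):
            return e.action
    return "deny"


def route_permitted(acl: list, prefix: str) -> bool:
    """A standard ACL in 'distribute-list N in' is tested against the network
    address of each received route (the prefix length itself is not matched)."""
    network = ipaddress.IPv4Network(prefix, strict=False).network_address
    return evaluate(acl, Packet(str(network), "0.0.0.0", "ip")) == "permit"


# access-list 101 exactly as posted in the thread
ACL_101 = [
    Entry("permit", "ip", ("10.10.0.0", "0.0.255.255"), ANY),
    Entry("permit", "ip", ("192.168.0.0", "0.0.255.255"), ANY),
    Entry("permit", "ip", ("172.16.0.0", "0.0.255.255"), ANY),
    Entry("permit", "tcp", ANY, ANY, established=True),
]

# access-list 50 from the accepted answer (172.25.3.4/24 is its example route)
ACL_50 = [
    Entry("deny", "ip", ("172.25.3.4", "0.0.0.255"), ANY),
    Entry("permit", "ip", ANY, ANY),
]


def demo() -> dict:
    """Inbound packets on the interface that carries ACL 101 'in'."""
    inside, web, dns, foreign = "10.10.5.20", "203.0.113.10", "198.51.100.53", "172.25.3.9"
    return {
        "inside_to_web_syn":   evaluate(ACL_101, Packet(inside, web, "tcp")),
        "web_reply_ack":       evaluate(ACL_101, Packet(web, inside, "tcp", ack=True)),
        "web_unsolicited_syn": evaluate(ACL_101, Packet(web, inside, "tcp")),
        "dns_reply_udp":       evaluate(ACL_101, Packet(dns, inside, "udp")),
        "foreign_ack_probe":   evaluate(ACL_101, Packet(foreign, inside, "tcp", ack=True)),
        "route_172_25_3_0_24": route_permitted(ACL_50, "172.25.3.4/24"),
        "route_10_10_0_0_16":  route_permitted(ACL_50, "10.10.0.0/16"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:22s} -> {result}")
```

Two things stand out when you run it: `established` matches on the ACK/RST bits alone, so it admits an ACK-flagged probe from the unknown 172.25.3.0/24 network just as readily as a genuine reply, and it never matches UDP or ICMP, so a DNS reply from the Internet still hits the implicit deny even with the fourth entry in place. That is why filtering the route at the EIGRP boundary, as the accepted answer does, is the cleaner fix: the distribute-list entry is tested against the route's network address, so `172.25.3.4 0.0.0.255` catches 172.25.3.0/24 while leaving the internal prefixes untouched.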

Author Comment

by:Culbert
ID: 21764621

Isn't there a way to do this while keeping the default deny?

Author Closing Comment

by:Culbert
ID: 31466152
Thanks for your help.  It's working.
LVL 7

Expert Comment

by:logic2
ID: 21772084
What do you mean by the default deny?