IoT business is booming, with manufacturers connecting any and every “thing” to the Internet. But as pressure grows to release new products faster and faster, we’re all left to wonder: is security a priority? Join our webinar on June 29th for the answer.
Course Of The Month
2 days, 10 hours left to enrollBecome a Premium Member and unlock a new, free course in leading technologies each month.
Solved
Use Access lists on mpls network, but now can't access internet
Posted on 2008-06-11
Ok Here it goes....
I found a network on our mpls link that isn't ours in our routing tables. So I am trying to put access lists on the switches at all our locations. However, when I apply the access lists all the internal networks can talk, but nothing can go out to the internet. I thought that I could put a rule to allow any traffic out but the switch will only allow you to apply an access group in. Besides that I don't know if cisco keeps track of sessions. ie. if a packet is allowed out, is it allow to receive the ack if theres no rule to specifically allow that ip?
Ok so heres what I have setup.
access-list 1 permit 10.10.0.0 0.0.255.255
access-list 1 permit 192.168.0.0 0.0.255.255
access-list 1 permit 172.16.0.0 0.0.255.255
I have tried applying the group on all ports of the switches and just the vlans.
It can traverse the mpls but won't allow you to go out to the internet.
I tried making a rule to allow any traffic and apply it to an interface out but there is no out command.
On the 3750s' I'm running 12.2(40)SE and on the 2960s' I'm running 12.2(25)see3.
Is there some kind of command you need to remember sessions or something?
I found a network on our mpls link that isn't ours in our routing tables. So I am trying to put access lists on the switches at all our locations. However, when I apply the access lists all the internal networks can talk, but nothing can go out to the internet. I thought that I could put a rule to allow any traffic out but the switch will only allow you to apply an access group in. Besides that I don't know if cisco keeps track of sessions. ie. if a packet is allowed out, is it allow to receive the ack if theres no rule to specifically allow that ip?
Ok so heres what I have setup.
access-list 1 permit 10.10.0.0 0.0.255.255
access-list 1 permit 192.168.0.0 0.0.255.255
access-list 1 permit 172.16.0.0 0.0.255.255
I have tried applying the group on all ports of the switches and just the vlans.
It can traverse the mpls but won't allow you to go out to the internet.
I tried making a rule to allow any traffic and apply it to an interface out but there is no out command.
On the 3750s' I'm running 12.2(40)SE and on the 2960s' I'm running 12.2(25)see3.
Is there some kind of command you need to remember sessions or something?
[X]
Welcome to Experts Exchange
Add your voice to the tech community where 5M+ people just like you are talking about what matters.
- Help others & share knowledge
- Earn cash & points
- Learn & ask questions
2-
2
4 Comments
Active 6 days ago
OK, first you would need to put an allow any statement in as there is an implicit deny at the bottom of every access list.
Second to block the other networks you would need to put the deny at the TOP of the ACL. It would be more efficient to put it like this:
access-list 1 deny ip [unknown network]
access-list 1 permit ip any any
That will let your networks talk to each other and to the internet. The deny statement will be read and processed for the traffic you don't want and will drop it before it gets to the permit stage.
The "in" part of the command means into the interface, not the network. If you were to put that ACL into your edge interfaces you should be fine.
Second to block the other networks you would need to put the deny at the TOP of the ACL. It would be more efficient to put it like this:
access-list 1 deny ip [unknown network]
access-list 1 permit ip any any
That will let your networks talk to each other and to the internet. The deny statement will be read and processed for the traffic you don't want and will drop it before it gets to the permit stage.
The "in" part of the command means into the interface, not the network. If you were to put that ACL into your edge interfaces you should be fine.
I can see that this would work but if I start putting deny statements in then if another new network happens to pop up and I don't know about it the default would be to allow all traffic. Isn't there a way to do this with a default deny rather then default permit?
Active 6 days ago
No. You need a default to allow any as you do not know to which addresses you will be sending internet traffic. The closest you could probably be come would be:
permit YOUR networks
deny 10.x
deny 192.x
deny 172.x (basically put in deny rules for all PRIVATE subnets)
permit any (to allow access to the internet)
permit YOUR networks
deny 10.x
deny 192.x
deny 172.x (basically put in deny rules for all PRIVATE subnets)
permit any (to allow access to the internet)
Featured Post
Question has a verified solution.
If you are experiencing a similar issue, please ask a related question
Getting hacked is no longer a matter or "if you get hacked" — the 2016 cyber threat landscape is now titled "when you get hacked." When it happens — will you be proactive, or reactive?
Cybersecurity has become the buzzword of recent years and years to come. The inventions of cloud infrastructure and the Internet of Things has made us question our online safety. Let us explore how cloud- enabled cybersecurity can help us with our b…
If you're a developer or IT admin, you’re probably tasked with managing multiple websites, servers, applications, and levels of security on a daily basis. While this can be extremely time consuming, it can also be frustrating when systems aren't wor…
There are cases when e.g. an IT administrator wants to have full access and view into selected mailboxes on Exchange server, directly from his own email account in Outlook or Outlook Web Access. This proves useful when for example administrator want…
Suggested Courses
Course of the Month2 days, 10 hours left to enroll
695 members asked questions and received personalized solutions in the past 7 days.
Join the community of 500,000 technology professionals and ask your questions.