Cisco access-list help

Hi !


I'm trying to block all traffic except http & DNS. This should be applied to the VLAN2 interface.

I created the following access-list:

1811W#show ip access-list 109
Extended IP access list 109
    10 permit tcp any any eq www (119 matches)
    20 permit tcp any any eq 443
    30 permit udp any any eq 443
    40 permit udp any host 208.67.222.222 eq domain
    50 permit udp any host 208.67.220.220 eq domain
    60 deny tcp any any


And applied it to the VLAN:

interface Vlan2
 description PUBLIC
 no ip address
 ip access-group 109 out
 bridge-group 2

interface BVI2
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly


For a reason I can't pin down, this is not working. I also tried applying the access-list on the BVI interface, which works, but I get no traffic at all in that situation; everything is blocked. I would appreciate a little help please.

Thank you !

-M
Rubicon2009Asked:
 
GuruChiu Commented:
In that case, the only changes you need to make:

interface Vlan2
 no ip access-group 109 out

interface BVI2
 ip access-group 109 in
0
 
GuruChiuCommented:
Normally we control traffic by incoming ACL, e.g.

ip access-list extended PubIn
 permit tcp any any established
 permit tcp any eq www any
 permit tcp any eq 443 any
 permit udp any host 208.67.222.222 eq domain
 permit udp any host 208.67.222.220 eq domain
 deny ip any any
interface BVI2
 ip access-group PubIn in
0
 
Darrell PorterEnterprise Business Process ArchitectCommented:
What is it you're trying to accomplish?
The ANY ANY rules are excessive. I presume you want inbound HTTP and HTTPS traffic to hit an internal web server.
What type of device is it you're configuring?  ASA, router, WAP?
Do you have NATs in place?  If so, what do those look like?
0
 
GuruChiuCommented:
I read your posting again and there is some problem with your configuration. Which one is your external interface (the one connected to the internet)? Is it BVI2? It doesn't make sense, as BVI2 has ip nat inside.
0
 
Rubicon2009Author Commented:
This router is an 1811W; there are 2 SSIDs configured on the router.

One SSID is named "PRIVATE", which is on interface VLAN1 using BVI1; the other is named "PUBLIC", which is on interface VLAN2 using BVI2.

The internet is on FA0.

What I'm trying to do here is to apply an access list on the PUBLIC network so people can use this connection only to browse the web (no MSN, no torrent, no SMTP, no nothing except www & DNS).

0
 
Rubicon2009Author Commented:
@GuruChiu: Your solution is working perfectly!
But can you explain why it's "IN" instead of "OUT"? I designed the access-list thinking it would originally be OUT.
0
 
GuruChiu Commented:
The commands are in the router's perspective. The router is looking at packets coming IN.
0
 
Wissam Senior Network Engineer Commented:
The ACL should be applied to the interface with Layer 3 configuration.
Since you are allowing specific traffic from your network to go to the internet (http & DNS),
apply the ACL to the interface where you see it is configured with your internal LAN IP address along with the ip nat inside.
0
 
shubhanshu_jaiswalCommented:
The Access list will work in OUT direction if you make it reflexive.
0
 
Wissam Senior Network Engineer Commented:
From the below you can verify the direction the questioner refers to:

40 permit udp any host 208.67.222.222 eq domain
50 permit udp any host 208.67.220.220 eq domain

He is talking about "any" on his LAN towards the real IP (internet host IP) 208.67.220.220;
thus I would apply this on the inside interface in the "in" direction.

0
 
kevinhsieh Commented:
You should drop line 30 permit udp any any eq 443. SSL only runs over TCP 443, never UDP. Add line 55 deny ip any any and drop line 60.

Now, with this access list in place icmp ping will be broken, and where is DHCP being handled? This ACL will block DHCP requests from hitting the router.
0
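To make the two points above concrete (GuruChiu's "the router is looking at packets coming IN" and kevinhsieh's note that the ACL breaks DHCP and ping), here is an added example, not code from any poster and not IOS itself: a small first-match evaluator for the question's ACL 109, amended as kevinhsieh suggests, run against constructed packets from a PUBLIC client as BVI2 would see them inbound. Only `any`/`host` address specs and `eq` port qualifiers are modelled; the client and internet addresses are made up.

```python
import ipaddress

# Constructed from the question's ACL 109 with kevinhsieh's changes applied:
# UDP 443 dropped, explicit "deny ip any any" at the end. Only any/host address
# specs and "eq" port qualifiers are handled (no wildcard masks, no ranges).
ACL_109 = """permit tcp any any eq www
permit tcp any any eq 443
permit udp any host 208.67.222.222 eq domain
permit udp any host 208.67.220.220 eq domain
deny ip any any""".splitlines()
PORT_NAMES = {"www": 80, "domain": 53}

def parse_ace(line):
    """One ACE -> (action, proto, src_net, src_port, dst_net, dst_port)."""
    t = line.split()
    action, proto, t = t[0], t[1], t[2:]
    fields = []
    for _ in range(2):  # source spec, then destination spec
        if t[0] == "host":
            net, t = ipaddress.ip_network(t[1] + "/32"), t[2:]
        else:  # "any"
            net, t = ipaddress.ip_network("0.0.0.0/0"), t[1:]
        port = None  # None means any port
        if t and t[0] == "eq":
            port, t = PORT_NAMES.get(t[1]) or int(t[1]), t[2:]
        fields += [net, port]
    return (action, proto, *fields)

def evaluate(acl, proto, src, dst, sport=None, dport=None):
    """First-match evaluation; IOS ends every ACL with an implicit deny."""
    for line in acl:
        action, p, s_net, s_port, d_net, d_port = parse_ace(line)
        if p not in ("ip", proto):
            continue
        if ipaddress.ip_address(src) not in s_net or ipaddress.ip_address(dst) not in d_net:
            continue
        if s_port not in (None, sport) or d_port not in (None, dport):
            continue
        return action
    return "deny"

def lan_examples():
    """Constructed packets from PUBLIC client 192.168.1.50, as the router sees them inbound on BVI2."""
    return {
        "http": evaluate(ACL_109, "tcp", "192.168.1.50", "203.0.113.10", 51000, 80),
        "dns_opendns": evaluate(ACL_109, "udp", "192.168.1.50", "208.67.222.222", 51001, 53),
        "dns_other": evaluate(ACL_109, "udp", "192.168.1.50", "8.8.8.8", 51002, 53),
        "torrent": evaluate(ACL_109, "tcp", "192.168.1.50", "203.0.113.20", 51003, 6881),
        "dhcp_discover": evaluate(ACL_109, "udp", "0.0.0.0", "255.255.255.255", 68, 67),
        "ping_gateway": evaluate(ACL_109, "icmp", "192.168.1.50", "192.168.1.1"),
    }
```

The DHCP and ICMP entries come out as deny, which is exactly why kevinhsieh asks where DHCP is handled: a client on the PUBLIC SSID cannot even obtain an address from the router unless an ACE for bootps (UDP 67) is added ahead of the final deny.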
 
Rubicon2009Author Commented:
Thanks everyone for helping me with this issue!

Now if I want to apply a crypto map to my private LAN, should I place it on the VLAN, on the BVI, or can "a crypto map only be applied on the WAN interface"?
0