Help Understanding Cisco ACLs for 861 Router
Posted on 2011-03-09
So, what I want to do is have this on the edge... it'll be plugged right into the internet. I'm guessing this probably isn't the most solid idea, but realistically if it's rejecting every inbound connection, how dangerous can it be?
I have a satellite building, which is directly connected via a site-to-site wireless link. This link, however, is very slow (50 Mbit on a very good day).
We purchased an ADSL connection, and I would like to have the router route all traffic not destined for my internal network (192.168.10.0/24 and 10.0.0.0/8) out to the internet through this ADSL connection. This should dramatically improve quality of service.
What I obviously do NOT want, however, is the internet to get its traffic routed into my network. That might be bad.
My router is plugged into the network on interface FA1, and plugged into the ADSL on FA4. For safety reasons, at this point, FA4 is shut down; however, when testing I `no shutdown` it to bring it back up.
interface FastEthernet1
 description Uplink to Network
 switchport mode trunk
!
interface FastEthernet4
 description Uplink to ISP
 ip address xxx.xxx.xxx.xxx 255.255.255.248
 ip access-group 105 in

Extended IP access list 105
    10 deny ip any any (2200 matches)
And now for the problem.
With no access-list on FA4, I am correctly able to ping a public IP address (126.96.36.199 for my testing purposes) from my SSH session on the router... and the internet can reach my router.
With the access-list in place, I am no longer able to ping the public IP address, but the internet is also not able to reach my router.
I'm obviously missing something.
I tried applying the access-group out, as well as prepending the following lines to the top of the ACL:
access-list 105 permit ip 10.0.0.0 0.255.255.255 any
access-list 105 permit ip 192.168.0.0 0.0.255.255 any
Anyone able to help me understand?
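For reference, an added example that is not part of the original post and not the poster's configuration: a stateless `deny ip any any` applied inbound on the ISP interface also drops the replies to sessions that the router or the LAN opened outward, which is why the ping stops working once the list is attached. Permitting 10.0.0.0/8 or 192.168.0.0/16 as a source on the internet-facing interface does not help (replies arrive from public addresses) and instead admits packets that merely claim an internal source. The two usual IOS ways to let return traffic in while keeping the inbound deny are shown below. Interface and list numbers are taken from the post; the list name `OUTBOUND` is invented, and `ip inspect` (CBAC) and the `router-traffic` keyword are assumed to be available in the router's IOS image.

```cisco
! Option A: stateless return-traffic entries in the existing numbered ACL.
! 'established' matches only TCP segments with ACK or RST set, so replies to
! outbound TCP get through without any state being kept; UDP and ICMP replies
! need explicit entries (DNS shown). The first two lines drop packets that
! arrive from the internet claiming an internal source address.
no access-list 105
access-list 105 deny   ip 10.0.0.0 0.255.255.255 any log
access-list 105 deny   ip 192.168.0.0 0.0.255.255 any log
access-list 105 permit tcp any any established
access-list 105 permit udp any eq domain any gt 1023
access-list 105 permit icmp any any echo-reply
access-list 105 permit icmp any any unreachable
access-list 105 permit icmp any any time-exceeded
access-list 105 deny   ip any any log
!
interface FastEthernet4
 ip access-group 105 in
!
! Option B (preferred, use instead of A): stateful inspection (CBAC).
! The router records each session it sees leaving FA4 and opens a temporary
! entry for that session's return traffic ahead of the inbound deny, so the
! original 'deny ip any any' can stay as it is. 'router-traffic' makes the
! inspection cover sessions the router itself originates, such as a ping
! run from the SSH session; without it only LAN-originated traffic is tracked.
ip inspect name OUTBOUND tcp router-traffic
ip inspect name OUTBOUND udp router-traffic
ip inspect name OUTBOUND icmp router-traffic
!
interface FastEthernet4
 ip inspect OUTBOUND out
 ip access-group 105 in
```

With either option, `show access-lists 105` should show the match counter on the final deny still climbing (unsolicited inbound traffic) while the ping and web traffic from inside succeed; with Option B, `show ip inspect sessions` lists the sessions currently being tracked.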