IOS extended ACL issue - all traffic stops once applied

globotech
Hello,
I recently configured a 7206 router as my company's core router, which means it interconnects our LAN, 2 DMZs and the internet. Everything's working fine, as long as I have only applied a standard access list on the overload command.

I have created 3 extended ones, but I have trouble applying them on any interface. Once the lists are applied, all traffic dies.

I'm new to this and, obviously, I could use some help. If anyone could advise on where and in which direction (in, out) to apply the lists so that they work, or if anyone could point out what I've done wrong, please respond :)

I've attached the configuration and replaced IP octets with w x y and z for a bit of security.

Thanks in advance!
Using 2603 out of w95096 bytes
!
upgrade fpd auto
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname GloboCoreRouter
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$OFr2$0.7AEB/5c4g2VK4.z/.h91
!
no aaa new-model
ip subnet-zero
ip cef
!
!
!
!
ip name-server x.y.1.232
!
!
!
!
!
!
!
!
!
!
!
!
!
!
controller E1 5/0
!
controller E1 5/1
!
controller E1 5/2
!
controller E1 5/3
!
controller E1 5/4
!
controller E1 5/5
!
controller E1 5/6
!
controller E1 5/7
!
!
!
!
interface GigabitEthernet0/1
 description INTERNAL/LAN NETWORK
 ip address x.y.1.2 255.255.252.0
 ip nat inside
 duplex auto
 speed auto
 media-type rj45
 negotiation auto
!
interface FastEthernet0/2
 description MANAGEMENT
 ip address x.y.9.2 255.255.255.0 secondary
 ip address x.y.9.3 255.255.255.0
 duplex auto
 speed auto
!
interface GigabitEthernet0/2
 description HQ DMZ 1
 ip address z.z.z.1 255.255.255.0
 ip nat inside
 duplex auto
 speed auto
 media-type rj45
 negotiation auto
!
interface GigabitEthernet0/3
 description HQ DMZ 2
 ip address z.w.z.1 255.255.255.0
 ip nat inside
 duplex auto
 speed auto
 media-type rj45
 negotiation auto
!
interface FastEthernet6/0
 ip address <public ip> 255.255.255.252
 ip nat outside
 duplex full
!
interface FastEthernet6/1
 no ip address
 shutdown
 duplex half
!
ip classless
ip route 0.0.0.0 0.0.0.0 <gateway ip>
ip route z.z0.1.0 255.255.255.0 x.y.1.1
ip route z.w0.1.0 255.255.255.0 x.y.1.1
ip route 184.73.90.248 255.255.255.255 x.y.1.1
no ip http server
!
ip nat inside source list 1 interface FastEthernet6/0 overload
ip nat inside source static tcp x.y.1.91 80 interface FastEthernet6/0 80
ip nat inside source static udp x.y.1.z4 53 interface FastEthernet6/0 53
ip nat inside source static tcp x.y.1.z4 53 interface FastEthernet6/0 53
ip nat inside source static tcp x.y.1.z5 25 interface FastEthernet6/0 25
ip nat inside source static tcp z.z.z.2 3389 interface FastEthernet6/0 60000
!
logging alarm informational
access-list 1 permit x.y.9.1
access-list 1 permit x.y.0.0 0.0.3.255
access-list 1 permit z.z.z.0 0.0.0.255
access-list 1 permit z.w.z.0 0.0.0.255
access-list 101 permit tcp any any eq www
access-list 102 permit tcp any any established
access-list 103 deny   tcp any host 87.230.73.24 eq www
access-list 103 permit tcp any any
snmp-server community public RO 1
!
!
!
control-plane
!
!
!
!
!
!
gatekeeper
 shutdown
!
!
line con 0
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 access-class 1 in
 password <password>
 login
!
!
end

Instructor
Top Expert 2015
Commented:
If you're using private IP addresses, it's not a huge security hole to post the inside addresses since they're, you know, private and inside.

What is your goal with these ACLs that you're trying?

For example, with 101, the only thing you'd be able to do (assuming it's applied outbound on an outside interface) is opening web pages that only use port 80. But you won't be able to resolve domain names. Are you doing DNS lookups internally?
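Added example (not code from the original post or from the expert's reply): a small Python evaluator for IOS-style numbered extended ACLs. It parses the three lists exactly as posted, plus a hypothetical corrected list 101 that also permits DNS (UDP and TCP 53) and HTTPS, then runs constructed packets through each list to show the three things that bite people here: first match wins, every IOS ACL ends in an implicit `deny ip any any` (so list 101 silently drops DNS, and list 103 drops all UDP), and `established` only matches TCP segments with the ACK or RST bit set. Sample addresses (10.0.1.x inside, 198.51.100.x outside) are constructed; the host 87.230.73.24 is taken from the posted list 103. The parser handles only the `any` and `host` address forms the posted lists use, not wildcard masks. Placement is an assumption consistent with the comment above: the corrected 101 would go on the outside interface with `ip access-group 101 out`, and 102 on the same interface with `ip access-group 102 in`, so only replies to inside-initiated TCP sessions come back in.

```python
"""Evaluate Cisco IOS numbered extended ACLs against sample packets (added example)."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp" or "udp"
    src: str            # source IPv4 address
    dst: str            # destination IPv4 address
    dport: int          # destination port
    ack: bool = False   # True when the TCP ACK or RST bit is set (what "established" tests)


# Port keywords IOS accepts in place of numbers; only the ones needed here.
PORT_NAMES = {"www": 80, "domain": 53, "smtp": 25}

# One access control entry (ACE). Only "any" and "host A.B.C.D" address forms are
# supported, which is all the posted lists use; wildcard masks are not parsed.
ACE_RE = re.compile(
    r"^access-list\s+(?P<num>\d+)\s+(?P<action>permit|deny)\s+"
    r"(?P<proto>tcp|udp|ip)\s+(?P<src>any|host\s+\S+)\s+(?P<dst>any|host\s+\S+)"
    r"(?:\s+eq\s+(?P<port>\S+))?(?P<est>\s+established)?\s*$"
)


def parse_acls(config_text):
    """Return {acl_number: [ace, ...]} preserving configured order (order matters)."""
    acls = {}
    for raw in config_text.splitlines():
        m = ACE_RE.match(raw.strip())
        if not m:
            continue  # blank line or some other config statement
        port = m["port"]
        acls.setdefault(m["num"], []).append({
            "action": m["action"],
            "proto": m["proto"],
            "src": m["src"],
            "dst": m["dst"],
            "dport": None if port is None else (PORT_NAMES.get(port) or int(port)),
            "established": m["est"] is not None,
        })
    return acls


def _addr_matches(spec, addr):
    return spec == "any" or spec.split()[1] == addr


def evaluate(aces, pkt):
    """First matching ACE wins. Returns (action, ace_index); index None means the
    packet fell off the end and hit the implicit 'deny ip any any'."""
    for i, ace in enumerate(aces):
        if ace["proto"] != "ip" and ace["proto"] != pkt.proto:
            continue
        if not (_addr_matches(ace["src"], pkt.src) and _addr_matches(ace["dst"], pkt.dst)):
            continue
        if ace["dport"] is not None and ace["dport"] != pkt.dport:
            continue
        if ace["established"] and not (pkt.proto == "tcp" and pkt.ack):
            continue
        return ace["action"], i
    return "deny", None


# The three lists exactly as posted in the question.
POSTED = """
access-list 101 permit tcp any any eq www
access-list 102 permit tcp any any established
access-list 103 deny   tcp any host 87.230.73.24 eq www
access-list 103 permit tcp any any
"""

# Hypothetical replacement for 101 (not from the thread): browsing plus the DNS
# the expert pointed out was missing, over both UDP and TCP 53.
CORRECTED = """
access-list 101 permit tcp any any eq www
access-list 101 permit tcp any any eq 443
access-list 101 permit udp any any eq domain
access-list 101 permit tcp any any eq domain
"""


def demo():
    """Run constructed packets through the posted and corrected lists."""
    posted, fixed = parse_acls(POSTED), parse_acls(CORRECTED)
    # Constructed sample addresses (RFC 1918 inside, documentation range outside).
    web = Packet("tcp", "10.0.1.50", "198.51.100.10", 80)
    https = Packet("tcp", "10.0.1.50", "198.51.100.10", 443)
    dns = Packet("udp", "10.0.1.232", "198.51.100.53", 53)
    reply = Packet("tcp", "198.51.100.10", "10.0.1.50", 51000, ack=True)
    new_in = Packet("tcp", "198.51.100.10", "10.0.1.50", 3389)
    to_blocked = Packet("tcp", "10.0.1.50", "87.230.73.24", 80)
    return {
        "posted 101 web": evaluate(posted["101"], web),
        "posted 101 https": evaluate(posted["101"], https),
        "posted 101 dns": evaluate(posted["101"], dns),        # implicit deny: lookups fail
        "fixed 101 dns": evaluate(fixed["101"], dns),
        "fixed 101 https": evaluate(fixed["101"], https),
        "102 return traffic": evaluate(posted["102"], reply),
        "102 new inbound": evaluate(posted["102"], new_in),    # no ACK bit: dropped
        "103 blocked host": evaluate(posted["103"], to_blocked),
        "103 other web": evaluate(posted["103"], web),
        "103 dns": evaluate(posted["103"], dns),               # "permit tcp any any" never covers UDP
    }


if __name__ == "__main__":
    for case, (action, idx) in demo().items():
        where = "implicit deny" if idx is None else "ACE %d" % idx
        print("%-20s -> %s (%s)" % (case, action, where))
```

The posted list 102 is the classic stateless trick for "allow replies only": it permits TCP segments that carry ACK or RST, which is every segment of a session after the initial SYN, so an outside host cannot open a new connection inward but replies to inside-initiated sessions get through. It does nothing for UDP, so DNS replies to the inside name server also need their own entry if 102 is applied inbound.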

 

Author

Commented:
My goal was to restrict internet use to browsing. You're right about the DNS thing: my local DNS server had this router as a gateway (which was a huge mistake, of course), and that's why it didn't work.

There you go, easy points :) !

And about the private IP thing, well, I just thought I had nothing to lose, so why not replace them!
Don Johnston, Instructor
Top Expert 2015

Commented:
ACL programming can be a real art. It's easy to end up blocking some other traffic that you didn't think about. If I had a nickel for every time I blocked a routing protocol... :-)
