globotech
asked on
IOS extended ACL issue - all traffic stops once applied
Hello,
I recently configured a 7206 router as my company's core router, which means it interconnects our LAN, 2 DMZs and the internet. Everything's working fine, as long as I have only applied a standard access list on the overload command.
I have created 3 extended ones, but I have trouble applying them on any interface. Once the lists are applied, all traffic dies.
I'm new to this and, obviously, I could use some help. If anyone could advise on where and in which direction (in, out) to apply the lists so that they work, OR if anyone could point out what I've done wrong, please respond :)
I've attached the configuration and replaced IP octets with w, x, y and z for a bit of security.
Thanks in advance!
Using 2603 out of w95096 bytes
!
upgrade fpd auto
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname GloboCoreRouter
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$OFr2$0.7AEB/5c4g2VK4.z/.h91
!
no aaa new-model
ip subnet-zero
ip cef
!
!
!
!
ip name-server x.y.1.232
!
!
!
!
!
!
!
!
!
!
!
!
!
!
controller E1 5/0
!
controller E1 5/1
!
controller E1 5/2
!
controller E1 5/3
!
controller E1 5/4
!
controller E1 5/5
!
controller E1 5/6
!
controller E1 5/7
!
!
!
!
interface GigabitEthernet0/1
description INTERNAL/LAN NETWORK
ip address x.y.1.2 255.255.252.0
ip nat inside
duplex auto
speed auto
media-type rj45
negotiation auto
!
interface FastEthernet0/2
description MANAGEMENT
ip address x.y.9.2 255.255.255.0 secondary
ip address x.y.9.3 255.255.255.0
duplex auto
speed auto
!
interface GigabitEthernet0/2
description HQ DMZ 1
ip address z.z.z.1 255.255.255.0
ip nat inside
duplex auto
speed auto
media-type rj45
negotiation auto
!
interface GigabitEthernet0/3
description HQ DMZ 2
ip address z.w.z.1 255.255.255.0
ip nat inside
duplex auto
speed auto
media-type rj45
negotiation auto
!
interface FastEthernet6/0
ip address <public ip> 255.255.255.252
ip nat outside
duplex full
!
interface FastEthernet6/1
no ip address
shutdown
duplex half
!
ip classless
ip route 0.0.0.0 0.0.0.0 <gateway ip>
ip route z.z0.1.0 255.255.255.0 x.y.1.1
ip route z.w0.1.0 255.255.255.0 x.y.1.1
ip route 184.73.90.248 255.255.255.255 x.y.1.1
no ip http server
!
ip nat inside source list 1 interface FastEthernet6/0 overload
ip nat inside source static tcp x.y.1.91 80 interface FastEthernet6/0 80
ip nat inside source static udp x.y.1.z4 53 interface FastEthernet6/0 53
ip nat inside source static tcp x.y.1.z4 53 interface FastEthernet6/0 53
ip nat inside source static tcp x.y.1.z5 25 interface FastEthernet6/0 25
ip nat inside source static tcp z.z.z.2 3389 interface FastEthernet6/0 60000
!
logging alarm informational
access-list 1 permit x.y.9.1
access-list 1 permit x.y.0.0 0.0.3.255
access-list 1 permit z.z.z.0 0.0.0.255
access-list 1 permit z.w.z.0 0.0.0.255
access-list 101 permit tcp any any eq www
access-list 102 permit tcp any any established
access-list 103 deny tcp any host 87.230.73.24 eq www
access-list 103 permit tcp any any
snmp-server community public RO 1
!
!
!
control-plane
!
!
!
!
!
!
gatekeeper
shutdown
!
!
line con 0
stopbits 1
line aux 0
stopbits 1
line vty 0 4
access-class 1 in
password <password>
login
!
!
end
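The behaviour described in the question ("all traffic dies") follows from how IOS evaluates an extended list: entries are checked top to bottom, the first match wins, and every list ends in an implicit `deny ip any any`. Access-list 101 permits only TCP to port 80, so once it sits on an interface, DNS replies, ICMP and even the return half of a web session are silently dropped. The Python below is an added example, not code from this thread or from Cisco: it parses the three extended lists exactly as they appear in the posted running-config, plus an assumed corrected list 110 (not from the page) that admits return traffic on the outside interface inbound, and evaluates constructed sample packets against each. It handles only the `any`/`host` address forms, `eq` port matching and the `established` keyword that the posted lists use; wildcard masks and ICMP types are not modelled. The remote addresses are from the documentation ranges (192.0.2.0/24, 198.51.100.0/24) and the LAN host keeps the asker's x.y placeholders.

```python
"""First-match simulation of IOS numbered-ACL semantics (added example)."""
from dataclasses import dataclass

PORT_NAMES = {"www": 80, "domain": 53, "smtp": 25}   # IOS keyword -> port


@dataclass(frozen=True)
class Packet:
    proto: str                   # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    established: bool = False    # TCP segment with ACK or RST set


# The extended lists exactly as they appear in the posted config.
CONFIG_ACLS = """
access-list 101 permit tcp any any eq www
access-list 102 permit tcp any any established
access-list 103 deny tcp any host 87.230.73.24 eq www
access-list 103 permit tcp any any
"""

# Assumed correction (NOT from the page): a list meant for the outside
# interface, inbound, that permits the replies a stateless filter must let in.
CORRECTED_ACL = """
access-list 110 permit tcp any any established
access-list 110 permit udp any eq domain any
access-list 110 permit icmp any any
"""


def _port(tok):
    return int(tok) if tok.isdigit() else PORT_NAMES[tok]


def _addr(t, i):
    """Parse 'any' or 'host A.B.C.D'; None means any."""
    if t[i] == "any":
        return None, i + 1
    if t[i] == "host":
        return t[i + 1], i + 2
    raise ValueError(f"unsupported address form: {t[i]}")


def parse_acls(text):
    """Return {acl_number: [entry, ...]} preserving configured order."""
    acls = {}
    for line in text.strip().splitlines():
        t = line.split()
        if not t or t[0] != "access-list":
            continue
        num, action, proto = int(t[1]), t[2], t[3]
        src, i = _addr(t, 4)
        sport = None
        if i < len(t) and t[i] == "eq":
            sport, i = _port(t[i + 1]), i + 2
        dst, i = _addr(t, i)
        dport = None
        if i < len(t) and t[i] == "eq":
            dport, i = _port(t[i + 1]), i + 2
        est = i < len(t) and t[i] == "established"
        acls.setdefault(num, []).append(
            (action == "permit", proto, src, sport, dst, dport, est))
    return acls


def _matches(entry, pkt):
    _, proto, src, sport, dst, dport, est = entry
    return (proto in ("ip", pkt.proto)
            and src in (None, pkt.src) and dst in (None, pkt.dst)
            and sport in (None, pkt.sport) and dport in (None, pkt.dport)
            and (pkt.established or not est))


def evaluate(entries, pkt):
    """First matching entry decides; no match is the implicit deny."""
    for entry in entries:
        if _matches(entry, pkt):
            return "permit" if entry[0] else "deny"
    return "deny (implicit)"


def verdicts(entries, packets):
    return {name: evaluate(entries, pkt) for name, pkt in packets.items()}


# Constructed packets as seen on the outside interface (before NAT rewrite).
SAMPLE_PACKETS = {
    "http request": Packet("tcp", "x.y.1.50", "192.0.2.10", 51000, 80),
    "http reply": Packet("tcp", "192.0.2.10", "x.y.1.50", 80, 51000, True),
    "dns reply": Packet("udp", "192.0.2.53", "x.y.1.50", 53, 40000),
    "ping reply": Packet("icmp", "192.0.2.10", "x.y.1.50"),
    "unsolicited ssh": Packet("tcp", "198.51.100.7", "x.y.1.50", 43210, 22),
}

ACLS = parse_acls(CONFIG_ACLS + CORRECTED_ACL)

if __name__ == "__main__":
    for num in sorted(ACLS):
        print(f"access-list {num}:")
        for name, v in verdicts(ACLS[num], SAMPLE_PACKETS).items():
            print(f"  {name:16s} -> {v}")
```

Running it shows list 101 passing only the outbound HTTP request and dropping every reply, and list 102 passing only the TCP reply, which is exactly "all traffic dies" from the LAN's point of view. The assumed list 110 admits the established TCP, DNS and ICMP replies while still discarding the unsolicited inbound SYN; which list belongs on which interface and direction is the question the thread asks, and the simulation only shows what each list does to the packets that reach it.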
ACL programming can be a real art. It's easy to end up blocking some other traffic that you didn't think about. If I had a nickel for every time I blocked a routing protocol... :-)
ASKER
There you go, easy points :) !
And about the private ip thing, well I just thought I had nothing to lose so why not replace them!