Cisco 1841 Bridge Mode ACLs

Posted on 2013-12-16
Last Modified: 2013-12-19
Hello Experts - I am attempting to use a Cisco 1841 router in bridged mode.  I'd like to use its ACL features to limit access to a set of predefined IP address ranges.  I have a 50mb FIOS line plugged into the FE0/0 port and a D-Link 605L home router plugged into the 1841's FE0/1 port; pass-through is working fine.  I then set up a series of extended access control lists with the ranges of the hosts I want people to be able to access:

access-list 110 permit ip x.x.x.x any

Unfortunately this doesn't seem to be working, as I still have access to things like VPN which should be blocked.  I'm setting this up after entering config t, but I am not under a particular interface, and am wondering if (and how) the ACL needs to be applied to the bridge group I created.  My assumption is that the router would block requests to anything other than the hosts I defined in the ACLs, but I don't know if that is correct.  I'd appreciate any general advice on things I could be doing wrong or on whether the concept of what I'm trying to do is sound, thanks!
Question by:First Last

Expert Comment

by:Ramakrishna Prabhu
ID: 39721989
Can you post your current config please?

Author Comment

by:First Last
ID: 39721996
Sure, here we go:

Current configuration : 4858 bytes
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
hostname HOSTNAME
boot system flash:c1841-entbase-mz.124-8d.bin
security authentication failure rate 10 log
security passwords min-length 6
logging buffered 40096 debugging
enable password 7 XXXXXXXXXXXXXX
aaa new-model
aaa authentication login local_auth local
aaa session-id common
clock timezone EST -5
clock summer-time EST recurring
no ip source-route
no ip gratuitous-arps
ip cef
no ip bootp server
no ip domain lookup
ip domain name XXXX
login block-for 32767 attempts 5 within 60
crypto pki trustpoint TP-self-signed-1127056236
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1127056236
 revocation-check none
 rsakeypair TP-self-signed-1127056236
crypto pki certificate chain TP-self-signed-1127056236
 certificate self-signed 01
ip tcp intercept list autosec_tcp_intercept_list
ip tcp intercept connection-timeout 3600
ip tcp intercept watch-timeout 15
ip tcp intercept max-incomplete low 450
ip tcp intercept max-incomplete high 550
ip tcp intercept drop-mode random
bridge irb
interface FastEthernet0/0
 description FIOS in
 no ip address
 no ip proxy-arp
 speed auto
 no mop enabled
 bridge-group 1
interface FastEthernet0/1
 description Wireless in
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 duplex auto
 speed auto
 no mop enabled
 bridge-group 1
interface Serial0/0/0
 description XXXXXXX
 no ip address
 ip verify unicast source reachable-via rx allow-default 100
 no ip redirects
 no ip unreachables
 no ip proxy-arp
interface BVI1
 ip address
no ip forward-protocol nd
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
no logging trap
access-list 110 remark Allow Google
access-list 110 permit ip any
access-list 110 permit ip any
access-list 130 permit ip any
access-list 140 permit ip any
access-list 150 permit ip any
access-list 160 permit ip any
access-list 170 permit ip any
access-list 180 permit ip any
snmp-server location XXXXXXXX
snmp-server host XXXXXXXXX
no cdp run
bridge 1 protocol ieee
bridge 1 route ip
banner login ^C
This is a private Network.
Access beyond this point is for authorized personnel only.
Unauthorized access will be prosecuted to the full extent of the law.
We thank you for respecting our privacy.^C
line con 0
 exec-timeout 5 0
 login authentication local_auth
 transport output telnet
line aux 0
 exec-timeout 15 0
 login authentication local_auth
 transport output telnet
line vty 0 4
 access-class 23 in
 privilege level 15
 login authentication local_auth
 transport input ssh
scheduler allocate 20000 1000
ntp clock-period 17178226
ntp update-calendar
ntp server XXX.XXX.XXX.XXX source Serial0/0/0 prefer

Accepted Solution

Craig Beck earned 500 total points
ID: 39722697
You need to attach the ACL to an interface, however you're bridging here so it may not work on the 1841.

Basically you're trying to apply a layer-3 ACL to a layer-2 bridge.  Traditionally this would only work with MAC-based ACLs so you probably can't do what you want to do.
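As an added illustration of the accepted answer (example code, not from anyone in this thread), the evaluator below models how an IOS extended ACL behaves: entries are checked first-match in order, wildcard masks select the address range, there is an implicit deny at the end, and an ACL that exists in the configuration but is not bound to an interface with `ip access-group` filters nothing at all. The ACL lines and addresses (203.0.113.0/24, 198.51.100.10, 192.168.0.5) are constructed for the example; note that the allowed range sits in the destination field, since the goal stated in the question is to limit which hosts clients can reach.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample ACL: clients may reach one /24 and one host, nothing else.
# Wildcard mask 0.0.0.255 means "the last octet is don't-care", i.e. a /24.
ACL_110 = [
    "access-list 110 remark Allow the two permitted destination ranges",
    "access-list 110 permit ip any 203.0.113.0 0.0.0.255",
    "access-list 110 permit ip any host 198.51.100.10",
]

def _match(addr: str, spec: List[str]) -> Tuple[bool, int]:
    """Match one address field (any | host X | NET WILDCARD); return (matched, tokens used)."""
    if spec[0] == "any":
        return True, 1
    if spec[0] == "host":
        return addr == spec[1], 2
    net = int(ipaddress.IPv4Address(spec[0]))
    wild = int(ipaddress.IPv4Address(spec[1]))
    mask = ~wild & 0xFFFFFFFF          # wildcard bit set => ignore that bit
    return (int(ipaddress.IPv4Address(addr)) & mask) == (net & mask), 2

def acl_permits(acl_lines: List[str], src: str, dst: str) -> bool:
    """First-match evaluation of 'permit/deny ip SRC DST' entries; implicit deny if none match."""
    for line in acl_lines:
        tok = line.split()
        if tok[2] == "remark":
            continue                    # remarks carry no match logic
        action, proto, rest = tok[2], tok[3], tok[4:]
        assert proto == "ip", "only IP-level entries are modelled here"
        src_ok, used = _match(src, rest)
        dst_ok, _ = _match(dst, rest[used:])
        if src_ok and dst_ok:
            return action == "permit"
    return False                        # the implicit 'deny ip any any'

@dataclass
class Interface:
    name: str
    access_group_in: Optional[List[str]] = None   # None: no 'ip access-group ... in'

def forwarded(iface: Interface, src: str, dst: str) -> bool:
    """Traffic entering an interface is only filtered by an ACL actually bound to it."""
    if iface.access_group_in is None:
        return True                     # defined-but-unbound ACL: everything passes
    return acl_permits(iface.access_group_in, src, dst)
```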

Author Comment

by:First Last
ID: 39723808
Ouch, didn't realize the 1841 can't do that, but it explains why I couldn't find commands to bind the ACLs to the bridge group.  I can't do MAC-based ACLs because the general public will be connecting and I won't have them ahead of time.  Thanks for the info!
