ACL restrictions in Router

Unanswered Question
Jun 23rd, 2007

Hi everyone,

I have given my router config below.

My case is:

As per the ACL defined, I am able to communicate with the host/network, but my router is not able to communicate with the clients on the other side, although the ACL allows the range of IPs in which the router falls.

May I know from you all what is remaining in my configuration?

Side A: 192.168.10.x/16 (Fa0/0)

Side B: 192.168.20.x/16 (Fa0/0)

Routers are on: 172.16.10.x/24

and routing the packets for communication between the hosts/LANs.

Thanks.


Router Config:

Building configuration...

Current configuration : 1888 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname SL
!
boot-start-marker
boot-end-marker
!
no logging console
enable secret 5 XXXXXXXXXXXXXXXXXXXXXXXXX
!
aaa new-model
!
!
!
aaa session-id common
!
resource policy
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
ip cef
!
!
no ip dhcp use vrf connected
!
!
multilink virtual-template 1
!
username amar password 7 XXXXXXXXXXX
username sl password 7 XXXXXXXXXXX
!
!
!
interface FastEthernet0/0
 ip address 192.168.10.6 255.255.0.0
 ip access-group 101 in
 duplex auto
 speed auto
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial0/0/0
 bandwidth 2048
 no ip address
 encapsulation ppp
 pulse-time 3
 ppp multilink
!
interface Serial0/1/0
 bandwidth 2048
 no ip address
 encapsulation ppp
 pulse-time 3
 ppp multilink
!
interface Serial0/1/1
 bandwidth 2048
 no ip address
 encapsulation ppp
 pulse-time 3
 ppp multilink
!
interface Virtual-Template1
 ip address 172.16.10.1 255.255.255.0
 ppp multilink
!
ip classless
ip route 192.168.20.0 255.255.255.0 172.16.10.2
ip route 192.168.60.0 255.255.255.0 172.16.10.2
!
ip http server
!
access-list 101 permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list 101 permit ip host 192.168.10.1 192.168.60.0 0.0.0.255
access-list 101 permit ip host 192.168.10.3 192.168.60.0 0.0.0.255
access-list 101 permit ip host 192.168.10.4 192.168.60.0 0.0.0.255
access-list 101 permit ip host 192.168.10.8 192.168.60.0 0.0.0.255
access-list 101 permit ip 192.168.10.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 101 permit ip 192.168.10.0 0.0.0.255 172.16.10.0 0.0.0.255
!
control-plane
!
banner motd ^CINE "Welcome to SHUSHANT ^C
!
line con 0
line aux 0
line vty 0 4
 password 7 XXXXXXXXXXX
!
warm-reboot
end


mahmoodmkl Sat, 06/23/2007 - 04:49

Hi


I don't think that you need this long list of access-list entries; only the first and the last statements are enough.

Do you have any access-list placed at the other end? Remember the implicit deny statement at the end of the access-list.

The other end's router config would provide more information.


Thanks

Mahmood


mleeman Sat, 06/23/2007 - 05:41

If you are trying to ping or telnet from the router, your router will use the IP of the outbound interface, in this case 172.16.10.1. You will need this IP range in your config.

mleeman Sat, 06/23/2007 - 05:42

If you are trying to ping or telnet from the router, your router will use the IP of the outbound interface, in this case 172.16.10.1. You will need this IP range in your ACL.
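Added example (not code from the original thread or from Cisco): a small Python evaluator for the `permit|deny ip <src> <dst>` form of Cisco numbered extended ACLs, run against access-list 101 exactly as posted in the question. It shows which of the flows discussed in this thread the list matches under IOS first-match semantics and which fall through to the implicit deny, including a packet the router sources from its Virtual-Template1 address 172.16.10.1. The sample source/destination addresses are constructed (chosen inside the ranges the question gives), and the extra `permit ip 172.16.10.0 0.0.0.255 192.168.20.0 0.0.0.255` entry in the "fixed" list is an assumed way of acting on the advice in this reply, not something the thread confirms.

```python
"""Cisco extended-ACL evaluator (added example, not code from the original
thread or from Cisco). Handles only the 'permit|deny ip <src> <dst>' form
with 'host', 'any' or address+wildcard operands, which is all list 101 uses."""
import ipaddress
from dataclasses import dataclass

# access-list 101 copied verbatim from the running-config in the question.
ACL_101 = """
access-list 101 permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list 101 permit ip host 192.168.10.1 192.168.60.0 0.0.0.255
access-list 101 permit ip host 192.168.10.3 192.168.60.0 0.0.0.255
access-list 101 permit ip host 192.168.10.4 192.168.60.0 0.0.0.255
access-list 101 permit ip host 192.168.10.8 192.168.60.0 0.0.0.255
access-list 101 permit ip 192.168.10.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 101 permit ip 192.168.10.0 0.0.0.255 172.16.10.0 0.0.0.255
"""

# Assumed fix in the spirit of this reply (not from the thread): one extra entry
# covering traffic the router sources from its Virtual-Template1 address 172.16.10.1.
FIXED_ACL_101 = ACL_101 + "access-list 101 permit ip 172.16.10.0 0.0.0.255 192.168.20.0 0.0.0.255\n"


@dataclass
class Entry:
    action: str                 # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def _parse_operand(tokens, i):
    """Consume one address operand starting at tokens[i]; return (network, next_index)."""
    if tokens[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.IPv4Network(tokens[i + 1] + "/32"), i + 2
    addr, wildcard = tokens[i], tokens[i + 1]
    # A Cisco wildcard is the bitwise inverse of a netmask (0.0.0.255 -> 255.255.255.0).
    # Inverting explicitly avoids ipaddress' own guess for 0.0.0.0 / 255.255.255.255 masks.
    netmask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard)))
    return ipaddress.IPv4Network(f"{addr}/{netmask}", strict=False), i + 2


def parse_acl(text):
    """Parse 'access-list N permit|deny ip SRC DST' lines, preserving their order."""
    entries = []
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 6 or t[0] != "access-list" or t[3] != "ip":
            raise ValueError(f"unsupported entry: {line}")
        src, i = _parse_operand(t, 4)
        dst, _ = _parse_operand(t, i)
        entries.append(Entry(t[2], src, dst))
    return entries


def evaluate(entries, src_ip, dst_ip):
    """First-match semantics: return (action, 1-based entry number) of the first hit,
    or ('deny', None) for the implicit 'deny ip any any' that ends every IOS ACL."""
    s, d = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for n, e in enumerate(entries, 1):
        if s in e.src and d in e.dst:
            return e.action, n
    return "deny", None


# Constructed sample flows: addresses picked inside the ranges the question gives.
SAMPLE_FLOWS = {
    "Side A host -> Side B host": ("192.168.10.20", "192.168.20.5"),
    "Side A host not in host list -> 192.168.60.x": ("192.168.10.5", "192.168.60.7"),
    "listed host 192.168.10.3 -> 192.168.60.x": ("192.168.10.3", "192.168.60.7"),
    "router SL sourced from Virtual-Template1 -> Side B": ("172.16.10.1", "192.168.20.5"),
    "router SL sourced from Fa0/0 (extended ping) -> Side B": ("192.168.10.6", "192.168.20.5"),
}


def check_flows(acl_text, flows=SAMPLE_FLOWS):
    """Return {flow name: (action, matching entry or None)} for one ACL text."""
    entries = parse_acl(acl_text)
    return {name: evaluate(entries, s, d) for name, (s, d) in flows.items()}


if __name__ == "__main__":
    for label, text in (("posted list 101", ACL_101),
                        ("list 101 plus 172.16.10.0/24 entry", FIXED_ACL_101)):
        print(label)
        for name, (action, n) in check_flows(text).items():
            where = f"entry {n}" if n else "implicit deny"
            print(f"  {action:6} ({where}): {name}")
```

The posted list permits the host-to-host flow and the extended ping sourced from Fa0/0 (both hit entry 1), but a packet sourced from 172.16.10.1 matches nothing and falls to the implicit deny. One caveat for reading that result: on router SL itself list 101 is applied inbound on Fa0/0, so it never inspects packets the router originates or packets arriving over the multilink; the missing 172.16.10.0/24 entry only drops traffic where an equivalent list is applied inbound on the far router's receiving interface, which is why the far end's config matters.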

amrendraks Sat, 06/23/2007 - 05:48

Thanks for your prompt reply, but see:

From both sides the allowed LANs/hosts are able to do all the operations, meaning the routers are allowing the packets, but the router itself is not able to ping the clients on either side, although the routers can ping each other. That is my implication.

mleeman Sat, 06/23/2007 - 06:00

The router will use the exit interface IP as the source. If you do this, it will use Fa0/0 as the source.

Router A#ping
Protocol [ip]:
Target IP address: 192.168.20.X (client IP)
!--- The address to ping.
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 192.168.10.6

Richard Burts Sun, 06/24/2007 - 04:11
Amrendra


I cannot clearly understand what is working (if anything) and what is not working. Can you clarify whether the router in 192.168.10.x can access the router in 192.168.20.x, and whether the router in 192.168.10.x can access clients in 192.168.20.x? Also, whether clients in 192.168.10.x can access the router in 192.168.20.x and can access clients in 192.168.20.x?


Based on what I think I understand about the symptoms my first guess would be that there might be a problem with configuration of default gateway on the end stations (it could be on either side or on both sides that there is a problem). Can you verify that the end stations have the correct default gateway configured?


Can you also verify that the multilink is working ok?


HTH


Rick
