ACL restrictions in Router

amrendraks · ‎06-23-2007

Hi everyone,

I have given my router config below,

My case is :

as per ACL defined, I am able to communicate with the host/network, but my router is not able to communicate to another side client although the ACL allows the range of IP where router falls,

May I know from you all what is remaining in my configuration.

side A : 192.168.10.x/16 ( fa/0/0)

Side B : 192.168.20.x/16 ( fa/0/0 )

rotuer are on : 172.16.10.x/24

and routing the packets for communicating the hosts/LAN.

Thanks .

Router Config :

Building configuration...

Current configuration : 1888 bytes

!

version 12.4

service timestamps debug datetime msec

service timestamps log datetime msec

service password-encryption

!

hostname SL

!

boot-start-marker

boot-end-marker

!

no logging console

enable secret 5 XXXXXXXXXXXXXXXXXXXXXXXXX

!

aaa new-model

!

aaa session-id common

!

resource policy

!

mmi polling-interval 60

no mmi auto-configure

no mmi pvc

mmi snmp-timeout 180

ip subnet-zero

ip cef

!

no ip dhcp use vrf connected

!

multilink virtual-template 1

!

username amar password 7 XXXXXXXXXXX

username sl password 7 XXXXXXXXXXX

!

interface FastEthernet0/0

ip address 192.168.10.6 255.255.0.0

ip access-group 101 in

duplex auto

speed auto

!

interface FastEthernet0/1

no ip address

shutdown

duplex auto

speed auto

!

interface Serial0/0/0

bandwidth 2048

no ip address

encapsulation ppp

pulse-time 3

ppp multilink

!

interface Serial0/1/0

bandwidth 2048

no ip address

encapsulation ppp

pulse-time 3

ppp multilink

!

interface Serial0/1/1

bandwidth 2048

no ip address

encapsulation ppp

pulse-time 3

ppp multilink

!

interface Virtual-Template1

ip address 172.16.10.1 255.255.255.0

ppp multilink

!

ip classless

ip route 192.168.20.0 255.255.255.0 172.16.10.2

ip route 192.168.60.0 255.255.255.0 172.16.10.2

!

ip http server

!

access-list 101 permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255

access-list 101 permit ip host 192.168.10.1 192.168.60.0 0.0.0.255

access-list 101 permit ip host 192.168.10.3 192.168.60.0 0.0.0.255

access-list 101 permit ip host 192.168.10.4 192.168.60.0 0.0.0.255

access-list 101 permit ip host 192.168.10.8 192.168.60.0 0.0.0.255

access-list 101 permit ip 192.168.10.0 0.0.0.255 192.168.10.0 0.0.0.255

access-list 101 permit ip 192.168.10.0 0.0.0.255 172.16.10.0 0.0.0.255

!

control-plane

!

banner motd ^CINE "Welcome to SHUSHANT ^C

!

line con 0

line aux 0

line vty 0 4

password 7 XXXXXXXXXXX

!

warm-reboot

end

mahmoodmkl · ‎06-23-2007

Hi

i dnot think that u need this long list of access-list.only the first and the last statement are enough.

Do u have any access-list placed at the other end.Remember the implicit deny statement at the end of the access-list.

The other end router config would provide more information.

Thanks

Mahmood

mleeman · ‎06-23-2007

If you are trying to ping or telnet from the router. Your router will use the IP of the outbound interface. In this case 172.16.10.1. You will need this IP range in your config.

mleeman · ‎06-23-2007

If you are trying to ping or telnet from the router. Your router will use the IP of the outbound interface. In this case 172.16.10.1. You will need this IP range in your ACL.

amrendraks · ‎06-23-2007

Thanks for your prompt reply, but see

from both side allowed LANs/Hosts are able to do all the operations, means routers are allowing the packets, but router itself is not able to ping clients of either side but they do for routers each other, is my implication.

mleeman · ‎06-23-2007

The router will use the exiting interface IP as the source. If you do this, it will use the FA0/0 as the source.

Router A#ping

Protocol [ip]:

Target IP address: 192.168.20.X (client IP)

!--- The address to ping.

Repeat count [5]:

Datagram size [100]:

Timeout in seconds [2]:

Extended commands [n]: y

Source address or interface: 192.168.10.6

Richard Burts · ‎06-24-2007

Amrendra

I can not understand clearly what is working (if anything) and what is not working. Can you clarify whether the router in 192.168.10.x can access the router in 192.168.20.x and whether the router in 192.168.10.x can access clients in 192.168.20.x? Also whether clients in 192.168.10.x can access the router in 192.168.20.x and can access clients in 192.168.20.x?

Based on what I think I understand about the symptoms my first guess would be that there might be a problem with configuration of default gateway on the end stations (it could be on either side or on both sides that there is a problem). Can you verify that the end stations have the correct default gateway configured?

Can you also verify that the multilink is working ok?

HTH

Rick

HTH

Rick