ACL ACL ACL Error

tareqrebhi
Level 1

Dears,

When I put these ACL lists on my internet router, the internet disconnects:

access-list 100 permit udp any host 55.55.55.1 range 9000 9999
access-list 100 permit tcp any host 55.55.55.1 range sip 5090

interface GigabitEthernet0/1
 description International-Link
 ip address 62.x.x.5 255.255.255.248
 ip access-group 100 in
 duplex full
 speed 100

Where is the problem?

6 Replies

Richard Burts
Hall of Fame

tareq

The problem is that you have denied most access through the gig0/1 interface. The outside is only permitted to access a single host on just a few UDP ports.

Remember that at the end of every access list is an implied deny any any. So anything that is not permitted is denied. So your access list has 2 permit statements and anything that is not UDP to host 55.55.55.1 is denied.

If you can give us a statement of what you want the access list to do (what it should permit and what it should deny) we might be able to help you write a better access list.

HTH

Rick

kerek
Level 4

Hi,

The problem is that there is an implicit deny at the end of the access-list. So you have to add access-list 100 permit ip any any at the end to permit all the traffic that was previously denied.

Hope it helps, rate if it does.

Krisztian

goverdhan_in
Level 1

Hi.... it is a simple problem...

Just add to the end of your access-list 100:

access-list 100 permit ip any any

Then you will be connected to the internet.

Goverdhan

I believe that there is an issue of logic in your suggestion. If the permit ip any any is added to the access list then everything is permitted, and nothing is denied. If nothing is denied and everything is permitted then why are we using an access list on the interface. It would be much more simple to remove the access list entirely.

I believe that we need to clarify what the requirements are: what traffic should go through and what traffic should be denied. Once we have this clarification then we can construct an access list that will achieve the desired result.

HTH

Rick

tareqrebhi
Level 1

Hello,

My goal is: my company is a VoIP provider, and now we need to install an ASA 5510 for security. Please see the attached file.

Please remember that I have a DNS server at subnet 55.55.2.0 and my main devices at 55.55.3.0. I need, as far as possible, to only pass the required packets.... This is my first ACL configuration:

access-list 100 extended permit udp any host 55.55.3.5 range 9000 9999
access-list 100 extended permit tcp any host 55.55.3.5 range 5060 5090
access-list 100 extended permit udp any host 55.55.3.5 range 5060 5090
access-list 100 extended permit udp any host 55.55.3.5 range 2427 2457
access-list 100 extended permit tcp any host 55.55.3.5 range 2427 2457
access-list 100 extended permit tcp any host 55.55.3.5 range 3100 3130
access-list 100 extended permit udp any host 55.55.3.5 range 3100 3130
access-list 100 extended permit tcp any host 55.55.3.5 eq 1500
access-list 100 extended permit tcp any host 55.55.3.5 eq 2099
access-list 100 extended permit udp any host 55.55.3.5 range 2100 2129
access-list 100 extended permit udp any host 55.55.3.5 eq domain
access-list 100 extended permit tcp any host 55.55.3.5 eq domain
access-list 100 extended permit udp any host 55.55.3.5 eq tftp
access-list 100 extended permit tcp any host 55.55.3.5 eq ssh
access-list 100 extended permit udp any eq domain host 55.55.3.5 gt 1024
access-list 100 extended deny ip any host 55.55.3.5 log
access-list 100 extended permit icmp any any

====================================

access-list 101 extended permit udp host 55.55.3.5 any range 9000 9999
access-list 101 extended permit tcp host 55.55.3.5 any range 5060 5090
access-list 101 extended permit udp host 55.55.3.5 any range 5060 5090
access-list 101 extended permit udp host 55.55.3.5 any range 2427 2457
access-list 101 extended permit tcp host 55.55.3.5 any range 2427 2457
access-list 101 extended permit tcp host 55.55.3.5 any range 3100 3130
access-list 101 extended permit udp host 55.55.3.5 any range 3100 3130
access-list 101 extended permit tcp host 55.55.3.5 any eq 1500
access-list 101 extended permit tcp host 55.55.3.5 any eq 2099
access-list 101 extended permit udp host 55.55.3.5 any range 2100 2129
access-list 101 extended permit udp host 55.55.3.5 any eq domain
access-list 101 extended permit tcp host 55.55.3.5 any eq domain
access-list 101 extended permit udp host 55.55.3.5 any eq tftp
access-list 101 extended permit tcp host 55.55.3.5 any eq ssh
access-list 101 extended permit udp host 55.55.3.5 eq domain any gt 1024
access-list 101 extended permit icmp any any
access-list 101 extended permit ip any any

--------------------------

access-group 101 in interface inside
access-group 100 in interface outside

Please, any help with this design?

tareq

I have looked at your diagram and I have these comments about your access lists.

- access-list 100 has quite a few permits for a specific host 55.55.3.5. I do not see that host in your drawing (it may not be important that this host is not in the drawing). I do not see any permit (except for permit icmp) for the hosts that are in the drawing (Radius server and Softswitch). I think the lack of permits for these hosts or any other addresses in the subnet is a problem.

- access-list 101 has quite a few permits for a specific host 55.55.3.5 and then a permit ip any any. Nothing is denied. So why have an access list with anything more than permit ip any any?

HTH

Rick
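An added example, written for this page and not taken from the thread or from Cisco: a small Python evaluator for the subset of extended-ACL syntax quoted above (ip/tcp/udp/icmp, any/host, eq/gt/range, log). It parses the original poster's two-line access-list 100, shows that a DNS reply to an address in the 55.55.2.0 subnet falls through to the implied deny any any (the reason the internet "disconnects"), and then shows that appending permit ip any any, as suggested in the thread, restores connectivity only because the list no longer denies anything at all, which is the same situation Rick points out for access-list 101. The addresses 198.51.100.x and 55.55.2.10, the port numbers in the sample packets, and every function name are constructed for the example.

```python
# Added teaching example, not Cisco code and not from anyone in the thread: an evaluator for
# the subset of Cisco extended-ACL syntax used on this page (ip/tcp/udp/icmp, any/host,
# eq/gt/range, log). Sample addresses below are constructed for the example.
from dataclasses import dataclass
from typing import List, Optional, Tuple

NAMED_PORTS = {"sip": 5060, "domain": 53, "tftp": 69, "ssh": 22}  # port keywords used in the thread

def _port(tok: str) -> int: return int(tok) if tok.isdigit() else NAMED_PORTS[tok]

@dataclass
class Entry:
    action: str              # "permit" or "deny"
    proto: str               # ip, tcp, udp or icmp
    src: Optional[str]       # None means "any"
    sport: Optional[Tuple]   # None, ("eq", n), ("gt", n) or ("range", lo, hi)
    dst: Optional[str]
    dport: Optional[Tuple]
    log: bool

@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None

def parse_ace(line: str) -> Entry:
    """Parse 'access-list N [extended] <action> <proto> <src> [op] <dst> [op] [log]'."""
    toks = [t for t in line.split()[2:] if t != "extended"]  # drop 'access-list N' and ASA keyword

    def take_addr(i):
        if toks[i] == "any":
            return None, i + 1
        if toks[i] == "host":
            return toks[i + 1], i + 2
        raise ValueError("only 'any' and 'host' are handled: " + line)

    def take_port(i):
        if i < len(toks) and toks[i] in ("eq", "gt"):
            return (toks[i], _port(toks[i + 1])), i + 2
        if i < len(toks) and toks[i] == "range":
            return ("range", _port(toks[i + 1]), _port(toks[i + 2])), i + 3
        return None, i

    src, i = take_addr(2)
    sport, i = take_port(i)
    dst, i = take_addr(i)
    dport, i = take_port(i)
    return Entry(toks[0], toks[1], src, sport, dst, dport, i < len(toks) and toks[i] == "log")

def _port_ok(op: Optional[Tuple], port: Optional[int]) -> bool:
    if op is None:
        return True                              # entry does not test this port
    if port is None:
        return False                             # entry tests a port the packet does not carry
    if op[0] in ("eq", "gt"):
        return port == op[1] if op[0] == "eq" else port > op[1]
    return op[1] <= port <= op[2]                # range lo hi

def matches(e: Entry, p: Packet) -> bool:
    return ((e.proto == "ip" or e.proto == p.proto)
            and (e.src is None or e.src == p.src) and (e.dst is None or e.dst == p.dst)
            and _port_ok(e.sport, p.sport) and _port_ok(e.dport, p.dport))

def evaluate(acl: List[Entry], p: Packet) -> Tuple[str, Optional[Entry]]:
    """First match wins; no match is the implied 'deny any any' (entry None, nothing logged)."""
    for e in acl:
        if matches(e, p):
            return e.action, e
    return "deny", None

def can_deny_anything(acl: List[Entry]) -> bool:
    """False when 'permit ip any any' is reached before any deny: the list blocks nothing."""
    for e in acl:
        if e.action == "deny":
            return True
        if e.proto == "ip" and (e.src, e.dst, e.sport, e.dport) == (None, None, None, None):
            return False
    return True                                  # the implicit deny still applies

# The original poster's inbound list on Gi0/1, as quoted in the thread.
ACL_100 = [parse_ace(l) for l in (
    "access-list 100 permit udp any host 55.55.55.1 range 9000 9999",
    "access-list 100 permit tcp any host 55.55.55.1 range sip 5090")]
DNS_REPLY = Packet("udp", "198.51.100.53", "55.55.2.10", sport=53, dport=40000)   # constructed
RTP_TO_PBX = Packet("udp", "198.51.100.7", "55.55.55.1", sport=20000, dport=9500)  # constructed

def why_internet_broke() -> dict:
    """Return traffic to the DNS subnet hits the implicit deny; only the VoIP flow is permitted."""
    return {"dns_reply": evaluate(ACL_100, DNS_REPLY)[0], "rtp": evaluate(ACL_100, RTP_TO_PBX)[0]}

def with_catch_all() -> dict:
    """Appending 'permit ip any any' restores connectivity but leaves nothing denied."""
    acl = ACL_100 + [parse_ace("access-list 100 permit ip any any")]
    return {"dns_reply": evaluate(acl, DNS_REPLY)[0], "filters_anything": can_deny_anything(acl)}
```

Running why_internet_broke() gives {"dns_reply": "deny", "rtp": "permit"}: the only packets the router lets in are the VoIP flows to 55.55.55.1, and every reply to the DNS server or to any workstation is dropped by the implicit deny. with_catch_all() gives {"dns_reply": "permit", "filters_anything": False}, which is why Rick says a list ending in permit ip any any with no deny ahead of it is equivalent to having no access list at all. A useful list for this design would instead enumerate the inbound flows that must reach each device in the drawing (softswitch, Radius server, DNS server) and then rely on the implicit deny.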