access list for web access

avionics
Level 1

Can your access-list limit users from accessing the web? What symptoms would be encountered?

6 Replies

Richard Burts
Hall of Fame

Thomas

I am not sure that I really understand your question. On the surface it seems a really easy question: yes, you can create an access list that will prevent users from accessing the web (you would deny tcp eq www (for http) and perhaps deny tcp eq 443 (for https)). The symptoms would be that users would not be able to access any web sites. The browser would probably display an error message about not being able to display this page.

I wonder if there is something else to this question or some different context? Perhaps you can clarify if I have not understood it correctly?

HTH

Rick

avionics
Level 1

My problem is the users are unable to access the web. I get successful pings when I ping from the IOS, but users are unable to access outside the network. Would this indicate an access-list issue?

Thomas

Based on the fairly vague description that you have provided so far, there are several things which might cause the symptoms that you are experiencing. It might be an access list issue, it might be an address translation issue, it might be a DNS issue.

The easiest way to figure out what is the problem is for you to provide some details:

- What is the topology like? What networks or subnets are on the inside? What network is on the outside? Are you routing to the outside with a dynamic routing protocol or with static routes?

- It would be very helpful if you would post the configuration of the router.

HTH

Rick

Here is the config; I am unsure if the access-list would allow users on the 192.168.1.0 topology.

hostname AirCentral
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
!
no aaa new-model
!
resource policy
!
ip subnet-zero
!
!
ip cef
!
!
ip domain name yourdomain.com
isdn switch-type basic-net3
!
username central privilege 15 secret 5 $1$oRl3$M3oZjctCM/6lG0WgScAY20
!
!
!
interface FastEthernet0/0
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 duplex auto
 speed auto
!
interface BRI0/0/0
 description connected to internet
 bandwidth 64000
 no ip address
 encapsulation ppp
 shutdown
 dialer pool-member 1
 isdn switch-type basic-net3
 isdn point-to-point-setup
!
interface BRI0/1/0
 description connected to internet
 bandwidth 64000
 no ip address
 encapsulation ppp
 shutdown
 dialer pool-member 1
 isdn switch-type basic-net3
 isdn point-to-point-setup
!
interface BRI0/2/0
 description connected to internet
 bandwidth 64000
 no ip address
 encapsulation ppp
 shutdown
 dialer pool-member 1
 isdn switch-type basic-net3
 isdn point-to-point-setup
!
interface BRI0/3/0
 description connected to internet
 bandwidth 64000
 no ip address
 encapsulation ppp
 shutdown
 dialer pool-member 1
 isdn switch-type basic-net3
 isdn point-to-point-setup
!
interface FastEthernet1/0
 shutdown
!
interface FastEthernet1/1
 shutdown
!
interface FastEthernet1/2
 shutdown
!
interface FastEthernet1/3
 shutdown
!
interface FastEthernet1/4
 shutdown
!
interface FastEthernet1/5
 shutdown
!
interface FastEthernet1/6
 shutdown
!
interface FastEthernet1/7
 shutdown
!
interface FastEthernet1/8
 shutdown
!
interface FastEthernet1/9
 shutdown
!
interface FastEthernet1/10
 shutdown
!
interface FastEthernet1/11
 shutdown
!
interface FastEthernet1/12
 shutdown
!
interface FastEthernet1/13
 shutdown
!
interface FastEthernet1/14
 shutdown
!
interface FastEthernet1/15
 shutdown
!
interface Vlan1
 no ip address
!
interface Dialer1
 description connected to internet
 bandwidth 256000
 ip address negotiated
 ip nat outside
 encapsulation ppp
 no ip split-horizon
 dialer pool 1
 dialer idle-timeout 180
 dialer string "28"
 dialer hold-queue 10
 dialer load-threshold 10 outbound
 dialer max-call 4
 dialer-group 1
 no cdp enable
 ppp pap sent-username xxxxxxx password 0 xxxxxxx
 ppp multilink
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
!
ip http server
!
access-list 1 permit 192.168.1.0 0.0.0.255

!

Hi

I think you are missing some commands.

dialer-list 1 protocol ip permit

ip nat inside source list 1 interface Dialer1 overload

access-list 1 permit 10.10.10.0 0.0.0.255

Thanks

Mahmood

Thomas

I believe that Mahmood has identified a critical issue which is that you had configured ip nat inside and ip nat outside on interfaces but had not configured the ip nat inside source command to do address translation. Failure in address translation is one of the very common issues when users are not able to access Internet resources as I had suggested in my previous post.

In addition to that issue I note that there are 4 BRI interfaces and that they are all shut down. This would also prevent Internet access for users. Since your post seems to say that you were able to ping from the router, I suspect that at some point they were not shut down. But in terms of the config posted that would certainly be an issue.

I also note that the dialer interface has some configuration that supports pap authentication. But there is no command to authenticate on the dialer. Depending on how your provider has set things up it may or may not be an issue.

HTH

Rick
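As an added illustration (not code from the thread, from Cisco, or from either reply), the checks Mahmood and Rick describe can be expressed as a small lint over the running-config text: no ip nat inside source command even though interfaces are marked nat inside, an inside subnet that the NAT access-list does not permit (10.10.10.0/24 here), and a dialer-group with no matching dialer-list. CONFIG is a constructed excerpt of the posted config; FIXED appends Mahmood's first two lines and deliberately omits his third so the subnet check fires.

```python
import ipaddress
import re
# Constructed excerpt of the config posted in the thread (not a real device).
CONFIG = """\
interface FastEthernet0/0
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
interface FastEthernet0/1
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
interface Dialer1
 ip nat outside
 dialer-group 1
access-list 1 permit 192.168.1.0 0.0.0.255
"""
# Mahmood's first two lines added; his third (the 10.10.10.0 permit) is left out on purpose.
FIXED = CONFIG + "dialer-list 1 protocol ip permit\nip nat inside source list 1 interface Dialer1 overload\n"
def parse(cfg):
    """Split into ({interface: [sub-commands]}, [global commands]); sub-commands are indented."""
    ifaces, globs, cur = {}, [], None
    for line in cfg.splitlines():
        if line.startswith("interface "):
            ifaces[(cur := line.split(None, 1)[1])] = []
        elif line.startswith(" ") and cur:
            ifaces[cur].append(line.strip())
        else:
            cur = None
            globs.append(line.strip())
    return ifaces, globs
def lint(cfg):
    """Report: missing NAT rule, inside subnets the NAT list misses, dialer-group without dialer-list."""
    ifaces, globs = parse(cfg)
    out = []
    nat_src = [g.split() for g in globs if g.startswith("ip nat inside source list ")]
    if not nat_src and any("ip nat inside" in c for c in ifaces.values()):
        out.append("nat: interfaces marked 'ip nat inside' but no 'ip nat inside source' command")
    # Subnets permitted by the access-list(s) the NAT command references (wildcard mask = hostmask).
    permitted = [ipaddress.ip_network(f"{m[2]}/{m[3]}") for g in globs
                 if (m := re.match(r"access-list (\S+) permit (\S+) (\S+)$", g)) and any(s[5] == m[1] for s in nat_src)]
    for name, cmds in ifaces.items():
        addr = [c.split()[2:4] for c in cmds if re.match(r"ip address \S+ \S+$", c)]
        if "ip nat inside" in cmds and nat_src and addr:
            net = ipaddress.ip_network("/".join(addr[0]), strict=False)
            if not any(net.subnet_of(p) for p in permitted):
                out.append(f"nat: {name} ({net}) is nat inside but not permitted by the NAT access-list")
        for group in (c.split()[1] for c in cmds if c.startswith("dialer-group ")):
            if not any(g.startswith(f"dialer-list {group} ") for g in globs):
                out.append(f"dialer: {name} has dialer-group {group} but no dialer-list {group} defines interesting traffic")
    return out
```

Running lint over the full config as posted adds nothing beyond these findings; the shut-down BRI interfaces Rick mentions are a separate check not implemented here.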