02-03-2008 02:18 PM - edited 03-05-2019 08:54 PM
Can your access-list limit users from accessing the web? What symptoms would be encountered?
02-03-2008 03:00 PM
Thomas
I am not sure that I really understand your question. On the surface it seems a really easy question: yes, you can create an access list that will prevent users from accessing the web (you would deny tcp eq www (for http) and perhaps deny tcp eq 443 (for https)). The symptoms would be that users would not be able to access any web sites. The browser would probably display an error message about not being able to display this page.
I wonder if there is something else to this question or some different context? Perhaps you can clarify if I have not understood it correctly?
HTH
Rick
02-03-2008 07:36 PM
My problem is that the users are unable to access the web. I get successful pings when I ping from the IOS, but users are unable to access outside the network. Would this indicate an access-list issue?
02-03-2008 07:43 PM
Thomas
Based on the fairly vague description that you have provided so far there are several things which might cause the symptoms that you are experiencing. It might be an access list issue, it might be an address translation issue, it might be a DNS issue.
The easiest way to figure out what is the problem is for you to provide some details:
- what is the topology like - what networks or subnets are on the inside? what network is on the outside? Are you routing to the outside with a dynamic routing protocol or with static routes?
- it would be very helpful if you would post the configuration of the router.
HTH
Rick
02-03-2008 08:49 PM
Here is the config. I am unsure if the access-list would allow users on the 192.168.1.0 topology.
hostname AirCentral
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
!
no aaa new-model
!
resource policy
!
ip subnet-zero
!
!
ip cef
!
!
ip domain name yourdomain.com
isdn switch-type basic-net3
!
username central privilege 15 secret 5 $1$oRl3$M3oZjctCM/6lG0WgScAY20
!
!
!
interface FastEthernet0/0
ip address 10.10.10.1 255.255.255.0
ip nat inside
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 192.168.1.1 255.255.255.0
ip nat inside
duplex auto
speed auto
!
interface BRI0/0/0
description connected to internet
bandwidth 64000
no ip address
encapsulation ppp
shutdown
dialer pool-member 1
isdn switch-type basic-net3
isdn point-to-point-setup
!
interface BRI0/1/0
description connected to internet
bandwidth 64000
no ip address
encapsulation ppp
shutdown
dialer pool-member 1
isdn switch-type basic-net3
isdn point-to-point-setup
!
interface BRI0/2/0
description connected to internet
bandwidth 64000
no ip address
encapsulation ppp
shutdown
dialer pool-member 1
isdn switch-type basic-net3
isdn point-to-point-setup
!
interface BRI0/3/0
description connected to internet
bandwidth 64000
no ip address
encapsulation ppp
shutdown
dialer pool-member 1
isdn switch-type basic-net3
isdn point-to-point-setup
!
interface FastEthernet1/0
shutdown
!
interface FastEthernet1/1
shutdown
!
interface FastEthernet1/2
shutdown
!
interface FastEthernet1/3
shutdown
!
interface FastEthernet1/4
shutdown
!
interface FastEthernet1/5
shutdown
!
interface FastEthernet1/6
shutdown
!
interface FastEthernet1/7
shutdown
!
interface FastEthernet1/8
shutdown
!
interface FastEthernet1/9
shutdown
!
interface FastEthernet1/10
shutdown
!
interface FastEthernet1/11
shutdown
!
interface FastEthernet1/12
shutdown
!
interface FastEthernet1/13
shutdown
!
interface FastEthernet1/14
shutdown
!
interface FastEthernet1/15
shutdown
!
interface Vlan1
no ip address
!
interface Dialer1
description connected to internet
bandwidth 256000
ip address negotiated
ip nat outside
encapsulation ppp
no ip split-horizon
dialer pool 1
dialer idle-timeout 180
dialer string "28"
dialer hold-queue 10
dialer load-threshold 10 outbound
dialer max-call 4
dialer-group 1
no cdp enable
ppp pap sent-username xxxxxxx password 0 xxxxxxx
ppp multilink
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
!
ip http server
!
access-list 1 permit 192.168.1.0 0.0.0.255
!
02-03-2008 11:02 PM
Hi
I think you are missing some commands.
dialer-list 1 protocol ip permit
ip nat inside source list 1 interface Dialer1 overload
access-list 1 permit 10.10.10.0 0.0.0.255
Thanks
Mahmood
02-04-2008 04:12 AM
Thomas
I believe that Mahmood has identified a critical issue which is that you had configured ip nat inside and ip nat outside on interfaces but had not configured the ip nat inside source command to do address translation. Failure in address translation is one of the very common issues when users are not able to access Internet resources as I had suggested in my previous post.
In addition to that issue I note that there are 4 BRI interfaces and that they are all shut down. This would also prevent Internet access for users. Since your post seems to say that you were able to ping from the router I suspect that at some point they were not shut down. But in terms of the config posted that would certainly be an issue.
I also note that the dialer interface has some configuration that supports pap authentication. But there is no command to authenticate on the dialer. Depending on how your provider has set things up it may or may not be an issue.
HTH
Rick
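The gaps identified in this thread (no `ip nat inside source` rule, an inside subnet missing from the NAT access list, a `dialer-group` with no `dialer-list`) can be checked mechanically against a saved configuration. The Python below is an added example, not part of the original thread; `audit`, `POSTED` and `MAHMOOD` are names chosen here, and `POSTED` is a constructed excerpt of the config posted above.

```python
import ipaddress
import re

# Constructed excerpt: only the lines of the posted config that the checks read.
POSTED = """interface FastEthernet0/0
ip address 10.10.10.1 255.255.255.0
ip nat inside
!
interface FastEthernet0/1
ip address 192.168.1.1 255.255.255.0
ip nat inside
!
interface Dialer1
ip address negotiated
ip nat outside
dialer-group 1
!
access-list 1 permit 192.168.1.0 0.0.0.255
"""
# The three commands suggested in the reply above.
MAHMOOD = """dialer-list 1 protocol ip permit
ip nat inside source list 1 interface Dialer1 overload
access-list 1 permit 10.10.10.0 0.0.0.255
"""

def audit(config):
    """Return a list of NAT and dialer-list gaps found in an IOS config."""
    # Interface blocks run from "interface X" to the next "!" line.
    blocks = re.findall(r"^interface (\S+)\n(.*?)^!", config, re.M | re.S)
    acls = {}
    for num, net, wild in re.findall(r"^access-list (\d+) permit (\S+) (\S+)$", config, re.M):
        # ipaddress accepts the IOS wildcard (host mask) form directly.
        acls.setdefault(num, []).append(ipaddress.ip_network(f"{net}/{wild}"))
    nat_acls = re.findall(r"^ip nat inside source list (\d+) interface \S+ overload", config, re.M)
    dialer_lists = re.findall(r"^dialer-list (\d+) protocol ip permit", config, re.M)
    permitted = [p for n in nat_acls for p in acls.get(n, [])]
    out = [] if nat_acls else ["no 'ip nat inside source' rule"]
    for name, body in blocks:
        cmds = [c.strip() for c in body.splitlines()]
        addr = re.search(r"^\s*ip address (\S+) (\S+)$", body, re.M)
        if "ip nat inside" in cmds and addr and nat_acls:
            net = ipaddress.ip_interface(f"{addr[1]}/{addr[2]}").network
            if not any(net.subnet_of(p) for p in permitted):
                out.append(f"{name}: {net} not permitted by the NAT access list")
        for grp in re.findall(r"^\s*dialer-group (\d+)$", body, re.M):
            if grp not in dialer_lists:
                out.append(f"{name}: dialer-group {grp} has no dialer-list")
    return out
```

Calling `audit(POSTED)` reports the missing NAT rule and dialer-list; `audit(POSTED + MAHMOOD)` returns an empty list.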