WAN ACL Access Problem

Unanswered Question
Feb 14th, 2008
User Badges:


Another technician and myself are scratching our heads over an issue at one of our remote school sites. We have blocked access to the 189.0 network so they cannot access the web or the rest of the WAN and only access local servers. The 199.0 network is open so they can access anything on the WAN. The problem we are having is WE cannot remote access the 189.0 network from our main school office (Via RDP or Dameware) although we can access the servers which are under / We can only ping the rest of the addresses on the 189.0 network. Can someone please look over this ACL list attached and see what we are missing? Do we have to have an IN and OUT ACL or can we just leave the OUT ACL without an IN?

The 181.0 subnet is the WAN connection back to our office.

Thank You!


  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Edison Ortiz Thu, 02/14/2008 - 14:07
User Badges:
  • Super Bronze, 10000 points or more
  • Hall of Fame,

    Founding Member

I'm proposing re-writing the entire ACL.

If you want to block access from 189.0 network to the web and the rest of the WAN, then you do a src 189.0 with dst any and the ACL is out.

However, you also want to RDP and Dameware that subnet from your main school office. You need to have a permit on that ACL before the above deny with src/dst specific networks.

I also see you have some udp 53 being allowed from that subnet's servers. Your ACL would look like this.

access-list 110 permit ip any

access-list 110 permit tcp eq 3389 any

access-list 110 permit udp eq 3389 any

access-list 110 permit tcp eq 6129 any

access-list 110 permit udp host any eq domain

access-list 110 deny ip any

access-list 110 deny ip any

access-list 110 permit ip any any

interface Serial0/0

ip access-group 110 out





This Discussion