Access list help on Cisco 877 DSL router

Answered Question
Sep 23rd, 2008

Hi,

I have a guest ADSL line at work for people needing full access to the internet. It's on a Cisco 877 and the config is below. Thing is I need to provide 3389 to a PC on the guest network, however when I apply "ip access-list 101 in" to dialer 1, the internet doesn't work.

I need users to access anything they want, but allow 1.2.3.4 to access 10.0.0.108 on 3389.

When I enable access-list 101 on the dialer I get lots of deny errors on ports 53 for DNS and 80 for http.

ADSL#sh run
Building configuration...

Current configuration : 2753 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname ADSL
!
boot-start-marker
boot-end-marker
!
logging buffered 8192 notifications
enable password 7 *
!
no aaa new-model
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 10.0.0.1 10.0.0.10
!
ip dhcp pool client
 import all
 network 10.0.0.0 255.255.255.0
 default-router 10.0.0.2
 lease 0 2
!
!
no ip cef
ip domain name guestdomain.com
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
!
!
username * password 7 *
!
!
ip tftp source-interface Ethernet0
ip ssh version 2
!
!
!
!
interface Ethernet0
 ip address 10.0.0.2 255.255.255.0
 no ip unreachables
 ip nat inside
 ip virtual-reassembly
 hold-queue 100 out
!
interface Ethernet2
 no ip address
 shutdown
 hold-queue 100 out
!
interface ATM0
 no ip address
 no ip unreachables
 no ip mroute-cache
 atm vc-per-vp 64
 no atm ilmi-keepalive
 dsl operating-mode auto
 cdp enable
 pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
!
interface FastEthernet1
 duplex auto
 speed auto
!
interface FastEthernet2
 duplex auto
 speed auto
!
interface FastEthernet3
 duplex auto
 speed auto
!
interface FastEthernet4
 duplex auto
 speed auto
!
interface Dialer1
 ip address negotiated
 no ip unreachables
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap pap callin
 ppp chap hostname *
 ppp chap password 7 *
 ppp pap sent-username * password 7 *
 ppp ipcp dns request
 ppp ipcp wins request
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer1
!
no ip http server
no ip http secure-server
!
ip nat inside source list 102 interface Dialer1 overload
ip nat inside source static tcp 10.0.0.108 3389 interface Dialer1 3389
!
logging trap notifications
logging facility local4
logging source-interface Ethernet0
access-list 50 permit 1.2.3.4
access-list 101 permit tcp host 1.2.3.4 any eq 3389 log
access-list 101 permit udp host 194.74.65.69 eq domain any
access-list 101 permit udp host 194.72.9.34 eq domain any
access-list 101 deny ip any any log
access-list 102 permit ip 10.0.0.0 0.0.0.255 any
dialer-list 1 protocol ip permit
!
!
!
control-plane
!
banner login ^C Authorised access only! Disconnect IMMEDIATELY if you are not an authorised user! ^C
!
line con 0
 no modem enable
 transport output telnet
line aux 0
 transport output telnet
line vty 0 4
 access-class 50 in
 exec-timeout 5 0
 login local
 transport input telnet ssh
 transport output all
!
scheduler max-task-time 5000
end

ADSL#

Correct Answer by Giuseppe Larosa about 8 years 2 months ago

Hello Andy,

your acl 101 should be reviewed:

first of all it is applied inbound to the nat outside interface:

dialer1 is the L3 interface to the internet

so to allow web surfing you need to add, before the last line:

access-list 101 permit tcp any eq 80 any

because the well-known port is on the server side

for DNS to work

access-list 101 permit udp any eq 53 any

for the same reason, but this is already present for two specific servers

Try to change the ACL as I suggested above and give it a try

Hope to help

Giuseppe
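To see concretely why the original ACL 101 blocks browsing and how the two permits suggested in the answer repair it, here is an added example that is not from the thread or from Cisco: a small Python model of IOS numbered-ACL evaluation (first match wins, implicit deny, `eq` on source or destination port, wildcard masks) run over constructed packets as they arrive inbound on Dialer1, where the ACL is checked before NAT rewrites the destination. The public address 198.51.100.7 and all packet addresses and ports are placeholders; the ACL lines themselves are the ones from the post and the answer.

```python
import ipaddress
import re
PORT_NAMES = {"domain": 53, "www": 80}
ADDR = r"(any|host \S+|\S+ \S+)"
RULE = re.compile(rf"access-list \d+ (permit|deny) (\w+) {ADDR}(?: eq (\w+))? {ADDR}(?: eq (\w+))?(?: log)?$")

def match_addr(spec, addr):
    """IOS address spec: 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD' (wildcard 1 bits = don't care)."""
    if spec == "any" or spec.startswith("host "):
        return spec in ("any", f"host {addr}")
    net, wild = spec.split()
    ip = lambda s: int(ipaddress.IPv4Address(s))
    return (ip(addr) ^ ip(net)) & ~ip(wild) == 0

def parse_rule(line):
    """Parse one numbered extended ACL line into (action, proto, src, sport, dst, dport)."""
    action, proto, src, sport, dst, dport = RULE.match(line).groups()
    port = lambda p: None if p is None else int(PORT_NAMES.get(p, p))
    return action, proto, src, port(sport), dst, port(dport)

def evaluate(acl, proto, src, sport, dst, dport):
    """First matching entry decides; IOS ends every ACL with an implicit 'deny ip any any'."""
    for action, r_proto, r_src, r_sport, r_dst, r_dport in acl:
        if (r_proto in ("ip", proto) and match_addr(r_src, src) and match_addr(r_dst, dst)
                and r_sport in (None, sport) and r_dport in (None, dport)):
            return action
    return "deny"

ORIGINAL_101 = [parse_rule(l) for l in [
    "access-list 101 permit tcp host 1.2.3.4 any eq 3389 log",
    "access-list 101 permit udp host 194.74.65.69 eq domain any",
    "access-list 101 permit udp host 194.72.9.34 eq domain any",
    "access-list 101 deny ip any any log"]]
# The answer's two extra permits go in front of the final deny, because first match wins
FIXED_101 = ORIGINAL_101[:3] + [parse_rule("access-list 101 permit tcp any eq 80 any"),
                                parse_rule("access-list 101 permit udp any eq 53 any")] + ORIGINAL_101[3:]

# Constructed packets seen inbound on Dialer1; the ACL runs before NAT, so dst is still the (placeholder) public address
WAN = "198.51.100.7"
SAMPLES = {
    "http reply from web server":  ("tcp", "203.0.113.10", 80, WAN, 51000),
    "dns reply, listed resolver":  ("udp", "194.74.65.69", 53, WAN, 40000),
    "dns reply, other resolver":   ("udp", "203.0.113.53", 53, WAN, 40001),
    "rdp from 1.2.3.4 to 3389":    ("tcp", "1.2.3.4", 40002, WAN, 3389),
    "source port 80 aimed at ssh": ("tcp", "203.0.113.66", 80, WAN, 22),  # shows why 'eq 80 any' is weak
}

def compare(samples=SAMPLES):
    """Return {name: (verdict under original ACL, verdict under fixed ACL)} for each sample packet."""
    return {n: (evaluate(ORIGINAL_101, *p), evaluate(FIXED_101, *p)) for n, p in samples.items()}
```

The last sample is the caveat a practitioner should keep in mind: a permit keyed on source port 80 admits any TCP packet an outside host sends from port 80 to any local port, so the `established` keyword or stateful inspection (`ip inspect`) is the usual replacement for this style of return-traffic rule.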
