Access list help on Cisco 877 DSL router

whiteford
Level 1

Hi,

I have a guest ADSL line at work for people needing full access to the internet. It's on a Cisco 877 and the config is below. The thing is, I need to provide port 3389 to a PC on the guest network; however, when I apply "ip access-list 101 in" to Dialer1, the internet stops working.

I need users to be able to access anything they want, but also allow 1.2.3.4 to access 10.0.0.108 on 3389.

When I enable access-list 101 on the dialer I get lots of deny errors for port 53 (DNS) and port 80 (HTTP).

ADSL#sh run
Building configuration...

Current configuration : 2753 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname ADSL
!
boot-start-marker
boot-end-marker
!
logging buffered 8192 notifications
enable password 7 *
!
no aaa new-model
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 10.0.0.1 10.0.0.10
!
ip dhcp pool client
 import all
 network 10.0.0.0 255.255.255.0
 default-router 10.0.0.2
 lease 0 2
!
!
no ip cef
ip domain name guestdomain.com
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
!
!
username * password 7 *
!
!
ip tftp source-interface Ethernet0
ip ssh version 2
!
!
!
!
interface Ethernet0
 ip address 10.0.0.2 255.255.255.0
 no ip unreachables
 ip nat inside
 ip virtual-reassembly
 hold-queue 100 out
!
interface Ethernet2
 no ip address
 shutdown
 hold-queue 100 out
!
interface ATM0
 no ip address
 no ip unreachables
 no ip mroute-cache
 atm vc-per-vp 64
 no atm ilmi-keepalive
 dsl operating-mode auto
 cdp enable
 pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
!
interface FastEthernet1
 duplex auto
 speed auto
!
interface FastEthernet2
 duplex auto
 speed auto
!
interface FastEthernet3
 duplex auto
 speed auto
!
interface FastEthernet4
 duplex auto
 speed auto
!
interface Dialer1
 ip address negotiated
 no ip unreachables
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap pap callin
 ppp chap hostname *
 ppp chap password 7 *
 ppp pap sent-username * password 7 *
 ppp ipcp dns request
 ppp ipcp wins request
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer1
!
no ip http server
no ip http secure-server
!
ip nat inside source list 102 interface Dialer1 overload
ip nat inside source static tcp 10.0.0.108 3389 interface Dialer1 3389
!
logging trap notifications
logging facility local4
logging source-interface Ethernet0
access-list 50 permit 1.2.3.4
access-list 101 permit tcp host 1.2.3.4 any eq 3389 log
access-list 101 permit udp host 194.74.65.69 eq domain any
access-list 101 permit udp host 194.72.9.34 eq domain any
access-list 101 deny ip any any log
access-list 102 permit ip 10.0.0.0 0.0.0.255 any
dialer-list 1 protocol ip permit
!
!
!
control-plane
!
banner login ^C Authorised access only! Disconnect IMMEDIATELY if you are not an authorised user! ^C
!
line con 0
 no modem enable
 transport output telnet
line aux 0
 transport output telnet
line vty 0 4
 access-class 50 in
 exec-timeout 5 0
 login local
 transport input telnet ssh
 transport output all
!
scheduler max-task-time 5000
end

ADSL#

1 Accepted Solution

Giuseppe Larosa
Hall of Fame

Hello Andy,

your ACL 101 should be reviewed:

first of all, it is applied inbound on the NAT outside interface:

Dialer1 is the L3 interface to the internet,

so to allow web surfing you need to add, before the last line:

access-list 101 permit tcp any eq 80 any

because the well-known port is on the server side.

For DNS to work:

access-list 101 permit udp any eq 53 any

for the same reason, but this is already present for two specific servers.

Try changing the ACL as I suggested above and give it a try.

Hope to help

Giuseppe

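The symptom in the question and the fix in the accepted answer both come down to the fact that a plain extended ACL is stateless: inbound on Dialer1 it sees the return half of every guest connection, and nothing in the posted access-list 101 permits it. The script below is an added example (not code from the thread, the poster, or Cisco): a small first-match evaluator for the ACL lines on this page, run over constructed packets arriving inbound on Dialer1. It scores access-list 101 as posted, as amended by the answer, and in a third variant that uses the IOS `established` keyword instead of matching on source port 80. The public address 198.51.100.7, the web server, the DNS server 8.8.8.8, the attacker 203.0.113.9 and the packets themselves are placeholders I constructed; the real Dialer1 address is whatever `ip address negotiated` obtains. The evaluator deliberately looks at packets before NAT un-translation, which is the order IOS applies to outside-to-inside traffic, so destinations are the public address rather than 10.0.0.108.

```python
"""First-match evaluator for the numbered extended ACL lines in this thread.

Added example, not the router's own code. It models only what the page's ACL
lines use: protocol, 'host'/'any'/wildcard addresses, 'eq' on either side,
'established' and a trailing 'log'. Packets are evaluated inbound on Dialer1
before NAT un-translation, so the destination is the public address.
All addresses and packets below are constructed placeholders.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

PUBLIC_IP = "198.51.100.7"  # assumed placeholder for 'ip address negotiated'


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    ack: bool = False  # TCP ACK/RST bit, which is what 'established' tests


def _parse_addr(tokens):
    """Consume 'host A' | 'any' | 'A WILDCARD' and return an ip_network."""
    tok = tokens.pop(0)
    if tok == "any":
        return ip_network("0.0.0.0/0")
    if tok == "host":
        return ip_network(tokens.pop(0) + "/32")
    wildcard = tokens.pop(0)  # IOS wildcard: invert each octet to get a mask
    mask = ".".join(str(255 - int(o)) for o in wildcard.split("."))
    return ip_network(f"{tok}/{mask}", strict=False)


def _parse_port(tokens):
    """Consume an optional 'eq <port>' qualifier; None means any port."""
    if tokens and tokens[0] == "eq":
        tokens.pop(0)
        name = tokens.pop(0)
        return {"domain": 53, "www": 80}.get(name) or int(name)
    return None


def parse_acl(lines):
    """'access-list N permit|deny proto src [eq p] dst [eq p] [established] [log]'."""
    rules = []
    for line in lines:
        tokens = line.split()
        action, proto, rest = tokens[2], tokens[3], tokens[4:]
        src, sport = _parse_addr(rest), _parse_port(rest)
        dst, dport = _parse_addr(rest), _parse_port(rest)
        rules.append((action, proto, src, sport, dst, dport, "established" in rest))
    return rules


def evaluate(rules, pkt):
    """First matching line wins; unmatched packets hit the implicit deny."""
    for action, proto, src, sport, dst, dport, established in rules:
        if proto != "ip" and proto != pkt.proto:
            continue
        if ip_address(pkt.src) not in src or ip_address(pkt.dst) not in dst:
            continue
        if sport is not None and pkt.sport != sport:
            continue
        if dport is not None and pkt.dport != dport:
            continue
        if established and not pkt.ack:  # a bare SYN never matches 'established'
            continue
        return action
    return "deny"


ORIGINAL_ACL_101 = [  # as posted in the question
    "access-list 101 permit tcp host 1.2.3.4 any eq 3389 log",
    "access-list 101 permit udp host 194.74.65.69 eq domain any",
    "access-list 101 permit udp host 194.72.9.34 eq domain any",
    "access-list 101 deny ip any any log",
]
# The accepted answer's two lines, inserted before the final deny.
ANSWER_ACL_101 = ORIGINAL_ACL_101[:3] + [
    "access-list 101 permit tcp any eq 80 any",
    "access-list 101 permit udp any eq 53 any",
] + ORIGINAL_ACL_101[3:]
# Variant (my suggestion, not the answer's): match TCP return traffic on the
# ACK/RST bit rather than on source port 80.
ESTABLISHED_ACL_101 = ORIGINAL_ACL_101[:3] + [
    "access-list 101 permit tcp any any established",
    "access-list 101 permit udp any eq 53 any",
] + ORIGINAL_ACL_101[3:]

SAMPLE = {  # constructed packets, all inbound on Dialer1, pre-NAT
    "http_reply": Packet("tcp", "203.0.113.50", 80, PUBLIC_IP, 40000, ack=True),
    "dns_reply_listed": Packet("udp", "194.74.65.69", 53, PUBLIC_IP, 40001),
    "dns_reply_other": Packet("udp", "8.8.8.8", 53, PUBLIC_IP, 40002),
    "rdp_allowed": Packet("tcp", "1.2.3.4", 51000, PUBLIC_IP, 3389),
    "rdp_other": Packet("tcp", "203.0.113.9", 51000, PUBLIC_IP, 3389),
    "rdp_other_from_port_80": Packet("tcp", "203.0.113.9", 80, PUBLIC_IP, 3389),
}


def verdicts(acl_lines):
    """Map each sample packet name to 'permit' or 'deny' under the given ACL."""
    rules = parse_acl(acl_lines)
    return {name: evaluate(rules, pkt) for name, pkt in SAMPLE.items()}


if __name__ == "__main__":
    for label, acl in (("as posted", ORIGINAL_ACL_101),
                       ("accepted answer", ANSWER_ACL_101),
                       ("established variant", ESTABLISHED_ACL_101)):
        print(f"{label:20s} {verdicts(acl)}")
```

Run it and compare the three verdict maps. The posted ACL denies every HTTP reply and every DNS reply that does not come from the two listed servers, which is the symptom in the question. The amended ACL fixes that, but `rdp_other_from_port_80` shows the cost of matching on a source port: a TCP SYN to 3389 from any host is permitted as long as the sender chooses source port 80, and the static NAT entry then delivers it to 10.0.0.108, which defeats the "only 1.2.3.4" intent of the first line. `permit tcp any any established` only matches segments with ACK or RST set, so a fresh SYN from an unauthorised host is dropped while return traffic to the guests still passes. On this IOS release the genuinely stateful options are CBAC (`ip inspect`) or reflexive ACLs; neither is modelled here.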

