Solved: Allow Access Through Router - Cisco Community

1245

Views

0

Helpful

20

Replies

Hello -

I want to allow access to two systems behind a router and have achieved part of that, but for some reason, the additional ip scopes added don't have access using access-list 101. Can someone please look at my config and let me know what I may be missing? Thanks

6 KB

1 Accepted Solution

Accepted Solutions

Christopher

Sorry about the confusion. As Victor says we are just messing around but i can see how it might have been taken out of context. No offence intended from either of us.

"Allow any IP to telnet to int F0/0 (195.85.24.4)

Allow TS from the 195.85.x.x subnet specified in the ACL access to the two systems 10.13.3.2 and 10.13.10.5

deny all other access"

Yes your acl will do this altho i'm assuming 10.13.3.2 is a typo as your acl references 10.13.2.3 ?

Jon

View solution in original post

20 Replies 20

Christopher

Your access-list -

access-list 101 permit tcp any host 195.85.24.4 eq telnet

access-list 101 permit tcp 195.85.24.0 0.0.0.255 host 10.13.2.3 eq 3389

access-list 101 permit tcp 195.85.24.0 0.0.0.255 host 10.13.10.5 eq 3389

access-list 101 deny ip 195.85.0.0 0.0.255.255 10.0.0.0 0.255.255.255

access-list 101 permit ip any any

access-list 101 permit tcp 195.85.119.0 0.0.0.255 host 10.13.2.3 eq 3389

access-list 101 permit tcp 195.85.120.0 0.0.0.255 host 10.13.2.3 eq 3389

access-list 101 permit tcp 195.85.121.0 0.0.0.255 host 10.13.2.3 eq 3389

access-list 101 permit tcp 195.85.122.0 0.0.0.255 host 10.13.2.3 eq 3389

access-list 101 permit tcp 195.85.123.0 0.0.0.255 host 10.13.2.3 eq 3389

access-list 101 permit tcp 195.85.124.0 0.0.0.255 host 10.13.2.3 eq 3389

access-list 101 permit tcp 195.85.119.0 0.0.0.255 host 10.13.10.5 eq 3389

access-list 101 permit tcp 195.85.120.0 0.0.0.255 host 10.13.10.5 eq 3389

access-list 101 permit tcp 195.85.121.0 0.0.0.255 host 10.13.10.5 eq 3389

access-list 101 permit tcp 195.85.122.0 0.0.0.255 host 10.13.10.5 eq 3389

access-list 101 permit tcp 195.85.123.0 0.0.0.255 host 10.13.10.5 eq 3389

the 4th line says -

access-list 101 deny ip 195.85.0.0 0.0.255.255 10.0.0.0 0.255.255.255

so the permits for the 195.85.x subnets after this line will never be hit because the deny is line is hit first. You need to reorder your access-list to

access-list 101 permit tcp any host 195.85.24.4 eq telnet

access-list 101 permit tcp 195.85.24.0 0.0.0.255 host 10.13.2.3 eq 3389

access-list 101 permit tcp 195.85.24.0 0.0.0.255 host 10.13.10.5 eq 3389

access-list 101 deny ip 195.85.0.0 0.0.255.255 10.0.0.0 0.255.255.255

access-list 101 permit tcp 195.85.119.0 0.0.0.255 host 10.13.2.3 eq 3389

access-list 101 permit tcp 195.85.120.0 0.0.0.255 host 10.13.2.3 eq 3389

access-list 101 permit tcp 195.85.121.0 0.0.0.255 host 10.13.2.3 eq 3389

access-list 101 permit tcp 195.85.122.0 0.0.0.255 host 10.13.2.3 eq 3389

access-list 101 permit tcp 195.85.123.0 0.0.0.255 host 10.13.2.3 eq 3389

access-list 101 permit tcp 195.85.124.0 0.0.0.255 host 10.13.2.3 eq 3389

access-list 101 permit tcp 195.85.119.0 0.0.0.255 host 10.13.10.5 eq 3389

access-list 101 permit tcp 195.85.120.0 0.0.0.255 host 10.13.10.5 eq 3389

access-list 101 permit tcp 195.85.121.0 0.0.0.255 host 10.13.10.5 eq 3389

access-list 101 permit tcp 195.85.122.0 0.0.0.255 host 10.13.10.5 eq 3389

access-list 101 permit tcp 195.85.123.0 0.0.0.255 host 10.13.10.5 eq 3389

access-list 101 permit tcp 195.85.124.0 0.0.0.255 host 10.13.10.5 eq 3389

access-list 101 deny ip 195.85.0.0 0.0.255.255 10.0.0.0 0.255.255.255

access-list 101 permit ip any any

Jon

Hello Jon -

I have added that order but when I add to the config it still shows the same order as I have above?

ip access-list extended CRFementerNAT

deny ip 10.13.0.0 0.0.255.255 any

permit ip 10.0.0.0 0.255.255.255 any

remark allow new Genencor / Danisco IP range

permit ip 195.85.0.0 0.0.255.255 any

access-list 101 permit tcp any host 195.85.24.4 eq telnet

access-list 101 permit tcp 195.85.24.0 0.0.0.255 host 10.13.2.3 eq 3389

access-list 101 permit tcp 195.85.24.0 0.0.0.255 host 10.13.10.5 eq 3389

access-list 101 deny ip 195.85.0.0 0.0.255.255 10.0.0.0 0.255.255.255

access-list 101 permit ip any any

access-list 101 permit tcp 195.85.119.0 0.0.0.255 host 10.13.2.3 eq 3389

access-list 101 permit tcp 195.85.120.0 0.0.0.255 host 10.13.2.3 eq 3389

access-list 101 permit tcp 195.85.121.0 0.0.0.255 host 10.13.2.3 eq 3389

access-list 101 permit tcp 195.85.122.0 0.0.0.255 host 10.13.2.3 eq 3389

access-list 101 permit tcp 195.85.123.0 0.0.0.255 host 10.13.2.3 eq 3389

access-list 101 permit tcp 195.85.124.0 0.0.0.255 host 10.13.2.3 eq 3389

access-list 101 permit tcp 195.85.119.0 0.0.0.255 host 10.13.10.5 eq 3389

access-list 101 permit tcp 195.85.120.0 0.0.0.255 host 10.13.10.5 eq 3389

access-list 101 permit tcp 195.85.121.0 0.0.0.255 host 10.13.10.5 eq 3389

access-list 101 permit tcp 195.85.122.0 0.0.0.255 host 10.13.10.5 eq 3389

access-list 101 permit tcp 195.85.123.0 0.0.0.255 host 10.13.10.5 eq 3389

access-list 101 permit tcp 195.85.124.0 0.0.0.255 host 10.13.10.5 eq 3389

no cdp run

Did you remove the access-list ie.

no access-list 101

and then cut and paste the new one back in ?

Jon

Jon -

I am remote from the router and using telnet, if I do this I lose connection to the router.

Okay, remove the acl from the interface ie.

int s0/0

no ip access-group 101 in

then do as previously suggested and reapply. Just make sure you get the line right that allows you remote access.

Jon

Jon -

Disregard last post. I did do that. I will test and let you know if this resolves the issue. Thanks

No problem. Please note there is a typo in my previous post -

access-list 101 permit tcp any host 195.85.24.4 eq telnet

access-list 101 permit tcp 195.85.24.0 0.0.0.255 host 10.13.2.3 eq 3389

access-list 101 permit tcp 195.85.24.0 0.0.0.255 host 10.13.10.5 eq 3389

access-list 101 deny ip 195.85.0.0 0.0.255.255 10.0.0.0 0.255.255.255

access-list 101 permit tcp 195.85.119.0 0.0.0.255 host 10.13.2.3 eq 3389

access-list 101 permit tcp 195.85.120.0 0.0.0.255 host 10.13.2.3 eq 3389

access-list 101 permit tcp 195.85.121.0 0.0.0.255 host 10.13.2.3 eq 3389

access-list 101 permit tcp 195.85.122.0 0.0.0.255 host 10.13.2.3 eq 3389

access-list 101 permit tcp 195.85.123.0 0.0.0.255 host 10.13.2.3 eq 3389

access-list 101 permit tcp 195.85.124.0 0.0.0.255 host 10.13.2.3 eq 3389

access-list 101 permit tcp 195.85.119.0 0.0.0.255 host 10.13.10.5 eq 3389

access-list 101 permit tcp 195.85.120.0 0.0.0.255 host 10.13.10.5 eq 3389

access-list 101 permit tcp 195.85.121.0 0.0.0.255 host 10.13.10.5 eq 3389

access-list 101 permit tcp 195.85.122.0 0.0.0.255 host 10.13.10.5 eq 3389

access-list 101 permit tcp 195.85.123.0 0.0.0.255 host 10.13.10.5 eq 3389

access-list 101 permit tcp 195.85.124.0 0.0.0.255 host 10.13.10.5 eq 3389

access-list 101 deny ip 195.85.0.0 0.0.255.255 10.0.0.0 0.255.255.255

access-list 101 permit ip any any

should read

access-list 101 permit tcp any host 195.85.24.4 eq telnet

access-list 101 permit tcp 195.85.24.0 0.0.0.255 host 10.13.2.3 eq 3389

access-list 101 permit tcp 195.85.24.0 0.0.0.255 host 10.13.10.5 eq 3389

access-list 101 permit tcp 195.85.119.0 0.0.0.255 host 10.13.2.3 eq 3389

access-list 101 permit tcp 195.85.120.0 0.0.0.255 host 10.13.2.3 eq 3389

access-list 101 permit tcp 195.85.121.0 0.0.0.255 host 10.13.2.3 eq 3389

access-list 101 permit tcp 195.85.122.0 0.0.0.255 host 10.13.2.3 eq 3389

access-list 101 permit tcp 195.85.123.0 0.0.0.255 host 10.13.2.3 eq 3389

access-list 101 permit tcp 195.85.124.0 0.0.0.255 host 10.13.2.3 eq 3389

access-list 101 permit tcp 195.85.119.0 0.0.0.255 host 10.13.10.5 eq 3389

access-list 101 permit tcp 195.85.120.0 0.0.0.255 host 10.13.10.5 eq 3389

access-list 101 permit tcp 195.85.121.0 0.0.0.255 host 10.13.10.5 eq 3389

access-list 101 permit tcp 195.85.122.0 0.0.0.255 host 10.13.10.5 eq 3389

access-list 101 permit tcp 195.85.123.0 0.0.0.255 host 10.13.10.5 eq 3389

access-list 101 permit tcp 195.85.124.0 0.0.0.255 host 10.13.10.5 eq 3389

access-list 101 deny ip 195.85.0.0 0.0.255.255 10.0.0.0 0.255.255.255

access-list 101 permit ip any any

ie. the "access-list 101 deny ip 195.85.0.0 0.0.255.255 10.0.0.0 0.255.255.255" line should only appear second line from end and not as the 4th line as well.

Apologies for that.

Jon

What kind of cockamamie access list is that? You deny all traffic coming from the entire class B network of 195.85.0.0 and heading to the entire class A network of 10.0.0.0, but then you try to allow traffic with the same source and destination right after that. And whats with the "permit ip any any" statement in the middle of the access list?

[Excuse the cross post, Jon.]

Please help me understand how I can allow what I have listed in the ACL and deny everything else? Thanks

Hi Victor

"[Excuse the cross post, Jon.]"

No problem. I think the idea of the acl is to permit certain traffic between 195.85.x.x and 10.13.x.x and then deny all other traffic between 195.85.x.x and 10.13.x.x but then also allow any other traffic from different source addresses and potentially different destination addresses.

You know i wasn't going to write this but knowing what a good sense of humour you have -

apologies if the above was too excruciating in it's detail :-)

Jon

OK I have modified my ACL to make it little easier to manage. Please let me know if this will work for what I want to accomplish? Thanks

access-list 101 permit tcp any host 195.85.24.4 eq telnet

access-list 101 permit tcp 195.85.24.0 0.0.0.255 host 10.13.2.3 eq 3389

access-list 101 permit tcp 195.85.24.0 0.0.0.255 host 10.13.10.5 eq 3389

access-list 101 permit tcp 195.85.119.0 0.0.3.255 host 10.13.2.3 eq 3389

access-list 101 permit tcp 195.85.123.0 0.0.1.255 host 10.13.2.3 eq 3389

access-list 101 permit tcp 195.85.119.0 0.0.3.255 host 10.13.10.5 eq 3389

access-list 101 permit tcp 195.85.123.0 0.0.1.255 host 10.13.10.5 eq 3389

access-list 101 deny any any

Christopher

You haven't actually told us what you want to accomplish :-). But what this access-list does is to

1) allow any IP address to access 195.84.24.4 using telnet

2) then allow terminal services (3389) from a number of 195.85.x.x subnets to particular hosts in the 10.13.x.x range

3) deny all other access

Jon

Jon -

This is what I want to accomplish the ACL.

Allow any IP to telnet to int F0/0 (195.85.24.4)

Allow TS from the 195.85.x.x subnet specified in the ACL access to the two systems 10.13.3.2 and 10.13.10.5

deny all other access

With the ACL will this work?

Youre a regular riot, Alice. :-)

Review Cisco Networking products for a $25 gift card