Why won't this basic ACL work?

Unanswered Question
Jan 29th, 2009

I have been trying to set up an Access Control List on a Cisco 1841 router. I can see that a basic ACL isn't exactly rocket science, but this just doesn't seem to work. By "doesn't work" I mean that as soon as I apply the ACL to an interface, I immediately lose all IP connectivity to the 192.168.240.0 network. Please see http://www.geocities.com/muzikan/basicdiagram.gif for a view of the basic network structure. I need to set up the router at 10.1.1.3 so that it will only permit traffic to enter from the 192.168.242.0 subnet. I have tried to account for both the internal and external interfaces of the source network. All subnet masks are /24. The access control list entries look as follows:

access-list 1 permit 192.168.242.0 0.0.0.255

access-list 1 permit 10.1.1.0 0.0.0.255



Surely there is something ridiculously easy I am overlooking here.


TIA,

Scott


Mark Yeates Thu, 01/29/2009 - 15:48

Scott,


The ACL would be better suited if applied outbound on the 10.1.1.1 interface.


HTH,

Mark

Edison Ortiz Thu, 01/29/2009 - 20:13

Try the following ACL:


access-list 101 permit ip 192.168.242.0 0.0.0.255 any

access-list 101 permit ip 10.1.1.0 0.0.0.255 any


And apply on the interface facing those networks:


ip access-group 101 in


HTH,


__


Edison.



scottford Fri, 01/30/2009 - 06:41

Hey guys, thanks a lot for the fast replies. I will try these suggestions after business hours today (5:00 CST) and leave a follow-up with the results. I have tried using the access-list 101 entry but I don't think I specified "all". I haven't tried applying to the external interface because it's a remote site and if it doesn't work I'm locked out of it. I'll run over there tonight and try all options.


Scott

Edison Ortiz Fri, 01/30/2009 - 06:58

I haven't tried applying to the external interface because it's a remote site and if it doesn't work I'm locked out of it.


Are there other networks traversing this external interface?


If so, those networks will be blocked unless you add them to the permit list.


If the external facing interface is connected to the internet, then do apply the ACL there.


From your post, it seems the connection was a private point-to-point session between 2 locations.


If you can, please draw a diagram of your topology and post it here. We can determine where is the best location to place the ACL.


HTH,


__


Edison.

MrCheHMqm Fri, 01/30/2009 - 07:05

I don't know if this works or not, but I see that you have a permit list. Shouldn't you also have a deny list, where you can basically say deny all except the ones you permit?



Greetings

Che

scottford Fri, 01/30/2009 - 07:14

Hi Che,


Unless I am mistaken, the deny list is implied at the bottom of the ACL. Please correct me if I am wrong. Thanks.

Edison Ortiz Fri, 01/30/2009 - 07:19

the deny list is implied at the bottom of the ACL. Please correct me if I am wrong. Thanks.


You are correct.

scottford Fri, 01/30/2009 - 07:13

Hi Edison,


The router in question has an external interface of 10.1.1.3 and an internal interface of 192.168.240.3. I only want to apply the ACL as an ingress filter on this router. It doesn't really matter to me which interface has the ACL applied, except that if I apply it to the external interface I will lose connectivity to the router from my site. Does this clear it up at all? Thanks!

Edison Ortiz Fri, 01/30/2009 - 07:22

I only want to apply the ACL as an ingress filter on this router.


Ideally, you want to place the ACL closest to the source network.


If the packets are coming from the outside, you need to place the ACL in the external interface.


The ACL must have the subnets you want to allow in the source field and the destination will be your network, in this case you can use 'any' keyword.


The direction of the access-group must be 'in' as the packets are coming into the router.


HTH,


__


Edison.

scottford Fri, 01/30/2009 - 07:30

Ok, seems like I understand. I should be trying to apply the ACL to interface FA0/0 (10.1.1.3) instead of to interface FA0/0/0 (192.168.240.3). Could this be why the ACL is locking out all traffic regardless of the permit list?

Edison Ortiz Fri, 01/30/2009 - 07:35

Could this be why the ACL is locking out all traffic regardless of the permit list?


Without seeing the network topology and/or traffic flow, very hard to answer that.


HTH,


__


Edison.


Please rate helpful posts


scottford Fri, 01/30/2009 - 07:38

Understood. I posted a link to a gif showing the very basic topology structure in my first post; were you able to get to that? Perhaps it didn't show enough detail. In any case I will take your suggestions to heart and try this a couple of different ways after business hours today and follow up with a response/rating, etc. Much appreciate the advice you have given.

Edison Ortiz Fri, 01/30/2009 - 08:08

I posted a link to gif showing the very basic topo structure in my first post, were you able to get to that?


Oops, missed that :)


Yes, 10.1.1.3 it is...



enghmq007 Sat, 01/31/2009 - 06:30


Hi


Can you try the following configuration:


#access-list 1 permit 192.168.242.0 0.0.0.255

#access-list 1 permit 10.1.1.0 0.0.0.255

#access-list 1 deny any log


logging buffered


and generate your traffic, then take a look at the log file


#sh logging


you will see the traffic blocked and you can correct the ACL. :)
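As an added illustration (not code from the thread or from Cisco), here is a small Python model of how a standard IOS ACL is evaluated: top-down, first match wins, Cisco wildcard masks, and the implicit deny at the end. It applies Scott's list "in" on each of the two interfaces he named (FA0/0 = 10.1.1.3 external, FA0/0/0 = 192.168.240.3 internal) to show why the list drops every LAN-sourced packet when placed on the internal interface but does what Edison described on the external one, and it records denied sources the way enghmq007's "deny any log" plus "sh logging" would. The sample packets and the 172.16.9.9 address are constructed for the example.

```python
import ipaddress

# Standard ACL 1 from the thread, with enghmq007's explicit "deny any log" as
# the last entry so that every denied source is recorded.
ACL_1 = [
    ("permit", "192.168.242.0", "0.0.0.255", False),
    ("permit", "10.1.1.0", "0.0.0.255", False),
    ("deny", "0.0.0.0", "255.255.255.255", True),  # "deny any log"
]


def wildcard_match(addr, network, wildcard):
    """Cisco wildcard mask: a 0 bit must match, a 1 bit is 'don't care'."""
    to_int = lambda s: int(ipaddress.IPv4Address(s))
    care = 0xFFFFFFFF ^ to_int(wildcard)
    return (to_int(addr) & care) == (to_int(network) & care)


def acl_permits(acl, src, log):
    """Top-down, first match wins; no match falls through to the implicit deny."""
    for action, network, wildcard, do_log in acl:
        if wildcard_match(src, network, wildcard):
            if do_log:
                log.append(f"list 1 {action} {src}")
            return action == "permit"
    log.append(f"list 1 implicit-deny {src}")  # the unlogged default on real IOS
    return False


# Constructed packets: (ingress interface, source address).
PACKETS = [
    ("FA0/0", "192.168.242.5"),     # remote subnet Scott wants to allow
    ("FA0/0", "10.1.1.1"),          # far end of the point-to-point link
    ("FA0/0", "172.16.9.9"),        # constructed: some other outside source
    ("FA0/0/0", "192.168.240.10"),  # host on the local LAN sending outwards
]


def apply_inbound(acl, on_interface, packets):
    """Return ({source: permitted}, log) for the ACL applied 'in' on one
    interface; packets arriving on any other interface are not filtered."""
    log, result = [], {}
    for iface, src in packets:
        result[src] = acl_permits(acl, src, log) if iface == on_interface else True
    return result, log


if __name__ == "__main__":
    for iface in ("FA0/0/0", "FA0/0"):
        verdicts, log = apply_inbound(ACL_1, iface, PACKETS)
        print(f"ip access-group 1 in on {iface}: {verdicts}  log={log}")
```

On FA0/0/0 the only filtered packet is the LAN host's, and it is denied because no permit entry covers 192.168.240.0, which matches the symptom in the first post; on FA0/0 the two intended sources pass and only the outside address is logged and dropped.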
