01-29-2009 03:13 PM - edited 03-06-2019 03:45 AM
I have been trying to set up an Access Control List on a Cisco 1841 router. I can see that a basic ACL isn't exactly rocket science, but this just doesn't seem to work. By "doesn't work" I mean that as soon as I apply the ACL to an interface, I immediately lose all IP connectivity to the 192.168.240.0 network. Please see http://www.geocities.com/muzikan/basicdiagram.gif for a view of the basic network structure. I need to set up the router at 10.1.1.3 so that it will only permit traffic to enter from the 192.168.242.0 subnet. I have tried to account for both the internal and external interfaces of the source network. All subnet masks are /24. The access control list entries look as follows:
access-list 1 permit 192.168.242.0 0.0.0.255
access-list 1 permit 10.1.1.0 0.0.0.255
Surely there is something ridiculously easy I am overlooking here.
TIA,
Scott
01-29-2009 03:48 PM
Scott,
The ACL would be better suited if applied outbound on the 10.1.1.1 interface.
HTH,
Mark
01-29-2009 08:13 PM
Try the following ACL:
access-list 101 permit ip 192.168.242.0 0.0.0.255 any
access-list 101 permit ip 10.1.1.0 0.0.0.255 any
And apply on the interface facing those networks:
ip access-group 101 in
HTH,
__
Edison.
01-30-2009 06:41 AM
Hey guys, thanks a lot for the fast replies. I will try these suggestions after business hours today (5:00 CST) and leave a follow-up with the results. I have tried using the access-list 101 entry but I don't think I specified "all". I haven't tried applying to the external interface because it's a remote site and if it doesn't work I'm locked out of it. I'll run over there tonight and try all options.
Scott
01-30-2009 06:58 AM
I haven't tried applying to the external interface because it's a remote site and if it doesn't work I'm locked out of it.
Are there other networks traversing this external interface?
If so, those networks will be blocked unless you add them to the permit list.
If the external facing interface is connected to the internet, then do apply the ACL there.
From your post, it seems the connection was a private point-to-point session between 2 locations.
If you can, please draw a diagram of your topology and post it here. We can determine where the best location to place the ACL is.
HTH,
__
Edison.
01-30-2009 07:05 AM
I don't know if this works or not, but I see that you have a permit list. Shouldn't you also have a deny list, where you can basically say deny all except the ones you permit?
Greetings
Che
01-30-2009 07:14 AM
Hi Che,
Unless I am mistaken, the deny list is implied at the bottom of the ACL. Please correct me if I am wrong. Thanks.
01-30-2009 07:19 AM
the deny list is implied at the bottom of the ACL. Please correct me if I am wrong. Thanks.
You are correct.
01-30-2009 07:13 AM
Hi Edison,
The router in question has an external interface of 10.1.1.3 and an internal interface of 192.168.240.3. I only want to apply the ACL as an ingress filter on this router. It doesn't really matter to me which interface has the ACL applied, except that if I apply it to the external interface I will lose connectivity to the router from my site. Does this clear it up at all? Thanks!
01-30-2009 07:22 AM
I only want to apply the ACL as an ingress filter on this router.
Ideally, you want to place the ACL closest to the source network.
If the packets are coming from the outside, you need to place the ACL in the external interface.
The ACL must have the subnets you want to allow in the source field and the destination will be your network, in this case you can use 'any' keyword.
The direction of the access-group must be 'in' as the packets are coming into the router.
HTH,
__
Edison.
01-30-2009 07:30 AM
OK, it seems like I understand. I should be trying to apply the ACL to interface FA0/0 (10.1.1.3) instead of to interface FA0/0/0 (192.168.240.3). Could this be why the ACL is locking out all traffic regardless of the permit list?
01-30-2009 07:35 AM
Could this be why the ACL is locking out all traffic regardless of the permit list?
Without seeing the network topology and/or traffic flow, very hard to answer that.
HTH,
__
Edison.
Please rate helpful posts
01-30-2009 07:38 AM
Understood. I posted a link to a gif showing the very basic topology structure in my first post; were you able to get to that? Perhaps it didn't show enough detail. In any case I will take your suggestions to heart and try this a couple of different ways after biz hours today and follow up with a response/rating, etc. I much appreciate the advice you have given.
01-30-2009 08:08 AM
I posted a link to a gif showing the very basic topology structure in my first post; were you able to get to that?
Oops, missed that :)
Yes, 10.1.1.3 it is...
01-31-2009 06:30 AM
Hi,
Can you try the following configuration:
#access-list 1 permit 192.168.242.0 0.0.0.255
#access-list 1 permit 10.1.1.0 0.0.0.255
#access-list 1 deny any log
logging buffered
Then generate your traffic and take a look at the log file:
#sh logging
you will see the traffic blocked and you can correct the ACL. :)
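As an added illustration (not code from the thread or from Cisco), the Python below walks Scott's standard ACL 1 top-down the way IOS does, with the implicit deny written out and logged as the final post's "deny any log" suggests, against constructed sample packets entering the external interface FA0/0 (10.1.1.3) and the internal interface FA0/0/0 (192.168.240.3) that Edison's placement advice distinguishes. The sample addresses and the log-line wording are assumptions for the demo.

```python
import ipaddress

# Scott's standard ACL 1 from the thread, with the implicit "deny any" that IOS
# appends to every ACL written out explicitly so that denied sources can be logged.
ACL_1 = [
    ("permit", "192.168.242.0", "0.0.0.255"),
    ("permit", "10.1.1.0", "0.0.0.255"),
    ("deny", "0.0.0.0", "255.255.255.255"),  # access-list 1 deny any log
]

def wildcard_match(addr, network, wildcard):
    """Cisco wildcard mask: a 1 bit means 'do not care', so only the 0 bits are compared."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = 0xFFFFFFFF & ~int(ipaddress.IPv4Address(wildcard))
    return (a & care) == (n & care)

def evaluate(acl, src):
    """Top-down, first match wins; a standard ACL looks only at the source address."""
    for action, network, wildcard in acl:
        if wildcard_match(src, network, wildcard):
            return action
    return "deny"  # the implicit deny, reached only if no explicit deny any is present

def filter_ingress(acl, packets):
    """Apply the ACL inbound to (interface, source) pairs; return permitted packets and deny log lines."""
    permitted, log = [], []
    for iface, src in packets:
        if evaluate(acl, src) == "permit":
            permitted.append((iface, src))
        else:
            # Constructed log line for the demo, not the real IOS syslog format.
            log.append(f"list 1 denied {src} inbound on {iface}")
    return permitted, log

# Constructed sample traffic (assumed addresses): packets entering FA0/0 carry remote
# sources; packets entering FA0/0/0 carry 192.168.240.0/24 sources, which no permit covers.
SAMPLE = [
    ("FastEthernet0/0", "192.168.242.25"),
    ("FastEthernet0/0", "10.1.1.1"),
    ("FastEthernet0/0", "192.168.241.7"),
    ("FastEthernet0/0/0", "192.168.240.10"),
    ("FastEthernet0/0/0", "192.168.240.55"),
]

if __name__ == "__main__":
    ok, denied = filter_ingress(ACL_1, SAMPLE)
    print("permitted:", ok)
    print("\n".join(denied))
```

Every packet that enters on the internal interface is denied, which is what Scott saw when the list was applied there; on the external interface only the two permitted subnets get through.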