Good day everyone,
I'm rather stuck configuring ACLs in our environment. Allow me to explain in detail:
Our organisation is divided into 4 virtual LANs:
192.168.0.0/23 (This is our live network, all our employees are using this network)
192.168.4.0/24 (This vLAN is used for testing purposes)
192.168.5.0/24 (This vLAN is used for demonstrational purposes)
192.168.6.0/24 (This vLAN is used by external parties)
Right now I'm trying to configure ACLs for the 192.168.5.0/24 network. This network contains a domain controller (192.168.5.10) which needs access to the domain controller/internet router in our live environment (the address for this domain controller is 192.168.0.210) in order to get internet working on this vLAN. The exact problem is: whenever I disable all the ACLs, everything works like a charm, but whenever I implement the ACLs, internet access seems to stop functioning. I'll write down the contents of the ACLs for you. ACL 150 is applied to the outbound interface of the gateway (gateway=192.168.5.1, which is a 2811), and ACL 151 is applied to the inbound interface:
Extended IP access list 150
10 permit ip 192.168.0.0 0.0.1.255 192.168.5.0 0.0.0.255
Extended IP access list 151
10 permit tcp 192.168.5.0 0.0.0.255 192.168.0.0 0.0.1.255 established
20 permit tcp host 192.168.5.10 host 192.168.0.210 eq domain
30 permit tcp host 192.168.5.10 host 192.168.0.210 eq www
40 permit icmp 192.168.5.0 0.0.0.255 192.168.0.0 0.0.1.255 echo-reply
I seem to be able to ping the DC in the live environment OK, and I can even resolve IP addresses, but somehow I just can't seem to connect to them. I even tried using "permit ip host 192.168.5.10 any", but I still haven't got it to work. Could someone please provide me with some assistance? It'd be greatly appreciated. Thank you very much in advance.
Perhaps an interesting note, when executing a tracert command when the ACLs are applied, the requests time out after they reach the DC (it seems to get blocked after that).
It will be blocked because your outbound ACL only allows source addresses from 192.168.0.0/23 back in. As for internet access, this is the same problem if you are not using a proxy server with a 192.168.0.x address, i.e. all the source addresses coming back into the 192.168.5.x VLAN will be blocked by your outbound ACL, i.e. ACL 150.
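To make the reply's point concrete, here is an added example (not code from either poster) that parses the two ACLs exactly as listed above and walks packets through them with Cisco's first-match, implicit-deny semantics. It assumes a constructed internet address 203.0.113.5 (from the documentation range) standing in for any web server, treats ACL 151 as filtering traffic leaving the 192.168.5.x VLAN and ACL 150 as filtering traffic returning into it (the reading the reply uses), and the extra lines 50 and 20 it appends are hypothetical: the poster's own "permit ip host 192.168.5.10 any" attempt, and one possible remedy for ACL 150 that is not stated anywhere in the thread.

```python
"""Toy first-match evaluator for Cisco-style numbered extended ACLs.

Added illustration, not code from the thread. Supports only the syntax the
poster's ACLs use, plus "any":
    <seq> permit|deny <proto> <src> <dst> [eq <port>] [established] [<icmp-type>]
where an address spec is "host A.B.C.D", "A.B.C.D W.W.W.W" (wildcard) or "any".
"""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Optional, Tuple

PORT_NAMES = {"domain": 53, "www": 80}   # the two port names used in ACL 151


@dataclass(frozen=True)
class Packet:
    proto: str                       # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None
    ack: bool = False                # TCP ACK/RST set -> matches "established"
    icmp_type: Optional[str] = None


@dataclass
class Rule:
    seq: int
    action: str
    proto: str
    src: Tuple[int, int]             # (address, wildcard) as integers
    dst: Tuple[int, int]
    dport: Optional[int]
    established: bool
    icmp_type: Optional[str]


def _addr_spec(t, i):
    """Consume one address spec at t[i]; return ((addr, wildcard), next index)."""
    if t[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if t[i] == "host":
        return (int(IPv4Address(t[i + 1])), 0), i + 2
    return (int(IPv4Address(t[i])), int(IPv4Address(t[i + 1]))), i + 2


def parse_rule(line):
    t = line.split()
    seq, action, proto = int(t[0]), t[1], t[2]
    src, i = _addr_spec(t, 3)
    dst, i = _addr_spec(t, i)
    dport, established, icmp_type = None, False, None
    while i < len(t):
        if t[i] == "eq":
            dport = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
            i += 2
        elif t[i] == "established":
            established, i = True, i + 1
        else:                        # bare trailing keyword: an ICMP type
            icmp_type, i = t[i], i + 1
    return Rule(seq, action, proto, src, dst, dport, established, icmp_type)


def parse_acl(text):
    """Parse 'show access-lists' style output, skipping the header line."""
    return [parse_rule(l) for l in text.strip().splitlines() if l.strip()[0].isdigit()]


def _addr_match(spec, addr):
    net, wildcard = spec
    care = ~wildcard & 0xFFFFFFFF    # wildcard bit set = "don't care" bit
    return (int(IPv4Address(addr)) & care) == (net & care)


def rule_matches(r, p):
    if r.proto != "ip" and r.proto != p.proto:
        return False
    if not (_addr_match(r.src, p.src) and _addr_match(r.dst, p.dst)):
        return False
    if r.dport is not None and r.dport != p.dport:
        return False
    if r.established and not p.ack:
        return False
    return r.icmp_type is None or r.icmp_type == p.icmp_type


def evaluate(rules, p):
    """(action, seq) of the first matching line; ("deny", None) is the implicit deny."""
    for r in rules:
        if rule_matches(r, p):
            return r.action, r.seq
    return "deny", None


# The ACLs exactly as listed in the question.
ACL_150_OUT = """Extended IP access list 150
10 permit ip 192.168.0.0 0.0.1.255 192.168.5.0 0.0.0.255"""
ACL_151_IN = """Extended IP access list 151
10 permit tcp 192.168.5.0 0.0.0.255 192.168.0.0 0.0.1.255 established
20 permit tcp host 192.168.5.10 host 192.168.0.210 eq domain
30 permit tcp host 192.168.5.10 host 192.168.0.210 eq www
40 permit icmp 192.168.5.0 0.0.0.255 192.168.0.0 0.0.1.255 echo-reply"""

INTERNET_HOST = "203.0.113.5"        # constructed stand-in for any web server


def demo():
    acl150, acl151 = parse_acl(ACL_150_OUT), parse_acl(ACL_151_IN)
    # Hypothetical: the poster's extra line on ACL 151.
    acl151_any = acl151 + [parse_rule("50 permit ip host 192.168.5.10 any")]
    # Hypothetical remedy, not from the thread: let TCP replies back into 5.x.
    acl150_fixed = acl150 + [parse_rule("20 permit tcp any 192.168.5.0 0.0.0.255 established")]
    dns_req = Packet("tcp", "192.168.5.10", "192.168.0.210", 53)
    dns_rep = Packet("tcp", "192.168.0.210", "192.168.5.10", 49152, ack=True)
    web_req = Packet("tcp", "192.168.5.10", INTERNET_HOST, 80)
    web_rep = Packet("tcp", INTERNET_HOST, "192.168.5.10", 49153, ack=True)
    return {
        "dns_to_dc_acl151": evaluate(acl151, dns_req),          # permit, line 20
        "dns_reply_acl150": evaluate(acl150, dns_rep),          # permit, line 10
        "web_out_acl151": evaluate(acl151, web_req),            # implicit deny
        "web_out_acl151_any": evaluate(acl151_any, web_req),    # permit, line 50
        "web_reply_acl150": evaluate(acl150, web_rep),          # implicit deny: the reply's point
        "web_reply_acl150_fixed": evaluate(acl150_fixed, web_rep),  # permit, line 20
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:26} -> {result}")
```

The two results worth comparing are `web_out_acl151_any` and `web_reply_acl150`: adding "permit ip host 192.168.5.10 any" to ACL 151 lets the request out, but the reply from a non-192.168.0.x source still falls through ACL 150 to the implicit deny, which is why the poster's attempt changed nothing.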