Hello Collin,

Thanks for the reply! It is indeed correct, one of the previous administrators had migrated the network to the 192.168.0.0 255.255.254.0 range for some extra space. Do you have any ideas why it isn't working?

Thanks again,

Chris

Chris

ACL 150 is applied to the outbound interface of the gateway (gateway=192.168.5.1, which is a 2811), and ACL 151 is applied to the inbound interface:

Could you clarify what you mean by the above. Are the 2 acls applied to the same interface or different interfaces ?

Jon

Hello Jon,

I've quickly made a very simple sketch of the situation. I've marked the point where the ACLs are implemented red. This is the default gateway for the vLAN. Both of the ACLs are applied to the same interface.

Thanks again,

Chris

Chris

That's what is confusing. You wrote -

I can seem to ping the DC in the live environment ok

but your inbound acl does not permit that. It allows echo-reply but not echo-request ie.

Extended IP access list 151
    10 permit tcp 192.168.5.0 0.0.0.255 192.168.0.0 0.0.1.255 established
    20 permit tcp host 192.168.5.10 host 192.168.0.210 eq domain
    30 permit tcp host 192.168.5.10 host 192.168.0.210 eq www
    40 permit icmp 192.168.5.0 0.0.0.255 192.168.0.0 0.0.1.255 echo-reply

if acl 151 is applied inbound then this will affect traffic coming from clients on that vlan. So if you try and ping from a client on that vlan to the DC in production it should fail because of the implicit deny at the end of every acl. So it's definitely confusing.

Are you sure that -

1) acl 151 is applied inbound

2) you can ping the DC from a device on the 192.168.5.x vlan

Jon

Jon,

1) Yes, I'm sure. I just checked the config.

2) Well yes, but I forgot to explain something:

You're absolutely right; I shouldn't be able to ping the DC.

What I forgot to mention was that I (because I didn't get the ACLs to work), added a line to the inbound ACL:

"permit ip host 192.168.5.10 any". I figured that by giving one host unlimited access to our internal domain, no traffic should be blocked (this was just for testing purposes). I just tried it again, but even though it can resolve domain names just fine, I just can't seem to get a ping reply.

Perhaps an interesting note, when executing a tracert command when the ACLs are applied, the requests time out after they reach the DC (it seems to get blocked after that). That would lead me to believe to problem isn't the router. However, when I execute the same command after the ACLs are disabled, it forwards the request just fine to our ISP and I get an echo-reply. Which is weird, because I believe I granted the host unrestricted access to the network.

I'm stumped..

Chris

Jon,

I've adjusted the ACL accordingly, and it seems to work perfectly now. I guess my mistake was assuming that all the internet traffic would be labeled as traffic originating from 192.168.0.0/23, which it's not. I guess I'll be using - as you suggested - a proxy server as a workaround.

At any rate, I'd like to thank you (and the other replies) very much for all the assistance; it's greatly appreciated and you might've saved my hide

Best regards,

Chris