access list issues

Nov 7th, 2005
I am running a 3005 behind a router with a T1 WIC. My syslog box is showing traffic being denied by the ACL, although I thought I had it set up to allow any traffic to 66.89.100.69. The external address of the 3005 is 66.89.100.69, which is being NATed to 10.236.47.230.

Below is my config.

!
interface Loopback0
 ip address 66.89.110.65 255.255.255.248
!
interface Ethernet0/0
 no ip address
!
interface Ethernet0/0.10
 encapsulation dot1Q 10
 ip address 10.236.47.253 255.255.240.0
 ip nat inside
!
interface Ethernet0/0.20
 encapsulation dot1Q 20
 ip address 10.236.63.240 255.255.240.0
 ip nat inside
!
interface Serial0/0
 bandwidth 1544
 ip address 67.106.46.14 255.255.255.252
 ip access-group sdm_s0/0_in in
 ip nat outside
 encapsulation ppp
 service-module t1 timeslots 1-24
!
interface Ethernet0/1
 ip address 10.0.3.240 255.255.255.0 secondary
 ip address 10.0.9.240 255.255.255.0
 ip nat inside
 shutdown
!
ip nat inside source static 10.236.47.230 66.89.100.69
ip nat inside source static 10.236.48.10 66.89.110.67
!
ip access-list extended sdm_s0/0_in
 permit tcp any eq 5080 host 10.0.1.75 log
 permit tcp any eq 5080 host 66.89.110.67 log
 permit tcp any eq 1099 host 66.89.110.67 log
 permit tcp any eq 1099 host 10.0.1.75 log
 permit ip host 161.165.202.24 any log
 permit ip host 161.165.202.26 any log
 permit ip host 161.165.202.28 any log
 permit ip host 161.165.202.25 any log
 permit ip host 161.165.202.27 any log
 permit ip host 161.165.202.29 any log
 permit tcp any host 10.236.47.230 log
 permit ip any host 10.236.47.230 log
 permit udp any host 10.236.47.230 log
 permit ip any host 66.89.100.69 log
 permit tcp any host 66.89.100.69 log
 permit udp any host 66.89.100.69 log
 deny ip any any log
 deny tcp any any log
logging facility auth
logging source-interface Ethernet0/0.10
logging 10.252.1.31
access-list 1 permit any
!
Richard Burts Mon, 11/07/2005 - 13:16
Adam

It certainly looks to me like the access list should permit traffic to the address, since there are permit ip any host entries that include both its inside and outside addresses.

The good news is that the deny statements include the log option, so there should be log messages which show information about what is denied. If you would post some of these log messages, we might be able to find what is causing them to be denied.

HTH

Rick
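The check Rick is asking for can be done offline once the log messages are in hand: take each denied flow from the syslog line and walk it through the ACL exactly as IOS does (top to bottom, first match wins, implicit deny at the end) to see which entry it hit. The Python below is an added example, not code from the thread or from Cisco. It parses the ACL as posted, and the syslog lines it runs over are constructed samples in the %SEC-6-IPACCESSLOGP format that IOS uses for named-ACL log entries that carry port numbers (the surrounding timestamp and hostname are ignored). One thing it makes visible that the plain config does not: in `permit tcp any eq 5080 host ...` the `eq 5080` sits after the source, so it qualifies the source port, not the destination port.

```python
"""Replay Cisco IOS ACL log entries against a named extended ACL.

Added example, not from the original thread. Evaluates flows with IOS
first-match semantics and reports which access-list entry each flow hits.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# The ACL entries exactly as posted in the question.
ACL_TEXT = """\
permit tcp any eq 5080 host 10.0.1.75 log
permit tcp any eq 5080 host 66.89.110.67 log
permit tcp any eq 1099 host 66.89.110.67 log
permit tcp any eq 1099 host 10.0.1.75 log
permit ip host 161.165.202.24 any log
permit ip host 161.165.202.26 any log
permit ip host 161.165.202.28 any log
permit ip host 161.165.202.25 any log
permit ip host 161.165.202.27 any log
permit ip host 161.165.202.29 any log
permit tcp any host 10.236.47.230 log
permit ip any host 10.236.47.230 log
permit udp any host 10.236.47.230 log
permit ip any host 66.89.100.69 log
permit tcp any host 66.89.100.69 log
permit udp any host 66.89.100.69 log
deny ip any any log
deny tcp any any log
"""

# Constructed sample syslog lines (not from the poster's syslog box).
SAMPLE_LOGS = [
    "Nov  7 13:00:01 rtr 12: %SEC-6-IPACCESSLOGP: list sdm_s0/0_in denied tcp "
    "203.0.113.5(40000) -> 66.89.110.67(5080), 1 packet",
    "Nov  7 13:00:02 rtr 13: %SEC-6-IPACCESSLOGP: list sdm_s0/0_in permitted tcp "
    "198.51.100.9(5080) -> 66.89.110.67(443), 1 packet",
    "Nov  7 13:00:03 rtr 14: %SEC-6-IPACCESSLOGP: list sdm_s0/0_in permitted udp "
    "198.51.100.9(53) -> 66.89.100.69(500), 1 packet",
]


@dataclass
class Ace:
    action: str
    proto: str
    src: ipaddress.IPv4Network
    sport: Optional[int]
    dst: ipaddress.IPv4Network
    dport: Optional[int]
    text: str


def _take_addr(tokens):
    """Consume one address spec (any | host A | A WILDCARD) plus an optional 'eq PORT'."""
    kw = tokens.pop(0)
    if kw == "any":
        net = ipaddress.ip_network("0.0.0.0/0")
    elif kw == "host":
        net = ipaddress.ip_network(tokens.pop(0) + "/32")
    else:
        # "A.B.C.D W.X.Y.Z": ipaddress accepts an IOS wildcard as a hostmask.
        net = ipaddress.ip_network(kw + "/" + tokens.pop(0), strict=False)
    port = None
    if tokens and tokens[0] == "eq":
        tokens.pop(0)
        port = int(tokens.pop(0))
    return net, port


def parse_acl(text):
    """Parse 'permit|deny PROTO SRC [eq P] DST [eq P] [log]' lines into Ace objects."""
    aces = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        tokens = line.split()
        action, proto, rest = tokens[0], tokens[1], tokens[2:]
        src, sport = _take_addr(rest)
        dst, dport = _take_addr(rest)
        aces.append(Ace(action, proto, src, sport, dst, dport, line))
    return aces


ACL = parse_acl(ACL_TEXT)


def first_match(aces, proto, src_ip, sport, dst_ip, dport):
    """Return (1-based index, Ace) of the first matching entry, or None for the implicit deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for i, ace in enumerate(aces, 1):
        if ace.proto not in ("ip", proto):
            continue
        if s not in ace.src or d not in ace.dst:
            continue
        if ace.sport is not None and ace.sport != sport:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return i, ace
    return None


LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (\S+) (permitted|denied) (tcp|udp) "
    r"(\d+\.\d+\.\d+\.\d+)\((\d+)\) -> (\d+\.\d+\.\d+\.\d+)\((\d+)\)"
)


def explain(log_line, aces=ACL):
    """Map one IPACCESSLOGP line to (entry number, entry text); None if the line is not one."""
    m = LOG_RE.search(log_line)
    if not m:
        return None
    _name, _verdict, proto, src, sport, dst, dport = m.groups()
    hit = first_match(aces, proto, src, int(sport), dst, int(dport))
    if hit is None:
        return (None, "implicit deny")
    return (hit[0], hit[1].text)


if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        print(explain(line))
```

Run as-is, the first sample (a client on an ephemeral port connecting to 66.89.110.67 on 5080) falls all the way through to entry 17, `deny ip any any log`, because entries 1 and 2 only match when the source port is 5080; the second sample matches entry 2 for exactly that reason, and the UDP flow to 66.89.100.69 is caught by entry 14, `permit ip any host 66.89.100.69 log`, before the protocol-specific lines below it are ever consulted.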