ACL from old router to new

Unanswered Question
Feb 28th, 2006

Hi, I had a 2551 router with the following ACL, and now the new 1841 does not seem to take the established ACL. I am trying to block things coming in, but allow anyone to go out.

access-list 101 permit icmp any any
access-list 101 permit udp any eq domain any
access-list 101 permit tcp any eq domain any
access-list 101 permit tcp any any established
access-list 101 permit tcp any eq smtp any
access-list 101 permit tcp any eq 443 any
access-list 101 permit tcp any eq 995 any
access-list 101 permit tcp any eq pop3 any
access-list 101 permit tcp any eq www any
access-list 101 permit tcp any eq ftp any
access-list 101 permit tcp any eq ftp-data any
deny ip any any

This is applied to my internet interface to block incoming traffic from the internet. I need a simple ACL to allow all internal users access out to the internet without having to worry about making ACLs for their use of FTP, NNTP, AIM and such.

Is this possible or do I need to make one for every protocol?

If I don't have the established in, users cannot download via FTP and such. If I have it in they can, but it also allows other stuff.

Thanks,


pkhatri Wed, 03/01/2006 - 02:09

Hi,

I tried the above on my 1841 and it works perfectly. The only problem I see is your last line, which does not have the full 'access-list 101' command (which you don't really need, because of the implicit deny at the end of the ACL).

Try the following:

access-list 101 permit icmp any any
access-list 101 permit udp any eq domain any
access-list 101 permit tcp any eq domain any
access-list 101 permit tcp any any established
access-list 101 permit tcp any eq smtp any
access-list 101 permit tcp any eq 443 any
access-list 101 permit tcp any eq 995 any
access-list 101 permit tcp any eq pop3 any
access-list 101 permit tcp any eq www any
access-list 101 permit tcp any eq ftp any
access-list 101 permit tcp any eq ftp-data any
access-list 101 deny ip any any


Hope that helps - pls rate the post if it does.

Paresh
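The `established` keyword and the source-port permits in the list above are stateless matches on header fields, which is why the original poster sees "other stuff" getting through. As an added example (not code from the thread), this Python evaluator parses the posted ACL exactly as written and shows which constructed inbound packets it permits; the packet tuples and port numbers are assumptions for illustration.

```python
# Added example, not from the thread: a minimal evaluator for the extended ACL
# above as applied inbound on the internet interface (source = internet host,
# destination = internal host). The sample packets are constructed.
import re

ACL = """\
access-list 101 permit icmp any any
access-list 101 permit udp any eq domain any
access-list 101 permit tcp any eq domain any
access-list 101 permit tcp any any established
access-list 101 permit tcp any eq smtp any
access-list 101 permit tcp any eq 443 any
access-list 101 permit tcp any eq 995 any
access-list 101 permit tcp any eq pop3 any
access-list 101 permit tcp any eq www any
access-list 101 permit tcp any eq ftp any
access-list 101 permit tcp any eq ftp-data any
access-list 101 deny ip any any"""
PORTS = {"domain": 53, "smtp": 25, "pop3": 110, "www": 80, "ftp": 21, "ftp-data": 20}
RULE = re.compile(r"access-list 101 (\w+) (\S+) any(?: eq (\S+))? any(?: eq (\S+))?( established)?$")

def port(name):
    return None if name is None else PORTS.get(name) or int(name)

def parse(text):
    rules = []
    for line in text.splitlines():      # only the "any ... any" form used in the thread
        action, proto, sport, dport, est = RULE.match(line).groups()
        rules.append((action, proto, port(sport), port(dport), est is not None))
    return rules

def evaluate(rules, proto, sport, dport, flags=()):
    """First match wins. 'established' only tests the ACK or RST bit of the
    TCP header; the router keeps no session table, so the check is stateless."""
    for action, r_proto, r_sport, r_dport, est in rules:
        if r_proto not in ("ip", proto):
            continue
        if r_sport not in (None, sport) or r_dport not in (None, dport):
            continue
        if est and not {"ACK", "RST"} & set(flags):
            continue
        return action
    return "deny"                       # implicit deny at the end of every ACL

RULES = parse(ACL)
SAMPLES = {                             # name: (proto, src port, dst port, flags)
    "reply to an outbound web session": ("tcp", 80, 51234, ("ACK",)),
    "unsolicited SYN to internal ssh": ("tcp", 40000, 22, ("SYN",)),
    "SYN to internal ssh sent from source port 80": ("tcp", 80, 22, ("SYN",)),
    "ACK-flagged segment to ssh with no session": ("tcp", 40000, 22, ("ACK",)),
}

def verdicts():
    return {name: evaluate(RULES, *pkt) for name, pkt in SAMPLES.items()}
```

Only the second sample is denied: the `eq www` permit admits any segment sourced from port 80, and `established` admits any ACK-flagged segment whether or not an inside host opened the session. On IOS the stateful alternatives are reflexive ACLs or CBAC (`ip inspect`), which open return paths only for sessions the inside actually initiated.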
