
Cisco 805 access-lists

Aug 3rd, 2006

I have configured a Cisco 805 router as an Internet gateway and it works fine without any access-lists. With the following access-lists there is no Internet connection:


access-list 101 permit tcp any 192.168.1.0 0.0.0.255 established

access-list 101 deny ip any any

access-list 102 permit ip 192.168.1.0 0.0.0.255 any

access-list 102 deny ip any any


serial0.1

ip access-group 101 in

ip access-group 101 out


What is wrong with my access lists?




farkascsgy Thu, 08/03/2006 - 06:03

Hi,


Where do you implement the NAT? It can happen that the destination address of your packets is not your private IP as you think.

Please change the destination address to your public IP address range and I hope it will work well.


I think you wanted to write this:

serial0.1

ip access-group 101 in

ip access-group 102 out



bye

FCS


Please rate me if I helped.

desai.jaideep Thu, 08/03/2006 - 06:17

Hi


Why do you want to impose above access-lists?



Regards


JD

farkascsgy Thu, 08/03/2006 - 06:27

Hi,


To improve the security of your router, set an ACL on the vty lines instead of the Serial interface. And use SSH instead of telnet if you can. If somebody wants to attack your device, the destination IP will be the same as the one you set in the ACL -> so every attacker will be allowed to reach your net.


bye

FCS


Please rate me if I helped.

Richard Burts Thu, 08/03/2006 - 06:55
I am not sure if the original post has a typo or whether it is really the config. It has this:

access-list 101 permit tcp any 192.168.1.0 0.0.0.255 established

access-list 101 deny ip any any

serial0.1

ip access-group 101 in

ip access-group 101 out


This has the same access list applied in and out. The only traffic which would satisfy this is traffic going to 192.168.1.0 outside and going to 192.168.1.0 inside and which is established. Nothing satisfies these conditions. So all traffic gets denied.


I suspect that the intention was to apply 101 inbound and to apply 102 outbound.


HTH


Rick

mjagos Thu, 08/03/2006 - 18:30

Hi,


The access-lists applied this way (the same one in and out) will block everything.


ACL 102, if applied out, seems to work for your internal network 192.168.1.0/24, but if you also want to protect your network from the Internet and apply an inbound ACL, this should do:



access-list 101 permit tcp any any established !only inside originated TCP traffic

access-list 101 permit udp any any eq 53 !DNS

!access-list 101 deny ip any any !you don't need to put the deny statement, it's there by default


M.
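A small evaluator for the ACL logic discussed in this thread, added here as an example and not posted by anyone in the thread: it parses numbered extended ACL lines as written above (the original lists and M.'s inbound list), applies Cisco wildcard-mask matching, the `established` keyword (TCP with ACK or RST set) and the implicit deny, and runs the same constructed packets through the as-posted arrangement (101 in and out) and the 101-in/102-out arrangement Rick suspects was intended. It assumes no NAT on serial0.1, so the ACLs see the private addresses; the packets and public addresses are constructed.

```python
import ipaddress

def wildcard_match(addr, base, wildcard):
    # Cisco wildcard mask: 0 bits must match, 1 bits are "don't care"
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return int(ipaddress.IPv4Address(addr)) & care == int(ipaddress.IPv4Address(base)) & care

def parse_acls(config):
    """Numbered extended ACL lines -> {acl_id: [(action, proto, src, dst, dport, established)]}.
    Handles 'any' and 'A.B.C.D wildcard' addresses and 'eq' after the destination only."""
    acls = {}
    for line in config.splitlines():
        toks = line.split("!")[0].split()            # '!' starts an IOS comment
        if toks[:1] != ["access-list"]: continue
        acl_id, action, proto, rest = toks[1], toks[2], toks[3], toks[4:]
        addrs = []
        for _ in range(2):                            # source, then destination
            if rest[0] == "any":
                addrs.append(("0.0.0.0", "255.255.255.255")); rest = rest[1:]
            else:
                addrs.append((rest[0], rest[1])); rest = rest[2:]
        port = int(rest[rest.index("eq") + 1]) if "eq" in rest else None   # destination port
        acls.setdefault(acl_id, []).append((action, proto, *addrs, port, "established" in rest))
    return acls

def evaluate(aces, pkt):
    """pkt = (proto, src, dst, dport, ack_or_rst). First match wins; no match = implicit deny."""
    proto, src, dst, dport, ack_or_rst = pkt
    for action, p, s, d, port, established in aces:
        if p not in ("ip", proto): continue
        if not (wildcard_match(src, *s) and wildcard_match(dst, *d)): continue
        if port is not None and dport != port: continue
        if established and not (proto == "tcp" and ack_or_rst): continue   # needs ACK or RST
        return action
    return "deny"
OP_CONFIG = """
access-list 101 permit tcp any 192.168.1.0 0.0.0.255 established
access-list 101 deny ip any any
access-list 102 permit ip 192.168.1.0 0.0.0.255 any
access-list 102 deny ip any any
"""
# Constructed packets crossing serial0.1; no NAT assumed, so the ACLs see the private addresses
SYN_OUT = ("tcp", "192.168.1.10", "203.0.113.5", 80, False)        # LAN host opens a session
SYNACK_IN = ("tcp", "203.0.113.5", "192.168.1.10", 40000, True)    # the server's reply
SYN_IN = ("tcp", "198.51.100.7", "192.168.1.10", 23, False)        # unsolicited from the Internet

def verdicts(config, in_acl, out_acl):
    acls = parse_acls(config)
    return {name: evaluate(acls[acl], pkt) for name, acl, pkt in
            [("syn_out", out_acl, SYN_OUT), ("synack_in", in_acl, SYNACK_IN), ("syn_in", in_acl, SYN_IN)]}
```

`verdicts(OP_CONFIG, "101", "101")` denies the outbound SYN (101's destination never matches traffic leaving the LAN), while `verdicts(OP_CONFIG, "101", "102")` permits it, permits the reply and denies the unsolicited inbound SYN. Running M.'s inbound list through `evaluate` also shows that `eq 53` after the destination address matches destination port 53, so it admits unsolicited UDP to port 53 on the LAN and does not match a DNS reply (source port 53, ephemeral destination port).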

