08-03-2006 05:53 AM - edited 03-03-2019 01:32 PM
I have configured a Cisco 805 router as an Internet gateway and it works fine without any access-lists. With the following access-lists there is no Internet connection:
access-list 101 permit tcp any 192.168.1.0 0.0.0.255 established
access-list 101 deny ip any any
access-list 102 permit ip 192.168.1.0 0.0.0.255 any
access-list 102 deny ip any any
serial0.1
ip access-group 101 in
ip access-group 101 out
What is wrong with my access lists?
08-03-2006 06:03 AM
Hi,
Where do you implement the NAT? It can happen that the destination address of your packets is not your private IP as you think.
Please change the destination address to your public IP address range and I hope it will work well.
I think you wanted to write this:
serial0.1
ip access-group 101 in
ip access-group 102 out
bye
FCS
Please rate me if I helped.
08-03-2006 06:17 AM
Hi
Why do you want to impose above access-lists?
Regards
JD
08-03-2006 06:27 AM
Hi,
To improve the security of your router, set an ACL on the vty lines instead of the Serial interface. And use SSH instead of telnet if you can. If somebody wants to attack your device, the destination IP will be the same as the one you set in the ACL -> so every attacker will be allowed to reach your net.
bye
FCS
Please rate me if I helped.
08-03-2006 06:55 AM
I am not sure if the original post has a typo or whether it is really the config. It has this:
access-list 101 permit tcp any 192.168.1.0 0.0.0.255 established
access-list 101 deny ip any any
serial0.1
ip access-group 101 in
ip access-group 101 out
This has the same access list applied in and out. The only traffic which would satisfy this is traffic going to 192.168.1.0 outside and going to 192.168.1.0 inside and which is established. Nothing satisfies these conditions. So all traffic gets denied.
I suspect that the intention was to apply 101 inbound and to apply 102 outbound.
HTH
Rick
08-03-2006 06:30 PM
Hi,
The access-lists applied this way (the same one in and out) will block everything.
The ACL 102, if applied out, seems to work for your internal network 192.168.1.0/24, but if you also try to protect your network from the Internet and apply an inbound ACL, this should do:
access-list 101 permit tcp any any established !only inside originated TCP traffic
access-list 101 permit udp any any eq 53 !DNS
!access-list 101 deny ip any any !you don't need to put the deny statement, it's there by default
M.
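The following is an added example, not code from any poster in this thread: a small simulator of IOS extended-ACL evaluation (first match wins, implicit deny at the end, `established` matching only TCP segments with ACK or RST set) run against the ACL lines quoted in the posts above. It illustrates two points from the thread: Rick's observation that ACL 101 applied both in and out on serial0.1 passes nothing, and FCS's point that on the outside interface of a NAT router the inbound ACL sees the public address as destination, so a rule whose destination is 192.168.1.0/24 never matches a reply. The addresses (a public address 203.0.113.10 for serial0.1, a LAN host 192.168.1.10, and remote servers in 198.51.100.0/24) and the packets are constructed for the example. The model is deliberately simplified: only the inbound destination translation is modelled; the outbound ACL is checked against the packet as the LAN host sent it, and where the outbound ACL sits relative to NAT is not modelled. The `ACL_101_DNS_FIXED` variant with a source-port rule is also my addition, not something posted in the thread.

```python
"""IOS extended-ACL evaluation, simulated (added example, not from the thread)."""
import ipaddress
from dataclasses import dataclass

# Constructed addresses for the example; none of them appear in the thread.
PUBLIC_IP = "203.0.113.10"    # assumed global address of serial0.1 (NAT overload)
LAN_HOST = "192.168.1.10"     # a host behind the router
WEB_SERVER = "198.51.100.5"
DNS_SERVER = "198.51.100.53"


@dataclass
class Packet:
    proto: str                       # "tcp" or "udp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    flags: frozenset = frozenset()   # TCP flags, e.g. {"SYN"} or {"SYN", "ACK"}


def _parse_addr(tokens):
    """Consume one address spec: 'any', 'host A.B.C.D', or 'A.B.C.D wildcard'."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    # A Cisco wildcard mask is a host mask, which ipaddress accepts directly.
    return ipaddress.ip_network(f"{tok}/{tokens.pop(0)}", strict=False)


def _take_port(tokens):
    """Consume an optional 'eq <port>' qualifier."""
    if tokens and tokens[0] == "eq":
        tokens.pop(0)
        return int(tokens.pop(0))
    return None


def parse_rule(line):
    """Parse 'access-list N permit|deny proto src [eq p] dst [eq p] [established]'."""
    line = line.split("!")[0].strip()        # strip trailing IOS comments
    if not line:
        return None
    tokens = line.split()
    assert tokens[0] == "access-list", line
    rule = {"acl": tokens[1], "action": tokens[2], "proto": tokens[3]}
    rest = tokens[4:]
    rule["src"] = _parse_addr(rest)
    rule["sport"] = _take_port(rest)         # 'eq' after the source = source port
    rule["dst"] = _parse_addr(rest)
    rule["dport"] = _take_port(rest)         # 'eq' after the destination = destination port
    rule["established"] = "established" in rest
    return rule


def matches(rule, pkt):
    if rule["proto"] != "ip" and rule["proto"] != pkt.proto:
        return False
    if ipaddress.ip_address(pkt.src) not in rule["src"]:
        return False
    if ipaddress.ip_address(pkt.dst) not in rule["dst"]:
        return False
    if rule["sport"] is not None and pkt.sport != rule["sport"]:
        return False
    if rule["dport"] is not None and pkt.dport != rule["dport"]:
        return False
    # 'established' matches only TCP segments with ACK or RST set, never a bare SYN.
    if rule["established"] and not (pkt.flags & {"ACK", "RST"}):
        return False
    return True


def evaluate(acl_text, pkt):
    """First matching entry wins; an IOS ACL ends with an implicit 'deny ip any any'."""
    for rule in filter(None, map(parse_rule, acl_text.splitlines())):
        if matches(rule, pkt):
            return rule["action"]
    return "deny"


def session_allowed(acl_in, acl_out, outbound, reply):
    """A LAN-originated session survives only if the outbound packet passes the
    outbound ACL and the reply passes the inbound ACL. With NAT on this router the
    inbound ACL on serial0.1 is checked before translation, so the reply's
    destination is PUBLIC_IP, not the 192.168.1.x host (the FCS point)."""
    return evaluate(acl_out, outbound) == "permit" and evaluate(acl_in, reply) == "permit"


# ACL text copied from the posts above (comments after '!' are M.'s).
ACL_101_ORIG = """
access-list 101 permit tcp any 192.168.1.0 0.0.0.255 established
access-list 101 deny ip any any
"""
ACL_102 = """
access-list 102 permit ip 192.168.1.0 0.0.0.255 any
access-list 102 deny ip any any
"""
ACL_101_M = """
access-list 101 permit tcp any any established !only inside originated TCP traffic
access-list 101 permit udp any any eq 53 !DNS
"""
# Added variant (not from the thread): match DNS replies by their SOURCE port 53.
ACL_101_DNS_FIXED = "access-list 101 permit udp any eq 53 any\n"

# Constructed traffic: an HTTP session, a DNS exchange, and an unsolicited inbound SYN.
HTTP_SYN = Packet("tcp", LAN_HOST, WEB_SERVER, 40000, 80, frozenset({"SYN"}))
HTTP_SYNACK = Packet("tcp", WEB_SERVER, PUBLIC_IP, 80, 40000, frozenset({"SYN", "ACK"}))
DNS_REPLY = Packet("udp", DNS_SERVER, PUBLIC_IP, 53, 40001)
UNSOLICITED_SYN = Packet("tcp", "198.51.100.77", PUBLIC_IP, 50000, 22, frozenset({"SYN"}))


def results():
    return {
        "original: 101 in, 101 out": session_allowed(ACL_101_ORIG, ACL_101_ORIG, HTTP_SYN, HTTP_SYNACK),
        "101 in, 102 out": session_allowed(ACL_101_ORIG, ACL_102, HTTP_SYN, HTTP_SYNACK),
        "M. inbound, 102 out": session_allowed(ACL_101_M, ACL_102, HTTP_SYN, HTTP_SYNACK),
        "M. inbound, DNS reply": evaluate(ACL_101_M, DNS_REPLY),
        "M. inbound, unsolicited SYN": evaluate(ACL_101_M, UNSOLICITED_SYN),
        "source-port rule, DNS reply": evaluate(ACL_101_DNS_FIXED, DNS_REPLY),
    }


if __name__ == "__main__":
    for name, outcome in results().items():
        print(f"{name:32} -> {outcome}")
```

Running it shows the original configuration passing nothing (the outbound SYN has neither the `established` bit pattern nor a 192.168.1.x destination), and the "101 in, 102 out" correction still failing because the SYN-ACK arrives with the public address as its destination. With M.'s inbound list the HTTP session is allowed and the unsolicited SYN is dropped by the implicit deny. Note what the simulation says about the DNS line: `permit udp any any eq 53` matches packets whose destination port is 53, but a reply from an external resolver arrives from source port 53 to an ephemeral destination port, so that entry does not match the reply; a rule keyed on the source port (`permit udp any eq 53 any`, the added variant) does. Whichever form you choose, keep inbound rules on the outside interface written in terms of the public address, as FCS advised, and do not forget that `established` only checks flag bits, not connection state.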