Cisco 805 access-lists

aleksa1408
Level 1

I have configured Cisco 805 router as Internet gateway and it works fine without any access-lists. With following access-lists there is no Internet connection:

access-list 101 permit tcp any 192.168.1.0 0.0.0.255 established

access-list 101 deny ip any any

access-list 102 permit ip 192.168.1.0 0.0.0.255 any

access-list 102 deny ip any any

serial0.1

ip access-group 101 in

ip access-group 101 out

What is wrong with my access lists?

5 Replies

farkascsgy
Level 4

Hi,

Where do you implement the NAT? It can happen that the destination address of your packets is not your private IP as you think.

Please change the destination address to your public IP address range and I hope it will work well.

I think you wanted to write this:

serial0.1

ip access-group 101 in

ip access-group 102 out

bye

FCS

Please rate me if I helped.

desai.jaideep
Level 5

Hi

Why do you want to impose above access-lists?

Regards

JD

Hi,

To improve the security of your router, set an ACL on the vty lines instead of the Serial interface. And use SSH instead of telnet if you can. If somebody wants to attack your device, the destination IP will be the same as you set in the ACL, so every attacker will be allowed to reach your net.

bye

FCS

Please rate me if I helped.

I am not sure if the original post has a typo or whether it is really the config. It has this:

access-list 101 permit tcp any 192.168.1.0 0.0.0.255 established

access-list 101 deny ip any any

serial0.1

ip access-group 101 in

ip access-group 101 out

This has the same access list applied in and out. The only traffic which would satisfy this is traffic going to 192.168.1.0 outside and going to 192.168.1.0 inside and which is established. Nothing satisfies these conditions. So all traffic gets denied.

I suspect that the intention was to apply 101 inbound and to apply 102 outbound.

HTH

Rick


mjagos
Level 1

Hi,

The access-lists applied this way (the same one in and out) will block everything.

ACL 102, if applied out, seems to work for your internal network 192.168.1.0/24, but if you also want to protect your network from the internet and apply an inbound ACL, this should do:

! only inside-originated TCP traffic
access-list 101 permit tcp any any established

! DNS
access-list 101 permit udp any any eq 53

! you don't need to put the deny statement, it's there by default:
! access-list 101 deny ip any any

M.
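To make Rick's point (the same list applied in and out matches nothing, because the outgoing SYN is not "established" and is not addressed to 192.168.1.0/24), farkascsgy's NAT point (on serial0.1 the reply still carries the public address, so a list written against 192.168.1.0/24 does not match it) and the behaviour of the inbound list in the reply above concrete, here is a small simulator of Cisco-style extended ACL evaluation. It is an added example, not code from this thread or from Cisco, and it simplifies: `established` is treated as "TCP with ACK or RST set", only `eq` port tests are parsed, and every address, port and the public IP 203.0.113.1 are constructed values from the documentation ranges.

```python
"""Simulator for the Cisco-style extended ACLs discussed in this thread.
Added example, not code from the thread or from Cisco. It models only the
syntax the replies use: permit/deny, protocols ip/tcp/udp, wildcard-mask and
host/any address specs, an optional 'eq <port>' after source or destination,
'established' (treated as "TCP with ACK or RST set"), '!' comment lines and
the implicit 'deny ip any any' at the end of every list."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp" or "udp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    ack: bool = False   # ACK or RST flag set, which is what 'established' matches


def _match_addr(t, i, addr):
    """Consume an address spec at t[i]; return (matched, index after it)."""
    if t[i] == "any":
        return True, i + 1
    if t[i] == "host":
        return addr == t[i + 1], i + 2
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(t[i]))
    w = int(ipaddress.IPv4Address(t[i + 1]))
    # Wildcard mask: 0 bits must match, 1 bits are "don't care".
    return (a & ~w) == (n & ~w), i + 2


def _match_port(t, i, port):
    """Consume an optional 'eq <port>' at t[i]; return (matched, next index)."""
    if i < len(t) and t[i] == "eq":
        return port == int(t[i + 1]), i + 2
    return True, i


def _entry_matches(entry, pkt):
    # access-list <n> <permit|deny> <proto> <src> [eq p] <dst> [eq p] [established]
    t = entry.split()
    if t[3] != "ip" and t[3] != pkt.proto:
        return False
    ok, i = _match_addr(t, 4, pkt.src)
    if ok:
        ok, i = _match_port(t, i, pkt.sport)
    if ok:
        ok, i = _match_addr(t, i, pkt.dst)
    if ok:
        ok, i = _match_port(t, i, pkt.dport)
    if ok and "established" in t[i:]:
        ok = pkt.proto == "tcp" and pkt.ack
    return ok


def evaluate(acl, pkt):
    """First matching entry wins; anything unmatched hits the implicit deny."""
    for entry in acl:
        entry = entry.strip()
        if not entry or entry.startswith("!"):
            continue
        if _entry_matches(entry, pkt):
            return entry.split()[2]
    return "deny"


def session_allowed(request, reply, acl_out, acl_in):
    # A session needs the request permitted 'out' and the reply permitted 'in'.
    return evaluate(acl_out, request) == "permit" and evaluate(acl_in, reply) == "permit"


# The lists from the original post, and the inbound list from the reply above.
ACL_101 = ["access-list 101 permit tcp any 192.168.1.0 0.0.0.255 established",
           "access-list 101 deny ip any any"]
ACL_102 = ["access-list 102 permit ip 192.168.1.0 0.0.0.255 any",
           "access-list 102 deny ip any any"]
ACL_101_DNS = ["access-list 101 permit tcp any any established",
               "access-list 101 permit udp any any eq 53"]

# Constructed traffic: an inside host opens an HTTP session and the server
# answers with ACK set; a resolver answers from port 53 to a client port.
HTTP_SYN = Packet("tcp", "192.168.1.10", "198.51.100.5", 40000, 80, ack=False)
HTTP_REPLY = Packet("tcp", "198.51.100.5", "192.168.1.10", 80, 40000, ack=True)
DNS_REPLY = Packet("udp", "198.51.100.53", "192.168.1.10", 53, 53000)


def original_config():
    # 101 in and 101 out: the SYN is not 'established', so it dies on the way out.
    return session_allowed(HTTP_SYN, HTTP_REPLY, ACL_101, ACL_101)


def corrected_config():
    # 102 out lets the inside network start sessions; 101 in admits the replies.
    return session_allowed(HTTP_SYN, HTTP_REPLY, ACL_102, ACL_101)


def dns_reply_verdicts():
    # 'eq 53' written after the destination tests the destination port; a reply
    # from port 53 to a high client port matches only the source-port form.
    source_port_form = ["access-list 101 permit udp any eq 53 any"]
    return evaluate(ACL_101_DNS, DNS_REPLY), evaluate(source_port_form, DNS_REPLY)


def reply_before_nat():
    # On serial0.1 the reply is still addressed to the public IP (constructed
    # 203.0.113.1), which 101's 192.168.1.0/24 destination never matches.
    reply = Packet("tcp", "198.51.100.5", "203.0.113.1", 80, 40000, ack=True)
    return evaluate(ACL_101, reply)
```

Running `original_config()` and `corrected_config()` reproduces the thread's diagnosis: the original in/out placement allows no session, while 102 out and 101 in allow the HTTP exchange. `dns_reply_verdicts()` is worth checking before copying any `eq` line: the port test applies to whichever address it follows, so the verdict changes with its position. `reply_before_nat()` shows why the destination range in an inbound list on the outside interface has to be the address the packet actually carries there.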
