ACL problem with webpages

Answered Question
Sep 18th, 2006

I have the following ACL


ip access-list extended InternetIn
 permit tcp any any range 10000 20000
 permit udp any any range 10000 20000
 permit udp any any eq 5060
 permit tcp any any eq 5060
 permit tcp any any eq domain
 permit tcp any any eq ftp
 permit tcp any any eq ftp-data
 permit tcp any any eq pop3
 permit tcp any any eq smtp
 permit tcp any any eq telnet
 permit tcp any any eq www
 permit udp any any eq 80
 permit tcp any any eq 8080
 permit udp any any eq 8080
 permit tcp any any eq 22
 permit tcp any any eq 60000
 permit udp any any eq bootpc
 permit udp any any eq bootps
 permit udp any any eq domain
 permit udp any any eq nameserver
 permit icmp any any


With the following router setup:

interface FastEthernet0/1
 description Internet
 ip address 83.148.130.x 255.255.255.248
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface Dot11Radio0/2/0
 no ip address
 !
 ssid ComtekVoip
    vlan 1
    authentication open
    guest-mode
 !
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root
!
interface Dot11Radio0/2/0.1
 encapsulation dot1Q 1 native
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface Vlan1
 description Phone Network
 no ip address
 ip virtual-reassembly
 bridge-group 1
!
interface BVI1
 ip address 192.168.20.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!


Without the ACL applied to fa0/1 inbound, I can browse the internet fine.


However, when I do apply it, webpages stop working. I believed the only port I needed to allow in the ACL was port 80 for TCP. I added the other few port 80's and 8080's trying to get it working. Is there anything I'm missing, or should my setup work?


I think that the ACL is blocking something with the implicit deny all. But what?


Thanks for looking.

Correct Answer
lgijssel Mon, 09/18/2006 - 03:47

You say you are applying the acl in inbound direction, i.e. access-group InternetIn in.

However, fa0/1 is your outbound interface which means that the order of source & dest is wrong. Try to apply the acl to int BVI1 in inbound direction or outbound on fa0/1.


Regards,

Leo
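To make the direction point concrete, here is an added example (not code from the thread or from Cisco): a small matcher for the eq/range entries used in the InternetIn list above. Applied inbound on fa0/1 the router evaluates the web server's reply, whose destination port is the client's ephemeral port, so "permit tcp any any eq www" never matches and the packet hits the implicit deny; applied outbound on fa0/1 (or inbound on BVI1) it evaluates the request, whose destination port is 80. Addresses, the ephemeral port 3001 and the ACL subset are constructed.

```python
from collections import namedtuple

# Port names as IOS resolves them (constructed subset of the keyword table).
NAMES = {"www": 80, "domain": 53, "ftp": 21, "ftp-data": 20, "pop3": 110,
         "smtp": 25, "telnet": 23, "bootpc": 68, "bootps": 67, "nameserver": 42}

Packet = namedtuple("Packet", "proto sport dport")  # constructed packet model

def parse_ace(line):
    """Parse 'permit tcp any any eq www', '... range 10000 20000' or 'permit icmp any any'."""
    t = line.split()
    action, proto = t[0], t[1]
    lo = hi = None
    if len(t) > 4:
        if t[4] == "eq":
            lo = hi = NAMES.get(t[5]) or int(t[5])
        elif t[4] == "range":
            lo, hi = int(t[5]), int(t[6])
    return action, proto, lo, hi

def evaluate(acl_text, pkt):
    """First matching ACE wins; no match falls through to the implicit deny."""
    for line in acl_text.strip().splitlines():
        action, proto, lo, hi = parse_ace(line)
        if proto != pkt.proto:
            continue
        # A port qualifier written after 'any any' applies to the DESTINATION port.
        if lo is None or lo <= pkt.dport <= hi:
            return action
    return "deny (implicit)"

# Subset of the InternetIn list from the question (same syntax, fewer lines).
INTERNET_IN = """
permit tcp any any range 10000 20000
permit udp any any range 10000 20000
permit tcp any any eq www
permit udp any any eq 80
permit tcp any any eq 8080
permit icmp any any
"""

# Inbound on fa0/1 the router sees the server's REPLY: sport 80, dport = client's
# (or PAT-translated) ephemeral port, constructed here as 3001.
reply = Packet("tcp", 80, 3001)
# Outbound on fa0/1, or inbound on BVI1, it sees the client's REQUEST.
request = Packet("tcp", 3001, 80)

if __name__ == "__main__":
    print("reply inbound on fa0/1:", evaluate(INTERNET_IN, reply))    # deny (implicit)
    print("request outbound      :", evaluate(INTERNET_IN, request))  # permit
```

Note that a reply whose ephemeral destination port happens to fall in 10000-20000 is permitted by the range entry, which is why browsing may work intermittently depending on the client's port allocation. Moving the list as Leo suggests leaves inbound traffic on fa0/1 unfiltered; letting only return traffic back in is what the extended ACL "established" keyword or IOS stateful inspection is for.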

d.bigerstaff Mon, 09/18/2006 - 04:41

Thanks Leo,


I think I was forgetting the first lessons on ACLs with extended lists being close to source, and standard ACLs close to destination.


I think I was trying to use the extended ACL as a kind of firewall.


I would have thought that the extended ACL would work where I initially placed it, even if it wasn't best practice.


Thanks again.
