09-18-2006 03:37 AM - edited 03-05-2019 12:03 PM
I have the following ACL:
ip access-list extended InternetIn
 permit tcp any any range 10000 20000
 permit udp any any range 10000 20000
 permit udp any any eq 5060
 permit tcp any any eq 5060
 permit tcp any any eq domain
 permit tcp any any eq ftp
 permit tcp any any eq ftp-data
 permit tcp any any eq pop3
 permit tcp any any eq smtp
 permit tcp any any eq telnet
 permit tcp any any eq www
 permit udp any any eq 80
 permit tcp any any eq 8080
 permit udp any any eq 8080
 permit tcp any any eq 22
 permit tcp any any eq 60000
 permit udp any any eq bootpc
 permit udp any any eq bootps
 permit udp any any eq domain
 permit udp any any eq nameserver
 permit icmp any any
With the following router setup:
interface FastEthernet0/1
 description Internet
 ip address 83.148.130.x 255.255.255.248
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface Dot11Radio0/2/0
 no ip address
 !
 ssid ComtekVoip
  vlan 1
  authentication open
  guest-mode
 !
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root
!
interface Dot11Radio0/2/0.1
 encapsulation dot1Q 1 native
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface Vlan1
 description Phone Network
 no ip address
 ip virtual-reassembly
 bridge-group 1
!
interface BVI1
 ip address 192.168.20.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
Without the ACL applied to fa0/1 inbound, I can browse the internet fine.
However, when I do apply it, webpages stop working. I believed the only port I needed to allow in the ACL was port 80 for TCP. I added the other few port 80s and 8080s trying to get it working. Is there anything I'm missing, or should my setup work?
I think that the ACL is blocking something with the implicit deny all. But what?
Thanks for looking.
09-18-2006 03:47 AM
You say you are applying the acl in inbound direction, i.e. access-group InternetIn in.
However, fa0/1 is your outbound interface which means that the order of source & dest is wrong. Try to apply the acl to int BVI1 in inbound direction or outbound on fa0/1.
Regards,
Leo
09-18-2006 04:41 AM
Thanks Leo,
I think I was forgetting the first lessons on ACLs with extended lists being close to source, and standard ACLs close to destination.
I think i was trying to use the extended ACL as a kind of firewall.
I would have thought that the extended ACL would work where i initially placed it, even if it wasnt best practise.
Thanks again.
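To make Leo's point concrete, here is a small added model of how IOS evaluates an extended ACL; it is not code from this thread or from Cisco. It assumes only what the poster's list uses (any/any addresses, eq and range on the destination port) plus the implicit deny, and it goes one step past Leo's answer by also modelling the IOS established keyword, which is the usual way to let TCP replies back in when a list has to stay inbound on the Internet-facing interface. The port-80 request and its reply are constructed packets; the ephemeral port 51514 is a made-up value.

```python
"""Toy model of IOS extended-ACL matching (added example, not from the thread
or from Cisco). Assumes 'any any' addresses, eq/range on the destination port,
the 'established' keyword, and the implicit deny at the end of every list."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# IOS port names that appear in the poster's list ('nameserver' is IEN-116, UDP 42).
NAMED_PORTS = {"www": 80, "domain": 53, "ftp": 21, "ftp-data": 20, "pop3": 110,
               "smtp": 25, "telnet": 23, "bootpc": 68, "bootps": 67, "nameserver": 42}

def port_number(tok: str) -> int:
    return NAMED_PORTS[tok] if tok in NAMED_PORTS else int(tok)

@dataclass
class Packet:
    proto: str            # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0
    ack: bool = False     # TCP ACK bit, which the 'established' keyword tests

@dataclass
class Ace:
    action: str                              # "permit" or "deny"
    proto: str                               # "tcp", "udp", "icmp" or "ip"
    dport: Optional[Tuple[int, int]] = None  # inclusive destination-port range
    established: bool = False

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        # eq/range written after the destination address constrain the DESTINATION
        # port; the packet's source port is never looked at by these entries.
        if self.dport and not (self.dport[0] <= pkt.dport <= self.dport[1]):
            return False
        return not self.established or (pkt.proto == "tcp" and pkt.ack)

def parse_ace(line: str) -> Ace:
    """'permit|deny <proto> any any [eq P | range A B] [established]'."""
    tok = line.split()
    if tok[2:4] != ["any", "any"]:
        raise ValueError("only 'any any' addresses are modelled: " + line)
    dport, established, rest = None, False, tok[4:]
    while rest:
        if rest[0] == "eq":
            p = port_number(rest[1]); dport, rest = (p, p), rest[2:]
        elif rest[0] == "range":
            dport, rest = (port_number(rest[1]), port_number(rest[2])), rest[3:]
        elif rest[0] == "established":
            established, rest = True, rest[1:]
        else:
            raise ValueError("unsupported keyword %r in: %s" % (rest[0], line))
    return Ace(tok[0], tok[1], dport, established)

def evaluate(acl: List[Ace], pkt: Packet) -> str:
    """First matching entry wins; no match is the implicit deny."""
    for ace in acl:
        if ace.matches(pkt):
            return ace.action
    return "deny"

# The poster's InternetIn entries, copied from the thread.
INTERNET_IN = [parse_ace(l) for l in """
permit tcp any any range 10000 20000
permit udp any any range 10000 20000
permit udp any any eq 5060
permit tcp any any eq 5060
permit tcp any any eq domain
permit tcp any any eq ftp
permit tcp any any eq ftp-data
permit tcp any any eq pop3
permit tcp any any eq smtp
permit tcp any any eq telnet
permit tcp any any eq www
permit udp any any eq 80
permit tcp any any eq 8080
permit udp any any eq 8080
permit tcp any any eq 22
permit tcp any any eq 60000
permit udp any any eq bootpc
permit udp any any eq bootps
permit udp any any eq domain
permit udp any any eq nameserver
permit icmp any any
""".splitlines() if l.strip()]

# One web fetch from a LAN host (constructed): the request goes out to port 80; the
# reply comes back with SOURCE port 80 and an ephemeral DESTINATION port.
REQUEST = Packet("tcp", sport=51514, dport=80)
REPLY = Packet("tcp", sport=80, dport=51514, ack=True)

def on_fa01_inbound(acl=INTERNET_IN) -> str:
    """'ip access-group InternetIn in' on fa0/1 only sees traffic arriving from the Internet."""
    return evaluate(acl, REPLY)

def on_bvi1_inbound(acl=INTERNET_IN) -> str:
    """Leo's suggestion: the same list inbound on BVI1 sees the LAN host's request."""
    return evaluate(acl, REQUEST)

def with_established(acl=INTERNET_IN) -> str:
    """If the list must stay inbound on fa0/1, a 'permit tcp any any established' entry admits replies."""
    return evaluate(acl + [parse_ace("permit tcp any any established")], REPLY)

if __name__ == "__main__":
    print("web reply, InternetIn in on fa0/1   :", on_fa01_inbound())   # deny
    print("web request, InternetIn in on BVI1  :", on_bvi1_inbound())   # permit
    print("web reply, fa0/1 in + established   :", with_established())  # permit
```

The model reproduces the symptom: inbound on fa0/1 the only packets the list ever sees are replies from Internet servers, whose destination port is the client's ephemeral port, so permit tcp any any eq www never matches and the implicit deny drops them. The same list inbound on BVI1 sees the client's request with destination port 80 and permits it. One side effect worth noticing in the poster's list: the range 10000 20000 entries would have admitted any reply whose ephemeral destination port happened to fall in that range, which is not what those lines were written for.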