12-13-2006 12:53 AM - edited 03-05-2019 01:19 PM
Hi Everyone
I am attempting to create what I thought would be a simple ACL to block local IP addresses. When I apply the ACL to my Dialer1 interface, I lose all connection to the internet.
Any help would be greatly appreciated. Please note that I am a Cisco newbie.
Config with access list applied (and no internet access) is below:
version 12.2
no service pad
service timestamps debug datetime msec localtime
service timestamps log datetime localtime
service password-encryption
!
hostname cygnus_core
!
logging buffered 4096 debugging
enable secret 5 PASSSWORD
!
memory-size iomem 15
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
!
!
ip telnet source-interface FastEthernet0
ip domain-name internode.on.net
ip name-server 192.x.x.2
ip name-server 192.x.x.3
!
ip audit notify log
ip audit po max-events 100
vpdn enable
!
!
!
!
!
interface ATM0
 no ip address
 no ip mroute-cache
 no atm ilmi-keepalive
 dsl operating-mode auto
 no fair-queue
 hold-queue 224 in
!
interface ATM0.1 point-to-point
 no ip mroute-cache
 pvc 8/35
  protocol ppp dialer
  dialer pool-member 1
!
!
interface FastEthernet0
 ip address 10.0.0.1 255.255.255.0
 ip nat inside
 no ip mroute-cache
 speed auto
!
interface Dialer0
 no ip address
!
interface Dialer1
 ip address negotiated
 ip access-group 101 in
 ip mtu 1492
 ip nat outside
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap callin
 ppp chap hostname USERNAME
 ppp chap password 7 PASSWORD
!
ip nat inside source list 1 interface Dialer1 overload
ip nat inside source static tcp 10.0.0.10 22 interface Dialer1 22
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 10.0.0.0 255.255.255.0 FastEthernet0
no ip http server
ip pim bidir-enable
!
!
logging 10.0.0.15
access-list 1 permit 10.0.0.0 0.255.255.255
access-list 99 permit 10.0.0.0 0.255.255.255
access-list 101 deny ip 10.0.0.0 0.0.0.255 any log
access-list 101 deny ip 172.16.0.0 0.15.255.255 any log
access-list 101 deny ip 192.168.0.0 0.0.255.255 any log
dialer-list 1 protocol ip permit
!
snmp-server community cygnus RO
banner login ^C
****************************
* This is a private system *
* Any unautherised attempt *
* to gain access will be   *
* prosecuted to the full   *
* extent of the law.       *
*                          *
* YOUR IP ADDRESS HAS BEEN *
* LOGGED ! ! !             *
****************************
^C
!
line con 0
line aux 0
line vty 0 4
 access-class 99 in
 password 7 PASSWORD
 login
!
end
12-13-2006 01:05 AM
Hi
Do revert back with what exactly you would like to do here.
Since you are using NAT, your local network won't be exposed to the outside world.
regds
12-13-2006 01:20 AM
What is the local IP address you want to restrict from accessing the internet?
Instead of applying the ACL on the Dialer1 interface, apply the ACL on the Fa0 interface which is connected to your LAN.
Hope it helps. Rate if it helps.
12-13-2006 02:05 AM
JORDAN
Note that ACL 101 here contains only deny statements, plus the hidden deny-all that resides at the end of each ACL; this is enough to block all the traffic, so you need to add at least one permit statement.
HTH
please do rate if it does
12-13-2006 03:05 AM
Hello
The ACL is applied on the Dialer1 interface, which is the outbound interface (towards the internet), looking from the 'inside' of the network.
Even if you added a permit statement, it will help internet access but won't help much, as I see your intention is to block the 10.x, 172.x and 192.x networks.
As one of the posts suggested, please use the ACL in the same inbound direction but on the Fast Eth0/0 interface with a permit statement at the end.
HTH.
Please let us all know if it helped and how it went.
Cheers
Arav
12-13-2006 05:59 PM
I applied the ACL to the fast0 interface, then lost all connectivity with the router.
I tried putting a permit all command in the ACL (applied to the Dialer1 interface) as below. Is this what you guys meant?
access-list 101 deny ip 10.0.0.0 0.255.255.255 any log
access-list 101 deny ip 172.16.0.0 0.15.255.255 any log
access-list 101 deny ip 192.168.0.0 0.0.255.255 any log
access-list 101 permit ip any any
12-13-2006 08:40 PM
Hi
Make sure that you are allowing your local network and blocking the rest.
The ACL which you have defined there blocks your local network too.
You can redefine the same by allowing only your local network and blocking all.
access-list 101 permit ip 10.0.0.0 0.0.0.255 any
regds
12-13-2006 10:14 PM
That got it working. Thanks for your help, guys!
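As an added illustration of the two points made in the replies above (the hidden deny-all at the end of every ACL, and the fact that the deny entries also match the 10.0.0.0/24 LAN itself, which is why the ACL on Fa0 cut off the router), the following Python is a simplified first-match evaluator for source-only entries of the form used in this thread. It is not from the thread or from Cisco; the sample source addresses are constructed.

```python
import ipaddress


def matches(src, network, wildcard):
    """IOS wildcard-mask match: a 0 bit in the wildcard means 'must match'."""
    s = int(ipaddress.IPv4Address(src))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF  # bits that must be equal
    return (s & care) == (n & care)


def evaluate(acl, src):
    """First matching entry wins; no match falls through to the implicit deny."""
    for action, network, wildcard in acl:
        if matches(src, network, wildcard):
            return action
    return "deny"  # the hidden 'deny any' at the end of every IOS ACL


# The three versions of access-list 101 that appear in this thread,
# as (action, network, wildcard) tuples.
DENY_ONLY = [
    ("deny", "10.0.0.0", "0.0.0.255"),
    ("deny", "172.16.0.0", "0.15.255.255"),
    ("deny", "192.168.0.0", "0.0.255.255"),
]
DENY_THEN_PERMIT_ANY = [
    ("deny", "10.0.0.0", "0.255.255.255"),
    ("deny", "172.16.0.0", "0.15.255.255"),
    ("deny", "192.168.0.0", "0.0.255.255"),
    ("permit", "0.0.0.0", "255.255.255.255"),  # permit ip any any
]
PERMIT_LAN_ONLY = [
    ("permit", "10.0.0.0", "0.0.0.255"),  # the LAN /24; all else hits the implicit deny
]

# Constructed sample sources: the LAN host from the config, two other
# RFC 1918 hosts and a public address from the documentation range.
SAMPLES = ["10.0.0.10", "192.168.1.5", "172.20.3.4", "203.0.113.9"]


def results(acl):
    """Map each sample source address to the ACL's verdict."""
    return {src: evaluate(acl, src) for src in SAMPLES}


if __name__ == "__main__":
    for name, acl in [("deny only", DENY_ONLY), ("deny then permit any", DENY_THEN_PERMIT_ANY),
                      ("permit LAN only", PERMIT_LAN_ONLY)]:
        print(f"{name:22}", results(acl))
```

The evaluator decides per source address only; which addresses count as "source" depends on where the ACL is applied, so inbound on Dialer1 it would be judging internet-side traffic (including replies to the LAN), which is why the thread moves the ACL to Fa0 inbound.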