Cisco Support Community
Access List Problems

Hi Everyone

I am attempting to create what I thought would be a simple ACL to block local IP addresses. When I apply the ACL to my Dialer1 interface, I lose all connection to the internet.

Any help would be greatly appreciated. Please note that I am a Cisco newbie.

Config with access list applied (and no internet access) is below:

version 12.2
no service pad
service timestamps debug datetime msec localtime
service timestamps log datetime localtime
service password-encryption
!
hostname cygnus_core
!
logging buffered 4096 debugging
enable secret 5 PASSSWORD
!
memory-size iomem 15
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
!
!
ip telnet source-interface FastEthernet0
ip domain-name internode.on.net
ip name-server 192.x.x.2
ip name-server 192.x.x.3
!
ip audit notify log
ip audit po max-events 100
vpdn enable
!
!
!
!
!
interface ATM0
 no ip address
 no ip mroute-cache
 no atm ilmi-keepalive
 dsl operating-mode auto
 no fair-queue
 hold-queue 224 in
!
interface ATM0.1 point-to-point
 no ip mroute-cache
 pvc 8/35
  protocol ppp dialer
  dialer pool-member 1
!
!
interface FastEthernet0
 ip address 10.0.0.1 255.255.255.0
 ip nat inside
 no ip mroute-cache
 speed auto
!
interface Dialer0
 no ip address
!
interface Dialer1
 ip address negotiated
 ip access-group 101 in
 ip mtu 1492
 ip nat outside
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap callin
 ppp chap hostname USERNAME
 ppp chap password 7 PASSWORD
!
ip nat inside source list 1 interface Dialer1 overload
ip nat inside source static tcp 10.0.0.10 22 interface Dialer1 22
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 10.0.0.0 255.255.255.0 FastEthernet0
no ip http server
ip pim bidir-enable
!
!
logging 10.0.0.15
access-list 1 permit 10.0.0.0 0.255.255.255
access-list 99 permit 10.0.0.0 0.255.255.255
access-list 101 deny ip 10.0.0.0 0.0.0.255 any log
access-list 101 deny ip 172.16.0.0 0.15.255.255 any log
access-list 101 deny ip 192.168.0.0 0.0.255.255 any log
dialer-list 1 protocol ip permit
!
snmp-server community cygnus RO
banner login ^C
****************************
* This is a private system *
* Any unautherised attempt *
* to gain access will be *
* prosecuted to the full *
* extent of the law. *
* *
* YOUR IP ADDRESS HAS BEEN *
* LOGGED ! ! ! *
****************************
^C
!
line con 0
line aux 0
line vty 0 4
 access-class 99 in
 password 7 PASSWORD
 login
!
end

Accepted Solution

Re: Access List Problems

JORDAN

Note that ACL 101 here contains only deny statements, plus the hidden "deny all" that resides at the end of every ACL; that is enough to block all the traffic, so you need to add at least one permit statement.

HTH

please do rate if it does

12 REPLIES

Re: Access List Problems

Hi

Do revert back with what exactly you would like to do here.

Since you are using NAT, your local network won't be exposed to the outside world.

regds

Re: Access List Problems

What is the local IP address you want to restrict from accessing the internet?

Instead of applying ACL on dialer 1 interface, apply ACL on the Fa0 interface which is connected to your LAN.

hope it helps .... rate if it helps ...


Re: Access List Problems

Hello

The ACL is applied on the Dialer1 interface, which is the outbound interface (towards the internet), looking from the 'inside' of the network.

Even if you added a permit statement, it would help internet access but won't help much, as I see your intention is to block the 10.x, 172.x, and 192.x networks.

As one of the posts suggested, please use the ACL in the same inbound direction but on the Fast Eth0/0 interface, with a permit statement at the end.

HTH.

Please let us all know if it helped and how it went.

Cheers

Arav

Re: Access List Problems

I applied the ACL to the fast0 interface, then lost all connectivity with the router.

I tried putting a permit-all command in the ACL (applied to the dialer1 interface) as below. Is this what you guys meant?

access-list 101 deny ip 10.0.0.0 0.255.255.255 any log
access-list 101 deny ip 172.16.0.0 0.15.255.255 any log
access-list 101 deny ip 192.168.0.0 0.0.255.255 any log
access-list 101 permit ip any any

Re: Access List Problems

Hi

Make sure that you are allowing your local network and blocking the rest.

The ACL which you have defined there blocks your local network too.

You can redefine it by allowing only your local network and blocking all the rest:

access-list 101 permit ip 10.0.0.0 0.0.0.255 any

regds
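To see why each ACL variant in this thread behaves as reported (the accepted answer's point that a deny-only list falls through to the implicit deny, Arav's point that the interface and direction decide which source addresses the ACL is matched against, and the LAN-only permit suggested just above), here is a small first-match evaluator added to this page. It is not the poster's configuration and not Cisco code. The sample packets, the negotiated public address 198.51.100.7 and the internet host 203.0.113.5 (both RFC 5737 documentation addresses) are constructed values.

```python
"""
Simulate Cisco IOS numbered extended-ACL evaluation (first match wins,
implicit "deny ip any any" at the end) for the ACL variants in this thread.
Added example; not the poster's configuration and not Cisco code.
Constructed values: the sample packets, the negotiated public address
198.51.100.7 and the internet host 203.0.113.5.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str  # IP source as seen at the interface the ACL is applied to
    dst: str  # IP destination as seen at that interface


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Cisco wildcard-mask match: a 1 bit in the wildcard means 'do not care'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (n & care)


def _parse_addr(tokens):
    """Consume one address spec: 'any', 'host A.B.C.D', or 'A.B.C.D WILDCARD'."""
    if tokens[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    return (tokens[0], tokens[1]), tokens[2:]


def parse_ace(line: str):
    """Parse 'access-list N {permit|deny} ip SRC DST [log]' into (action, src, dst)."""
    tokens = line.split()
    if tokens[0] != "access-list" or tokens[3] != "ip":
        raise ValueError(f"unsupported ACE: {line}")
    action = tokens[2]
    if action not in ("permit", "deny"):
        raise ValueError(f"bad action in ACE: {line}")
    src, rest = _parse_addr(tokens[4:])
    dst, _ = _parse_addr(rest)  # a trailing 'log' keyword is ignored
    return action, src, dst


def evaluate(acl: list, pkt: Packet):
    """Return (verdict, matching line). No match falls through to the implicit deny."""
    for line in acl:
        action, (sn, sw), (dn, dw) = parse_ace(line)
        if wildcard_match(pkt.src, sn, sw) and wildcard_match(pkt.dst, dn, dw):
            return action, line
    return "deny", "implicit deny at end of ACL"


# ACL 101 exactly as in the original post (deny entries only).
ACL_AS_POSTED = [
    "access-list 101 deny ip 10.0.0.0 0.0.0.255 any log",
    "access-list 101 deny ip 172.16.0.0 0.15.255.255 any log",
    "access-list 101 deny ip 192.168.0.0 0.0.255.255 any log",
]
# The later attempt with an explicit permit-all appended.
ACL_WITH_PERMIT_ANY = ACL_AS_POSTED + ["access-list 101 permit ip any any"]
# The final suggestion: permit only the LAN; everything else hits the implicit deny.
ACL_PERMIT_LAN_ONLY = ["access-list 101 permit ip 10.0.0.0 0.0.0.255 any"]

# Constructed sample packets. Inbound on FastEthernet0 the router sees the
# LAN host's private source address; inbound on Dialer1 it sees the reply
# from the internet host, addressed to the router's negotiated public address.
LAN_TO_INTERNET = Packet(src="10.0.0.10", dst="203.0.113.5")    # inbound on Fa0
REPLY_ON_DIALER = Packet(src="203.0.113.5", dst="198.51.100.7")  # inbound on Dialer1
ROGUE_ON_LAN = Packet(src="192.168.1.20", dst="203.0.113.5")     # inbound on Fa0


if __name__ == "__main__":
    cases = [
        ("posted ACL, reply inbound on Dialer1", ACL_AS_POSTED, REPLY_ON_DIALER),
        ("posted ACL, LAN host inbound on Fa0", ACL_AS_POSTED, LAN_TO_INTERNET),
        ("permit-any ACL, reply inbound on Dialer1", ACL_WITH_PERMIT_ANY, REPLY_ON_DIALER),
        ("LAN-only ACL, LAN host inbound on Fa0", ACL_PERMIT_LAN_ONLY, LAN_TO_INTERNET),
        ("LAN-only ACL, 192.168 source on Fa0", ACL_PERMIT_LAN_ONLY, ROGUE_ON_LAN),
    ]
    for label, acl, pkt in cases:
        verdict, why = evaluate(acl, pkt)
        print(f"{label:42} -> {verdict:6} ({why})")
```

Running it reproduces the thread: the deny-only list matches nothing that arrives on Dialer1 (internet-sourced replies), so every packet falls to the implicit deny and internet access stops; the same list inbound on FastEthernet0 matches the LAN host's 10.0.0.x source and drops it, which is the lost connectivity reported after moving it to fast0; the permit-all line at the end restores traffic. The LAN-only list permits packets whose source is in 10.0.0.0/24, which is what the router sees inbound on FastEthernet0; a reply arriving on Dialer1 carries an internet source and would fall to the implicit deny, which is why the earlier replies pair this list with the LAN interface. Note also that the original deny used wildcard 0.0.0.255 (10.0.0.0/24 only) while access-list 1 and the later attempt use 0.255.255.255 (all of 10.0.0.0/8); the evaluator's wildcard_match makes that difference visible.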


Re: Access List Problems

That got it working. Thanks for your help, guys!
