Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Community Member

Access-list help needed

I provide dial-up access to users in the field through a 2811 router on my network. I need to create an access-list that severely limits access to my LAN but still allows them to get to my firewall and out to the world to access the Internet.

I have 4 internal networks they should not be able to access:

192.168.200.0/21

192.168.16.0/21

192.168.100.0/24

10.10.0.0/16

One internal network they should be able to access:

192.168.0.0/24

This is the current access-list I have in place (it is applied to my f0/0 LAN interface of the router outbound) but it is not working correctly:

permit tcp 192.168.216.0 0.0.0.225 host 192.168.200.210

permit tcp 192.168.216.0 0.0.0.255 192.168.0.0 0.0.0.255

permit tcp 192.168.216.0 0.0.0.255 host 192.168.200.21 eq 53

permit udp 192.168.216.0 0.0.0.255 host 192.168.200.21 eq 53

permit tcp 192.168.216.0 0.0.0.255 host 192.168.200.7 eq 53

permit udp 192.168.216.0 0.0.0.255 host 192.168.200.7 eq 53

permit icmp any any echo-reply

deny tcp 192.168.216.0 0.0.0.255 192.168.200.0 0.0.7.255

deny tcp 192.168.216.0 0.0.0.255 192.168.16.0 0.0.7.255

deny tcp 192.168.216.0 0.0.0.255 192.168.100.0 0.0.0.255

deny tcp 192.168.216.0 0.0.0.255 10.10.0.0 0.0.255.255

permit ip any any

I am not able to access websites that I have in the 192.168.0.0/24 network, but I can hit websites on the internet. The dial-in users are using my internal DNS servers and when I do an NSLookup for websites in my 192.168.0.0/24 subnet it comes back with the correct IP address so I know it can see it but it can't get there.

Any help is appreciated.

1 ACCEPTED SOLUTION

Accepted Solutions
Community Member

Re: Access-list help needed

Hi qbakies11,

I do not know your network setup but I think if you add a ACL permitting all network to your server on tcp port 80. And place this at the top of the acl list. E>g

Ip permit tcp any host 192.168.0.X(ip address of the web server) EQ 80.

Do rate the solution if it works

1 REPLY
Community Member

Re: Access-list help needed

Hi qbakies11,

I do not know your network setup but I think if you add a ACL permitting all network to your server on tcp port 80. And place this at the top of the acl list. E>g

Ip permit tcp any host 192.168.0.X(ip address of the web server) EQ 80.

Do rate the solution if it works

118
Views
0
Helpful
1
Replies
CreatePlease to create content