Cisco Support Community

New Member

Why won't this basic ACL work?

I have been trying to set up an Access Control List on a Cisco 1841 router. I can see that a basic ACL isn't exactly rocket science, but this just doesn't seem to work. By "doesn't work" I mean that as soon as I apply the ACL to an interface, I immediately lose all IP connectivity to the 192.168.240.0 network. Please see http://www.geocities.com/muzikan/basicdiagram.gif for a view of the basic network structure. I need to set up the router at 10.1.1.3 so that it will only permit traffic to enter from the 192.168.242.0 subnet. I have tried to account for both the internal and external interfaces of the source network. All subnet masks are /24. The access control list entries look as follows:

access-list 1 permit 192.168.242.0 0.0.0.255

access-list 1 permit 10.1.1.0 0.0.0.255

Surely there is something ridiculously easy I am overlooking here.

TIA,

Scott

  • LAN Switching and Routing
14 REPLIES

Re: Why won't this basic ACL work?

Scott,

The ACL would be better suited if applied outbound on the 10.1.1.1 interface.

HTH,

Mark

Hall of Fame Super Bronze

Re: Why won't this basic ACL work?

Try the following ACL:

access-list 101 permit ip 192.168.242.0 0.0.0.255 any

access-list 101 permit ip 10.1.1.0 0.0.0.255 any

And apply on the interface facing those networks:

ip access-group 101 in

HTH,

__

Edison.

New Member

Re: Why won't this basic ACL work?

Hey guys, thanks a lot for the fast replies. I will try these suggestions after business hours today (5:00 CST) and leave a follow-up with the results. I have tried using the access-list 101 entry but I don't think I specified "all". I haven't tried applying to the external interface because it's a remote site and if it doesn't work I'm locked out of it. I'll run over there tonight and try all options.

Scott

Hall of Fame Super Bronze

Re: Why won't this basic ACL work?

I haven't tried applying to the external interface because it's a remote site and if it doesn't work I'm locked out of it.

Are there other networks traversing this external interface?

If so, those networks will be blocked unless you add them to the permit list.

If the external facing interface is connected to the internet, then do apply the ACL there.

From your post, it seems the connection was a private point-to-point session between 2 locations.

If you can, please draw a diagram of your topology and post it here. We can determine where the best location to place the ACL is.

HTH,

__

Edison.

New Member

Re: Why won't this basic ACL work?

I don't know if this works or not, but I see that you have a permit list. Shouldn't you also have a deny list? Where you can basically say deny all except the ones you permit?

Greetings

Che

New Member

Re: Why won't this basic ACL work?

Hi Che,

Unless I am mistaken, the deny list is implied at the bottom of the ACL. Please correct me if I am wrong. Thanks.

Hall of Fame Super Bronze

Re: Why won't this basic ACL work?

the deny list is implied at the bottom of the ACL. Please correct me if I am wrong. Thanks.

You are correct.

New Member

Re: Why won't this basic ACL work?

Hi Edison,

The router in question has an external interface of 10.1.1.3 and an internal interface of 192.168.240.3. I only want to apply the ACL as an ingress filter on this router. It doesn't really matter to me which interface has the ACL applied, except that if I apply it to the external interface I will lose connectivity to the router from my site. Does this clear it up at all? Thanks!

Hall of Fame Super Bronze

Re: Why won't this basic ACL work?

I only want to apply the ACL as an ingress filter on this router.

Ideally, you want to place the ACL closest to the source network.

If the packets are coming from the outside, you need to place the ACL on the external interface.

The ACL must have the subnets you want to allow in the source field, and the destination will be your network; in this case you can use the 'any' keyword.

The direction of the access-group must be 'in', as the packets are coming into the router.

HTH,

__

Edison.
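The two points the thread turns on are the wildcard-mask match and the implicit "deny any" at the end of every IOS access list (Scott and Edison's exchange above). The following small evaluator is an added example, not code from the thread or from Cisco: it parses the exact access-list lines posted by Scott (list 1) and Edison (list 101), then checks constructed sample packets against them. The 192.168.240.50 LAN host and the 10.1.1.1 far-end address are assumed values. It shows that a packet sourced on the router's own 192.168.240.0/24 LAN matches neither permit line and falls to the implicit deny, which is what you would expect to see if the list were applied inbound on the LAN-facing interface rather than inbound on the external one as Edison recommends.

```python
"""Tiny evaluator for IOS-style numbered access lists (constructed example).

It models wildcard-mask matching and the implicit 'deny any' that ends
every ACL, so the effect of a list can be checked before it is applied
to a remote router.
"""
import ipaddress
from typing import List, NamedTuple, Tuple


class AclEntry(NamedTuple):
    number: int
    action: str        # "permit" or "deny"
    src: int           # source network as a 32-bit int
    src_wild: int      # wildcard mask: 0 bits must match, 1 bits are don't-care
    dst: int           # destination network; 'any' is 0.0.0.0 255.255.255.255
    dst_wild: int


def _addr(text: str) -> int:
    return int(ipaddress.IPv4Address(text))


def _parse_match(tokens: List[str]) -> Tuple[int, int, List[str]]:
    """Consume 'any', 'host A' or 'A WILDCARD' from tokens; return (net, wild, rest)."""
    if tokens[0] == "any":
        return 0, 0xFFFFFFFF, tokens[1:]
    if tokens[0] == "host":
        return _addr(tokens[1]), 0, tokens[2:]
    net = _addr(tokens[0])
    if len(tokens) > 1 and tokens[1][:1].isdigit():
        return net, _addr(tokens[1]), tokens[2:]
    return net, 0, tokens[1:]          # standard ACL with no wildcard = single host


def parse_acl_line(line: str) -> AclEntry:
    """Parse 'access-list N permit|deny [ip] SRC [WILD] [DST|any]' (numbered ACLs only)."""
    tokens = line.split()
    if len(tokens) < 4 or tokens[0] != "access-list":
        raise ValueError(f"not an access-list line: {line!r}")
    number, action = int(tokens[1]), tokens[2]
    if action not in ("permit", "deny"):
        raise ValueError(f"bad action in {line!r}")
    rest = tokens[3:]
    if 1 <= number <= 99:                       # standard ACL: source only
        src, src_wild, _ = _parse_match(rest)
        return AclEntry(number, action, src, src_wild, 0, 0xFFFFFFFF)
    if 100 <= number <= 199:                    # extended ACL: proto src dst
        if rest[0] != "ip":
            raise ValueError("only the 'ip' protocol keyword is modelled here")
        src, src_wild, rest = _parse_match(rest[1:])
        dst, dst_wild, _ = _parse_match(rest)
        return AclEntry(number, action, src, src_wild, dst, dst_wild)
    raise ValueError(f"unsupported ACL number {number}")


def _wild_match(addr: int, net: int, wild: int) -> bool:
    care = ~wild & 0xFFFFFFFF                   # bits that must agree
    return addr & care == net & care


def evaluate(acl: List[AclEntry], src_ip: str, dst_ip: str):
    """Return (verdict, index of matching line); index None means the implicit deny fired."""
    s, d = _addr(src_ip), _addr(dst_ip)
    for i, e in enumerate(acl):
        if _wild_match(s, e.src, e.src_wild) and _wild_match(d, e.dst, e.dst_wild):
            return e.action, i
    return "deny", None                         # implicit 'deny any' at the end


# The lines exactly as posted in the thread.
SCOTT_ACL = [parse_acl_line(l) for l in (
    "access-list 1 permit 192.168.242.0 0.0.0.255",
    "access-list 1 permit 10.1.1.0 0.0.0.255",
)]
EDISON_ACL = [parse_acl_line(l) for l in (
    "access-list 101 permit ip 192.168.242.0 0.0.0.255 any",
    "access-list 101 permit ip 10.1.1.0 0.0.0.255 any",
)]

# Constructed sample packets (source, destination); host addresses are assumed.
PACKETS = {
    "from remote subnet":  ("192.168.242.10", "192.168.240.50"),
    "from WAN link":       ("10.1.1.1",       "192.168.240.3"),
    "from local LAN host": ("192.168.240.50", "192.168.242.10"),
    "from elsewhere":      ("192.168.241.7",  "192.168.240.50"),
}


def report(acl: List[AclEntry]) -> dict:
    """Verdict for every sample packet against one ACL."""
    return {name: evaluate(acl, s, d)[0] for name, (s, d) in PACKETS.items()}


if __name__ == "__main__":
    for label, acl in (("access-list 1", SCOTT_ACL), ("access-list 101", EDISON_ACL)):
        print(label)
        for name, verdict in report(acl).items():
            print(f"  {name:20} {verdict}")
```

Both lists give the same verdicts: the 192.168.242.0/24 and 10.1.1.0/24 sources are permitted and everything else, including the router's own LAN, hits the implicit deny. The extended form only adds the explicit "any" destination Edison describes; what decides whether connectivity survives is the interface and direction the list is applied to.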
