I have been trying to set up an Access Control List on a Cisco 1841 router. I can see that a basic ACL isn't exactly rocket science, but this just doesn't seem to work. By "doesn't work" I mean that as soon as I apply the ACL to an interface, I immediately lose all IP connectivity to the 192.168.240.0 network. Please see http://www.geocities.com/muzikan/basicdiagram.gif for a view of the basic network structure. I need to set up the router at 10.1.1.3 so that it will only permit traffic to enter from the 192.168.242.0 subnet. I have tried to account for both the internal and external interfaces of the source network. All subnet masks are /24. The access control list entries look as follows:
access-list 1 permit 192.168.242.0 0.0.0.255
access-list 1 permit 10.1.1.0 0.0.0.255
Surely there is something ridiculously easy I am overlooking here.
Try the following ACL:
access-list 101 permit ip 192.168.242.0 0.0.0.255 any
access-list 101 permit ip 10.1.1.0 0.0.0.255 any
And apply on the interface facing those networks:
ip access-group 101 in
Hey guys, thanks a lot for the fast replies. I will try these suggestions after business hours today (5:00 CST) and leave a follow up with the results. I have tried using the access-list 101 entry but I don't think I specified "all". I haven't tried applying to the external interface because it's a remote site and if it doesn't work I'm locked out of it. I'll run over there tonight and try all options.
I haven't tried applying to the external interface because it's a remote site and if it doesn't work I'm locked out of it.
Are there other networks traversing this external interface?
If so, those networks will be blocked unless you add them to the permit list.
If the external facing interface is connected to the internet, then do apply the ACL there.
From your post, it seems the connection was a private point-to-point session between 2 locations.
If you can, please draw a diagram of your topology and post it here. We can determine where the best location to place the ACL is.
I don't know if this works or not, but I see that you have a permit list. Shouldn't you also have a deny list, where you can basically say deny all except the ones you permit?
The router in question has an external interface of 10.1.1.3 and an internal int of 192.168.240.3. I only want to apply the ACL as an ingress filter on this router. It doesn't really matter to me which interface has the ACL applied, except that if I apply to the external interface I will lose connectivity to the router from my site. Does this clear it up at all? Thanks!
I only want to apply the ACL as an ingress filter on this router.
Ideally, you want to place the ACL closest to the source network.
If the packets are coming from the outside, you need to place the ACL on the external interface.
The ACL must have the subnets you want to allow in the source field and the destination will be your network; in this case you can use the 'any' keyword.
The direction of the access-group must be 'in' as the packets are coming into the router.
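To make the placement advice above concrete, here is an added Python model of how IOS evaluates these lists (wildcard-mask matching, first match wins, implicit deny any at the end). It is not code from this thread or from Cisco; the interface names and the sample packets are constructed, and it assumes the symptom in the question came from binding the list inbound on the internal interface.

```python
import ipaddress

ANY = ("0.0.0.0", "255.255.255.255")  # the 'any' keyword as network/wildcard


def wildcard_match(addr, network, wildcard):
    """Cisco wildcard mask: a 0 bit must match, a 1 bit is 'don't care'."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, network, wildcard))
    return (a | w) == (n | w)


# Lists from the thread. Standard list 1 matches on source only, so its
# destination is modeled as 'any'; extended list 101 carries 'any' explicitly.
# Entry: (action, src_net, src_wildcard, dst_net, dst_wildcard)
ACL_1 = [("permit", "192.168.242.0", "0.0.0.255", *ANY),
         ("permit", "10.1.1.0", "0.0.0.255", *ANY)]
ACL_101 = [("permit", "192.168.242.0", "0.0.0.255", *ANY),
           ("permit", "10.1.1.0", "0.0.0.255", *ANY)]


def evaluate(acl, src, dst):
    """First matching entry wins; no match falls into the implicit 'deny any'."""
    for action, s_net, s_wc, d_net, d_wc in acl:
        if wildcard_match(src, s_net, s_wc) and wildcard_match(dst, d_net, d_wc):
            return action
    return "deny"  # implicit deny at the end of every IOS ACL


# Constructed sample packets: (interface they arrive on, source, destination).
# Interface roles follow the thread: external on 10.1.1.0/24, internal on 192.168.240.0/24.
PACKETS = [
    ("external", "192.168.242.10", "192.168.240.50"),  # from the permitted remote subnet
    ("external", "192.168.241.10", "192.168.240.50"),  # from some other subnet
    ("internal", "192.168.240.50", "192.168.242.10"),  # LAN reply traffic heading out
]


def apply_inbound(acl, interface, packets=PACKETS):
    """Map (src, dst) -> action when 'ip access-group <acl> in' is bound to `interface`.

    Packets entering any other interface are not checked by this list."""
    return {(src, dst): evaluate(acl, src, dst) if ingress == interface else "permit"
            for ingress, src, dst in packets}


if __name__ == "__main__":
    # Bound inbound on the internal interface, the list drops the LAN's own traffic
    # via the implicit deny, which matches losing reachability to 192.168.240.0/24.
    for iface in ("internal", "external"):
        print(iface, apply_inbound(ACL_101, iface))
```

Swapping ACL_1 for ACL_101 gives identical results in this model, which is the point: the fix is where and in which direction the list is bound, not the list number.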