
Access list help....please!!!

tonysanta
Level 1

Hello,

Here is my situation. I have an internal network of 10.81.0.X. I have an external location of 10.12.1.X. I want to only allow access into my 10.81 network for 10.12.1.X, but still allow Web traffic from my internal network to pass. I'm not a pro with ACLs. I tried a few things but didn't have any luck. Any help would be greatly appreciated.

Tony

27 Replies

7rbowenii
Level 3

Tony,

What are you implementing ACLs on? 6500? 7200?

I would probably start with

ip access-list extended wwwblok
 permit tcp any any established
 permit ip 10.81.0.0 0.0.0.255 10.12.1.0 0.0.0.255
 permit ip 10.12.1.0 0.0.0.255 10.81.0.0 0.0.0.255
 permit tcp 10.81.0.0 0.0.0.255 any eq 80

i-mask = inverted mask

subnet mask = class c (255.255.255.0)

imask = 0.0.0.255

lemme know how this turns out

-Bo

Sorry for the delay. I'm trying to use ACLs on a 1721. I didn't get a chance to try what you suggest. Thanks for the help.

Tony

wolfrikk
Level 3

What do you have now? The access list is one way through the interface, so it should not affect both incoming and outgoing traffic. The following will allow the traffic between the two sites.

access-list 100 permit ip 10.12.1.0 0.0.0.255 10.81.0.0 0.0.0.255

The following command needs to be added to the outside interface.

ip access-group 100 in

I tried what you suggest. And I'm pretty sure that's what I tried before. But still no luck. I am still blocked from using the internet from the 10.81 network. That's the location that I'm at. When you say "outside interface", you're referring to the Serial interface...correct?

Tony

Assuming you have /24 for your networks:

access-list 100 permit ip 10.81.0.0 0.0.0.255 10.12.1.0 0.0.0.255

access-list 100 permit tcp 10.81.0.0 0.0.0.255 any eq www

access-list 100 deny ip any any ---> OPTIONAL (for viewing)

(Remember that there's an implicit DENY at the end of the ACL)

You can apply the ACL on the router's interface where your 10.81.0.0 network is located. For example:

interface Ethernet0

ip access-group 100 in

The ACL above allows ONLY the following:

- Any traffic from 10.81.0.0/24 (Source) to 10.12.1.0/24 (Destination)

- Web traffic from 10.81.0.0/24 (Source) to any destination

(With the assumption that Web traffic will be provided by a different network)

Hope this info helps.

I'm getting closer.... This helped. But here is what I'm getting now. On the 10.12 network users use client software that uses telnet (to a unix server). This was still not working. Also telnet wasn't working from the 10.81 side. WWW traffic was working fine. Thanks for all the help...

Tony

Can you paste a copy of your access list? The access-list permit IP statement between those two networks should allow all IP traffic including telnet.

So the problem you now have is the telnet access.

For isolation purposes, you could verify if it is working without the ACLs, then re-apply the ACL to make sure that it is causing the problem. (It would be better to remove all ACLs first, if it is possible.)

You mentioned that telnet isn't working from the 10.81.0.0 side. Are there any other devices between the 10.81.0.0 and the 10.12.1.0 networks? If there are, you can check if there are existing policies or filters.

Just to let you know, everything is working fine without the ACLs in the config. Telnet is not working from the 10.12 network. There is a firewall between the 2 networks that is working fine without any ACLs in there. The config I used was exactly the one that you gave me. The other user mentioned that the access-list permit IP statement between those two networks should allow all IP traffic including telnet.

That is true for the one access-list with the permit ip statement. Are there any other devices that may be filtering the traffic besides the PIX? Also, is there a line blocking telnet traffic higher up in the access-list? When a PIX processes the access list, if it makes a match it drops the packet without processing the rest of the access-list. Placement of the access-list lines is very important.

Just to clear things up. There is no PIX involved here. They have a firewall at their end. I believe it's Raptor. I don't think there is any other access list involved. Without any ACL at my end (10.81), things work fine from the 10.12 network.

Can you paste a copy of the access-list? If removing the access-list resolves the problem, there should be something in the access-list that is causing the telnet to fail.

interface FastEthernet0
 ip access-group 100 in

access-list 100 permit ip 10.81.0.0 0.0.0.255 10.12.1.0 0.0.0.255
access-list 100 permit tcp 10.81.0.0 0.0.0.255 any eq www

That should allow telnet from 10.81.0.0 to 10.12.1.0. If this is the only access-list, then telnet should work, but try this access list, just to see what happens.

access-list 100 permit ip 10.81.0.0 0.0.0.255 10.12.1.0 0.0.0.255
access-list 100 permit ip 10.12.1.0 0.0.0.255 10.81.0.0 0.0.0.255
access-list 100 permit tcp 10.81.0.0 0.0.0.255 any eq www

It should have to have both directions in the access-list, but I want to see if it changes anything.
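To make the thread's reasoning checkable, here is an added Python model (not from the thread or from Cisco) of how IOS evaluates a numbered extended ACL: wildcard-mask matching, first match wins, implicit deny at the end. It loads the three-line ACL 100 proposed above and walks the flows discussed, showing that telnet between the two /24s is permitted by entry 1 while anything from 10.81.0.0/24 to other destinations is dropped unless it is TCP port 80; the function names, the test hosts and the outside resolver address are this example's own.

```python
import ipaddress
# Constructed model of Cisco IOS numbered extended ACL evaluation; not Cisco code.
# ACL_100 copies the thread's three lines; everything else is this example's own.
ACL_100 = [
    "access-list 100 permit ip 10.81.0.0 0.0.0.255 10.12.1.0 0.0.0.255",
    "access-list 100 permit ip 10.12.1.0 0.0.0.255 10.81.0.0 0.0.0.255",
    "access-list 100 permit tcp 10.81.0.0 0.0.0.255 any eq www",
]
PORT_NAMES = {"www": 80, "telnet": 23}

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard mask: a 1 bit means 'don't care' (inverse of a netmask)."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)

def parse_ace(line):
    """Parse 'access-list N <permit|deny> <proto> <src> <dst> [eq <port>]'."""
    tok = line.split()
    action, proto, i = tok[2], tok[3], 4
    def addr():
        nonlocal i
        if tok[i] == "any":          # 'any' is shorthand for 0.0.0.0 255.255.255.255
            i += 1
            return "0.0.0.0", "255.255.255.255"
        i += 2
        return tok[i - 2], tok[i - 1]
    src, dst, port = addr(), addr(), None
    if i < len(tok) and tok[i] == "eq":
        port = PORT_NAMES.get(tok[i + 1]) or int(tok[i + 1])
    return {"action": action, "proto": proto, "src": src, "dst": dst, "dport": port}

def evaluate(acl, proto, src, dst, dport=None):
    """(action, entry number) of the first matching entry, else the implicit deny."""
    for n, ace in enumerate(map(parse_ace, acl), 1):
        if ace["proto"] not in ("ip", proto):
            continue
        if not (wildcard_match(src, *ace["src"]) and wildcard_match(dst, *ace["dst"])):
            continue
        if ace["dport"] is not None and ace["dport"] != dport:
            continue
        return ace["action"], n
    return "deny", "implicit"

if __name__ == "__main__":
    # Flows as seen inbound on the 10.81.0.0/24 interface (constructed hosts).
    for flow in [("tcp", "10.81.0.5", "10.12.1.20", 23),      # telnet to the remote site
                 ("tcp", "10.81.0.5", "198.51.100.10", 80),   # web to the Internet
                 ("tcp", "10.81.0.5", "198.51.100.10", 443),  # https: 'eq www' is port 80 only
                 ("udp", "10.81.0.5", "192.0.2.53", 53)]:     # DNS to an outside resolver
        print(flow, "->", evaluate(ACL_100, *flow))
```

Entry 2 only ever matches packets sourced from 10.12.1.0/24, so with the ACL applied inbound on the 10.81 LAN interface it is never consulted; the DNS row shows that a resolver outside both subnets is also blocked by the implicit deny.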