01-30-2003 11:20 AM - edited 03-02-2019 04:41 AM
Hello,
Here is my situation. I have an internal network of 10.81.0.X. I have an external location of 10.12.1.X. I want to only allow access into my 10.81 network for 10.12.1.X, but still allow Web traffic from my internal network to pass. I'm not a pro with ACLs. I tried a few things but didn't have any luck. Any help would be greatly appreciated.
Tony
01-30-2003 11:34 AM
Tony,
What are you implementing ACLs on? 6500? 7200?
I would probably start with
ip access-list extended wwwblok
permit tcp any any established
permit ip 10.81.0.x (i-mask) 10.12.1.x (i-mask)
permit ip 10.12.1.x (i-mask) 10.81.0.x (i-mask)
permit tcp 10.81.0.x (i-mask) any eq 80
i-mask = inverted mask
subnet mask = class C (255.255.255.0)
i-mask = 0.0.0.255
lemme know how this turns out
-Bo
02-03-2003 08:56 AM
Sorry for the delay. I'm trying to use ACLs on a 1721. I didn't get a chance to try what you suggested. Thanks for the help.
Tony
01-30-2003 11:35 AM
What do you have now? The access list is one way through the interface, so it should not affect both incoming and outgoing traffic. The following will allow the traffic between the two sites.
access-list 100 permit ip 10.12.1.0 0.0.0.255 10.81.0.0 0.0.0.255
The following command needs to be added to the outside interface.
ip access-group 100 in
02-03-2003 10:08 AM
I tried what you suggested. And I'm pretty sure that's what I tried before. But still no luck. I am still blocked from using the internet from the 10.81 network. That's the location that I'm at. When you say "outside interface", you're referring to the Serial interface...correct?
Tony
02-03-2003 04:27 PM
Assuming you have /24 for your networks:
access-list 100 permit ip 10.81.0.0 0.0.0.255 10.12.1.0 0.0.0.255
access-list 100 permit tcp 10.81.0.0 0.0.0.255 any eq www
access-list 100 deny ip any any ---> OPTIONAL (for viewing)
(Remember that there's an implicit DENY at the end of the ACL)
You can apply the ACL on the router's interface where your 10.81.0.0 network is located. For example:
interface Ethernet0
ip access-group 100 in
The ACL above allows ONLY the following:
- Any traffic from 10.81.0.0/24 (Source) to 10.12.1.0/24 (Destination)
- Web traffic from 10.81.0.0/24 (Source) to any destination
(With the assumption that Web traffic will be provided by different network)
Hope this info helps.
02-04-2003 01:10 PM
I'm getting closer.... This helped. But here is what I'm getting now. On the 10.12 network users use client software that uses telnet (to a Unix server). This was still not working. Also telnet wasn't working from the 10.81 side. WWW traffic was working fine. Thanks for all the help...
Tony
02-04-2003 01:18 PM
Can you paste a copy of your access list? The access-list permit ip statement between those two networks should allow all IP traffic, including telnet.
02-04-2003 04:56 PM
So the problem you now have is the telnet access.
For isolation purposes, you could verify if it is working without the ACLs, then re-apply the ACL to make sure that it is causing the problem. (It would be better to remove all ACLs first, if possible.)
You mentioned that telnet isn't working from the 10.81.0.0 side. Are there any other devices between the 10.81.0.0 and the 10.12.1.0 networks? If there are, you can check if there are existing policies or filters.
02-05-2003 06:34 AM
Just to let you know, everything is working fine without the ACLs in the config. Telnet is not working from the 10.12 network. There is a firewall between the 2 networks that is working fine without any ACLs in there. The config I used was exactly the one that you gave me. The other user mentioned that the access-list permit ip statement between those two networks should allow all IP traffic, including telnet.
02-05-2003 06:39 AM
That is true for the one access-list with the permit ip statement. Are there any other devices that may be filtering the traffic besides the PIX? Also, is there a line blocking telnet traffic higher up in the access-list? When a PIX processes the access list, if it makes a match it drops the packet without processing the rest of the access-list. Placement of the access-list lines is very important.
02-05-2003 07:47 AM
Just to clear things up. There is no PIX involved here. They have a firewall at their end. I believe it's Raptor. I don't think there is any other access list involved. Without any ACL at my end (10.81), things work fine from the 10.12 network.
02-05-2003 08:14 AM
Can you paste a copy of the access-list? If removing the access-list resolves the problem, there should be something in the access-list that is causing the telnet to fail.
02-05-2003 08:54 AM
interface FastEthernet0
ip access-group 100 in
access-list 100 permit ip 10.81.0.0 0.0.0.255 10.12.1.0 0.0.0.255
access-list 100 permit tcp 10.81.0.0 0.0.0.255 any eq www
02-05-2003 10:17 AM
That should allow telnet from 10.81.0.0 to 10.12.1.0. If this is the only access-list, then telnet should work, but try this access list, just to see what happens.
access-list 100 permit ip 10.81.0.0 0.0.0.255 10.12.1.0 0.0.0.255
access-list 100 permit ip 10.12.1.0 0.0.0.255 10.81.0.0 0.0.0.255
access-list 100 permit tcp 10.81.0.0 0.0.0.255 any eq www
It should have to have both directions in the access-list, but I want to see if it changes anything.
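To check what the posted access-list 100 (from the 02-05-2003 08:54 AM post, applied inbound on FastEthernet0) actually permits, here is a small first-match evaluator with Cisco wildcard-mask semantics and the implicit deny. This is an added example, not code from the thread; the sample flows and addresses are constructed for illustration.

```python
import ipaddress

PORT_NAMES = {"www": 80, "telnet": 23}  # IOS port keywords used in the thread

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)

def parse_ace(line):
    """Parse 'access-list N {permit|deny} {ip|tcp|udp} SRC [WC] DST [WC] [eq PORT]'."""
    tok = line.split()
    action, proto, i, addrs = tok[2], tok[3], 4, []
    for _ in range(2):                       # source, then destination
        if tok[i] == "any":                  # 'any' == 0.0.0.0 255.255.255.255
            addrs.append(("0.0.0.0", "255.255.255.255")); i += 1
        else:
            addrs.append((tok[i], tok[i + 1])); i += 2
    dport = None
    if i < len(tok) and tok[i] == "eq":
        name = tok[i + 1]
        dport = PORT_NAMES[name] if name in PORT_NAMES else int(name)
    return {"action": action, "proto": proto, "src": addrs[0], "dst": addrs[1], "dport": dport}

def evaluate(acl, flow):
    """flow = (proto, src_ip, dst_ip, dst_port). First matching entry wins."""
    proto, src, dst, dport = flow
    for ace in map(parse_ace, acl):
        if ace["proto"] != "ip" and ace["proto"] != proto:
            continue
        if not (wildcard_match(src, *ace["src"]) and wildcard_match(dst, *ace["dst"])):
            continue
        if ace["dport"] is not None and ace["dport"] != dport:
            continue
        return ace["action"]
    return "deny"  # implicit deny at the end of every IOS access-list

# The ACL as posted, applied 'in' on FastEthernet0 (the 10.81.0.0 side),
# so it only ever sees packets arriving from 10.81.0.0/24.
ACL_100 = [
    "access-list 100 permit ip 10.81.0.0 0.0.0.255 10.12.1.0 0.0.0.255",
    "access-list 100 permit tcp 10.81.0.0 0.0.0.255 any eq www",
]

# Constructed sample flows (hosts and internet addresses are illustrative only).
SAMPLE_FLOWS = {
    "telnet 10.81 -> 10.12":   ("tcp", "10.81.0.20", "10.12.1.5", 23),
    "web 10.81 -> internet":   ("tcp", "10.81.0.20", "203.0.113.9", 80),
    "dns 10.81 -> internet":   ("udp", "10.81.0.20", "203.0.113.53", 53),
}
```

Running `evaluate(ACL_100, flow)` over the sample flows shows telnet and web permitted and everything else (DNS, HTTPS) dropped by the implicit deny. Because the list is inbound on FastEthernet0, a telnet session opened from 10.12.1.0 is never evaluated on entry at all; only the 10.81.0.0 host's replies are, and those match the first entry.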