New Member

Access-list help

Not sure if this should be here or in the WAN forum... please advise.

Equip: 1760 VPN/K9 with Ethernet WIC

Goal is to allow access to only a web server behind router (port 80) yet allow any machine behind the router access to the internet

Problem is that as soon as I apply the access list to int e0/0, the machines behind the router can't get to anything outside the router.

Using access lists:

access-list 101 permit tcp any host 172.31.2.2 eq 80

access-list 101 permit tcp any any established

access-list 101 permit udp any any eq 53

access-list 101 permit udp any any eq 123

Any ideas?

thanks

Ricardo Clements

4 REPLIES
New Member

Re: Access-list help

Add:

access-list 101 deny ip any any log

to the end of the ACL. Try connecting to the internet then examine the log to see what is being denied. Should help identify the problem.

New Member

Re: Access-list help

Very helpful. thx

Do you know how to get the logs from the console to a file?

Running Linux RH 8.0 boxes.

Also, it seems like things were working OK until the log rate limit was exceeded, then connectivity to the internet (through the router) became blocked... I was able to get a couple of pages back... then all connections were refused.

ricardo

New Member

Re: Access-list help

Try to use the correct ACL in and out statements when you apply the ACL in the interface configuration.

Bronze

Re: Access-list help

Ricardo,

I am assuming that your access-group is either on the outbound for the ethernet interface, or on the inbound of the interface that faces the Internet. If so, the third line of your ACL should be changed to "access-list 101 permit udp any eq 53 any" in order to allow DNS replies to reach users on the LAN.

HTH

Mark
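To see why the third line drops DNS replies, here is a small ACL evaluator, written for this thread and not taken from any poster or from IOS itself. It models only the numbered-ACL syntax used above (host/any, eq, established, implicit deny at the end) and assumes the ACL filters traffic flowing from the Internet toward the LAN, as Mark describes; the resolver, client and web-client addresses are made up.

```python
from collections import namedtuple

# ack=True means the TCP ACK or RST bit is set, which is all "established" checks.
Packet = namedtuple("Packet", "proto src sport dst dport ack", defaults=(False,))

def _parse(line):
    """Parse the subset of IOS numbered-ACL syntax used in this thread:
    access-list N permit|deny PROTO SRC [eq P] DST [eq P] [established]"""
    tok = line.split()
    assert tok[0] == "access-list" and tok[2] in ("permit", "deny"), line
    pos, ends = 4, []
    for _ in range(2):                      # source endpoint, then destination
        host = tok[pos + 1] if tok[pos] == "host" else None   # None matches "any"
        pos += 2 if host else 1
        port = None
        if pos < len(tok) and tok[pos] == "eq":
            port, pos = int(tok[pos + 1]), pos + 2
        ends.append((host, port))
    return tok[2], tok[3], ends[0], ends[1], "established" in tok[pos:]

def evaluate(acl, pkt):
    """First matching entry wins; an IOS ACL ends with an implicit deny."""
    for line in acl:
        action, proto, (shost, sport), (dhost, dport), est = _parse(line)
        if proto not in ("ip", pkt.proto): continue
        if shost not in (None, pkt.src) or dhost not in (None, pkt.dst): continue
        if sport not in (None, pkt.sport) or dport not in (None, pkt.dport): continue
        if est and not pkt.ack: continue
        return action
    return "deny"

ORIGINAL_ACL = [
    "access-list 101 permit tcp any host 172.31.2.2 eq 80",
    "access-list 101 permit tcp any any established",
    "access-list 101 permit udp any any eq 53",
    "access-list 101 permit udp any any eq 123",
]
# Mark's fix: match DNS replies by their *source* port instead of the destination port.
FIXED_ACL = ORIGINAL_ACL[:2] + ["access-list 101 permit udp any eq 53 any"] + ORIGINAL_ACL[3:]

# Constructed samples of Internet-to-LAN packets (addresses are made up).
DNS_REPLY = Packet("udp", "198.51.100.53", 53, "172.31.2.10", 40123)
WEB_HIT   = Packet("tcp", "203.0.113.7", 51000, "172.31.2.2", 80)
WEB_REPLY = Packet("tcp", "203.0.113.8", 443, "172.31.2.10", 51001, ack=True)

if __name__ == "__main__":
    for name, pkt in [("dns reply", DNS_REPLY), ("web hit", WEB_HIT), ("web reply", WEB_REPLY)]:
        print(f"{name:10} original={evaluate(ORIGINAL_ACL, pkt):6} fixed={evaluate(FIXED_ACL, pkt)}")
```

The original ACL permits the outbound query's destination port but never sees a reply whose destination is the client's ephemeral port, so every name lookup fails once the deny-any-log entry is hit; the corrected entry permits it, while the web-server rule and established TCP replies behave the same under both lists.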
