ACL blocking all traffic going out! HELP

ohif
Level 1

I am trying to set up an ACL that restricts traffic coming into the network through serial 0. I am using a Cisco 1721 router with the IOS firewall feature set. When I implemented the ACL below it blocked all traffic going out. I could not even ping out of the network. I don't see what is wrong with it. Please help me find the flaws because I am lost. Any other pointers on the ACL would be appreciated also. The IPs and subnet have been changed.

This is exactly how I typed it in....

configure terminal
access-list 101 permit tcp any any eq established
access-list 101 deny ip 92.92.92.0 0.0.0.45 any
access-list 101 permit tcp any 92.92.92.0 0.0.0.45 eq 1494
access-list 101 permit udp any 92.92.92.0 0.0.0.45 eq domain
access-list 101 permit tcp any 92.92.92.0 0.0.0.45 eq www
access-list 101 permit udp any 92.92.92.0 0.0.0.45 eq 443
access-list 101 permit tcp any 92.92.92.0 0.0.0.45 eq smtp
access-list 101 permit udp any 92.92.92.0 0.0.0.45 eq login
access-list 101 permit tcp any 92.92.92.0 0.0.0.45 eq 10000
access-list 101 permit tcp any 92.92.92.0 0.0.0.45 eq bgp
access-list 101 permit tcp any 92.92.92.5 0.0.0.45 eq 110
access-list 101 permit tcp any 92.92.92.5 0.0.0.45 eq 143
access-list 101 permit tcp any 92.92.92.0 0.0.0.45 eq 22
access-list 101 deny ip any any
end

configure terminal
interface serial 0
ip access-group 101 in
end

Thanks for any help!!!

6 Replies

thisisshanky
Level 11

Ping won't work because ping uses ICMP traffic. If you want to allow ping, then you need to add a line for ICMP and permit the traffic. (Delete the above access list and remake it with the new line added; the best app to use is Notepad, then copy and paste.)

Also, you need to remove the deny statement (2nd line) because it is not really needed, since there is a "deny ip any any" at the end of the access list. Lines 3 through 11 won't be used at all for matching TCP traffic (on the specified ports) because line 2 will deny them.

HTH

Sankar Nair
UC Solutions Architect
Pacific Northwest | CDW
CCIE Collaboration #17135 Emeritus

jmia
Level 7

Hi -

Change line 2, as you already have a deny ip any any at the end of the ACL. Also, if you need ICMP, then please construct an ACL for ICMP.

HTH --

olorunloba
Level 5

When the IOS processes the access list, it starts from the top and works to the bottom. Once it finds a match, it executes the action and ends the process there. Hence, you need to move the 2nd line, i.e.

access-list 101 deny ip 92.92.92.0 0.0.0.45 any

to the bottom of the access lists. This is because all the other packets that would have matched the permit statements below it are also matched by this line. Hence, the packet will be denied and the other statements will never be evaluated, and hence not permitted.

As a rule, try to put the more specific statements at the top and the more general at the bottom.

The last line is also not needed, because of the implicit deny all properties of all access lists. Though this will not affect you.

I took out line 2 with no resolution.... so that isn't it. I posted this question on another forum and I was told to do this.......

ip inspect name MYRULES tcp
ip inspect name MYRULES udp
access-list 101 permit tcp any 92.92.92.0 0.0.0.45 eq 1494
access-list 101 permit udp any 92.92.92.0 0.0.0.45 eq domain
access-list 101 permit tcp any 92.92.92.0 0.0.0.45 eq www
access-list 101 permit udp any 92.92.92.0 0.0.0.45 eq 443
access-list 101 permit tcp any 92.92.92.0 0.0.0.45 eq smtp
access-list 101 permit udp any 92.92.92.0 0.0.0.45 eq login
access-list 101 permit tcp any 92.92.92.0 0.0.0.45 eq 10000
access-list 101 permit tcp any 92.92.92.0 0.0.0.45 eq bgp
access-list 101 permit tcp any 92.92.92.5 0.0.0.45 eq 110
access-list 101 permit tcp any 92.92.92.5 0.0.0.45 eq 143
access-list 101 permit tcp any 92.92.92.0 0.0.0.45 eq 22
access-list 101 deny ip any any

configure terminal
interface serial 0
ip access-group 101 in
ip inspect MYRULES out
end

Does anyone think this might work better?? I hate to keep trying during the work hours and having to reload.

Add a log statement to each of the lines, generate traffic and see what is hitting what. If you are looking at incoming connections (my guess is from the internet to perhaps a DMZ of sorts), what the ACL is saying is that all layer 4 connections come in; what about layer 3?

Have you tested a couple of lines at a time? Try that by connecting from the outside to one of the specific ports, and keep going down the list. Verify the range is correct with your mask.

Not sure why you're testing during production hours, though. You may want to remove the access-group on the interface until you have the time to work with the config, so you are less under pressure. Additionally, you should not have to reload the router; just unapply and re-apply the access-group. Most of the time that works.

good luck.

Hi there

According to my calculation, the line 92.92.92.0 0.0.0.45 is stating that you're permitting only devices that have IP addresses x.x.x.0-1;4-5;8-9;12-13;32-33;36-37;40-41 and 44-45, where x = 92. Is this what you wanted to do? Could it be the cause of your problem? Make sure that your devices are in the range specified above, for only those devices are allowed by the ACL.
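The top-down first-match walk olorunloba describes and the 0.0.0.45 wildcard arithmetic in the reply above can both be checked offline before the access-group is applied to the router. The following is an added Python model, not from the thread or from Cisco: it parses only the subset of numbered extended ACE syntax that appears in the posted list (the `established` line is left out because the model tracks no TCP state), expands a wildcard mask into the hosts it covers, and reports which line a constructed packet hits; 203.0.113.10 is a constructed outside address.

```python
import ipaddress

# Port keywords used in the thread's ACL, mapped to their numbers.
PORT_NAMES = {"www": 80, "domain": 53, "smtp": 25, "login": 513, "bgp": 179}
ANY = ("0.0.0.0", "255.255.255.255")  # what the keyword 'any' expands to


def wildcard_match(addr, base, wildcard):
    """Cisco wildcard mask: a 1 bit means 'don't care', a 0 bit must match."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)


def matched_last_octets(base, wildcard):
    """Last-octet values covered by base/wildcard (wildcard confined to octet 4)."""
    prefix = int(ipaddress.IPv4Address(base)) & 0xFFFFFF00
    return [h for h in range(256)
            if wildcard_match(str(ipaddress.IPv4Address(prefix + h)), base, wildcard)]


def parse_ace(line):
    """Parse 'access-list N {permit|deny} PROTO SRC [WC] DST [WC] [eq PORT]'."""
    rest = line.split()[2:]                   # drop 'access-list' and the number
    action, proto, ends = rest.pop(0), rest.pop(0), []
    for _ in range(2):                        # source endpoint, then destination
        ends.append(ANY if rest[0] == "any" else (rest[0], rest[1]))
        del rest[:1 if rest[0] == "any" else 2]
    port = int(PORT_NAMES.get(rest[1], rest[1])) if rest[:1] == ["eq"] else None
    return {"action": action, "proto": proto, "src": ends[0], "dst": ends[1], "port": port}


def evaluate(acl, proto, src, dst, dport=None):
    """Top-down first match: (action, 1-based line), or ('deny', None) for the implicit deny."""
    for n, ace in enumerate(acl, 1):
        if ace["proto"] not in ("ip", proto):
            continue
        if not (wildcard_match(src, *ace["src"]) and wildcard_match(dst, *ace["dst"])):
            continue
        if ace["port"] is not None and ace["port"] != dport:
            continue
        return ace["action"], n
    return "deny", None


# Constructed subset of the original post's ACL, in the posted order.
ACL_AS_POSTED = [parse_ace(l) for l in [
    "access-list 101 deny ip 92.92.92.0 0.0.0.45 any",
    "access-list 101 permit tcp any 92.92.92.0 0.0.0.45 eq www",
    "access-list 101 permit tcp any 92.92.92.5 0.0.0.45 eq 110",
    "access-list 101 deny ip any any",
]]
```

Call evaluate() once per service you expect to reach from outside and once per inside-sourced flow; a result of ("deny", None) means the packet fell through every line to the implicit deny, which is what an inbound ping does once the explicit "deny ip any any" is dropped.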