Cisco Support Community
New Member

ACL

All,

We are currently running a 2611 router, and I've just set up an access-list that only allows Internet, FTP, SMTP and POP3 traffic to go out. But every time I apply the access-list to the inside interface, our Internet stops working. Thanks in advance.

This is the configuration I have done.

access-list 102 permit tcp any any eq www
access-list 102 permit udp any any eq 53
access-list 102 permit tcp any any eq telnet
access-list 102 permit tcp any any eq ftp
access-list 102 permit tcp any any eq smtp
access-list 102 permit tcp any any eq pop3
access-list 102 deny ip any any
!
interface Ethernet 0/1
 ip access-group 102 in

3 REPLIES
Silver

Re: ACL

I strongly recommend applying this access-list outbound on the outside interface (serial, DSL, ...) and no access-list on the Ethernet interface.

New Member

Re: ACL

I also agree that this should be applied at the outgoing interface as an access-group out ACL. If you do this, your other internal traffic wouldn't be denied. Of course this depends on how your setup looks.

By "Internet", do you mean the "big scary Internet" or your internal network?

How is your setup with router and interfaces?

Don't forget to also permit ftp-data, port 20, in your ACL.

Hope this helps a bit.

New Member

Re: ACL

Without knowing the particulars of your Internet access, such as location and use of a proxy server, etc., I would suggest that you change the last line of your access list to deny ip any any log. With logging turned on for the access list, you can see what traffic is being blocked by the deny you have added to the end of your permissions.
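Putting the three suggestions in this thread together (move the list outbound to the outside interface, permit ftp-data, log the final deny) gives the configuration below; this is an added example, not config posted by anyone in the thread, and it assumes the Internet-facing interface is Serial0/0 and that the original permit lines stay as they were.

```cisco
! Added example: the poster's ACL reworked as the replies suggest.
! Assumption: Serial0/0 is the outside (Internet-facing) interface.
no access-list 102
access-list 102 remark Outbound Internet policy: web, DNS, telnet, FTP, mail only
access-list 102 permit tcp any any eq www
access-list 102 permit udp any any eq 53
access-list 102 permit tcp any any eq telnet
access-list 102 permit tcp any any eq ftp
! Active-mode FTP data channel (server port 20), as the second reply notes
access-list 102 permit tcp any any eq ftp-data
access-list 102 permit tcp any any eq smtp
access-list 102 permit tcp any any eq pop3
! Explicit final deny with the log keyword so blocked flows appear in the syslog
access-list 102 deny ip any any log
!
! Remove the filter from the inside Ethernet interface ...
interface Ethernet 0/1
 no ip access-group 102 in
!
! ... and apply it outbound on the outside interface instead, so only traffic
! leaving towards the Internet is filtered and internal traffic is untouched
interface Serial0/0
 ip access-group 102 out
```

Check the result with show access-lists 102 (per-line match counters) and show logging; the log keyword only produces visible messages if logging is enabled, for example with logging buffered or a syslog server.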
