Cisco Support Community
New Member

2 Interface IOS Firewall

Hello - I have a 3640 that is segmenting 2 internal LANs. There are 2 FastEthernet ports on the box. I can't ping one network from the other and vice versa, even with all ICMP access allowed in both directions. I can ping as far as the router on both sides though. The router can ping all clients on either side.

When I do a sh ip route, it shows both networks directly connected, although it doesn't show 2 subnets subnetted. Also, with various debug commands I see that packets are being dropped. Errors are "no ip route", "no source udp port", "ip address is our interface"; there is even an error saying "wrong cable type".

Here is a copy of the config.

!
service timestamps debug uptime
service timestamps log uptime
service password-encryption
no service tcp-small-servers
no service udp-small-servers
!
hostname 3640GW
!
enable
!
! Source routing is left enabled here; "no ip source-route" is the usual hardening.
ip source-route
no ip name-server
!
ip subnet-zero
no ip domain-lookup
ip routing
!
! CBAC (ip inspect) global timers and thresholds. No "ip inspect name" rule is
! defined or applied to an interface in this config, so they inspect nothing.
no ip inspect audit-trail
ip inspect tcp synwait-time 30
ip inspect tcp finwait-time 5
ip inspect tcp idle-time 3600
ip inspect udp idle-time 30
ip inspect dns-timeout 5
ip inspect one-minute low 900
ip inspect one-minute high 1100
ip inspect max-incomplete low 900
ip inspect max-incomplete high 1100
ip inspect tcp max-incomplete host 50 block-time 0
!
interface fa 0/0
 no shutdown
 description connected to wireless
 ip address 192.208.127.199 255.255.255.0
 ip access-group 101 in
 keepalive 10
!
interface fa 0/1
 no shutdown
 description connected to CORP
 ip address 192.208.126.199 255.255.255.0
 ip access-group 100 in
 keepalive 10
!
! Access Control List 100 (applied inbound on fa 0/1, the CORP side)
! Entries are matched top-down, first match wins; an implicit "deny ip any any"
! follows the last entry.
!
no access-list 100
access-list 100 deny ip 192.208.127.0 0.0.0.255 any
access-list 100 permit udp any eq rip any eq rip
access-list 100 permit icmp any 192.208.127.0 0.0.0.255
!
! Access Control List 101 (applied inbound on fa 0/0, the wireless side)
!
no access-list 101
access-list 101 deny ip 192.208.126.0 0.0.0.255 any
access-list 101 permit udp any eq rip any eq rip
access-list 101 permit icmp any 192.208.126.0 0.0.0.255
!
router rip
 version 2
 network 192.208.127.0
 network 192.208.126.0
 no auto-summary
!
ip classless
no ip http server
!

Any help is appreciated.

Gavin.

Accepted Solution
Cisco Employee

Re: 2 Interface IOS Firewall

What exactly are you trying to allow here? In an ACL, "ip" includes "icmp", so the first line in your ACLs 100 and 101 is denying the ICMP packets. The next two lines probably aren't doing anything, since both UDP/RIP and ICMP are, as I mentioned, included in the "deny ip" on the first line.

In fact, your last line in each ACL is saying allow packets into the interface with a destination IP address of the other interface; this will never happen.

Actually, the more I look at this, it looks like you have the wrong ACL applied to each interface. If you apply ACL 100 to fa0/0 and 101 to fa0/1, then this'll probably do what you want it to do.
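The reply above rests on two rules of Cisco numbered extended ACLs: entries are tested top-down and the first match wins, with an implicit "deny ip any any" after the last entry; and the protocol keyword "ip" matches every IP protocol, so a "deny ip" line also catches ICMP and UDP. The Python below is an added example written for this thread, not code from the original post or from any Cisco tool. It is a small first-match evaluator that parses the ACL lines exactly as posted (it understands only the entry shapes used there: ip/icmp/udp/tcp, "any" or address plus wildcard mask, and an optional "eq <port>"), binds them inbound to the interfaces as the posted "ip access-group" lines do, and runs constructed packets through them, reporting which entry decided each result. The host addresses in the packets are made up for the example.

```python
"""First-match evaluator for the numbered extended ACLs posted in the thread.

Constructed example, not Cisco code. Handles only the entry shapes that appear
in the posted config.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

PORT_NAMES = {"rip": 520}   # IOS accepts service names in place of port numbers


@dataclass(frozen=True)
class Packet:
    proto: str                    # "icmp", "udp" or "tcp"
    src: str
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None


@dataclass(frozen=True)
class Entry:
    action: str                   # "permit" or "deny"
    proto: str                    # "ip", "icmp", "udp" or "tcp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    sport: Optional[int]
    dport: Optional[int]


def _parse_addr(tokens, i):
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' (wildcard mask) at tokens[i]."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    addr, wildcard = tokens[i], tokens[i + 1]
    # A Cisco wildcard mask is the bitwise inverse of a subnet mask: 0.0.0.255 -> 255.255.255.0
    mask = (~int(ipaddress.ip_address(wildcard))) & 0xFFFFFFFF
    net = ipaddress.ip_network(f"{addr}/{ipaddress.ip_address(mask)}", strict=False)
    return net, i + 2


def _parse_port(tokens, i):
    """Parse an optional 'eq <port>' qualifier at tokens[i]."""
    if i < len(tokens) and tokens[i] == "eq":
        name = tokens[i + 1]
        return (PORT_NAMES[name] if name in PORT_NAMES else int(name)), i + 2
    return None, i


def parse_acls(config_text):
    """Collect 'access-list N permit|deny ...' lines into {N: [Entry, ...]} in config order."""
    acls = {}
    for raw in config_text.splitlines():
        tokens = raw.split()
        # Skips blank lines, '!' comments and 'no access-list N'.
        if len(tokens) < 5 or tokens[0] != "access-list" or tokens[2] not in ("permit", "deny"):
            continue
        number, action, proto = tokens[1], tokens[2], tokens[3]
        src, i = _parse_addr(tokens, 4)
        sport, i = _parse_port(tokens, i)
        dst, i = _parse_addr(tokens, i)
        dport, i = _parse_port(tokens, i)
        acls.setdefault(number, []).append(Entry(action, proto, src, dst, sport, dport))
    return acls


def matches(entry, pkt):
    """True if the entry matches the packet. The 'ip' keyword matches every IP protocol."""
    if entry.proto != "ip" and entry.proto != pkt.proto:
        return False
    if ipaddress.ip_address(pkt.src) not in entry.src:
        return False
    if ipaddress.ip_address(pkt.dst) not in entry.dst:
        return False
    if entry.sport is not None and entry.sport != pkt.sport:
        return False
    if entry.dport is not None and entry.dport != pkt.dport:
        return False
    return True


def evaluate(entries, pkt):
    """Top-down, first match wins; no match means the implicit 'deny ip any any' (index None)."""
    for idx, entry in enumerate(entries):
        if matches(entry, pkt):
            return entry.action, idx
    return "deny", None


# The ACLs and interface bindings as posted in the question.
ACL_CONFIG = """
no access-list 100
access-list 100 deny ip 192.208.127.0 0.0.0.255 any
access-list 100 permit udp any eq rip any eq rip
access-list 100 permit icmp any 192.208.127.0 0.0.0.255
no access-list 101
access-list 101 deny ip 192.208.126.0 0.0.0.255 any
access-list 101 permit udp any eq rip any eq rip
access-list 101 permit icmp any 192.208.126.0 0.0.0.255
"""
INBOUND_ACL = {"fa0/0": "101", "fa0/1": "100"}   # the posted 'ip access-group N in' lines


def check(interface, pkt):
    """Result of the ACL bound inbound on `interface` for `pkt`: (action, index of deciding entry)."""
    return evaluate(parse_acls(ACL_CONFIG)[INBOUND_ACL[interface]], pkt)


if __name__ == "__main__":
    # Constructed packets: a CORP host (fa0/1 side) talking to a wireless host (fa0/0 side).
    cases = [
        ("fa0/1", Packet("icmp", "192.208.126.10", "192.208.127.20")),              # echo request
        ("fa0/0", Packet("icmp", "192.208.127.20", "192.208.126.10")),              # echo reply
        ("fa0/1", Packet("icmp", "192.208.127.5", "192.208.126.10")),               # wireless source on CORP port
        ("fa0/1", Packet("udp", "192.208.126.1", "224.0.0.9", 520, 520)),           # RIPv2 update
        ("fa0/1", Packet("tcp", "192.208.126.10", "192.208.127.20", 40000, 22)),   # ssh, no entry matches
    ]
    for iface, pkt in cases:
        print(f"{iface} {pkt.proto} {pkt.src} -> {pkt.dst}: {check(iface, pkt)}")
```

Running it shows the "deny ip" entry swallowing an ICMP packet whenever its source address falls in the denied subnet, the RIP entry matching only when both UDP ports are 520, and a TCP packet falling through every entry to the implicit deny. INBOUND_ACL mirrors the bindings as posted; swapping its two values models the change suggested in the reply, and re-running the same packets shows what that does to each flow.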


New Member

Re: 2 Interface IOS Firewall

Hi - Just read this now. Had to install the router on site yesterday. You were right about the ACLs. I had just put them in to test basic routing and connectivity. There was also one other problem, a bad port on the switch that I had used in the test lab.

Thanks for your reply. I appreciate your response.

Thanks and regards,

Gavin.
