Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
443
Views
0
Helpful
3
Replies

7206 Access-list problem

nickpowers
Level 1
Level 1

‎09-19-2005 11:48 AM - edited ‎02-20-2020 09:28 PM

I'm performing a NAT translation on a Linksys router that is attached to fa1/0 on my 7206. I want to only allow HTTP,SSL and DNS traffic out of fa1/0 from the Linksys. I have put in place an ACL to allow this traffic flow but it seems to skip over the acls I put in place and only hits the permit ip any any. If I try to use the address of the Linksys router in my ACL's it doesn't work. If I try: any any eq www that doesn't work either. So I assume Cisco ACLs are not liking how the address is translated by the Linksys router. Any thoughts?? Below is the acl in question:

10 permit tcp any host ###.###.###.### eq domain

20 permit udp any host ###.###.###.### eq domain

30 permit tcp any any eq www

40 permit tcp any any eq 443

50 permit ip host ###.###.###.### any

60 deny ip any any (7 matches)

Here is the port config fa1/0:

interface FastEthernet1/0

ip address ###.###.###.### 255.255.255.252

ip access-group inet-edge-wireless out

no ip redirects

no ip unreachables

no ip proxy-arp

duplex full

speed 100

Thanks

Labels:
0 Helpful
3 Replies 3

dgahm
Level 8
Level 8

‎09-19-2005 04:50 PM

Perhaps the ACL needs to be applied inbound, or else reverse the source and destination ports. Your ACL statements will match packets from the client to the server. If you want to match from the server to the client they need to look like this:

30 permit tcp any eq www any

0 Helpful

ciscocsoc
Level 4
Level 4
In response to dgahm

‎09-20-2005 04:39 AM

The interface definition looks OK.

Can you add log to the last element of the ACL and then post the log output? This should show the src/dst IP addresses and the ports.

I am assuming that the ###.###.###.### in the DNS rules is the address of your remote DNS server.

Kind Regards

Cathy

0 Helpful

nickpowers
Level 1
Level 1
In response to ciscocsoc

‎09-20-2005 12:35 PM

I figured it out. Out vs In....its all a matter of perspective. I was assigning it outbound and it needed to be assigned inbound. I assumed data flowing from my internal network to the port was outbound but apparently not (according to Cisco's ACL rules). Perspective, perspective!!!! Thanks for the help!

Nick

0 Helpful
Customers Also Viewed These Support Documents