Cisco Support Community

New Member

Access List is not working properly

Hi there,

My company has a Novell BorderManager (Firewall) to protect our users. On the Firewall/Proxy, we have set up NAT as well. Now I wanted to set up an ACL on the router, but once I have activated the ACL, all the internet connections are down. The ACL is activated on the Serial WAN interface ONLY.

I wanted the ACL to allow only certain TCP ports (80, 443, 911, 1590... etc.) to go out only; other than that... all will not be allowed. Please advise? Below is the ACL.

! Applied on the Serial WAN interface (interface-level "ip access-group" commands)
access-group 101 in
access-group 120 out
!
! ACL 101: inbound from the Internet
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 permit tcp any any eq domain
access-list 101 permit udp any any eq domain
access-list 101 permit udp any any gt 1024
access-list 101 permit tcp any any established
access-list 101 deny icmp any any echo log
access-list 101 deny icmp any any redirect log
access-list 101 deny icmp any any packet-too-big log
access-list 101 permit icmp any any
access-list 101 permit ip any any log
access-list 101 deny ip any host 255.255.255.255
!
! ACL 120: outbound to the Internet
access-list 120 deny ip any host 255.255.255.255
access-list 120 deny ip 192.168.0.0 0.0.255.255 any
access-list 120 deny ip 172.16.0.0 0.15.255.255 any
access-list 120 permit ip host 202.186.250.153 any
access-list 120 permit ip host 202.186.250.154 any
access-list 120 deny tcp any any eq 12345 log
access-list 120 permit icmp any any
access-list 120 permit tcp host 202.186.250.131 eq www any
access-list 120 permit tcp host 202.186.250.131 eq 443 any
access-list 120 permit tcp host 202.186.250.131 eq 23 any
access-list 120 permit tcp host 202.186.250.131 eq 53 any
access-list 120 permit tcp host 202.186.250.131 eq 21 any
access-list 120 permit tcp host 202.186.250.131 eq 911 any
access-list 120 permit tcp host 202.186.250.131 eq 5190 any
access-list 120 permit tcp host 202.186.250.131 eq 1000 any
access-list 120 permit tcp host 202.186.250.131 eq 5000 any
access-list 120 permit ip host 202.186.250.154 any
access-list 120 permit ip host 202.186.250.153 any
access-list 120 deny ip host 202.186.250.131 any

Note: IP 202.186.250.131 is the Firewall/Proxy server.

Thanks & Regards

Terence

2 REPLIES
New Member

Re: Access List is not working properly

It looks like your access-list 120 is permitting traffic from your proxy server when the SOURCE ports are those you've identified. But for your Internet access to work properly, you'll need to permit these ports as the DESTINATION. When an internal host tries to browse a Web page, for example, the source port is a (sort of) random number, and the destination port is TCP 80. So if you modify those ACL lines to read 'access-list 120 permit tcp host 202.186.250.131 any eq [port_#]', things should work fine.
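An added example (my code, not Ross's or Terence's) that parses the two forms of the access-list 120 entry discussed above and evaluates them against a constructed outbound web request from the proxy; the packet's ports and destination address are made up, and only the `access-list N action proto (any|host A) [eq P] (any|host B) [eq P]` subset of the syntax is handled:

```python
from collections import namedtuple

PORT_NAMES = {"www": 80, "domain": 53, "ftp": 21, "telnet": 23}  # IOS keywords in the thread's ACL
PROXY = "202.186.250.131"  # the Firewall/Proxy server named in the post
Packet = namedtuple("Packet", "proto src sport dst dport")

def parse_ace(line: str) -> dict:
    """Parse 'access-list N permit|deny PROTO (any|host A) [eq P] (any|host B) [eq P]'."""
    tok = line.split()
    ace, i = {"action": tok[2], "proto": tok[3]}, 4
    for side in ("src", "dst"):
        if tok[i] == "host":
            ace[side], i = tok[i + 1], i + 2
        else:  # 'any'
            ace[side], i = None, i + 1
        if i < len(tok) and tok[i] == "eq":
            ace[side + "port"], i = int(PORT_NAMES.get(tok[i + 1], tok[i + 1])), i + 2
        else:
            ace[side + "port"] = None
    return ace

def ace_matches(ace: dict, pkt: Packet) -> bool:
    """None means 'any' for a field; protocol 'ip' covers every protocol."""
    return (ace["proto"] in ("ip", pkt.proto)
            and ace["src"] in (None, pkt.src) and ace["srcport"] in (None, pkt.sport)
            and ace["dst"] in (None, pkt.dst) and ace["dstport"] in (None, pkt.dport))

def acl_permits(lines: list, pkt: Packet) -> bool:
    """First matching entry wins; an unmatched packet hits the implicit deny."""
    for ace in map(parse_ace, lines):
        if ace_matches(ace, pkt):
            return ace["action"] == "permit"
    return False

# The post's entry ('eq www' qualifies the SOURCE) beside the reply's corrected form.
ORIGINAL = ["access-list 120 permit tcp host 202.186.250.131 eq www any",
            "access-list 120 deny ip host 202.186.250.131 any"]
CORRECTED = ["access-list 120 permit tcp host 202.186.250.131 any eq www",
             "access-list 120 deny ip host 202.186.250.131 any"]

# Constructed outbound web request: ephemeral source port, destination port 80.
WEB_REQUEST = Packet("tcp", PROXY, 40213, "198.51.100.10", 80)

def original_permits_web_request() -> bool:
    return acl_permits(ORIGINAL, WEB_REQUEST)   # False: the source port is not 80

def corrected_permits_web_request() -> bool:
    return acl_permits(CORRECTED, WEB_REQUEST)  # True: the destination port is 80
```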

New Member

Re: Access List is not working properly

Hi Ross,

Thanks for your advice, I will try it over the weekend.

Really appreciated!

Merry Christmas and Happy New Year to you.

Regards

Terence
