I've been fighting with a C1700 for many hours and can't seem to figure out where the problem with my access lists lies. Hopefully someone here can please help me out as I'm getting a little desperate!
C1700 with WIC 4ESW
IOS ver 12.3(3.5)T
FE1 192.168.200.0/24 (VLAN200)
FE4 192.168.100.0/24 (VLAN100)
I've got the router and VLAN configuration correct as it works fine until I apply access lists.
(1) All hosts on 172.17.0.0 can access TCP 1494 and UDP 1604 on host 192.168.200.58
(2) Only hosts 172.17.0.0-63 can access WWW and DNS anywhere
(3) All other outbound requests on 172.17.0.0 are blocked
(4) All hosts on 192.168.100.0 and 200.0 can access WWW and TCP 3389 on host 172.17.0.29
(5) All hosts on 192.168.100.0 and 200.0 have unrestricted access to each other
access-list 100 permit tcp 172.17.0.0 0.0.0.63 any eq www
access-list 100 permit tcp any host 192.168.200.58 eq 1494
access-list 100 permit udp any host 192.168.200.58 eq 1604
access-list 100 permit tcp 172.17.0.0 0.0.0.63 any eq domain
access-list 100 permit udp 172.17.0.0 0.0.0.63 any eq domain
access-list 150 permit tcp any host 172.17.0.29 eq www
access-list 150 permit tcp any host 172.17.0.29 eq 3389
does not work fine. You have to remember that there is an implicit deny at the end of every ACL. What is happening here is that you are not accounting for return traffic in your ACLs. For instance, let's say that a host on the 172.17.0.0 network initiates a TCP/1494 connection to 192.168.200.58. If both ACL 100 and 150 are in place as shown above, the reply from the 192.168.200.58 host will be blocked by ACL 150 due to the implicit 'deny ip any any' at the end of the ACL. This is a common frustration with creating ACLs such as you are trying to do. To alleviate this, we created a feature known as CBAC (Context Based Access Control). This feature allows the router to "watch" traffic as it passes and dynamically create an ACL entry to allow the return traffic back in. You can get some more information on this feature here:
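To make the reply's point concrete, here is an added Python model (not code from the thread or from Cisco) that parses the two ACLs exactly as posted, applies them inbound on two interfaces, and forwards a TCP/1494 request and its reply, first with plain stateless ACLs and then with CBAC-style inspection that records the session and opens the return path. The interface names (fe0 for the 172.17.0.0 side, vlan200 for 192.168.200.0/24), the client 172.17.0.200 and the ephemeral port 51000 are assumptions for the demonstration.

```python
import ipaddress
from collections import namedtuple

# The ACLs exactly as posted in the question.
POSTED_ACL = """
access-list 100 permit tcp 172.17.0.0 0.0.0.63 any eq www
access-list 100 permit tcp any host 192.168.200.58 eq 1494
access-list 100 permit udp any host 192.168.200.58 eq 1604
access-list 100 permit tcp 172.17.0.0 0.0.0.63 any eq domain
access-list 100 permit udp 172.17.0.0 0.0.0.63 any eq domain
access-list 150 permit tcp any host 172.17.0.29 eq www
access-list 150 permit tcp any host 172.17.0.29 eq 3389
"""
PORT_NAMES = {"www": 80, "domain": 53}

# proto is 'tcp' or 'udp'
Packet = namedtuple("Packet", "proto src sport dst dport")
# src/dst: 'any', 'host A.B.C.D' or 'A.B.C.D W.X.Y.Z' (wildcard mask); sport/dport None = any
Ace = namedtuple("Ace", "action proto src dst sport dport")

def _port(tok):
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)

def _addr(t, i):
    """Consume one address spec from token list t at index i."""
    if t[i] == "any":
        return "any", i + 1
    if t[i] == "host":
        return f"host {t[i + 1]}", i + 2
    return f"{t[i]} {t[i + 1]}", i + 2

def _eq(t, i):
    """Consume an optional 'eq <port>' at index i."""
    if i < len(t) and t[i] == "eq":
        return _port(t[i + 1]), i + 2
    return None, i

def parse_acl(text, number):
    """Parse the 'access-list N action proto src [eq p] dst [eq p]' lines of one ACL."""
    aces = []
    for line in text.strip().splitlines():
        t = line.split()
        if t[:2] != ["access-list", number]:
            continue
        src, i = _addr(t, 4)
        sport, i = _eq(t, i)
        dst, i = _addr(t, i)
        dport, i = _eq(t, i)
        aces.append(Ace(t[2], t[3], src, dst, sport, dport))
    return aces

def _match_addr(spec, addr):
    if spec == "any":
        return True
    if spec.startswith("host "):
        return addr == spec[5:]
    base, wild = spec.split()
    care = ~int(ipaddress.IPv4Address(wild)) & 0xFFFFFFFF   # wildcard bit set = don't care
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(base)) & care)

def acl_allows(acl, pkt):
    """First matching entry wins; no match is the implicit 'deny ip any any'."""
    for ace in acl:
        if ace.proto not in ("ip", pkt.proto):
            continue
        if not (_match_addr(ace.src, pkt.src) and _match_addr(ace.dst, pkt.dst)):
            continue
        if ace.sport not in (None, pkt.sport) or ace.dport not in (None, pkt.dport):
            continue
        return ace.action == "permit"
    return False

class Router:
    def __init__(self):
        self.inbound_acl = {}   # interface -> ACL applied with 'ip access-group N in'
        self.inspect = set()    # interfaces whose inbound traffic is inspected (CBAC-style)
        self.sessions = set()   # reply 5-tuples learned from inspected sessions

    def forward(self, iface, pkt):
        """True if a packet arriving inbound on iface is forwarded."""
        if (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport) in self.sessions:
            return True   # dynamic entry for return traffic, opened by inspection
        if not acl_allows(self.inbound_acl.get(iface, []), pkt):
            return False
        if iface in self.inspect:
            self.sessions.add((pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport))
        return True

def demo(stateful):
    """Send a TCP/1494 request from the 172.17.0.0 side, then its reply.
    Returns (request forwarded, reply forwarded). Interfaces and hosts are assumed."""
    r = Router()
    r.inbound_acl["fe0"] = parse_acl(POSTED_ACL, "100")       # assumed 172.17.0.0 interface
    r.inbound_acl["vlan200"] = parse_acl(POSTED_ACL, "150")   # 192.168.200.0/24 interface
    if stateful:
        r.inspect.add("fe0")   # analogous to 'ip inspect <name> in' on that interface
    req = Packet("tcp", "172.17.0.200", 51000, "192.168.200.58", 1494)   # constructed flow
    rep = Packet("tcp", "192.168.200.58", 1494, "172.17.0.200", 51000)
    return r.forward("fe0", req), r.forward("vlan200", rep)
```

demo(False) returns (True, False): the request passes ACL 100, but the reply from 192.168.200.58:1494 matches nothing in ACL 150 and hits the implicit deny. demo(True) returns (True, True), because inspection learned the session and lets the reply through. On IOS the equivalent is to define an inspection rule (ip inspect name FW tcp, ip inspect name FW udp) and apply it with ip inspect FW in on the interface facing 172.17.0.0; the established keyword is a TCP-only, stateless alternative that only checks for ACK/RST flags.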