Cisco Support Community

New Member

ACL disables my connection

I've a router 1721 with the default IOS version.

The Serial0 interface is FR encapsulated and there's a subinterface s0.x. I need to install an ACL on that interface s0.x, but when I apply it to that interface all the traffic inside and outside is lost.

The ACL I'm using is:

ip access-list extended XXXXX
 permit tcp any host x.x.x.x eq x
 similar line
 similar line

Then I apply it to s0.x "in".

Can you help me please?

Regards,

Martin Cordero

  • Other Security Subjects
1 REPLY
New Member

Re: ACL disables my connection

Martin,

Keep in mind that when you apply an ACL like this, it allows any external user to access host x.x.x.x on port x. It blocks ALL other traffic, including return traffic.

You need to identify the other traffic which you want to permit, including return traffic (typically DNS replies, ICMP traffic, established TCP traffic, etc.).

Consider temporarily modifying your ACL as follows:

permit tcp any host x.x.x.x eq x
permit tcp any any log
permit udp any any log
permit icmp any any log
permit ip any any log

Then enable "logging on" and "logging buffer debug", do a "show log", and see what traffic you normally permit; then allow the desired portion of that traffic. Once you have the majority of that traffic identified, you can remove the extra permit statements and consider temporarily putting in a "deny ip any any log" to see what else you might be missing.

Once you're done tuning, remove all the extraneous lines.

HTH

Jeff
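The following is an added example, not part of Martin's post or Jeff's reply and not Cisco code: a small Python model of how IOS evaluates an extended ACL (top to bottom, first match wins, implicit deny at the end that never logs). It runs the single-line ACL from the question and a tuned version of the kind Jeff's procedure converges on against a few constructed packets arriving inbound on s0.x, which shows why the original ACL silently kills every session the LAN opens. All addresses, ports, and the tuned ACL lines (the `established`, `udp eq 53` and `deny ip any any log` entries) are assumptions standing in for the thread's x.x.x.x and port x; the parser covers only the syntax subset used here.

```python
"""Toy evaluator for IOS-style extended ACLs (added example, not Cisco code)."""
import ipaddress
from dataclasses import dataclass

ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass
class Packet:
    proto: str          # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    ack: bool = False   # TCP ACK or RST bit set; what the 'established' keyword checks


def _parse_addr(tokens, i):
    """Consume one address spec at tokens[i]; return (network, index after it)."""
    tok = tokens[i]
    if tok == "any":
        return ANY, i + 1
    if tok == "host":                      # 'host' takes a single address and no mask
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # "A.B.C.D WILDCARD": an IOS wildcard mask is the bitwise inverse of a netmask
    wildcard = int(ipaddress.ip_address(tokens[i + 1]))
    netmask = ipaddress.ip_address((~wildcard) & 0xFFFFFFFF)
    return ipaddress.ip_network(f"{tok}/{netmask}", strict=False), i + 2


def _parse_port(tokens, i):
    """Optional 'eq PORT' after an address; return (port or None, next index)."""
    if i < len(tokens) and tokens[i] == "eq":
        return int(tokens[i + 1]), i + 2
    return None, i


def parse_ace(line):
    """Parse one access-control entry: action proto src [eq p] dst [eq p] [established] [log]."""
    t = line.split()
    src, i = _parse_addr(t, 2)
    sport, i = _parse_port(t, i)
    dst, i = _parse_addr(t, i)
    dport, i = _parse_port(t, i)
    flags = set(t[i:])
    return {"action": t[0], "proto": t[1], "src": src, "sport": sport,
            "dst": dst, "dport": dport, "established": "established" in flags,
            "log": "log" in flags, "text": line}


def _matches(ace, pkt):
    if ace["proto"] != "ip" and ace["proto"] != pkt.proto:
        return False
    if ipaddress.ip_address(pkt.src) not in ace["src"]:
        return False
    if ipaddress.ip_address(pkt.dst) not in ace["dst"]:
        return False
    if ace["sport"] is not None and pkt.sport != ace["sport"]:
        return False
    if ace["dport"] is not None and pkt.dport != ace["dport"]:
        return False
    if ace["established"] and not (pkt.proto == "tcp" and pkt.ack):
        return False
    return True


def evaluate(acl_lines, pkt):
    """First matching entry wins; otherwise the implicit deny applies, and it never logs."""
    for ace in map(parse_ace, acl_lines):
        if _matches(ace, pkt):
            return ace["action"], ace["text"], ace["log"]
    return "deny", "(implicit deny ip any any)", False


# Constructed stand-ins for the thread's x.x.x.x / port x: a LAN web server 192.0.2.10:80
# behind s0.x, a LAN client 192.0.2.20, and remote hosts in documentation ranges.
ORIGINAL_ACL = ["permit tcp any host 192.0.2.10 eq 80"]

TUNED_ACL = [                                  # assumed end state of the tuning Jeff describes
    "permit tcp any host 192.0.2.10 eq 80",    # the one service the poster wants to expose
    "permit tcp any any established",          # replies to TCP sessions the LAN opened
    "permit udp any eq 53 any",                # DNS replies
    "permit icmp any any",                     # echo-reply, unreachables, etc.
    "deny ip any any log",                     # make the implicit deny visible in 'show log'
]

SAMPLE_PACKETS = {   # all inbound on s0.x, i.e. from the Frame Relay cloud toward the LAN
    "inbound web request": Packet("tcp", "198.51.100.7", "192.0.2.10", 40000, 80),
    "reply to LAN web client": Packet("tcp", "203.0.113.5", "192.0.2.20", 443, 51000, ack=True),
    "DNS reply to LAN": Packet("udp", "203.0.113.53", "192.0.2.20", 53, 53001),
    "ping reply to LAN": Packet("icmp", "203.0.113.5", "192.0.2.20"),
    "unsolicited telnet": Packet("tcp", "198.51.100.7", "192.0.2.10", 40001, 23),
}


def compare(acl_a, acl_b, packets=SAMPLE_PACKETS):
    """Return {name: (action under acl_a, action under acl_b)} for each sample packet."""
    return {name: (evaluate(acl_a, p)[0], evaluate(acl_b, p)[0])
            for name, p in packets.items()}


if __name__ == "__main__":
    for name, pkt in SAMPLE_PACKETS.items():
        before, after = evaluate(ORIGINAL_ACL, pkt), evaluate(TUNED_ACL, pkt)
        print(f"{name:26} original: {before[0]:6} via {before[1]}")
        print(f"{'':26} tuned:    {after[0]:6} via {after[1]}{' [logged]' if after[2] else ''}")
```

Running it shows the return packets of a LAN-initiated web session, a DNS reply and a ping reply all falling through to the implicit deny under the one-line ACL, while the tuned list permits them and, thanks to the explicit `deny ip any any log`, leaves a log entry for anything still unaccounted for. On a real router, `permit tcp any any established` only looks at TCP flags, so it is the classic, not a stateful, answer to return traffic; `ip inspect` or a zone-based firewall is the stateful alternative.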
