2600 router connection issue when an access-group is applied to int

willymaldonado1
Level 1
Hi everyone, I'm running into an issue with an ISP DHCP server.
On my router's outside interface we are getting a dynamic IP address from the ISP DHCP server;
however, when we apply the access-list IN to the outside interface our internet transmission
gets dropped. Below we have part of an access-list and a log message...
What could be the issue here? Thanks in advance for your help, guys.


access-list 102 permit tcp any any gt 1023 established
access-list 102 permit tcp any any eq www established
access-list 102 permit udp any any eq domain
access-list 102 permit udp any eq domain any
access-list 102 permit tcp any any eq domain
access-list 102 permit tcp any eq domain any
access-list 102 permit udp host 192.168.x.xx host 172.17.xx.xx eq 67
access-list 102 permit udp host 192.168.x.xx host 172.17.xx.xx eq 68
access-list 102 permit tcp any 10.0.100.0 0.0.0.255 established
access-list 102 permit tcp any 10.0.100.0 0.0.0.255 established log-input
access-list 102 deny   tcp any any eq ftp-data
access-list 102 deny   tcp any any eq ftp
access-list 102 deny   tcp any any eq telnet
access-list 102 deny   ip 192.168.0.0 0.0.255.255 any log-input
access-list 102 deny   ip 172.16.0.0 0.15.255.255 any log-input
access-list 102 deny   ip 172.17.0.0 0.0.255.255 any log-input
access-list 102 deny   ip 10.0.0.0 0.255.255.255 any log-input
access-list 102 deny   ip 127.0.0.0 0.255.255.255 any log-input
access-list 102 deny   ip 255.0.0.0 0.255.255.255 any log-input
access-list 102 deny   ip 224.0.0.0 31.255.255.255 any log-input

%SEC-6-IPACCESSLOGP: list 102 denied udp 10.1.0.1(67) (FastEthernet0/0 00d0.8804.cf08) -> 255.255.255.255(68), 1 packet
TECHNET#
%SEC-6-IPACCESSLOGP: list 102 denied udp 172.17.0.1(67) (FastEthernet0/0 00d0.8804.cf08) -> 255.255.255.255(68), 10 packets
%SEC-6-IPACCESSLOGP: list 102 denied udp 192.168.1.12(67) (FastEthernet0/0 00d0.8804.cf08) -> 255.255.255.255(68), 22 packets
TECHNET#
*Mar  3 04:49:29.123: %SEC-6-IPACCESSLOGP: list 102 denied udp 172.17.0.1(67) (FastEthernet0/0 00d0.8804.cf08) -> 255.255.255.255(68), 16 packets
%SEC-6-IPACCESSLOGP: list 102 denied udp 192.168.1.12(67) (FastEthernet0/0 00d0.8804.cf08) -> 255.255.255.255(68), 16 packets
%SEC-6-IPACCESSLOGP: list 102 denied udp 10.1.0.1(67) (FastEthernet0/0 00d0.8804.cf08) -> 255.255.255.255(68), 11 packets

3 Replies

bret
Level 3

If you remove the ACL, does connectivity work? If so, your ACL needs to be reworked. Since you're getting DHCP from the provider you may need to add ports UDP 68 for requests and UDP 67 for replies. You should be able to add a permit any any log to see what ports you are missing.

hth

Sent from Cisco Technical Support iPad App

Bret is certainly on the right track. If you want the router outside interface to learn its IP address from a DHCP server then you need to have permits in the access list to allow the DHCP.

He seems to have overlooked the fact that you already have some permits for DHCP which are

access-list 102 permit udp host 192.168.x.xx host 172.17.xx.xx eq 67
access-list 102 permit udp host 192.168.x.xx host 172.17.xx.xx eq 68

There are at least three problems with your access list.

- Your access list is specifying a particular host as the destination. But, as the log messages clearly show, the destination address is the broadcast address. So you need to fix the destination address in the access list.

- Your access list is specifying a particular host as the source. The log messages show that there are three source addresses, and none of them match your specified source host. So you need to fix the source address in the access list.

- Your access list specifies both 67 and 68 as destination ports. But the log messages show clearly that 67 is the source port and 68 is the destination port. The good news is that this inconsistency in your access list is not causing any traffic to be denied, since you are specifying only destination ports. So you got it right in one statement, and the other statement will never permit anything, so it is technically superfluous. So it is not necessary to alter the destination ports (though you might want to fix it as a matter of good form).

HTH

Rick
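Bret's suggestion to read the missing ports off the log and Rick's three points can both be checked by replaying the logged packets through the access-list. The Python below is an added example, not code from the thread or from Cisco: a toy first-match ACL evaluator that parses IOS-style `access-list` lines and `%SEC-6-IPACCESSLOGP` messages, runs the three logged DHCP offers against the original DHCP permits, and then against one entry rewritten the way Rick describes. It assumes placeholder hosts 192.168.1.1 and 172.17.1.1 for the masked `192.168.x.xx` / `172.17.xx.xx` entries, ignores TCP `established`, and uses the IOS port keywords `bootps` (67) and `bootpc` (68).

```python
"""Toy first-match ACL evaluator (added example; not IOS code or anything from the
thread).  TCP flags such as 'established' are not modelled; 192.168.1.1 and
172.17.1.1 stand in for the masked hosts in the original access-list."""
import ipaddress
import re
from collections import namedtuple
from typing import Callable, List, Optional, Tuple

# Subset of the port keywords IOS accepts in ACL syntax (bootps/bootpc are DHCP).
PORT_NAMES = {"bootps": 67, "bootpc": 68, "domain": 53, "www": 80, "ftp": 21, "telnet": 23}
Packet = namedtuple("Packet", "proto src sport dst dport")
Ace = namedtuple("Ace", "text action proto src sport dst dport")  # src/dst = (addr, wildcard)

def _ip(s: str) -> int:
    return int(ipaddress.IPv4Address(s))

def _port(tok: str) -> int:
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)

def _parse_addr(t: List[str], i: int) -> Tuple[int, int, int]:
    """'any' | 'host A' | 'A WILDCARD'  ->  (address, wildcard, next index)."""
    if t[i] == "any":
        return 0, 0xFFFFFFFF, i + 1
    if t[i] == "host":
        return _ip(t[i + 1]), 0, i + 2
    return _ip(t[i]), _ip(t[i + 1]), i + 2

def _parse_port_op(t: List[str], i: int) -> Tuple[Callable[[int], bool], int]:
    """Optional 'eq|gt|lt|neq N' at t[i]; no operator means any port."""
    if i < len(t) and t[i] in ("eq", "gt", "lt", "neq"):
        val = _port(t[i + 1])
        ops = {"eq": lambda p: p == val, "gt": lambda p: p > val,
               "lt": lambda p: p < val, "neq": lambda p: p != val}
        return ops[t[i]], i + 2
    return (lambda p: True), i

def parse_ace(line: str) -> Ace:
    """access-list N <permit|deny> <proto> <src> [op] <dst> [op] [log|log-input|established]"""
    t = line.split()
    s_addr, s_wild, i = _parse_addr(t, 4)
    s_port, i = _parse_port_op(t, i)
    d_addr, d_wild, i = _parse_addr(t, i)
    d_port, _ = _parse_port_op(t, i)
    return Ace(line.strip(), t[2], t[3], (s_addr, s_wild), s_port, (d_addr, d_wild), d_port)

def _addr_ok(rule: Tuple[int, int], ip: int) -> bool:
    base, wild = rule                   # a set wildcard bit means "don't care"
    care = ~wild & 0xFFFFFFFF
    return ip & care == base & care

def matches(ace: Ace, pkt: Packet) -> bool:
    return (ace.proto in ("ip", pkt.proto)
            and _addr_ok(ace.src, pkt.src) and ace.sport(pkt.sport)
            and _addr_ok(ace.dst, pkt.dst) and ace.dport(pkt.dport))

LOG_RE = re.compile(r"denied (\w+) (\S+)\((\d+)\) .*?-> (\S+)\((\d+)\)")

def packet_from_log(line: str) -> Packet:
    """Rebuild the 5-tuple from a %SEC-6-IPACCESSLOGP line."""
    proto, s, sp, d, dp = LOG_RE.search(line).groups()
    return Packet(proto, _ip(s), int(sp), _ip(d), int(dp))

def first_match(acl: List[Ace], pkt: Packet) -> Optional[Ace]:
    """ACLs are first-match; None stands for the implicit deny at the end."""
    return next((a for a in acl if matches(a, pkt)), None)

def evaluate(acl_lines: List[str], log_lines: List[str]) -> List[Tuple[str, str]]:
    """(source address, verdict) for every logged packet replayed through the ACL."""
    acl = [parse_ace(line) for line in acl_lines]
    verdicts = []
    for line in log_lines:
        pkt = packet_from_log(line)
        hit = first_match(acl, pkt)
        verdicts.append((str(ipaddress.IPv4Address(pkt.src)), hit.action if hit else "deny"))
    return verdicts

# Log lines from the thread, with the wrapped lines re-joined.
LOGGED_DENIES = [
    "%SEC-6-IPACCESSLOGP: list 102 denied udp 10.1.0.1(67) (FastEthernet0/0 00d0.8804.cf08) -> 255.255.255.255(68), 1 packet",
    "%SEC-6-IPACCESSLOGP: list 102 denied udp 172.17.0.1(67) (FastEthernet0/0 00d0.8804.cf08) -> 255.255.255.255(68), 10 packets",
    "%SEC-6-IPACCESSLOGP: list 102 denied udp 192.168.1.12(67) (FastEthernet0/0 00d0.8804.cf08) -> 255.255.255.255(68), 22 packets",
]
# The thread's two DHCP permits (placeholder hosts), then the anti-spoofing denies that logged the drops.
ORIGINAL_ACL = [
    "access-list 102 permit udp host 192.168.1.1 host 172.17.1.1 eq 67",
    "access-list 102 permit udp host 192.168.1.1 host 172.17.1.1 eq 68",
    "access-list 102 deny ip 192.168.0.0 0.0.255.255 any log-input",
    "access-list 102 deny ip 172.16.0.0 0.15.255.255 any log-input",
    "access-list 102 deny ip 10.0.0.0 0.255.255.255 any log-input",
]
# One entry written as the reply describes: server port 67 as the source port,
# client port 68 and the broadcast address as the destination, and any source.
CORRECTED_ACL = ["access-list 102 permit udp any eq bootps host 255.255.255.255 eq bootpc"] + ORIGINAL_ACL[2:]

if __name__ == "__main__":
    for name, acl in (("original", ORIGINAL_ACL), ("corrected", CORRECTED_ACL)):
        print(name, evaluate(acl, LOGGED_DENIES))
```

Run as a script, it reports every logged offer as denied under the original entries (they fall through to the RFC 1918 `deny ... log-input` lines, which is exactly why the router logged them) and permitted under the corrected one. Because the corrected permit sits above those denies, it admits UDP 67-to-68 traffic from any source on that interface; if the provider's DHCP server address is stable, as the original poster says further down, the source can be narrowed to that host.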

willymaldonado1
Level 1
My ISP tied an IP address to the modem MAC address. That's why I know what IP address will get
assigned to the out/int in my ACLs......... I reversed the source to the dest and so far
it has worked... but I still have a feeling that the inconsistency in my ACL still exists, as
Richard mentioned....

Bret, as soon as I take off the access-group IN from the int it works like a charm.