09-07-2007 09:29 AM - edited 03-03-2019 06:39 PM
Dears,
When I put these ACL lists on my Internet router, the Internet disconnects:
access-list 100 permit udp any host 55.55.55.1 range 9000 9999
access-list 100 permit tcp any host 55.55.55.1 range sip 5090
interface GigabitEthernet0/1
description International-Link
ip address 62.x.x.5 255.255.255.248
ip access-group 100 in
duplex full
speed 100
Where is the problem?
09-07-2007 09:44 AM
tareq
The problem is that you have denied most access through the gig0/1 interface. The outside is only permitted to access a single host on just a few UDP ports.
Remember that at the end of every access list is an implied deny any any. So anything that is not permitted is denied. So your access list has 2 permit statements and anything that is not UDP to host 55.55.55.1 is denied.
If you can give us a statement of what you want the access list to do (what it should permit and what it should deny) we might be able to help you write a better access list.
HTH
Rick
09-07-2007 09:44 AM
Hi,
The problem is that there is an implicit deny at the end of the access list. So you have to add access-list 100 permit ip any any at the end to permit all the traffic that was previously denied.
Hope it helps; rate if it does.
Krisztian
09-07-2007 10:42 PM
Hi, it is a simple problem.
Just add to the end of your access-list 100:
access-list 100 permit ip any any
Then you will be connected to the Internet.
09-08-2007 09:04 AM
Goverdhan
I believe that there is an issue of logic in your suggestion. If the permit ip any any is added to the access list then everything is permitted, and nothing is denied. If nothing is denied and everything is permitted then why are we using an access list on the interface? It would be much simpler to remove the access list entirely.
I believe that we need to clarify what the requirements are: what traffic should go through and what traffic should be denied. Once we have this clarification then we can construct an access list that will achieve the desired result.
HTH
Rick
09-12-2007 07:59 AM
Hello,
My goal is: my company is a VoIP provider, and now we need to install an ASA 5510 for security. Please see the attached file.
Please remember that I have a DNS server in subnet 55.55.2.0 and my main devices in 55.55.3.0. I need, as far as possible, to pass only the required packets. This is my first ACL configuration:
access-list 100 extended permit udp any host 55.55.3.5 range 9000 9999
access-list 100 extended permit tcp any host 55.55.3.5 range 5060 5090
access-list 100 extended permit udp any host 55.55.3.5 range 5060 5090
access-list 100 extended permit udp any host 55.55.3.5 range 2427 2457
access-list 100 extended permit tcp any host 55.55.3.5 range 2427 2457
access-list 100 extended permit tcp any host 55.55.3.5 range 3100 3130
access-list 100 extended permit udp any host 55.55.3.5 range 3100 3130
access-list 100 extended permit tcp any host 55.55.3.5 eq 1500
access-list 100 extended permit tcp any host 55.55.3.5 eq 2099
access-list 100 extended permit udp any host 55.55.3.5 range 2100 2129
access-list 100 extended permit udp any host 55.55.3.5 eq domain
access-list 100 extended permit tcp any host 55.55.3.5 eq domain
access-list 100 extended permit udp any host 55.55.3.5 eq tftp
access-list 100 extended permit tcp any host 55.55.3.5 eq ssh
access-list 100 extended permit udp any eq domain host 55.55.3.5 gt 1024
access-list 100 extended deny ip any host 55.55.3.5 log
access-list 100 extended permit icmp any any
===================================
access-list 101 extended permit udp host 55.55.3.5 any range 9000 9999
access-list 101 extended permit tcp host 55.55.3.5 any range 5060 5090
access-list 101 extended permit udp host 55.55.3.5 any range 5060 5090
access-list 101 extended permit udp host 55.55.3.5 any range 2427 2457
access-list 101 extended permit tcp host 55.55.3.5 any range 2427 2457
access-list 101 extended permit tcp host 55.55.3.5 any range 3100 3130
access-list 101 extended permit udp host 55.55.3.5 any range 3100 3130
access-list 101 extended permit tcp host 55.55.3.5 any eq 1500
access-list 101 extended permit tcp host 55.55.3.5 any eq 2099
access-list 101 extended permit udp host 55.55.3.5 any range 2100 2129
access-list 101 extended permit udp host 55.55.3.5 any eq domain
access-list 101 extended permit tcp host 55.55.3.5 any eq domain
access-list 101 extended permit udp host 55.55.3.5 any eq tftp
access-list 101 extended permit tcp host 55.55.3.5 any eq ssh
access-list 101 extended permit udp host 55.55.3.5 eq domain any gt 1024
access-list 101 extended permit icmp any any
access-list 101 extended permit ip any any
--------------------------
access-group 101 in interface inside
access-group 100 in interface outside
Please, any help with this design?
09-12-2007 08:48 AM
tareq
I have looked at your diagram and I have these comments about your access lists.
- access-list 100 has quite a few permits for a specific host 55.55.3.5. I do not see that host in your drawing (it may not be important that this host is not in the drawing). I do not see any permit (except for permit icmp) for the hosts that are in the drawing (Radius server and Softswitch). I think the lack of permits for these hosts or any other addresses in the subnet is a problem.
- access-list 101 has quite a few permits for a specific host 55.55.3.5 and then a permit ip any any. Nothing is denied. So why have an access list with anything more than permit ip any any?
HTH
Rick
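Added example (not part of the thread and not Cisco code): a small first-match evaluator for Cisco-style extended ACL lines, written so the ACLs posted in this thread can be run against sample packets. It illustrates both of Rick's replies: the router ACL 100 at the top of the thread drops the replies to every session the inside opens (which is what "the Internet disconnects" looks like), and on the ASA the outside ACL 100 admits nothing but 55.55.3.5 and ICMP, while ACL 101 ends in permit ip any any and so denies nothing. The addresses 198.51.100.7 (an Internet host), 55.55.2.10 (an inside client) and 55.55.3.20 (a device in 55.55.3.0 other than 55.55.3.5) are constructed for the example; the real addresses are not on the page. Only the address forms used on the page (any, host) are parsed. The evaluator also goes one step past the thread by modelling the IOS established keyword, to show a stateless way of letting return traffic back in without permit ip any any.

```python
# Added example (not part of the thread, not Cisco's code): a minimal first-match
# evaluator for Cisco-style extended ACL lines, enough to run the posted ACLs and
# watch the implicit "deny ip any any" at the end of every list do its work.
import ipaddress
from collections import namedtuple

# ack: True when the TCP ACK bit is set (what IOS "established" looks at; the
# real keyword also accepts RST, which this toy model leaves out).
Packet = namedtuple("Packet", "proto src sport dst dport ack")

# Port keywords that appear in the posted ACLs (IOS/ASA accept these names).
NAMES = {"sip": 5060, "domain": 53, "tftp": 69, "ssh": 22, "www": 80}


def pkt(proto, src, sport, dst, dport, ack=False):
    return Packet(proto, ipaddress.ip_address(src), sport,
                  ipaddress.ip_address(dst), dport, ack)


def _port(tok):
    return NAMES[tok] if tok in NAMES else int(tok)


def _addr(t):
    """Consume 'any' or 'host A.B.C.D' (the only address forms used on the page)."""
    if t[0] == "any":
        return (lambda ip: True), t[1:]
    if t[0] == "host":
        host = ipaddress.ip_address(t[1])
        return (lambda ip: ip == host), t[2:]
    raise ValueError("unsupported address form: " + " ".join(t[:2]))


def _ports(t):
    """Consume an optional eq/gt/lt/range port qualifier; absent means 'any port'."""
    if t and t[0] in ("eq", "gt", "lt"):
        op, v = t[0], _port(t[1])
        return (lambda p: p == v if op == "eq" else p > v if op == "gt" else p < v), t[2:]
    if t and t[0] == "range":
        lo, hi = _port(t[1]), _port(t[2])
        return (lambda p: lo <= p <= hi), t[3:]
    return (lambda p: True), t


def parse(line):
    t = line.split()[2:]                 # drop "access-list <number>"
    if t[0] == "extended":               # ASA syntax
        t = t[1:]
    action, proto, t = t[0], t[1], t[2:]
    src, t = _addr(t)
    sp, t = _ports(t)                    # source-port qualifier, e.g. "any eq domain"
    dst, t = _addr(t)
    dp, t = _ports(t)
    # Trailing "log" does not affect matching; "established" does.
    return dict(action=action, proto=proto, src=src, sp=sp, dst=dst, dp=dp,
                est="established" in t)


def _matches(r, p):
    if r["proto"] != "ip" and r["proto"] != p.proto:
        return False
    if not (r["src"](p.src) and r["dst"](p.dst)):
        return False
    if p.proto in ("tcp", "udp") and not (r["sp"](p.sport) and r["dp"](p.dport)):
        return False
    if r["est"] and not (p.proto == "tcp" and p.ack):
        return False
    return True


def evaluate(acl, p):
    """First match wins; a packet that reaches the end hits the implicit deny."""
    for line in acl:
        r = parse(line)
        if _matches(r, p):
            return r["action"], line
    return "deny", "implicit deny ip any any"


# ACL 100 exactly as posted for GigabitEthernet0/1 (applied inbound, Internet side).
ROUTER_100 = [
    "access-list 100 permit udp any host 55.55.55.1 range 9000 9999",
    "access-list 100 permit tcp any host 55.55.55.1 range sip 5090",
]
# A subset of the ASA ACLs from the later post (enough to show Rick's two points).
ASA_OUTSIDE_100 = [
    "access-list 100 extended permit tcp any host 55.55.3.5 range 5060 5090",
    "access-list 100 extended permit udp any host 55.55.3.5 range 5060 5090",
    "access-list 100 extended permit udp any eq domain host 55.55.3.5 gt 1024",
    "access-list 100 extended deny ip any host 55.55.3.5 log",
    "access-list 100 extended permit icmp any any",
]
ASA_INSIDE_101 = ["access-list 101 extended permit ip any any"]   # last line of ACL 101

# Constructed sample packets (addresses are not from the page).
VOIP = pkt("udp", "198.51.100.7", 40000, "55.55.55.1", 9500)
REPLY = pkt("tcp", "198.51.100.7", 80, "55.55.2.10", 51000, ack=True)   # web reply to inside
SYN = pkt("tcp", "198.51.100.7", 50000, "55.55.2.10", 22)               # unsolicited inbound


def router_demo():
    """Why the Internet 'disconnects': replies to sessions opened from inside are dropped."""
    return evaluate(ROUTER_100, VOIP)[0], evaluate(ROUTER_100, REPLY)[0]


def router_with_established():
    """IOS 'established' admits TCP return traffic (ACK set) while a fresh inbound SYN
    still falls through to the implicit deny: a stateless stop-gap, not a firewall."""
    acl = ROUTER_100 + ["access-list 100 permit tcp any any established"]
    return evaluate(acl, REPLY)[0], evaluate(acl, SYN)[0]


def asa_demo():
    """Outside: only 55.55.3.5 (and ICMP) gets through; inside: nothing is denied."""
    to_switch = pkt("udp", "198.51.100.7", 5060, "55.55.3.5", 5060)
    to_other = pkt("udp", "198.51.100.7", 5060, "55.55.3.20", 5060)
    ping = pkt("icmp", "198.51.100.7", 0, "55.55.3.20", 0)
    anything = pkt("tcp", "55.55.3.20", 44444, "198.51.100.7", 6667)
    return ([evaluate(ASA_OUTSIDE_100, p) for p in (to_switch, to_other, ping)]
            + [evaluate(ASA_INSIDE_101, anything)])


if __name__ == "__main__":
    print(router_demo(), router_with_established())
    for action, rule in asa_demo():
        print(action, "<-", rule)
```

Two caveats for reading the results. The established trick only helps TCP; UDP replies such as DNS answers to the inside client still hit the implicit deny on the router, which is why the requirement gathering Rick asks for comes first. And it is an IOS stateless-ACL device: the ASA keeps a connection table and passes return traffic for permitted connections on its own, so its ACLs only need to describe the sessions each side is allowed to initiate.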