04-07-2006 09:34 AM - edited 03-03-2019 12:20 PM
hi all,
I have the following in my router; I only want the web and the Cisco VPN to work. When I apply these, it stops, so apparently I am doing something wrong! Can someone help? Thanks!!
access-list 2 remark <name>
access-list 2 permit <ip> 0.0.0.255
access-list 120 permit udp any any eq isakmp
access-list 120 permit udp any any eq non500-isakmp
access-list 120 deny ip 10.0.0.0 0.255.255.255 any
access-list 120 deny ip 127.0.0.0 0.255.255.255 any
access-list 120 deny ip 172.16.0.0 0.15.255.255 any
access-list 120 deny ip 192.168.0.0 0.0.255.255 any
access-list 120 deny ip 224.0.0.0 31.255.255.255 any
access-list 120 permit tcp any any eq www
access-list 120 permit esp any any
access-list 130 deny ip any any
I have these applied to my WAN int with 120 in and 130 out.
TIA,
R
04-07-2006 09:41 AM
Hi,
One of the problems I can see immediately is that ACL 130 is blocking absolutely everything.
For starters, I suggest you remove the outbound ACL 130. That will allow you to check whether the inbound ACL 120 works or not.
Paresh
04-07-2006 09:45 AM
Another thing I can see is where you have matched on the tcp port... In an extended ACL you can insert the 'eq' keyword after the source and/or the destination, depending on where the server is located. It is sometimes better to have statements that match on both the source and destination.
So you may want to modify ACL 120 so that it looks like this:
access-list 120 permit udp any any eq isakmp
access-list 120 permit udp any eq isakmp any
access-list 120 permit udp any any eq non500-isakmp
access-list 120 permit udp any eq non500-isakmp any
access-list 120 deny ip 10.0.0.0 0.255.255.255 any
access-list 120 deny ip 127.0.0.0 0.255.255.255 any
access-list 120 deny ip 172.16.0.0 0.15.255.255 any
access-list 120 deny ip 192.168.0.0 0.0.255.255 any
access-list 120 deny ip 224.0.0.0 31.255.255.255 any
access-list 120 permit tcp any any eq www
access-list 120 permit tcp any eq www any
access-list 120 permit esp any any
Pls do remember to rate the posts.
Paresh
04-07-2006 09:57 AM
thanks for your help.
When I try this, with 130 taken out totally as well, I can use the VPN but not the web.
04-07-2006 03:47 PM
It might help if you pasted a bit more of your config so that we can see the context in which you are applying the ACL and any NAT setup etc.
Paresh
04-07-2006 07:20 PM
You might also want to add the following lines to ACL 120 to allow https:
access-list 120 permit tcp any any eq 443
access-list 120 permit tcp any eq 443 any
Paresh
04-10-2006 05:19 AM
Hi Paresh,
Sorry for the delay, the weekend came around and my work ethic went out the window! ;)
My config is as follows:
interface FastEthernet0/0
description LAN Int
ip address
ip nat inside
duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface Serial0/0/0:1
no ip address
ip access-group 120 in
ip access-group 130 out
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip route-cache flow
shutdown
no fair-queue
!
interface Serial0/0/1:1
no ip address
!
interface Serial0/1/0
ip address
no ip redirects
ip nat outside
encapsulation frame-relay IETF
ip route-cache flow
fair-queue
frame-relay interface-dlci
frame-relay lmi-type ansi
!
no ip classless
ip route 0.0.0.0 0.0.0.0
!
!
no ip http server
no ip http secure-server
ip http timeout-policy idle 5 life 86400 requests 10000
ip nat inside source list 2 interface Serial0/1/0 overload
!
access-list 2 remark Charlotte_NAT
access-list 2 permit
access-list 120 permit udp any any eq isakmp
access-list 120 permit udp any eq isakmp any
access-list 120 permit udp any any eq non500-isakmp
access-list 120 permit udp any eq non500-isakmp any
access-list 120 deny ip 10.0.0.0 0.255.255.255 any
access-list 120 deny ip 127.0.0.0 0.255.255.255 any
access-list 120 deny ip 172.16.0.0 0.15.255.255 any
access-list 120 deny ip 192.168.0.0 0.0.255.255 any
access-list 120 deny ip 224.0.0.0 31.255.255.255 any
access-list 120 permit tcp any any
access-list 120 permit esp any any
access-list 130 deny ip any any
!
04-10-2006 06:00 AM
I believe that with this config, if you remove access-list 130, everything will work. Access-list 130 is blocking everything.
However, you have permitted all TCP connections. This might not be desirable to you. Initially you permitted http traffic with the line
access-list 120 permit tcp any any eq www
Since this is an inbound access-list, that line will allow outside users to connect to your locally hosted web servers on port 80. For you to browse and connect to the internet, use the line
access-list 120 permit tcp any eq www any
What you should note is that when you initiate a connection, the destination port often identifies the type of connection. Hence when you launch your web browser and connect to cisco.com, the destination port is 80. However, the response from the web server to you will now have source port 80. Hence, for an inbound access-list on the WAN interface, you should match on the source port. If it were outbound on the WAN interface, then you could match on the destination port.
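Worked example, added by the editor and not part of the thread: a small Python model of how IOS evaluates a numbered extended ACL (top to bottom, first matching line wins, implicit deny at the end), run against the thread's ACL 120 lines with a few constructed packets. It shows why the original `permit tcp any any eq www` never matches the reply from a web server (source port 80, destination an ephemeral port), why `permit tcp any eq www any` fixes browsing, and the cost of that fix on a stateless ACL: anything arriving from source port 80 is let in, a SYN to a local service included. A third variant adds the IOS `established` keyword (matches only TCP segments with ACK or RST set), which is the stock mitigation for that; it is my addition, not something suggested in the thread. The addresses are documentation ranges chosen for the example, and the router's WAN address, VPN client and web server are assumed.

```python
"""First-match model of a Cisco IOS extended ACL (added example, not from the thread)."""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Optional

PORT_NAMES = {"isakmp": 500, "non500-isakmp": 4500, "www": 80, "https": 443}


@dataclass(frozen=True)
class Packet:
    proto: str                # "tcp", "udp", "esp", ...
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    ack_or_rst: bool = False  # TCP ACK or RST set; this is what 'established' tests


@dataclass(frozen=True)
class Rule:
    action: str               # "permit" or "deny"
    proto: str                # "ip" matches every protocol
    src_net: int
    src_wild: int             # IOS wildcard mask: a 1 bit means "don't care"
    sport: Optional[int]      # None = any port
    dst_net: int
    dst_wild: int
    dport: Optional[int]
    established: bool = False

    def matches(self, p: Packet) -> bool:
        def in_net(addr: str, net: int, wild: int) -> bool:
            return (int(IPv4Address(addr)) | wild) == (net | wild)
        return (self.proto in ("ip", p.proto)
                and in_net(p.src, self.src_net, self.src_wild)
                and in_net(p.dst, self.dst_net, self.dst_wild)
                and self.sport in (None, p.sport)
                and self.dport in (None, p.dport)
                and (not self.established or p.ack_or_rst))


def _addr(tok: list, i: int):
    """Consume 'any' | 'host A' | 'A WILDCARD' at tok[i]; return (net, wildcard, next i)."""
    if tok[i] == "any":
        return 0, 0xFFFFFFFF, i + 1
    if tok[i] == "host":
        return int(IPv4Address(tok[i + 1])), 0, i + 2
    return int(IPv4Address(tok[i])), int(IPv4Address(tok[i + 1])), i + 2


def _port(tok: list, i: int):
    """Consume an optional 'eq <name|number>' at tok[i]; return (port or None, next i)."""
    if i < len(tok) and tok[i] == "eq":
        name = tok[i + 1]
        return (int(name) if name.isdigit() else PORT_NAMES[name]), i + 2
    return None, i


def parse_rule(line: str) -> Rule:
    """Parse 'access-list <n> permit|deny <proto> <src> [eq p] <dst> [eq p] [established]'."""
    tok = line.split()
    if tok[0] != "access-list" or tok[2] not in ("permit", "deny"):
        raise ValueError(f"unsupported line: {line}")
    src_net, src_wild, i = _addr(tok, 4)
    sport, i = _port(tok, i)
    dst_net, dst_wild, i = _addr(tok, i)
    dport, i = _port(tok, i)
    return Rule(tok[2], tok[3], src_net, src_wild, sport, dst_net, dst_wild, dport,
                "established" in tok[i:])


def evaluate(acl: str, p: Packet) -> str:
    """Action of the first matching line, or 'deny' from the implicit deny at the end."""
    for line in acl.splitlines():
        line = line.strip()
        if line and " remark " not in line:
            rule = parse_rule(line)
            if rule.matches(p):
                return rule.action
    return "deny"


# ACL 120 as posted in the thread, with the web line left as a parameter.
VPN = "access-list 120 permit udp any any eq isakmp\naccess-list 120 permit udp any any eq non500-isakmp"
ANTI_SPOOF = """access-list 120 deny ip 10.0.0.0 0.255.255.255 any
access-list 120 deny ip 127.0.0.0 0.255.255.255 any
access-list 120 deny ip 172.16.0.0 0.15.255.255 any
access-list 120 deny ip 192.168.0.0 0.0.255.255 any
access-list 120 deny ip 224.0.0.0 31.255.255.255 any"""


def acl_120(web_line: str) -> str:
    return "\n".join([VPN, ANTI_SPOOF, web_line, "access-list 120 permit esp any any"])


ACL_ORIGINAL = acl_120("access-list 120 permit tcp any any eq www")              # first post
ACL_REVISED = acl_120("access-list 120 permit tcp any eq www any")               # the thread's fix
ACL_HARDENED = acl_120("access-list 120 permit tcp any eq www any established")  # editor's addition

# Constructed packets as they arrive inbound on the WAN interface (198.51.100.1 = assumed router WAN IP).
IKE_IN = Packet("udp", "203.0.113.5", "198.51.100.1", 500, 500)            # VPN client starting IKE
WEB_REPLY = Packet("tcp", "192.0.2.10", "198.51.100.1", 80, 51234, True)  # web server's reply to our browser
SPOOFED = Packet("tcp", "10.9.8.7", "198.51.100.1", 80, 51234, True)      # RFC1918 source arriving from outside
PROBE = Packet("tcp", "203.0.113.9", "198.51.100.1", 80, 22)              # SYN to local ssh sent from sport 80

if __name__ == "__main__":
    for name, acl in [("original", ACL_ORIGINAL), ("revised", ACL_REVISED), ("hardened", ACL_HARDENED)]:
        verdicts = {label: evaluate(acl, pkt) for label, pkt in
                    [("ike", IKE_IN), ("web_reply", WEB_REPLY), ("spoofed", SPOOFED), ("probe", PROBE)]}
        print(f"{name:9s} {verdicts}")
```

Running it prints one verdict line per ACL variant: the original list passes IKE but drops the web reply; the revised list passes the reply and still drops the RFC1918 source (the anti-spoof denies sit above the web line), but also admits the source-port-80 SYN to ssh; the `established` variant drops that probe while keeping the reply. Note that `established` only looks at TCP flags, so it is a filter against naive probes, not a substitute for a stateful inspection feature, and ACL 130 (`deny ip any any` outbound) drops everything regardless of what 120 permits.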
04-10-2006 06:15 AM
Hmm... I could have sworn I removed the 130 ACL. Paresh said the same as you, but maybe I was mistaken.
I shall try the suggestions.
Thanks!