Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements
Webcast-Catalyst9k
New Member

acl help

hi all,

i have the followinig in my router, i only want the web and the cisco vpn to work. when i apply these, it stops so apparently i am doing somethign wrong! can someone help? thanks!!

access-list 2 remark <name>

access-list 2 permit <ip> 0.0.0.255

access-list 120 permit udp any any eq isakmp

access-list 120 permit udp any any eq non500-isakmp

access-list 120 deny ip 10.0.0.0 0.255.255.255 any

access-list 120 deny ip 127.0.0.0 0.255.255.255 any

access-list 120 deny ip 172.16.0.0 0.15.255.255 any

access-list 120 deny ip 192.168.0.0 0.0.255.255 any

access-list 120 deny ip 224.0.0.0 31.255.255.255 any

access-list 120 permit tcp any any eq www

access-list 120 permit esp any any

access-list 130 deny ip any any

i have these applied to my wan int with 120 in and 130 out.

TIA,

R

8 REPLIES
Purple

Re: acl help

Hi,

One of the problems I can see immediately is that ACL 130 is blocking absolutely everything.

For starters, I suggest you remove the outbound ACL 130. That will allow you to check whether the inbound ACL 120 works or not.

Paresh

Purple

Re: acl help

Another thing I can see is where you have matched on the tcp port... In an extended ACL you can insert the 'eq' keyword after the source and/or the destination, depending on where the server is located. It is sometimes better to have statements that match on both the source and destination.

So you may want to modify ACL 120 so that it looks like this:

access-list 120 permit udp any any eq isakmp

access-list 120 permit udp any eq isakmp any

access-list 120 permit udp any any eq non500-isakmp

access-list 120 permit udp any eq non500-isakmp any

access-list 120 deny ip 10.0.0.0 0.255.255.255 any

access-list 120 deny ip 127.0.0.0 0.255.255.255 any

access-list 120 deny ip 172.16.0.0 0.15.255.255 any

access-list 120 deny ip 192.168.0.0 0.0.255.255 any

access-list 120 deny ip 224.0.0.0 31.255.255.255 any

access-list 120 permit tcp any any eq www

access-list 120 permit tcp any eq www any

access-list 120 permit esp any any

Pls do remember to rate the posts.

Paresh

New Member

Re: acl help

thanks for your help.

when i try this, with taking the 130 out totally as well, i can use the vpn but not the web.

Purple

Re: acl help

It might help if you pasted a bit more of your config so that we can see the context in which you are applying the ACL and any NAT setup etc.

Paresh

Purple

Re: acl help

You might also want to add the following like to ACL 120 to allow https:

access-list 120 permit tcp any any eq 443

access-list 120 permit tcp any eq 443 any

Paresh

New Member

Re: acl help

Hi Paresh,

Sorry for the delay, the weekend came around and my work ethic went out the window! ;)

my config is as follows:

interface FastEthernet0/0

description LAN Int

ip address 255.255.255.0

ip nat inside

duplex auto

speed auto

!

interface FastEthernet0/1

no ip address

shutdown

duplex auto

speed auto

!

interface Serial0/0/0:1

no ip address

ip access-group 120 in

ip access-group 130 out

no ip redirects

no ip unreachables

no ip proxy-arp

ip nat outside

ip route-cache flow

shutdown

no fair-queue

!

interface Serial0/0/1:1

no ip address

!

interface Serial0/1/0

ip address 255.255.255.252

no ip redirects

ip nat outside

encapsulation frame-relay IETF

ip route-cache flow

fair-queue

frame-relay interface-dlci

frame-relay lmi-type ansi

!

no ip classless

ip route 0.0.0.0 0.0.0.0

!

!

no ip http server

no ip http secure-server

ip http timeout-policy idle 5 life 86400 requests 10000

ip nat inside source list 2 interface Serial0/1/0 overload

!

access-list 2 remark Charlotte_NAT

access-list 2 permit 0.0.0.255

access-list 120 permit udp any any eq isakmp

access-list 120 permit udp any eq isakmp any

access-list 120 permit udp any any eq non500-isakmp

access-list 120 permit udp any eq non500-isakmp any

access-list 120 deny ip 10.0.0.0 0.255.255.255 any

access-list 120 deny ip 127.0.0.0 0.255.255.255 any

access-list 120 deny ip 172.16.0.0 0.15.255.255 any

access-list 120 deny ip 192.168.0.0 0.0.255.255 any

access-list 120 deny ip 224.0.0.0 31.255.255.255 any

access-list 120 permit tcp any any

access-list 120 permit esp any any

access-list 130 deny ip any any

!

Silver

Re: acl help

I believe that with this config, if you remove access-;ist 130, everything will work. Access-list 130 is blocking everything.

However, you have permitted all tcp connections. This might not be desirable to you. Initially you permitted http traffic with the line

access-list 120 permit tcp any any eq www.

Since this is an inbound access-list, the line will allow outside users to connect to your locally hosted webservers on port 80. For you to browse and connect to the internet, use the line

access-list 120 permit tcp any eq www any.

What you should note is that when you initiate a connection, the destination port oftens identifies the type of connection. Hence when you launch your web browse and connect to cisco.com, the destination port is 80. However, the response from the web server to you, would have the source port to now be 80. Hence, for an inbound access-list on the wan interface, you should match on the source port. If it was outbound, on the wan interface, then you can match on the destination port.

New Member

Re: acl help

Hmm..I could have sworn I removed the 130 acl. Paresh said the same as you, but maybe i was mistaken.

I shall try the suggestions.

Thanks!

153
Views
16
Helpful
8
Replies
CreatePlease to create content