
ACL problems

nickc1976
Level 1

I have a Cisco 857 router.

I have given it a basic configuration and can now use it to get web access.

I want to allow incoming access to my network 192.168.2.0 from three external locations, and also to allow any outgoing connection

I have set up these access lists:

access-list 101 permit ip host 84.92.xxx.xxx any
access-list 101 permit ip host 84.92.xxx.xxx any
access-list 101 permit ip host 84.92.xxx.xxx any
access-list 101 permit tcp any 192.168.2.0 0.0.0.255 established
access-list 102 permit tcp 192.168.2.0 0.0.0.25 any

int dialer0
 ip access-group 101 in

int vlan1
 ip access-group 102 out

The problem is that 102 doesn't appear to be working: I can't use the internet on the local network. If I change 102 to:

access-list 102 permit ip any any

then I get internet access again.

show ip int for vlan1 shows the ip address as 192.168.2.1/24

Any suggestions??


Nick

"ip nat inside source list 103 interface dialer0 overload"

This is not configured under an interface; it is configured in global config mode, i.e.

router(conf t)# ip nat inside source list 103 interface dialer0 overload

Jon

Hi,

I'm still not getting this, and starting to get confused. So I'll summarise what I am trying to do, and what I have done so far.

I have a router in office A, the local network is on interface vlan1, ip address 192.168.2.0

the outside network is on interface dialer0, ip address 84.92.224.225

I want to create a vpn connection from office A to office B, and another from office A to office C.

office B is 84.92.217.194

office C is 84.92.216.206

I don't want any traffic other than the vpn traffic from office B and office C to be able to access the network

I don't want to restrict any outgoing traffic.

int dialer0
 ip nat outside
 ip access-group 101 in
 ip access-group 102 out

int vlan1
 ip nat inside

access-list 1 permit 192.168.2.0 0.0.0.255
ip nat inside source list 1 interface dialer0 overload

access-list 101 permit ip host 84.92.217.194 any
access-list 101 permit ip host 84.92.216.206 any
access-list 101 permit tcp any host 84.92.224.225 established

access-list 102 permit ip host 84.92.224.225 any

The problem is with 101: when I apply it, I lose my internet connection.

Nick

When you say you lose Internet connection, is this all internet traffic? For example, if you browse to a web site by URL you would need to do a DNS lookup - DNS uses UDP not TCP, so that would not resolve and you wouldn't get to the page. What happens if you try to get to a web page by typing

http://198.133.219.25 (this is Cisco's homepage)

Jon

Jon,

You're right, I added the following line, and it worked!

access-list 101 permit udp any eq 53 host 84.92.224.225

I have a few other things to test with this config, so may be back for some more advice.

Nick

Nick

Glad we are getting somewhere :)

Obviously anything that uses UDP will need to have a separate entry in your acl.

Jon

Many thanks to Jon and Giuseppe for their help, I now have the router config working as I want it to.

Nick

Nick

No problem, glad we got there in the end and thanks for letting us know it is all working.

Jon

Hello Nick,

ACL 103 now is fine.

But as Jon has explained in his last post, it is also ACL 101 that needs to be reverted.

What is received on dialer0, the WAN interface?

Packets destined to 84.92.x.x, not coming from 84.92.x.x.

If ACL 102 is

access-list 102 permit ip host 84.92.xxx.xxx any (local site IP)

and is correct,

ACL 101 cannot be

access-list 101 permit ip host 84.92.xxx.xxx any (remote site IP)

access-list 101 permit ip host 84.92.xxx.xxx any (remote site IP)

...

With extended ACLs you match both source and destination addresses, so ACLs in opposite directions have to swap source and destination.

Hope to help

Giuseppe
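Giuseppe's point about swapping source and destination per direction, and Jon's earlier point that DNS replies are UDP and so fall through a TCP-only `established` entry, can both be checked with a small model of IOS extended-ACL matching. This is added example code written for this thread, not Cisco's implementation or any poster's config; it evaluates the thread's own ACL 101 against constructed packets, and the resolver address 203.0.113.53 and client ports used in the checks are made up.

```python
import ipaddress

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard mask: a 0 bit must match, a 1 bit is don't-care."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)

def _addr_spec(tok):
    """Consume 'any' | 'host A' | 'A WILDCARD', then an optional 'eq PORT'."""
    t = tok.pop(0)
    base, wild = (("0.0.0.0", "255.255.255.255") if t == "any"
                  else (tok.pop(0), "0.0.0.0") if t == "host" else (t, tok.pop(0)))
    port = int(tok.pop(1)) if tok[:1] == ["eq"] else None
    if port is not None:
        tok.pop(0)  # drop the consumed 'eq' keyword
    return base, wild, port

def parse_ace(line):
    """'access-list N permit|deny PROTO SRC DST [established]' -> dict."""
    tok = line.split()
    rest = tok[4:]  # _addr_spec consumes from this list: source first, then destination
    return dict(action=tok[2], proto=tok[3], src=_addr_spec(rest), dst=_addr_spec(rest),
                est="established" in rest)

def ace_matches(ace, p):
    if ace["proto"] not in ("ip", p["proto"]):
        return False
    for (base, wild, port), ip, pport in ((ace["src"], p["src"], p["sport"]),
                                          (ace["dst"], p["dst"], p["dport"])):
        if not wildcard_match(ip, base, wild) or (port is not None and port != pport):
            return False
    # 'established' matches only TCP segments with ACK or RST set, i.e. reply traffic
    return not ace["est"] or (p["proto"] == "tcp" and p["ack"])

def permits(acl_text, p):
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for ace in map(parse_ace, acl_text.strip().splitlines()):
        if ace_matches(ace, p):
            return ace["action"] == "permit"
    return False

def pkt(proto, src, dst, sport=0, dport=0, ack=False):  # ack: ACK or RST flag set
    return dict(proto=proto, src=src, dst=dst, sport=sport, dport=dport, ack=ack)

# ACL 101 from the second post, before and after the udp/53 line that fixed DNS.
ACL101 = """access-list 101 permit ip host 84.92.217.194 any
access-list 101 permit ip host 84.92.216.206 any
access-list 101 permit tcp any host 84.92.224.225 established"""
ACL101_DNS = ACL101 + "\naccess-list 101 permit udp any eq 53 host 84.92.224.225"
```

A resolver reply (udp, source port 53, destination 84.92.224.225) is denied by ACL101 and permitted by ACL101_DNS, while an unsolicited TCP SYN to 84.92.224.225 stays denied either way. A packet leaving vlan1 toward the LAN carries a 192.168.2.x destination, not source, so the original ACL 102 (and its 0.0.0.25 wildcard, which only matches last octets 0, 1, 8, 9, 16, 17, 24 and 25) matched nothing.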
