10-23-2008 05:49 AM - edited 03-04-2019 12:03 AM
I have a Cisco 857 router.
I have given it a basic configuration and can now use it to get web access.
I want to allow incoming access to my network 192.168.2.0 from three external locations, and also to allow any outgoing connection.
I have set up these access lists:
access-list 101 permit ip host 84.92.xxx.xxx any
access-list 101 permit ip host 84.92.xxx.xxx any
access-list 101 permit ip host 84.92.xxx.xxx any
access-list 101 permit tcp any 192.168.2.0 0.0.0.255 established
access-list 102 permit tcp 192.168.2.0 0.0.0.25 any
int dialer0
ip access-group 101 in
int vlan1
ip access-group 102 out
The problem is that 102 doesn't appear to be working; I can't use the internet on the local network. If I change 102 to:
access-list 102 permit ip any any
then I get internet access again.
show ip int for vlan1 shows the ip address as 192.168.2.1/24
Any suggestions?
10-27-2008 10:06 AM
Nick
"ip nat inside source list 103 interface dialer0 overload"
this is not configured under an interface it is configured in global config mode ie.
router(conf t)# ip nat inside source list 103 interface dialer0 overload
Jon
10-31-2008 05:24 AM
Hi,
I'm still not getting this, and starting to get confused. So I'll summarise what I am trying to do, and what I have done so far.
I have a router in office A; the local network is on interface vlan1, ip address 192.168.2.0.
The outside network is on interface dialer0, ip address 84.92.224.225.
I want to create a vpn connection from office A to office B, and another from office A to office C.
Office B is 84.92.217.194.
Office C is 84.92.216.206.
I don't want any traffic other than the vpn traffic from office B and office C to be able to access the network.
I don't want to restrict any outgoing traffic.
int dialer0
ip nat outside
ip access-group 101 in
ip access-group 102 out
int vlan1
ip nat inside
access-list 1 permit 192.168.2.0 0.0.0.255
ip nat inside source list 1 interface dialer0 overload
access-list 101 permit ip host 84.92.217.194 any
access-list 101 permit ip host 84.92.216.206 any
access-list 101 permit tcp any host 84.92.224.225 established
access-list 102 permit ip host 84.92.224.225 any
The problem is with 101, when I apply, I lose my internet connection.
10-31-2008 05:37 AM
Nick
When you say you lose Internet connection, is this all internet traffic? For example, if you browse to a web site by URL you would need to do a DNS lookup - DNS uses UDP not TCP, so that would not resolve and you wouldn't get to the page. What happens if you try to get to a web page by typing
http://198.133.219.25 (this is Cisco's homepage)
Jon
10-31-2008 07:49 AM
Jon,
You're right, I added the following line, and it worked!
access-list 101 permit udp any eq 53 host 84.92.224.225
I have a few other things to test with this config, so may be back for some more advice.
Nick
10-31-2008 07:53 AM
Nick
Glad we are getting somewhere :)
Obviously anything that uses UDP will need to have a separate entry in your acl.
Jon
10-31-2008 10:03 AM
Many thanks to Jon and Giuseppe for their help, I now have the router config working as I want it to.
Nick
10-31-2008 10:52 AM
Nick
No problem, glad we got there in the end and thanks for letting us know it is all working.
Jon
10-24-2008 05:10 AM
Hello Nick,
ACL 103 now is fine.
But as Jon has explained in his last post, it is also ACL 101 that needs to be reverted.
What is received on dialer0, the WAN interface?
Packets destined to 84.92.x.x, not coming from 84.92.x.x.
If ACL 102 is
access-list 102 permit ip host 84.92.xxx.xxx any (local site IP)
and is correct
ACL 101 cannot be
access-list 101 permit ip host 84.92.xxx.xxx any (remote site IP)
access-list 101 permit ip host 84.92.xxx.xxx any (remote site IP)
...
With extended ACLs you match both source and destination addresses, so ACLs in opposite directions have to swap source and destination.
Hope to help
Giuseppe
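Added example, not part of the thread or of anyone's posted config: a small simulator of how Cisco extended ACL entries are matched (wildcard masks, first match wins, implicit deny at the end, the "established" keyword). It reproduces both points made above: Jon's, that ACL 101 inbound on dialer0 drops DNS replies because they are UDP and can never match "established" until the port 53 line is added, and Giuseppe's, that ACL 102 applied "out" on vlan1 with 192.168.2.0 as the source matches nothing, since traffic leaving vlan1 has the LAN as its destination. Addresses are the ones posted in the thread; the flows and the resolver address 203.0.113.53 are constructed.

```python
# Added example (not the thread's own config): a tiny simulator of Cisco extended
# ACL matching (wildcard masks, first match wins, implicit deny, "established") for
# the two traps in this thread. Addresses are the thread's; the flows are constructed.
import ipaddress
from dataclasses import dataclass

@dataclass
class Packet:
    proto: str          # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    ack: bool = False   # TCP ACK/RST set, i.e. part of an "established" flow

@dataclass
class Entry:
    action: str         # "permit" or "deny"
    proto: str          # "ip" matches every protocol
    src: str            # "any", "host A.B.C.D" or "A.B.C.D WILDCARD"
    dst: str
    sport: "int | None" = None   # "eq N" on the source port
    established: bool = False

def wildcard_match(pattern: str, addr: str) -> bool:
    """Cisco wildcard semantics: a 0 bit in the mask must match, a 1 bit is ignored."""
    if pattern == "any": return True
    net, mask = (pattern[5:], "0.0.0.0") if pattern.startswith("host ") else pattern.split()
    n, m, a = (int(ipaddress.IPv4Address(x)) for x in (net, mask, addr))
    return (n | m) == (a | m)

def entry_matches(e: Entry, p: Packet) -> bool:
    return (e.proto in ("ip", p.proto)
            and wildcard_match(e.src, p.src) and wildcard_match(e.dst, p.dst)
            and e.sport in (None, p.sport)
            and (not e.established or (p.proto == "tcp" and p.ack)))

def evaluate(acl: list, p: Packet) -> str:
    """First matching entry decides; every ACL ends in an implicit deny."""
    return next((e.action for e in acl if entry_matches(e, p)), "deny")

LOCAL = "84.92.224.225"   # dialer0 address from the thread
ACL_101 = [Entry("permit", "ip", "host 84.92.217.194", "any"),
           Entry("permit", "ip", "host 84.92.216.206", "any"),
           Entry("permit", "tcp", "any", f"host {LOCAL}", established=True)]
DNS_FIX = Entry("permit", "udp", "any", f"host {LOCAL}", sport=53)   # Nick's added line
ACL_102_POSTED = [Entry("permit", "tcp", "192.168.2.0 0.0.0.255", "any")]  # "out" on vlan1
# Constructed flows: HTTP and DNS replies arriving on dialer0, and a reply leaving vlan1 for a LAN host.
http_reply = Packet("tcp", "198.133.219.25", LOCAL, 80, ack=True)
dns_reply = Packet("udp", "203.0.113.53", LOCAL, 53)
to_lan = Packet("tcp", "198.133.219.25", "192.168.2.10", 80, ack=True)
```

Running evaluate(ACL_101, dns_reply) gives "deny" and evaluate(ACL_101 + [DNS_FIX], dns_reply) gives "permit"; evaluate(ACL_102_POSTED, to_lan) gives "deny" until source and destination are swapped.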