12-03-2006 06:31 PM - edited 03-03-2019 02:54 PM
Hi,
I'm having an issue trying to apply an ACL to a 2600 router. Whenever the ACL is applied to the E0/0 interface, all network access to the router is stopped. I'm wondering if this has something to do with the router doing ATM??? I'll post the config below. Basically we're trying to only allow http access to the outside from 10.35.0.x and prevent it from 10.35.1-255.x
Any help is greatly appreciated.
Config
-------
!
version 12.0
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Botkins_2610
!
enable secret 5 *********
!
!
!
!
!
memory-size iomem 15
ip subnet-zero
!
!
!
!
!
!
interface Ethernet0/0
ip address 192.168.0.1 255.255.255.0 secondary
ip address 10.35.0.1 255.255.0.0
no ip directed-broadcast
half-duplex
!
interface ATM1/0
no ip address
no ip directed-broadcast
atm vc-per-vp 4096
no atm ilmi-keepalive
!
interface ATM1/0.23 multipoint
description pvc to WOCO
ip address 10.200.23.2 255.255.255.0
no ip directed-broadcast
map-group woco
atm pvc 23 0 123 aal5snap
!
ip classless
ip route 0.0.0.0 0.0.x.x.200.23.1
no ip http server
!
!
map-list woco
ip 10.200.23.1 atm-vc 23 broadcast
access-list 100 permit tcp 10.35.0.0 0.0.0.255 any eq www
snmp-server engineID local xxx
snmp-server community public RO
snmp-server community string RO
snmp-server community community RO
snmp-server community en RO
!
!
line con 0
transport input none
line aux 0
line vty 0 4
password ****
login
!
no scheduler allocate
end
12-03-2006 07:10 PM
Mike
You have not shown us how you are applying the access list. From the way it is structured I am assuming that you apply it with ip access-group 100 in under the Ethernet interface. Is that correct?
The explanation of your problem is relatively simple: your access list appears to have a single line which permits a single /24 subnet to access www anywhere. In every access list there is an implied deny ip any any at the bottom of the list, so that anything that is not permitted is denied. If you want to allow this particular subnet to access www, to allow no other subnet to access www, and then to allow all other traffic, then I would suggest that you use an access list like this:
access-list 100 permit tcp 10.35.0.0 0.0.0.255 any eq www
access-list 100 deny tcp any any eq www
access-list 100 permit ip any any
This will allow the www access from the particular subnet, will deny all other www access, and will permit other traffic. If that is not what you want to accomplish then perhaps you can clarify your requirements.
HTH
Rick
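To make the implied deny concrete, here is an added Python model (not code from the thread or from Cisco IOS) that evaluates a numbered extended ACL with first-match semantics and the trailing implicit deny, run against Mike's original one-line list and Rick's three-line replacement. The sample packets and the destination address 198.51.100.10 are constructed for the example.

```python
import ipaddress

def wildcard_match(addr, network, wildcard):
    """Cisco wildcard mask: a 1 bit means 'don't care'; only the 0 bits are compared."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, network, wildcard))
    care = ~w & 0xFFFFFFFF
    return a & care == n & care

def _addr(tok, i):
    """Consume one address spec ('any', 'host X', or 'NET WILDCARD') starting at tok[i]."""
    if tok[i] == "any":
        return "0.0.0.0", "255.255.255.255", i + 1
    if tok[i] == "host":
        return tok[i + 1], "0.0.0.0", i + 2
    return tok[i], tok[i + 1], i + 2

def parse_ace(line):
    """Parse 'access-list N permit|deny PROTO SRC DST [eq PORT]' into a dict."""
    tok = line.split()
    src = _addr(tok, 4)
    dst = _addr(tok, src[2])
    dport = None
    if dst[2] < len(tok) and tok[dst[2]] == "eq":
        p = tok[dst[2] + 1]
        dport = 80 if p == "www" else int(p)  # only the keyword this thread uses
    return {"action": tok[2], "proto": tok[3], "src": src[:2], "dst": dst[:2], "dport": dport}

def evaluate(acl, pkt):
    """First matching entry wins; if no entry matches, the implicit deny at the end applies."""
    for line in acl:
        ace = parse_ace(line)
        if ace["proto"] != "ip" and ace["proto"] != pkt["proto"]:
            continue
        if not wildcard_match(pkt["src"], *ace["src"]) or not wildcard_match(pkt["dst"], *ace["dst"]):
            continue
        if ace["dport"] is not None and ace["dport"] != pkt.get("dport"):
            continue
        return ace["action"], line
    return "deny", "implicit deny ip any any"

# Mike's original one-line ACL versus Rick's three-line replacement, as posted above.
ORIGINAL_ACL = ["access-list 100 permit tcp 10.35.0.0 0.0.0.255 any eq www"]
FIXED_ACL = ORIGINAL_ACL + ["access-list 100 deny tcp any any eq www",
                            "access-list 100 permit ip any any"]

# Constructed sample packets; 198.51.100.10 is a documentation address standing in for a WAN host.
PACKETS = {
    "web from 10.35.0.x": {"proto": "tcp", "src": "10.35.0.25", "dst": "198.51.100.10", "dport": 80},
    "web from 10.35.7.x": {"proto": "tcp", "src": "10.35.7.9", "dst": "198.51.100.10", "dport": 80},
    "ping from 10.35.0.x": {"proto": "icmp", "src": "10.35.0.25", "dst": "198.51.100.10"},
}
```

Running evaluate(ORIGINAL_ACL, PACKETS["ping from 10.35.0.x"]) returns ("deny", "implicit deny ip any any"), while the fixed list returns permit from its last line. Because the list is applied inbound on E0/0, traffic from the LAN to the router's own address is evaluated by it as well, which is why the one-line list also cut off management access.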
12-04-2006 05:30 AM
Rick,
Yes, that is correct, I'm applying it to "in" on the E0/0 interface.
I see what you're saying about the implied deny. I'm going through CCNA classes, and from what I understood, there would be an implied deny for just www (or whatever permit I had entered) and not all IP traffic if I use an extended list... I guess this is not the case.
Thank you so much for solving this.
-Mike
12-04-2006 05:34 AM
One more question... This router is connected to the rest of our WAN via a T1 line. With a 2600 router, do you think this ACL will have a big performance degradation since it will have to look at every packet now?
Thanks,
-Mike
12-04-2006 06:12 AM
Mike
As you have figured out, the implied deny at the bottom of an access list (both extended access list and standard access list) is a deny for everything not just for the particular protocol and port that you permitted.
Even though the router will be looking at all packets going over the interface it is a fairly simple access list and I would not expect to see a significant performance hit from applying the access list.
HTH
Rick