Cisco Support Community
New Member

Cisco 805 access-lists

I have configured Cisco 805 router as Internet gateway and it works fine without any access-lists. With following access-lists there is no Internet connection:

access-list 101 permit tcp any 192.168.1.0 0.0.0.255 established
access-list 101 deny ip any any
access-list 102 permit ip 192.168.1.0 0.0.0.255 any
access-list 102 deny ip any any

serial0.1
ip access-group 101 in
ip access-group 101 out

What is wrong with my access lists?

5 REPLIES
Silver

Re: Cisco 805 access-lists

Hi,

Where do you implement the NAT? It can happen that the destination address of your packets is not your private IP as you think.

Please change the destination address to your public IP address range and I hope it will work well.

I think you wanted to write this:

serial0.1
ip access-group 101 in
ip access-group 102 out

bye

FCS

Please rate me if I helped.

Re: Cisco 805 access-lists

Hi

Why do you want to impose above access-lists?

Regards

JD

Silver

Re: Cisco 805 access-lists

Hi,

To improve the security of your router, set an ACL on the vty lines instead of the Serial interface. And use SSH instead of telnet if you can. If somebody wants to attack your device, the destination IP will be the same as the one you set in the ACL -> so every attacker will be allowed to reach your net.

bye

FCS

Please rate me if I helped.

Hall of Fame Super Gold

Re: Cisco 805 access-lists

I am not sure if the original post has a typo or whether it is really the config. It has this:

access-list 101 permit tcp any 192.168.1.0 0.0.0.255 established
access-list 101 deny ip any any

serial0.1
ip access-group 101 in
ip access-group 101 out

This has the same access list applied in and out. The only traffic which would satisfy this is traffic going to 192.168.1.0 outside and going to 192.168.1.0 inside and which is established. Nothing satisfies these conditions. So all traffic gets denied.

I suspect that the intention was to apply 101 inbound and to apply 102 outbound.

HTH

Rick

New Member

Re: Cisco 805 access-lists

Hi,

The access-lists applied this way (the same one in and out) will block everything.

The ACL 102, if applied out, seems to work for your internal network 192.168.1.0/24, but if you also try to protect your network from the internet and apply an inbound ACL, this should do:

access-list 101 permit tcp any any established !only inside originated TCP traffic
access-list 101 permit udp any any eq 53 !DNS
!access-list 101 deny ip any any !you don't need to put the deny statement, it's there by default

M.
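The following is an added example, not code from anyone in this thread: a small Python evaluator for the numbered extended ACL syntax used above. It parses the original poster's lists 101 and 102 plus the inbound list M. suggested (renumbered here as 103 so the three can coexist), then checks a constructed web session both ways the interface could be configured, which reproduces Rick's point that 101 applied in and out matches nothing, and FCS's point that once NAT rewrites the reply's destination to the router's public address, a list keyed on 192.168.1.0/24 no longer matches it. The public address 198.51.100.2, the server addresses and the port numbers are constructed placeholders.

```python
"""Evaluator for Cisco IOS numbered extended ACLs (constructed example)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed sample config: ACLs 101/102 from the original post, plus M.'s
# suggested inbound list renumbered as 103 so all three can be compared.
ACL_CONFIG = """
access-list 101 permit tcp any 192.168.1.0 0.0.0.255 established
access-list 101 deny ip any any
access-list 102 permit ip 192.168.1.0 0.0.0.255 any
access-list 102 deny ip any any
access-list 103 permit tcp any any established
access-list 103 permit udp any any eq 53
"""


@dataclass
class Packet:
    proto: str          # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    ack: bool = False   # TCP ACK or RST bit set: what "established" tests


@dataclass
class Entry:
    action: str
    proto: str
    src: ipaddress.IPv4Network
    sport: Optional[int]
    dst: ipaddress.IPv4Network
    dport: Optional[int]
    established: bool


def _addr(tokens):
    """Consume one address spec: 'any', 'host A.B.C.D' or 'A.B.C.D wildcard'."""
    t = tokens.pop(0)
    if t == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if t == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    wildcard = tokens.pop(0)
    # An IOS wildcard mask is the bitwise inverse of a subnet mask.
    mask = ".".join(str(255 - int(o)) for o in wildcard.split("."))
    return ipaddress.ip_network(f"{t}/{mask}", strict=False)


def _port(tokens):
    """Consume an optional 'eq N' qualifier that follows an address."""
    if tokens and tokens[0] == "eq":
        tokens.pop(0)
        return int(tokens.pop(0))
    return None


def parse_acls(text):
    """Group 'access-list N ...' lines by number, keeping their order."""
    acls = {}
    for line in text.splitlines():
        line = line.split("!")[0].strip()      # drop trailing ! comments
        if not line.startswith("access-list"):
            continue
        tokens = line.split()
        number, action, proto = tokens[1:4]
        rest = tokens[4:]
        src, sport = _addr(rest), _port(rest)
        dst, dport = _addr(rest), _port(rest)
        established = "established" in rest
        acls.setdefault(number, []).append(
            Entry(action, proto, src, sport, dst, dport, established))
    return acls


def evaluate(entries, pkt):
    """First matching entry wins; an unmatched packet hits the implicit deny."""
    for e in entries:
        if e.proto != "ip" and e.proto != pkt.proto:
            continue
        if ipaddress.ip_address(pkt.src) not in e.src:
            continue
        if ipaddress.ip_address(pkt.dst) not in e.dst:
            continue
        if e.sport is not None and e.sport != pkt.sport:
            continue
        if e.dport is not None and e.dport != pkt.dport:
            continue
        if e.established and not (pkt.proto == "tcp" and pkt.ack):
            continue
        return e.action
    return "deny"


def session_works(acls, in_acl, out_acl, outgoing, reply):
    """A client session needs its first packet past the outbound ACL on the
    serial interface and the reply past the inbound ACL."""
    return (evaluate(acls[out_acl], outgoing) == "permit"
            and evaluate(acls[in_acl], reply) == "permit")


if __name__ == "__main__":
    acls = parse_acls(ACL_CONFIG)
    # Constructed web session from a LAN host to a documentation-range server.
    syn = Packet("tcp", "192.168.1.10", "203.0.113.5", 40000, 80)
    syn_ack = Packet("tcp", "203.0.113.5", "192.168.1.10", 80, 40000, ack=True)
    print("101 in, 101 out:", session_works(acls, "101", "101", syn, syn_ack))
    print("101 in, 102 out:", session_works(acls, "101", "102", syn, syn_ack))
```

Running it shows the original configuration blocking the session and the 101-in / 102-out arrangement passing it. One caveat the evaluator also exposes: in this syntax a port qualifier placed after the destination address matches the destination port, so the UDP line admits queries sent to port 53, while a DNS reply (source port 53, ephemeral destination port) would only match a line that puts `eq 53` after the source address.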
