Cisco Support Community

WAN ACL Access Problem

Hello,

Another technician and I are scratching our heads over an issue at one of our remote school sites. We have blocked access to the 189.0 network so they cannot access the web or the rest of the WAN and only access local servers. The 199.0 network is open so they can access anything on the WAN. The problem we are having is WE cannot remote access the 189.0 network from our main school office (via RDP or Dameware), although we can access the servers which are under 10.100.189.248 /0.0.0.7. We can only ping the rest of the addresses on the 189.0 network. Can someone please look over this ACL list attached and see what we are missing? Do we have to have an IN and OUT ACL, or can we just leave the OUT ACL without an IN?

The 181.0 subnet is the WAN connection back to our office.

Thank You!

Tim

1 REPLY

Re: WAN ACL Access Problem

I'm proposing re-writing the entire ACL.

If you want to block access from 189.0 network to the web and the rest of the WAN, then you do a src 189.0 with dst any and the ACL is out.

However, you also want to RDP and Dameware that subnet from your main school office. You need to have a permit on that ACL before the above deny with src/dst specific networks.

I also see you have some udp 53 being allowed from that subnet's servers. Your ACL would look like this.

access-list 110 permit ip 10.100.189.248 0.0.0.7 any
access-list 110 permit tcp 10.100.189.0 0.0.0.255 eq 3389 any
access-list 110 permit udp 10.100.189.0 0.0.0.255 eq 3389 any
access-list 110 permit tcp 10.100.189.0 0.0.0.255 eq 6129 any
access-list 110 permit udp host 10.100.189.250 any eq domain
access-list 110 deny ip 10.100.189.0 0.0.0.127 any
access-list 110 deny ip 10.100.189.128 0.0.0.63 any
access-list 110 permit ip any any
!
interface Serial0/0
 ip access-group 110 out

HTH,

__

Edison.
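An added offline check (my own Python, not code from the thread or from Cisco): it parses the ACL proposed in the reply and evaluates constructed sample flows with IOS first-match, wildcard-mask semantics, so you can see which entry the RDP return traffic, ordinary web traffic and hosts in each part of 10.100.189.0 actually hit before the access-group goes live. The sample source and destination addresses are assumptions chosen to exercise each entry.

```python
import ipaddress

# Constructed copy of the ACL proposed in the reply (applied "out" on Serial0/0).
ACL_TEXT = """
access-list 110 permit ip 10.100.189.248 0.0.0.7 any
access-list 110 permit tcp 10.100.189.0 0.0.0.255 eq 3389 any
access-list 110 permit udp 10.100.189.0 0.0.0.255 eq 3389 any
access-list 110 permit tcp 10.100.189.0 0.0.0.255 eq 6129 any
access-list 110 permit udp host 10.100.189.250 any eq domain
access-list 110 deny ip 10.100.189.0 0.0.0.127 any
access-list 110 deny ip 10.100.189.128 0.0.0.63 any
access-list 110 permit ip any any
"""

def _ip(s):
    return int(ipaddress.IPv4Address(s))

def parse_addr(tokens):
    # Consume 'any' | 'host A' | 'A WILDCARD', then an optional 'eq PORT'.
    tok = tokens.pop(0)
    if tok == "any":
        net, wild = 0, 0xFFFFFFFF
    elif tok == "host":
        net, wild = _ip(tokens.pop(0)), 0
    else:
        net, wild = _ip(tok), _ip(tokens.pop(0))
    port = None
    if tokens[:1] == ["eq"]:  # 'eq domain' or 'eq 3389'
        port = {"domain": 53}.get(tokens[1]) or int(tokens[1])
        del tokens[:2]
    return net, wild, port

def parse_acl(text):
    entries = []
    for t in (line.split() for line in text.strip().splitlines()):
        if t[:1] == ["access-list"]:
            rest = t[4:]  # after 'access-list <num> <action> <proto>'
            entries.append((t[2], t[3], parse_addr(rest), parse_addr(rest)))
    return entries

def _match(addr, net, wild):
    # A wildcard bit of 1 means "don't care"; every other bit must equal the entry.
    return ((_ip(addr) ^ net) & ~wild & 0xFFFFFFFF) == 0

def evaluate(entries, proto, src, sport, dst, dport):
    # IOS first-match: the first entry that fits decides; otherwise the implicit deny.
    for i, (action, p, (sn, sw, sp), (dn, dw, dp)) in enumerate(entries):
        if (p in ("ip", proto) and _match(src, sn, sw) and _match(dst, dn, dw)
                and sp in (None, sport) and dp in (None, dport)):
            return action, i
    return "deny", None

ACL = parse_acl(ACL_TEXT)
```

Run `evaluate(ACL, "tcp", "10.100.189.20", 3389, "10.100.181.5", 51000)` to see the RDP reply from a 189.x desktop land on entry 1 (the permit placed before the denies), and try a source in 10.100.189.192-247 to see which entry it reaches.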
