01-24-2011 08:17 AM - edited 03-11-2019 12:39 PM
Hello everyone! I am back with another basic question. You know, it is said that the more practice you get, the better you get. However, I think age was not factored into that little statement. :-(
Here is my problem. My domain controllers are not replicating. They keep on getting denied per access group 101. First of all, my boss has had me do everything backwards. He had me deny groups of ports and then issue a permit ip any any statement at the bottom. I think that is the first problem. It looks like this:
access-list 101 line 16 extended permit tcp host 10.1.5.130 host 10.0.50.20 eq 135 (hitcnt=14) 0x19fb8a3e
access-list 101 line 17 extended permit tcp host 10.1.5.130 host 10.0.90.2 eq 135 (hitcnt=0) 0x95a5508a
access-list 101 line 18 extended permit tcp host 10.1.5.130 host 10.0.40.2 eq 135 (hitcnt=2) 0x16b82e01
access-list 101 line 19 extended permit tcp host 10.1.5.130 host 10.0.44.2 eq 135 (hitcnt=5) 0xa6a19f51
access-list 101 line 20 extended permit tcp host 10.1.5.130 host 10.0.30.2 eq 135 (hitcnt=9) 0x8a9942ae
access-list 101 line 21 extended permit tcp host 10.1.5.130 host 10.0.20.2 eq 135 (hitcnt=14) 0xf0177994
access-list 101 line 22 extended permit tcp host 10.1.5.129 host 10.0.50.20 eq 135 (hitcnt=0) 0x2b07bd97
access-list 101 line 23 extended permit tcp host 10.1.5.129 host 10.0.90.2 eq 135 (hitcnt=17) 0xb8315de7
access-list 101 line 24 extended permit tcp host 10.1.5.129 host 10.0.44.2 eq 135 (hitcnt=12) 0x29fd71b4
access-list 101 line 25 extended permit tcp host 10.1.5.129 host 10.0.30.2 eq 135 (hitcnt=0) 0xd2cab76f
access-list 101 line 26 extended permit tcp host 10.1.5.129 host 10.0.20.2 eq 135 (hitcnt=0) 0xbc9a3e27
access-list 101 line 27 extended deny tcp any any range 1495 1862 (hitcnt=964) 0x08e415d6
access-list 101 line 28 extended deny tcp any any range 1864 2597 (hitcnt=3374) 0xa55fd82a
access-list 101 line 29 extended deny tcp any any range 8081 65535 (hitcnt=49725) 0x5c902a35
access-list 101 line 30 extended deny tcp any any range 5191 5221 (hitcnt=0) 0x9f646783
access-list 101 line 31 extended deny tcp any any range 1434 1493 (hitcnt=115) 0xf3743f45
access-list 101 line 32 extended deny tcp any any range 447 1432 (hitcnt=13728) 0xe5b0e2ac
access-list 101 line 33 extended deny tcp any any range 163 442 (hitcnt=34545) 0xaeeae22e
access-list 101 line 34 extended deny tcp any any range 3102 5189 (hitcnt=11143) 0xfb0052a1
access-list 101 line 35 extended deny tcp any any range 2599 3100 (hitcnt=844) 0x14546249
access-list 101 line 36 extended deny tcp any any range 124 134 (hitcnt=0) 0xc094281e
access-list 101 line 37 extended deny tcp any any range 136 160 (hitcnt=85) 0xad8dbbab
access-list 101 line 38 extended deny tcp any any range 5223 8079 (hitcnt=9323) 0xf10670f1
access-list 101 line 39 extended deny tcp any any eq 24 (hitcnt=0) 0x8557147c
access-list 101 line 40 extended deny tcp any any eq 444 (hitcnt=0) 0xfaa8dd9a
access-list 101 line 41 extended deny tcp any any range 81 122 (hitcnt=299) 0x2636ed2b
access-list 101 line 42 extended deny tcp any any range 26 finger (hitcnt=891) 0xd6ad455f
access-list 101 line 43 extended deny tcp any any range 1 ftp-data (hitcnt=102) 0xa9f424e8
access-list 101 line 44 extended permit ip any any (hitcnt=1659756) 0x28676dfa
Lines 16 through 26 are both IP addresses of our main DC and they are being pointed to the remote DCs. Lines 27 through 43 show all of the port ranges being blocked and line 44 is the permit ip any any. I know it is backwards but it is what the boss wants. The above is for the LAN interface which is reaching out to our MPLS interface. The MPLS interface has the same rules applied.
Before I added the permit statements (lines 16 through 26) I had written an ACL that stated: access-list 101 line 1 extended permit ip interface lan interface mpls-lan. I thought that one line would permit all traffic from one interface to the other. However, it does not seem to be working.
Can anyone help an old man on why this stuff isn't working?
Oh....next week he wants me to change everything to permit statements!
01-24-2011 10:37 AM
Hi Scott,
On what interface are these ACLs applied (the interface connecting to the WAN or the LAN, and in what direction; also, router ACLs are different than ACLs on a firewall, which keeps track of the connections initiated from the secure trusted network)? I would say replace the following statements:
access-list 101 line 16 extended permit tcp host 10.1.5.130 host 10.0.50.20 eq 135 (hitcnt=14) 0x19fb8a3e
access-list 101 line 17 extended permit tcp host 10.1.5.130 host 10.0.90.2 eq 135 (hitcnt=0) 0x95a5508a
access-list 101 line 18 extended permit tcp host 10.1.5.130 host 10.0.40.2 eq 135 (hitcnt=2) 0x16b82e01
access-list 101 line 19 extended permit tcp host 10.1.5.130 host 10.0.44.2 eq 135 (hitcnt=5) 0xa6a19f51
access-list 101 line 20 extended permit tcp host 10.1.5.130 host 10.0.30.2 eq 135 (hitcnt=9) 0x8a9942ae
access-list 101 line 21 extended permit tcp host 10.1.5.130 host 10.0.20.2 eq 135 (hitcnt=14) 0xf0177994
access-list 101 line 22 extended permit tcp host 10.1.5.129 host 10.0.50.20 eq 135 (hitcnt=0) 0x2b07bd97
access-list 101 line 23 extended permit tcp host 10.1.5.129 host 10.0.90.2 eq 135 (hitcnt=17) 0xb8315de7
access-list 101 line 24 extended permit tcp host 10.1.5.129 host 10.0.44.2 eq 135 (hitcnt=12) 0x29fd71b4
access-list 101 line 25 extended permit tcp host 10.1.5.129 host 10.0.30.2 eq 135 (hitcnt=0) 0xd2cab76f
access-list 101 line 26 extended permit tcp host 10.1.5.129 host 10.0.20.2 eq 135 (hitcnt=0) 0xbc9a3e27
With:
access-list 101 line 16 extended permit ip host 10.1.5.130 host 10.0.50.20
access-list 101 line 17 extended permit ip host 10.1.5.130 host 10.0.90.2
access-list 101 line 18 extended permit ip host 10.1.5.130 host 10.0.40.2
access-list 101 line 19 extended permit ip host 10.1.5.130 host 10.0.44.2
access-list 101 line 20 extended permit ip host 10.1.5.130 host 10.0.30.2
access-list 101 line 21 extended permit ip host 10.1.5.130 host 10.0.20.2
access-list 101 line 22 extended permit ip host 10.1.5.129 host 10.0.50.20
access-list 101 line 23 extended permit ip host 10.1.5.129 host 10.0.90.2
access-list 101 line 24 extended permit ip host 10.1.5.129 host 10.0.44.2
access-list 101 line 25 extended permit ip host 10.1.5.129 host 10.0.30.2
access-list 101 line 26 extended permit ip host 10.1.5.129 host 10.0.20.2
access-list 101 line 27 extended permit ip host 10.0.50.20 host 10.1.5.130
access-list 101 line 28 extended permit ip host 10.0.90.2 host 10.1.5.130
access-list 101 line 29 extended permit ip host 10.0.40.2 host 10.1.5.130
access-list 101 line 30 extended permit ip host 10.0.44.2 host 10.1.5.130
access-list 101 line 31 extended permit ip host 10.0.30.2 host 10.1.5.130
access-list 101 line 32 extended permit ip host 10.0.20.2 host 10.1.5.130
access-list 101 line 33 extended permit ip host 10.0.50.20 host 10.1.5.129
access-list 101 line 34 extended permit ip host 10.0.90.2 host 10.1.5.129
access-list 101 line 35 extended permit ip host 10.0.40.2 host 10.1.5.129
access-list 101 line 36 extended permit ip host 10.0.30.2 host 10.1.5.129
access-list 101 line 37 extended permit ip host 10.0.20.2 host 10.1.5.129
Manish
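The thread's symptom and Manish's fix both come down to first-match evaluation: a host-to-host permit for port 135 only covers the RPC endpoint mapper connection, while the dynamic high port that AD replication is redirected to afterwards falls through to the deny ranges before the permit ip any any is ever reached. The following added example (not code from the thread or from Cisco) parses a constructed excerpt of the posted show access-list output and evaluates sample flows against the original and the replaced entries; the dynamic RPC port 49155 is a constructed value, assumed to be within the DCs' dynamic range.

```python
import re
# Constructed excerpt of the thread's "show access-list 101" output; the parser
# tolerates the trailing hit counts and hashes the ASA prints.
ACL_ORIGINAL = """
access-list 101 line 16 extended permit tcp host 10.1.5.130 host 10.0.50.20 eq 135 (hitcnt=14) 0x19fb8a3e
access-list 101 line 29 extended deny tcp any any range 8081 65535 (hitcnt=49725) 0x5c902a35
access-list 101 line 43 extended deny tcp any any range 1 ftp-data (hitcnt=102) 0xa9f424e8
access-list 101 line 44 extended permit ip any any (hitcnt=1659756) 0x28676dfa
"""
# The same excerpt with Manish's host-to-host "permit ip" in place of "eq 135".
ACL_REPLACED = """
access-list 101 line 16 extended permit ip host 10.1.5.130 host 10.0.50.20
access-list 101 line 29 extended deny tcp any any range 8081 65535
access-list 101 line 44 extended permit ip any any
"""
PORT_NAMES = {"ftp-data": 20, "finger": 79}  # names the ASA printed in the thread
ACE_RE = re.compile(
    r"access-list \S+ line (?P<line>\d+) extended (?P<action>permit|deny) (?P<proto>\w+) "
    r"(?P<src>host \S+|any) (?P<dst>host \S+|any)"
    r"(?: eq (?P<eq>\S+)| range (?P<lo>\S+) (?P<hi>\S+))?")
def _port(token):
    return PORT_NAMES.get(token) or int(token)

def parse_acl(text):
    """Return the ACEs in order; order is everything, the ASA stops at the first match."""
    aces = []
    for m in filter(None, map(ACE_RE.match, text.strip().splitlines())):
        d = m.groupdict()
        if d["eq"]:
            ports = (_port(d["eq"]), _port(d["eq"]))
        elif d["lo"]:
            ports = (_port(d["lo"]), _port(d["hi"]))
        else:
            ports = None  # protocol-level ACE such as "permit ip": any port
        aces.append({"line": int(d["line"]), "action": d["action"], "proto": d["proto"],
                     "src": d["src"], "dst": d["dst"], "ports": ports})
    return aces

def _addr_ok(spec, addr):
    return spec == "any" or spec == f"host {addr}"
def first_match(aces, src, dst, proto, dport):
    """First-match lookup: returns (line, action); the implicit deny is (None, 'deny')."""
    for ace in aces:
        proto_ok = ace["proto"] in ("ip", proto)  # "ip" covers every protocol
        hosts_ok = _addr_ok(ace["src"], src) and _addr_ok(ace["dst"], dst)
        ports_ok = ace["ports"] is None or ace["ports"][0] <= dport <= ace["ports"][1]
        if proto_ok and hosts_ok and ports_ok:
            return ace["line"], ace["action"]
    return None, "deny"
```

Running the DC pair through both lists shows port 135 permitted by line 16 either way, while the follow-up connection on the dynamic port hits line 29's deny in the original list and line 16's permit ip in the replaced one.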
01-24-2011 11:38 AM
I guess it makes sense to remove the port. I will give that a try. Thanks for your help! Shoot straight!