Hi everyone, I have a bunch of Cisco 4321 Routers that I want to configure ACL on but I am running into some difficulties.
I have an Internal Server connected to Router 3 that is using the Windows Time Service, which acts as the NTP Server for the 3 Routers. I have configured it to obtain the NTP pool from the public network, specifically 0.sg.pool.ntp.org from the NTP Pool Project. This internal server uses the Web Server's (10.0.2.6) DNS service.
On the Web Server connected to Router 1, I have a Webpage alongside DNS configured. This Web Server is in the DMZ that I will establish with ACLs.
I have an extended ACL configured on Router 1's G0/0/1's ingress interface. This ACL basically permits the public to access the Web Server and permits all established TCP traffic.
access-list 100 permit tcp any host 18.104.22.168 eq 443 (SNAT is configured for Web Server)
access-list 100 permit tcp any any established
After configuring this ACL, my internal Server is unable to obtain the NTP pool from 0.sg.pool.ntp.org. I assumed that this is because NTP uses a different port which is denied by my ACL. I then tried to permit NTP with the following command:
access-list 100 permit udp any host 10.0.2.2 eq 123
This still did not work. At this point, I am wondering if it is because the ACL I implemented on R1 G0/0/1 Ingress is blocking something else. I am thinking that it has something to do with the ACL blocking DNS but I am not sure. Any help?
Is this a lab setup, or are you just simulating the issue in Packet Tracer?
Are you NATing traffic from the 10.0.2.2 server so it reaches the internet?
Since it is 10.0.2.2 which is initiating the NTP traffic here, the access list on Gig0/0/1 should reflect that the reply is coming with a source port of udp/123 and a destination port of any high random port. Change your ACL to the following and test.
access-list 100 permit udp any eq 123 host 10.0.2.2
-- Please remember to select a correct answer and rate helpful posts
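To show what the two versions of access-list 100 actually match on the inbound G0/0/1 path, here is an added Python model of IOS extended-ACL matching (not code from the thread); the 203.0.113.x and 198.51.100.7 addresses and the ephemeral ports are constructed placeholders.

```python
"""Cisco IOS extended-ACL matcher (added example, not from the thread)."""
from ipaddress import ip_address, ip_network
def _take_addr(tok):  # 'any' or 'host A.B.C.D', the only address forms in the thread
    if tok[0] == "any":
        return None, tok[1:]
    if tok[0] == "host":
        return ip_network(tok[1]), tok[2:]
    raise ValueError(f"unsupported address spec: {tok[0]}")

def _take_port(tok):  # optional 'eq N' port qualifier
    return (int(tok[1]), tok[2:]) if tok[:1] == ["eq"] else (None, tok)

def parse_ace(line):
    """'access-list N permit|deny PROTO SRC [eq P] DST [eq P] [established]'."""
    tok = line.split()[2:]                      # drop 'access-list' and the number
    action, proto, tok = tok[0], tok[1], tok[2:]
    src, tok = _take_addr(tok)
    sport, tok = _take_port(tok)
    dst, tok = _take_addr(tok)
    dport, tok = _take_port(tok)
    return action, proto, src, sport, dst, dport, tok == ["established"]

def matches(ace, pkt):
    """pkt = (proto, src, sport, dst, dport, tcp_established_flag)."""
    _, proto, src, sport, dst, dport, est = ace
    p_proto, p_src, p_sport, p_dst, p_dport, p_est = pkt
    return (proto in ("ip", p_proto)
            and (src is None or ip_address(p_src) in src)
            and (sport is None or sport == p_sport)
            and (dst is None or ip_address(p_dst) in dst)
            and (dport is None or dport == p_dport)
            and (not est or p_est))

def evaluate(acl_lines, pkt):
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for line in acl_lines:
        ace = parse_ace(line)
        if matches(ace, pkt):
            return ace[0]
    return "deny"

BASE = ["access-list 100 permit tcp any host 18.104.22.168 eq 443",
        "access-list 100 permit tcp any any established"]
ORIGINAL = BASE + ["access-list 100 permit udp any host 10.0.2.2 eq 123"]
FIXED = BASE + ["access-list 100 permit udp any eq 123 host 10.0.2.2"]

# Constructed inbound packets on R1 G0/0/1; 203.0.113.x are placeholder servers.
NTP_REPLY = ("udp", "203.0.113.10", 123, "10.0.2.2", 49152, False)
DNS_REPLY = ("udp", "203.0.113.53", 53, "10.0.2.6", 51000, False)
WEB_SYN = ("tcp", "198.51.100.7", 40000, "18.104.22.168", 443, False)
```

The NTP reply is dropped by the original list because its destination port is the client's random port, not 123, while the corrected line permits it; the DNS reply to 10.0.2.6 is still denied by either version. If 10.0.2.2 is translated by NAT on R1, the inbound ACL on the outside interface is checked before NAT restores the inside address, so the permit line must name the translated (inside global) address instead.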