
Access-list help

Not sure if this should be here or WAN forum.. please advise..

Equip: 1760 VPN/K9 with Ethernet WIC

Goal is to allow access to only a web server behind router (port 80) yet allow any machine behind the router access to the internet

Problem is that as soon as I apply the access list to int e0/0, the machines behind the router can't get to anything outside the router.

Using access lists:

access-list 101 permit tcp any host 172.31.2.2 eq 80
access-list 101 permit tcp any any established
access-list 101 permit udp any any eq 53
access-list 101 permit udp any any eq 123

Any ideas?

Thanks

Ricardo Clements

4 Replies

peterbe
Level 1

Add:

access-list 101 deny ip any any log

to the end of the ACL. Try connecting to the internet then examine the log to see what is being denied. Should help identify the problem.

Very helpful, thanks.

Do you know how to get the logs from the console to a file?

Running Linux RH 8.0 boxes.

Also, it seems like things were working OK until the log rate limit was exceeded; then connectivity to the internet (through the router) became blocked. I was able to get a couple of pages back, then all connections were refused.

ricardo

hakan.bjorlin
Level 1

Try to use the correct ACL in/out statements when you apply the ACL in the interface configuration.

mark-obrien
Level 4

Ricardo,

I am assuming that your access-group is either on the outbound for the ethernet interface, or on the inbound of the interface that faces the Internet. If so, the third line of your ACL should be changed to "access-list 101 permit udp any eq 53 any" in order to allow DNS replies to reach users on the LAN.

HTH

Mark
