08-25-2003 05:06 PM - edited 03-02-2019 09:52 AM
Not sure if this should be here or in the WAN forum... please advise.
Equip: 1760 VPN/K9 with Ethernet WIC
Goal is to allow access only to a web server behind the router (port 80), yet allow any machine behind the router access to the internet.
Problem is that as soon as I apply the access list to int e0/0, the machines behind the router can't get to anything outside the router.
Using access lists:
access-list 101 permit tcp any host 172.31.2.2 eq 80
access-list 101 permit tcp any any established
access-list 101 permit udp any any eq 53
access-list 101 permit udp any any eq 123
any ideas??
thanks
Ricardo Clements
08-25-2003 06:43 PM
Add:
access-list 101 deny ip any any log
to the end of the ACL. Try connecting to the internet then examine the log to see what is being denied. Should help identify the problem.
08-26-2003 07:02 AM
Very helpful. thx
Do you know how to get the logs from the console to a file?
Running Linux RH 8.0 boxes.
Also it seems like things were working OK until the log rate limit was exceeded, then connectivity to the internet (through the router) became blocked... I was able to get a couple of pages back... then all connections were refused.
ricardo
08-26-2003 01:51 AM
Try to use the correct acl in and out statements when you apply the acl in the interface configuration.
08-26-2003 04:49 AM
Ricardo,
I am assuming that your access-group is either on the outbound for the ethernet interface, or on the inbound of the interface that faces the Internet. If so, the third line of your ACL should be changed to "access-list 101 permit udp any eq 53 any" in order to allow DNS replies to reach users on the LAN.
HTH
Mark
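As an added illustration (not from this thread and not Cisco code), the Python below mimics how IOS walks an ACL top to bottom with an implicit deny at the end, using the four lines from the first post. It shows why Mark's change matters: the original third line checks the destination port, while a DNS reply arrives from source port 53 to an ephemeral port on the client. Packet addresses and ports are constructed for the example.

```python
import ipaddress

def _addr(tokens):
    """'any' or 'host A.B.C.D' -> (network, remaining tokens)."""
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    assert tokens[0] == "any", "unsupported address spec"
    return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]

def _port(tokens):
    if tokens and tokens[0] == "eq":  # optional 'eq N' port match
        return int(tokens[1]), tokens[2:]
    return None, tokens

def parse_ace(line):
    """Parse 'access-list N permit|deny PROTO SRC [eq p] DST [eq p] [established]'."""
    t = line.split()
    src, rest = _addr(t[4:])
    sport, rest = _port(rest)
    dst, rest = _addr(rest)
    dport, rest = _port(rest)
    return dict(action=t[2], proto=t[3], src=src, sport=sport, dst=dst,
                dport=dport, established="established" in rest)

def evaluate(acl, pkt):
    """First matching entry wins; anything unmatched hits the implicit deny, as on IOS."""
    for ace in map(parse_ace, acl):
        if ace["proto"] not in ("ip", pkt["proto"]):
            continue
        if (ipaddress.ip_address(pkt["src"]) not in ace["src"]
                or ipaddress.ip_address(pkt["dst"]) not in ace["dst"]):
            continue
        if ace["sport"] not in (None, pkt["sport"]) or ace["dport"] not in (None, pkt["dport"]):
            continue
        if ace["established"] and not pkt.get("ack", False):  # needs ACK/RST set
            continue
        return ace["action"]
    return "deny"

ORIGINAL_ACL = [  # the four lines from the first post
    "access-list 101 permit tcp any host 172.31.2.2 eq 80",
    "access-list 101 permit tcp any any established",
    "access-list 101 permit udp any any eq 53",
    "access-list 101 permit udp any any eq 123",
]
# Mark's fix: match the DNS reply's *source* port 53, not its destination port
FIXED_ACL = ORIGINAL_ACL[:2] + ["access-list 101 permit udp any eq 53 any"] + ORIGINAL_ACL[3:]
# Constructed packets seen inbound from the Internet (addresses are made up)
DNS_REPLY = dict(proto="udp", src="198.51.100.53", sport=53, dst="172.31.2.10", dport=40000)
TCP_REPLY = dict(proto="tcp", src="203.0.113.7", sport=80, dst="172.31.2.10", dport=51001, ack=True)
```

Adding `access-list 101 deny ip any any log` as the last line, as suggested earlier in the thread, makes the same DNS replies show up as denied entries in the router log.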