Access List problem on 1841 IS

akalhan
Level 1

Current configuration : 3904 bytes

!

no service pad

service tcp-keepalives-in

service tcp-keepalives-out

service timestamps debug datetime msec localtime

!

hostname router1

!

boot-start-marker

boot-end-marker

!

security authentication failure rate 3 log

security passwords min-length 6

logging buffered 51200 debugging

enable secret 5 x

!

username admin privilege 15 secret 5 x

no aaa new-model

ip subnet-zero

no ip source-route

ip cef

!

!

ip tcp synwait-time 10

!

!

no ip bootp server

no ftp-server write-enable

!

!

!

!

interface FastEthernet0/0

description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0$$ES_LAN$$FW_INSIDE$

ip address 192.168.1.1 255.255.255.0

no ip redirects

no ip unreachables

no ip proxy-arp

ip nat inside

ip route-cache flow

duplex auto

speed auto

no cdp enable

no mop enabled

!

interface FastEthernet0/1

description $ES_WAN$$FW_OUTSIDE$

ip address 216.240.x.a 255.255.255.0

ip access-group 101 in

ip access-group 100 out

no ip redirects

no ip unreachables

no ip proxy-arp

ip nat outside

ip route-cache flow

duplex auto

speed auto

no cdp enable

no mop enabled

!

interface Serial0/0/0

no ip address

no ip redirects

no ip unreachables

no ip proxy-arp

ip route-cache flow

shutdown

no cdp enable

!

ip default-gateway 216.240.x.x

ip classless

ip route 0.0.0.0 0.0.0.0 216.240.x.x

ip http server

ip http authentication local

ip http timeout-policy idle 600 life 86400 requests 10000

ip nat inside source list 1 interface FastEthernet0/1 overload

ip nat inside source static 192.168.1.10 216.240.x.b

ip nat inside source static 192.168.1.11 216.240.x.c

!

!

logging trap debugging

access-list 1 permit 192.168.1.0 0.0.0.255

access-list 100 permit ip any any

access-list 101 permit gre any host 216.240.x.a

access-list 101 permit tcp any host 216.240.x.a eq telnet

access-list 101 permit tcp any host 216.240.x.a eq www

access-list 101 permit tcp any host 216.240.x.b eq 1723

access-list 101 permit tcp any host 216.240.x.b eq 443

access-list 101 permit tcp any host 216.240.x.b eq 47

access-list 101 permit tcp any host 216.240.x.b eq domain

access-list 101 permit tcp any host 216.240.x.b eq ftp

access-list 101 permit tcp any host 216.240.x.b eq ftp-data

access-list 101 permit tcp any host 216.240.x.b eq www

access-list 101 permit udp any host 216.240.x.b eq 1723

access-list 101 permit udp any host 216.240.x.b eq 47

access-list 101 permit udp any host 216.240.x.b eq domain

access-list 101 permit udp any host 216.240.x.c eq domain

access-list 101 permit tcp any host 216.240.x.c eq 443

access-list 101 permit tcp any host 216.240.x.c eq domain

access-list 101 permit tcp any host 216.240.x.c eq ftp

access-list 101 permit tcp any host 216.240.x.c eq ftp-data

access-list 101 permit tcp any host 216.240.x.c eq www

access-list 101 deny ip any any

no cdp run

!

control-plane

!

banner login ^CAuthorized access only!

Disconnect IMMEDIATELY if you are not an authorized user!^C

!

line con 0

login local

transport output telnet

line aux 0

login local

transport output telnet

line vty 0 4

privilege level 15

login local

transport input telnet

line vty 5 15

privilege level 15

login local

transport input telnet

!

scheduler allocate 4000 1000

end

--------------------- PROBLEM ----------------------

I want users to be able to go out on every port, with only selected ports open for incoming.

I thought the deny ip any any is implicit. However, if I don't give access-list 101 deny ip any any, it lets everyone in.

The moment I state the deny, it denies all outgoing traffic as well.

So I added the 101 deny and 102 incoming and it did not work. What am I doing wrong?

Any help is really appreciated.

Thanks,
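The behaviour described in the post is what a stateless ACL does: the inbound list 101 on FastEthernet0/1 is checked against every packet arriving from the Internet, including the replies to connections the LAN opened, and with "deny ip any any" at the end those replies (ephemeral destination ports on 216.240.x.a after NAT overload) match nothing above it and are dropped. Without the explicit deny the implicit one still applies, so "it lets everyone in" there is worth re-checking with "show ip access-lists 101" for hit counts. The fix is to let the router remember outbound sessions. The following is an added example, not the poster's configuration: it replaces numbered lists 100 and 101 with named lists using reflexive ACLs, which mirror each outbound TCP/UDP/ICMP session into a temporary list that is evaluated at the top of the inbound list. The names WAN-IN, WAN-OUT and RETURN, the timeouts, the 203.0.113.0/24 management source block and the GRE entry for the PPTP host are this example's assumptions; the 216.240.x.a/b/c placeholders are kept from the post. It also assumes the image accepts the "reflect" keyword (check that the CLI takes it) and that SSH has been set up on the vty lines.

```ios
! Added example, not the original config. Reflexive ACLs on FastEthernet0/1.
! NAT inside->outside runs before the outbound ACL on the outside interface,
! so the mirrored entries carry the translated (public) addresses, which is
! exactly what the replies are addressed to when they hit WAN-IN.
!
ip access-list extended WAN-OUT
 remark everything may leave; each session is mirrored into list RETURN
 permit tcp any any reflect RETURN timeout 300
 permit udp any any reflect RETURN timeout 60
 permit icmp any any reflect RETURN timeout 30
 permit ip any any
!
ip access-list extended WAN-IN
 remark replies to sessions opened from inside (mirrored entries from WAN-OUT)
 evaluate RETURN
 remark router management: restrict the source instead of "any"; assumed SSH,
 remark 203.0.113.0/24 is a placeholder for the admin network
 permit tcp 203.0.113.0 0.0.0.255 host 216.240.x.a eq 22
 remark published services behind the static NAT entries
 permit tcp any host 216.240.x.b eq 1723
 remark PPTP also needs GRE = IP protocol 47; "tcp/udp eq 47" is port 47, not GRE
 remark host .b assumed to be the PPTP server
 permit gre any host 216.240.x.b
 permit tcp any host 216.240.x.b eq 443
 permit tcp any host 216.240.x.b eq domain
 permit udp any host 216.240.x.b eq domain
 permit tcp any host 216.240.x.b eq ftp
 permit tcp any host 216.240.x.b eq www
 permit tcp any host 216.240.x.c eq 443
 permit tcp any host 216.240.x.c eq domain
 permit udp any host 216.240.x.c eq domain
 permit tcp any host 216.240.x.c eq ftp
 permit tcp any host 216.240.x.c eq www
 remark same decision as the implicit deny, but visible in the log buffer
 deny ip any any log
!
interface FastEthernet0/1
 no ip access-group 101 in
 no ip access-group 100 out
 ip access-group WAN-IN in
 ip access-group WAN-OUT out
!
! Verify from exec mode while a LAN host has sessions open:
!   show ip access-lists RETURN    (mirrored entries appear here)
!   show ip access-lists WAN-IN    (hit counts per line)
```

A few notes on the choices above. The smallest possible change to the original list would be "access-list 101 permit tcp any host 216.240.x.a established", but that only covers TCP, admits any packet with ACK or RST set, and does nothing for DNS or ICMP replies; the reflexive list handles all three. The inbound "eq ftp-data" lines from the original are dropped because an FTP server's active-mode data connection originates from port 20 outbound and is mirrored by WAN-OUT; passive mode needs a defined port range on the server and matching inbound permits, which neither the original nor this example provides. The original list also permits telnet and HTTP from any Internet source to the router's own address while the vty lines accept telnet; both carry credentials in cleartext, so the example restricts management to a known source on SSH. If the router runs the Advanced Security feature set, "ip inspect" (CBAC) applied outbound on FastEthernet0/1 does the same job with application awareness and can be used instead of the reflect/evaluate pair.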

5 Replies

brianj
Level 1