Help with access-list

Equip: 1760 VPN/K9 with Ethernet WIC

Goal is to allow access to only a web server behind router (port 80) yet allow any machine behind the router access to the internet

Problem is that as soon as I apply the access list to int e0/0 the machines behind the router can't get to anything outside the router.

Using access lists:

access-list 101 permit tcp any host 172.31.2.2 eq 80
access-list 101 permit tcp any any established
access-list 101 permit udp any any eq 53
access-list 101 permit udp any any eq 123

Any ideas?

thanks

Ricardo Clements

thisisshanky
Level 11

How have you applied your access list? Inbound or outbound?

On your e0/0, this acl should be applied outbound.

I would recommend changing this access-list and applying it to the serial interface (or your WAN interface) inbound.

Sankar Nair
UC Solutions Architect
Pacific Northwest | CDW
CCIE Collaboration #17135 Emeritus

e0/0 is my WAN interface and I have been applying it as an inbound filter.

Here is the config:

Current configuration : 1024 bytes
!
version 12.2
service config
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname xxx
!
logging queue-limit 100
enable secret xxxxx
enable password xxx
!
ip subnet-zero
!
!
ip domain name xxxx.com
!
ip audit notify log
ip audit po max-events 100
!
!
!
!
!
!
!
interface Ethernet0/0
 ip address 192.168.1.10 255.255.255.0
 ip access-group 101 in
 ip access-group 1 out
 half-duplex
!
interface FastEthernet0/0
 ip address 172.31.1.1 255.255.0.0
 speed auto
 full-duplex
!
router rip
 version 2
 network 172.31.0.0
 network 192.168.1.0
!
ip classless
ip http server
no ip http secure-server
!
!
!
access-list 1 permit any
access-list 101 permit tcp any any established
access-list 101 permit udp any any eq domain
access-list 101 permit udp any any eq ntp
!
snmp-server community public RO
snmp-server enable traps tty
...

ricardo
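As an added example (not code from the thread or from Cisco), here is a small Python model of how IOS evaluates the extended ACL from the original post when it is applied inbound on e0/0. It shows that `permit tcp any any established` does pass TCP replies to inside clients, but `permit udp any any eq 53` only matches packets whose destination port is 53, so a DNS answer arriving with source port 53 and an ephemeral destination port falls to the implicit deny; a variant written as `permit udp any eq 53 any` is modelled beside it. The sample packets and addresses are constructed for illustration.

```python
# Model of the thread's extended ACL as IOS evaluates it inbound on e0/0: first
# matching entry wins, an unmatched packet hits the implicit deny, "eq" after the
# destination address tests the destination port, and "established" matches only
# TCP segments with ACK or RST set. Sample packets below are constructed.
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Packet:
    proto: str          # "tcp" or "udp"
    src: str
    dst: str
    sport: int
    dport: int
    ack: bool = False   # TCP ACK/RST bit, the thing "established" tests

@dataclass
class Rule:                          # every entry in this ACL is a permit
    proto: str
    dst_host: Optional[str] = None   # None means "any"
    sport: Optional[int] = None      # "eq" placed after the source address
    dport: Optional[int] = None      # "eq" placed after the destination address
    established: bool = False

    def matches(self, p: Packet) -> bool:
        return (p.proto == self.proto
                and self.dst_host in (None, p.dst)
                and self.sport in (None, p.sport)
                and self.dport in (None, p.dport)
                and (p.ack or not self.established))

def permitted(acl: List[Rule], p: Packet) -> bool:
    """True if some permit entry matches; otherwise the implicit deny applies."""
    return any(r.matches(p) for r in acl)

# access-list 101 exactly as the original post lists it
ACL_AS_POSTED = [
    Rule("tcp", dst_host="172.31.2.2", dport=80),   # permit tcp any host 172.31.2.2 eq 80
    Rule("tcp", established=True),                  # permit tcp any any established
    Rule("udp", dport=53),                          # permit udp any any eq 53
    Rule("udp", dport=123),                         # permit udp any any eq 123
]
# Same list with the DNS entry written for replies: permit udp any eq 53 any
ACL_DNS_REPLIES = ACL_AS_POSTED[:2] + [Rule("udp", sport=53), Rule("udp", dport=123)]

# Constructed traffic arriving from the WAN side (203.0.113.0/24 is documentation space)
WEB_IN   = Packet("tcp", "203.0.113.5", "172.31.2.2", 40000, 80)              # new HTTP session to the server
TCP_BACK = Packet("tcp", "203.0.113.9", "172.31.1.50", 443, 51000, ack=True)  # reply to an inside client
DNS_BACK = Packet("udp", "203.0.113.53", "172.31.1.50", 53, 52000)            # DNS answer to an inside client
```

The model covers only the fields these four entries use; it does not model NAT, the RIP updates the config also sends out e0/0, or ICMP, which this ACL drops entirely.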