09-03-2004 11:23 AM - edited 03-02-2019 06:14 PM
Hi,
I want to set up a simple ACL which blocks all incoming traffic initiated into our network through the (WAN) serial interface, and allows the outgoing traffic from our network to the world through the router Ethernet interface, which then puts it onto the WAN serial interface.
I thought once the ACL is activated, it implies default deny.
Interface Ethernet0
ip access-group 101 in
access-list 101 permit ip 172.25.25.0 0.0.0.255 any
access-list 101 deny ip any any
Where 172.25.25.0 is our Secure network and the router is on the same network.
Please can you suggest if there's anything wrong with this?
Thanks, Sree
09-03-2004 12:00 PM
hey
What you have given is right. In the last line, one small change, i.e.
access-list 101 deny ip any any log, which means denied packets will be logged.
bye
sat
09-04-2004 04:26 AM
Thanks for the reply.
When I had those commands, it never worked. It denied everything. But I really wanted to allow the communication from our secure network to the world.
Interface Ethernet0
ip access-group 101 in
access-list 101 permit ip 172.25.25.0 0.0.0.255 any
access-list 101 deny ip any any
Does the logging make any difference, other than what's being denied?
Thanks, Sree
09-05-2004 06:06 AM
The logging does not make any difference in what is permitted and what is denied. It only will provide explicit listing of what is denied.
I do not understand very well what you are attempting to accomplish and what the problem is. Could you clarify what the topology is: what is the ip address on both of the router interfaces, where is 172.25.25.0?
The syntax would make sense if 172.25.25.0 is connected to Ethernet 0. Is that the case? Are there any other networks connected to the router?
HTH
Rick
09-07-2004 07:17 AM
Thanks for your reply.
I have Ethernet0 connected on the 172.25.25.0/24 network and the WAN interface on 172.25.15.0/24, with the IP address on our end as 172.25.15.2 and the remote end as 172.25.15.1, which connects to the customer network.
I'd like to allow everything that is initiated from 172.25.25.0/24 network to the customer network and block everything for the connections initiated from customer network.
Hope this clarifies.
Thanks, Sree
09-07-2004 07:56 AM
First of all, does it work if you take away the access-group command? Just want to be sure we are looking at an access-list problem, and not something else.
If so, bear in mind that an access list filters individual packets, NOT connections. The access list you have given will allow 172.25.25.0/24 machines on your LAN to go to the WAN (or anywhere else for that matter). It will deny anything else on your LAN to go to the WAN.
BUT, it will not do anything to the traffic from your WAN to your LAN. For this, you would need another access list, either on input from WAN, or on output to the LAN.
Kevin Dorrell
Luxembourg
09-07-2004 09:31 AM
It works fine without access-group.
Thanks for a clue. I have added the following by slightly rearranging the list. It works great.
Serial0
ip access-group 101 out
ip access-group 102 in
access-list 101 permit tcp 172.25.25.0 0.0.0.255 any
access-list 102 permit tcp any 172.25.25.0 0.0.0.255 established
Sree
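To make Kevin's point concrete (packets, not connections, and the `established` keyword matching only the shape of a reply), here is an added Python model of Sree's final Serial0 configuration. It is not Cisco code and not from any poster; the customer host 10.1.1.5 is a constructed address.

```python
import ipaddress
from dataclasses import dataclass

ANY = ipaddress.ip_network("0.0.0.0/0")
LAN = ipaddress.ip_network("172.25.25.0/24")   # the secure network from the thread

@dataclass
class Pkt:
    src: str
    dst: str
    proto: str                                  # "tcp", "udp" or "icmp"
    flags: frozenset = frozenset()              # TCP flags, e.g. {"SYN"}

@dataclass
class Ace:
    action: str                                 # "permit" or "deny"
    proto: str                                  # "ip" matches any protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    established: bool = False

    def matches(self, p: Pkt) -> bool:
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if (ipaddress.ip_address(p.src) not in self.src
                or ipaddress.ip_address(p.dst) not in self.dst):
            return False
        # IOS 'established' is not stateful: it only accepts TCP segments
        # carrying ACK or RST, i.e. segments that look like replies.
        if self.established and not (p.flags & {"ACK", "RST"}):
            return False
        return True

def evaluate(acl: list, p: Pkt) -> str:
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for ace in acl:
        if ace.matches(p):
            return ace.action
    return "deny"

# Sree's final access lists bound to Serial0 (101 out, 102 in).
ACL_101_OUT = [Ace("permit", "tcp", LAN, ANY)]
ACL_102_IN = [Ace("permit", "tcp", ANY, LAN, established=True)]

def serial0(direction: str, p: Pkt) -> str:
    """Apply the access-group bound to Serial0 in the given direction."""
    return evaluate(ACL_101_OUT if direction == "out" else ACL_102_IN, p)
```

Running it shows the two caveats a practitioner should expect from this configuration: because only `tcp` is permitted, UDP and ICMP (DNS, ping) from the LAN are dropped in both directions, and because `established` only checks flags, it is a packet filter rather than a connection tracker.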