Setting up simple ACL on 2511 router

spamidala
Level 1

Hi,

I want to set up a simple ACL which blocks all incoming traffic initiated into our network through the (WAN) serial interface, and allows the outgoing traffic from our network to the world through the router's Ethernet interface, which then puts it onto the WAN serial interface.

I thought that once the ACL is activated, it implies a default deny.

interface Ethernet0
 ip access-group 101 in

access-list 101 permit ip 172.25.25.0 0.0.0.255 any
access-list 101 deny ip any any

Where 172.25.25.0 is our Secure network and the router is on the same network.

Please can you suggest if there's anything wrong with this?

Thanks, Sree

6 Replies

sateesh_k10
Level 1

hey

What you have given is right. In the last line, a small change, i.e.

access-list 101 deny ip any any log ... means denied packets will be logged.

bye

sat

Thanks for the reply.

When I had those commands, it never worked. It denied everything. But I really wanted to allow the communication from our secure network to the world.

interface Ethernet0
 ip access-group 101 in

access-list 101 permit ip 172.25.25.0 0.0.0.255 any
access-list 101 deny ip any any

Does the logging make any difference, other than what's being denied?

Thanks, Sree

The logging does not make any difference in what is permitted and what is denied. It only will provide explicit listing of what is denied.

I do not understand very well what you are attempting to accomplish and what the problem is. Could you clarify what the topology is: what is the IP address on both of the router interfaces, and where is 172.25.25.0?

The syntax would make sense if 172.25.25.0 is connected to Ethernet 0. Is that the case? Are there any other networks connected to the router?

HTH

Rick

Thanks for your reply.

I have Ethernet0 connected on the 172.25.25.0/24 network and the WAN interface on 172.25.15.0/24, with the IP address on our end being 172.25.15.2 and the remote end 172.25.15.1, which connects to the customer network.

I'd like to allow everything that is initiated from 172.25.25.0/24 network to the customer network and block everything for the connections initiated from customer network.

Hope this clarifies.

Thanks, Sree

First of all, does it work if you take away the access-group command? Just want to be sure we are looking at an access-list problem, and not something else.

If so, bear in mind that an access list filters individual packets, NOT connections. The access list you have given will allow 172.25.25.0/24 machines on your LAN to go to the WAN (or anywhere else for that matter). It will deny anything else on your LAN from going to the WAN.

BUT, it will not do anything to the traffic from your WAN to your LAN. For this, you would need another access list, either on input from the WAN, or on output to the LAN.

Kevin Dorrell

Luxembourg

It works fine without access-group.

Thanks for a clue. I have added the following by slightly rearranging the list. It works great.

interface Serial0
 ip access-group 101 out
 ip access-group 102 in

access-list 101 permit tcp 172.25.25.0 0.0.0.255 any
access-list 102 permit tcp any 172.25.25.0 0.0.0.255 established

Sree
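To make the packet-level behaviour of that final configuration concrete, here is an added Python model (not from this thread and not Cisco code) of how IOS evaluates these two extended lists on Serial0, including the implicit deny and the `established` keyword; the `wildcard_to_net` helper and the sample packets are constructed for this example.

```python
# Added example (not from the thread): model of IOS extended-ACL matching; packets are constructed.
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network

@dataclass
class Packet:
    proto: str              # "tcp", "udp" or "icmp"
    src: str
    dst: str
    ack: bool = False       # TCP ACK bit
    rst: bool = False       # TCP RST bit

@dataclass
class Entry:
    action: str             # "permit" or "deny"
    proto: str              # "ip" matches every protocol
    src: IPv4Network
    dst: IPv4Network
    established: bool = False   # IOS 'established': TCP segment with ACK or RST set

def wildcard_to_net(addr: str, wildcard: str) -> IPv4Network:
    """Turn an IOS 'address wildcard' pair (172.25.25.0 0.0.0.255) into a network."""
    ones = bin(int(ip_address(wildcard))).count("1")   # contiguous wildcard assumed
    return ip_network(f"{addr}/{32 - ones}", strict=False)

def matches(e: Entry, p: Packet) -> bool:
    if e.proto != "ip" and e.proto != p.proto:
        return False
    if ip_address(p.src) not in e.src or ip_address(p.dst) not in e.dst:
        return False
    return not e.established or (p.proto == "tcp" and (p.ack or p.rst))

def evaluate(acl: list, p: Packet) -> str:
    """First matching entry wins; every IOS ACL ends with an implicit 'deny ip any any'."""
    for e in acl:
        if matches(e, p):
            return e.action
    return "deny"

LAN, ANY = wildcard_to_net("172.25.25.0", "0.0.0.255"), ip_network("0.0.0.0/0")
ACL_101_OUT = [Entry("permit", "tcp", LAN, ANY)]                   # ip access-group 101 out
ACL_102_IN = [Entry("permit", "tcp", ANY, LAN, established=True)]  # ip access-group 102 in

def serial0(p: Packet, direction: str) -> str:   # apply the list bound to Serial0 "in" or "out"
    return evaluate(ACL_101_OUT if direction == "out" else ACL_102_IN, p)
if __name__ == "__main__":
    print(serial0(Packet("tcp", "172.25.25.10", "172.25.15.1"), "out"))            # permit: LAN opens session
    print(serial0(Packet("tcp", "172.25.15.1", "172.25.25.10", ack=True), "in"))   # permit: reply has ACK set
    print(serial0(Packet("tcp", "172.25.15.1", "172.25.25.10"), "in"))             # deny: customer-side SYN
    print(serial0(Packet("udp", "172.25.25.10", "172.25.15.1"), "out"))            # deny: only tcp is permitted
```

Because both lists match only tcp, UDP and ICMP from the LAN fall through to the implicit deny, and the established keyword checks only the ACK/RST bits, so any inbound TCP segment with ACK set is passed whether or not a session actually exists.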
