Access Control List Problem

hacabrera001
Level 1

Hi guys, I'm experiencing a problem with one of my ACLs...

I have it applied INBOUND on the Router's Interface that is facing the Internet.

I'm trying to restrict access so the only thing visible to the Internet is my WebPage, but when I apply this ACL on the Router's Interface it takes down the connection to the Internet (I'm running a ping on one of my internal hosts, but as soon as I apply that ACL INBOUND on my Router's External Interface it takes down any communication to the Internet).

I think that it is because the Router is dropping all the "returning" packets.

I know that there is one argument (ESTABLISHED) that I can enable to permit those returning packets, but it only applies to TCP, so what about ICMP and UDP?

This is the ACL I'm using:

access-list 101 remark FW-Outside-to-Inside
access-list 101 deny ip 192.168.0.0 0.0.0.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip host 0.0.0.0 0.0.0.0 any
access-list 101 permit tcp host 66.137.99.107 any eq 1720
access-list 101 permit tcp host 66.137.99.108 any eq 1720
access-list 101 permit tcp host 66.137.99.109 any eq 1720
access-list 101 permit tcp host 66.137.99.107 any range 16000 20000
access-list 101 permit tcp host 66.137.99.108 any range 16000 20000
access-list 101 permit tcp host 66.137.99.109 any range 16000 20000
access-list 101 permit udp host 66.137.99.107 any range 5000 5075
access-list 101 permit udp host 66.137.99.108 any range 5000 5075
access-list 101 permit udp host 66.137.99.109 any range 5000 5075
access-list 101 permit tcp any host MYWEBSERVERSIP eq 80
access-list 101 deny ip any any

I hope you guys can give me a clue...

Thank you!!!
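An added example, not the poster's or Cisco's code, that models Cisco first-match ACL evaluation over a subset of the posted ACL (constructed addresses stand in for MYWEBSERVERSIP and the router's outside address). It shows why the final deny drops the ICMP and UDP replies to sessions started inside, and that a `permit tcp any any established` entry rescues only the TCP reply.

```python
import ipaddress
# Added illustration of Cisco extended-ACL first-match evaluation; not IOS code.
def wc_match(addr, base, wildcard):
    """Cisco wildcard mask: a 1 bit means that bit is not compared."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)

def parse_addr(tok):
    """Consume 'any', 'host A' or 'A WILDCARD'; return (base, wildcard, rest)."""
    if tok[0] == "any":
        return "0.0.0.0", "255.255.255.255", tok[1:]
    if tok[0] == "host":
        return tok[1], "0.0.0.0", tok[2:]
    return tok[0], tok[1], tok[2:]

def parse_entry(line):
    """access-list N {permit|deny} PROTO SRC DST [eq P | range LO HI] [established]"""
    t = line.split()
    src, swc, rest = parse_addr(t[4:])
    dst, dwc, rest = parse_addr(rest)
    lo = hi = None
    if rest and rest[0] in ("eq", "range"):
        lo, hi = int(rest[1]), int(rest[2] if rest[0] == "range" else rest[1])
    return t[2], t[3], src, swc, dst, dwc, lo, hi, rest[-1:] == ["established"]

def evaluate(acl, pkt):
    """First matching entry wins; every Cisco ACL ends with an implicit deny."""
    for action, proto, src, swc, dst, dwc, lo, hi, est in acl:
        if (proto in ("ip", pkt["proto"])
                and wc_match(pkt["src"], src, swc) and wc_match(pkt["dst"], dst, dwc)
                and (lo is None or lo <= pkt["dport"] <= hi)
                and (not est or pkt["ack"])):  # established: ACK or RST bit set
            return action
    return "deny"

WEB, OUT = "203.0.113.10", "203.0.113.1"  # constructed: web server, router outside IP
ACL_101 = [  # subset of the posted ACL, with MYWEBSERVERSIP replaced by WEB
    "access-list 101 deny ip 192.168.0.0 0.0.0.255 any",
    "access-list 101 deny ip host 255.255.255.255 any",
    f"access-list 101 permit tcp any host {WEB} eq 80",
    "access-list 101 deny ip any any",
]

def check_return_traffic(extra_lines=()):
    """Verdicts for constructed inbound packets; extra_lines go before the final deny."""
    acl = [parse_entry(l) for l in ACL_101[:-1] + list(extra_lines) + ACL_101[-1:]]
    pkts = [("web hit", "tcp", WEB, 80, False), ("ping reply", "icmp", OUT, 0, False),
            ("tcp reply", "tcp", OUT, 51000, True), ("dns reply", "udp", OUT, 51001, False)]
    return {n: evaluate(acl, dict(proto=pr, src="198.51.100.7", dst=d, dport=dp, ack=ack))
            for n, pr, d, dp, ack in pkts}
```

Without an extra entry every reply is denied except the inbound web hit; adding `access-list 101 permit tcp any any established` permits the TCP reply but still leaves the ping and DNS replies at the final deny.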

Accepted Solution

rsmith
Level 3

The last two deny statements (before your permit statements), "host 255.255.255.255 any" and "host 0.0.0.0 0.0.0 any", may be the problem. You specified a reverse-mask on the 0.0.0.0 0.0.0.0, which will override the 'host' command (I believe). I would first try removing these and see if it works, then re-inserting them (without the mask) to see if it still works.
