06-05-2005 09:00 PM - edited 03-03-2019 09:44 AM
Greetings all!
I am trying to deny all traffic through my WAN except for web, ssh, ftp, pop3, and smtp... I've got those services running behind my 2611 at a SOHO-sized location...
I've applied the following ACL to the interface, and unfortunately it's cutting off my LAN's access to anything outside the router...
permit tcp any any eq www
permit tcp any any eq ftp
permit tcp any any eq pop3
permit tcp any any eq smtp
permit tcp any any eq 22
deny ip any any
What the heck am I doing wrong here?
06-05-2005 09:53 PM
Hello,
You also need to allow DNS, in addition to any routing protocol traffic that you might be running. For DNS (which is necessary for your web access), add the following to your access list:
permit tcp any any eq domain
If you are running a routing protocol, you will need to allow that traffic as well...
HTH,
GP
06-06-2005 04:45 AM
The point about DNS is well taken. But the DNS query requires a UDP permit. The TCP DNS is for zone transfers, which is not the issue here.
There is also a question about which interface and which direction the access list is being applied. Depending on direction it might be
permit tcp any any eq www
or it might be
permit tcp any eq www any
HTH
Rick
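A worked version of the two points above (UDP for DNS answers, and matching on the direction the list is applied), written here as an added example and not taken from any post in this thread. It assumes Ethernet0/0 is the WAN side of the 2611, Ethernet0/1 the LAN side, and 192.0.2.10 (a documentation-range stand-in) is the public address of the host running the published services; the list is applied inbound on the WAN interface, so the "source" of every entry is the outside world.

```cisco
! Added example, not from the thread. Assumptions: Ethernet0/0 = WAN,
! 192.0.2.10 = the host behind the router that runs web/ftp/pop3/smtp/ssh.
! Applied INBOUND on the WAN interface: source = outside, destination = us.
ip access-list extended WAN-IN
 remark --- sessions initiated from outside to the published services ---
 permit tcp any host 192.0.2.10 eq www
 permit tcp any host 192.0.2.10 eq ftp
 permit tcp any host 192.0.2.10 eq pop3
 permit tcp any host 192.0.2.10 eq smtp
 permit tcp any host 192.0.2.10 eq 22
 remark --- replies to TCP sessions the LAN opened (ACK or RST bit set) ---
 remark --- this is what the original list was missing: a reply from a
 remark --- web server has SOURCE port 80, so "any any eq www" never matches
 permit tcp any any established
 remark --- DNS answers come back over UDP from source port 53 ---
 permit udp any eq domain any
 remark --- optional: ping replies and ICMP errors so the LAN can troubleshoot
 permit icmp any any echo-reply
 permit icmp any any unreachable
 permit icmp any any time-exceeded
 deny ip any any log
!
interface Ethernet0/0
 description WAN
 ip access-group WAN-IN in
```

Two caveats worth knowing before copying this. `established` is stateless: it only checks for the ACK or RST flag, so it is not a substitute for a real stateful inspection (the IOS Firewall feature set's `ip inspect` does that, if the image on the 2611 has it). And active-mode FTP from a LAN client to an outside server has the server open the data connection from its port 20 inbound, which this list drops; passive mode avoids that, and the published FTP server on 192.0.2.10 is unaffected because its data connections leave outbound, where nothing is filtered.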