06-03-2019 12:53 AM
Hi
We have a 1841 router. We can ping its interface and the network beyond it when the ACL* is applied to the interface; when the ACL is removed we can just communicate with the router and the network beyond is completely disconnected.
The ACL contains one line: permit ip any any
For testing purposes we have replaced the router with a new one and the problem still exists.
Can anyone help please?
Thanks in advance
06-03-2019 05:10 AM
Hi
I have issued the commands below and the problem is solved:
int f0/0
no ip cef
no ip proxy-arp
06-03-2019 01:05 AM
Hi there,
Please can you share the running config of the router?
cheers,
Seb.
06-03-2019 01:07 AM
Hello
@m-hossainagri wrote:
Hi
We have a 1841 router. We can ping its interface and the network beyond it when the ACL* is applied to the interface; when the ACL is removed we can just communicate with the router and the network beyond is completely disconnected.
The ACL contains one line: permit ip any any
Can you post the configuration of the router with this ACL attached please? Sounds like your ACL is tied to network translation.
06-03-2019 01:14 AM
06-03-2019 01:26 AM - edited 06-03-2019 01:27 AM
Hi there,
The ACL ETHERNET_IN contains only one ACE:
ip access-list extended ETHERNET_IN
 permit ip any any log
...if you remove the only permit statement, you essentially have an implicit deny-all ACE. This is why you cannot reach beyond the interface.
If you want to remove the ACE, you also need to remove it from the interface:
!
interface FastEthernet0/0
 no ip access-group ETHERNET_IN in
!
cheers,
Seb.
06-03-2019 01:31 AM
I think you got it wrong: when I remove the ACL from the interface the network is disconnected:
!
interface FastEthernet0/0
 no ip access-group ETHERNET_IN in
!
When I do the above command there should be no filtering, but instead everything gets disconnected.
06-03-2019 01:42 AM - edited 06-03-2019 01:43 AM
Hello
@m-hossainagri wrote:
I think you got it wrong: when I remove the ACL from the interface the network is disconnected:
!
interface FastEthernet0/0
 no ip access-group ETHERNET_IN in
!
When I do the above command there should be no filtering, but instead everything gets disconnected.
Not sure how this can be; the ACL ETHERNET_IN is allowing everything anyway and it isn't tied to anything else, so without it applied to that interface all traffic will continue to be allowed and nothing should be impeded.
06-03-2019 01:49 AM
hmmm, I agree with @paul driver. For our sanity, can you provide the output of:
sh ip int fa0/0
...when the access-group is both applied and removed.
cheers,
Seb.
06-03-2019 01:52 AM
FastEthernet0/0 is up, line protocol is up
Internet address is 10.7.120.5/24
Broadcast address is 255.255.255.255
Address determined by non-volatile memory
MTU is 1500 bytes
Helper address is not set
Directed broadcast forwarding is disabled
Multicast reserved groups joined: 224.0.0.2 224.0.0.5 224.0.0.6
Outgoing access list is not set
Inbound access list is ETHERNET_IN
Proxy ARP is enabled
Local Proxy ARP is disabled
Security level is default
Split horizon is enabled
ICMP redirects are always sent
ICMP unreachables are always sent
ICMP mask replies are never sent
IP fast switching is enabled
IP fast switching on the same interface is disabled
IP Flow switching is disabled
IP CEF switching is enabled
IP CEF Feature Fast switching turbo vector
IP multicast fast switching is enabled
IP multicast distributed fast switching is disabled
IP route-cache flags are Fast, CEF
Router Discovery is disabled
IP output packet accounting is disabled
IP access violation accounting is disabled
TCP/IP header compression is disabled
RTP/IP header compression is disabled
Policy routing is disabled
Network address translation is disabled
BGP Policy Mapping is disabled
WCCP Redirect outbound is disabled
WCCP Redirect inbound is disabled
WCCP Redirect exclude is disabled
06-03-2019 02:03 AM
...
Outgoing access list is not set
Inbound access list is ETHERNET_IN
...
...OK and what is the output with the ACL removed from the interface?
06-03-2019 02:11 AM
We don't have an output ACL.
The funny part is when we remove the inside ACL as well, everything will be discarded.
06-03-2019 02:21 AM
I meant remove the ACL:
!
interface FastEthernet0/0
 no ip access-group ETHERNET_IN in
!
...and then share the output of sh ip int fa0/0
I just want to see the router confirming that no ACL is set.
06-03-2019 03:54 AM
FastEthernet0/0 is up, line protocol is up
Internet address is 10.7.120.5/24
Broadcast address is 255.255.255.255
Address determined by non-volatile memory
MTU is 1500 bytes
Helper address is not set
Directed broadcast forwarding is disabled
Multicast reserved groups joined: 224.0.0.2 224.0.0.5 224.0.0.6
Outgoing access list is not set
Inbound access list is not set
Proxy ARP is enabled
Local Proxy ARP is disabled
Security level is default
Split horizon is enabled
ICMP redirects are always sent
ICMP unreachables are always sent
ICMP mask replies are never sent
IP fast switching is enabled
IP fast switching on the same interface is disabled
IP Flow switching is disabled
IP CEF switching is enabled
IP CEF Fast switching turbo vector
IP multicast fast switching is enabled
IP multicast distributed fast switching is disabled
IP route-cache flags are Fast, CEF
Router Discovery is disabled
IP output packet accounting is disabled
IP access violation accounting is disabled
TCP/IP header compression is disabled
RTP/IP header compression is disabled
Policy routing is disabled
Network address translation is disabled
BGP Policy Mapping is disabled
WCCP Redirect outbound is disabled
WCCP Redirect inbound is disabled
WCCP Redirect exclude is disabled
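The two `sh ip int fa0/0` captures above differ only in the inbound access list, which is what Seb wanted the router to confirm. As an added example (not code posted by anyone in this thread), the Python below parses each capture into key/value fields and diffs them, so the forwarding-path settings (ACLs, proxy ARP, CEF, NAT, policy routing) can be compared side by side instead of by eye. The embedded captures are the thread's own output trimmed to the relevant lines; lines without an "is"/"are" verb (such as the CEF turbo-vector note) carry no comparable setting and are skipped.

```python
"""Parse and compare Cisco IOS 'show ip interface <intf>' captures.

Added example for this thread, not code from any participant. The two
captures are the poster's 'sh ip int fa0/0' output (ACL applied, then
removed), trimmed to the lines relevant to the forwarding path.
"""
import re
from typing import Dict, Optional, Tuple

# Capture 1 (from the thread): ETHERNET_IN applied inbound.
WITH_ACL = """\
FastEthernet0/0 is up, line protocol is up
  Internet address is 10.7.120.5/24
  Outgoing access list is not set
  Inbound access list is ETHERNET_IN
  Proxy ARP is enabled
  Local Proxy ARP is disabled
  IP fast switching is enabled
  IP CEF switching is enabled
  IP CEF Feature Fast switching turbo vector
  IP route-cache flags are Fast, CEF
  Policy routing is disabled
  Network address translation is disabled
"""

# Capture 2 (from the thread): access-group removed from the interface.
WITHOUT_ACL = """\
FastEthernet0/0 is up, line protocol is up
  Internet address is 10.7.120.5/24
  Outgoing access list is not set
  Inbound access list is not set
  Proxy ARP is enabled
  Local Proxy ARP is disabled
  IP fast switching is enabled
  IP CEF switching is enabled
  IP CEF Fast switching turbo vector
  IP route-cache flags are Fast, CEF
  Policy routing is disabled
  Network address translation is disabled
"""

# First line: "<intf> is <state>, line protocol is <state>".
_STATUS_RE = re.compile(
    r"^(?P<intf>\S+) is (?P<admin>[^,]+), line protocol is (?P<proto>\S+)$")
# Every other setting line: "<key> is|are <value>". Non-greedy key so the
# split happens at the first verb.
_FIELD_RE = re.compile(r"^(?P<key>.+?) (?:is|are) (?P<value>.+)$")

# Settings that decide whether traffic through the interface is forwarded.
FORWARDING_KEYS = ("Inbound access list", "Outgoing access list", "Proxy ARP",
                   "IP CEF switching", "IP route-cache flags",
                   "Policy routing", "Network address translation")


def parse_show_ip_interface(text: str) -> Dict[str, str]:
    """Turn one 'show ip interface' capture into a {setting: value} dict."""
    fields: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _STATUS_RE.match(line)
        if m:
            fields["interface"] = m["intf"]
            fields["admin state"] = m["admin"]
            fields["line protocol"] = m["proto"]
            continue
        m = _FIELD_RE.match(line)
        if m:
            fields[m["key"]] = m["value"]
        # Lines with no is/are verb carry no setting to compare; skip them.
    return fields


def compare(before: Dict[str, str],
            after: Dict[str, str]) -> Dict[str, Tuple[Optional[str], Optional[str]]]:
    """Return only the settings whose value changed between two captures."""
    diff: Dict[str, Tuple[Optional[str], Optional[str]]] = {}
    for key in sorted(set(before) | set(after)):
        if before.get(key) != after.get(key):
            diff[key] = (before.get(key), after.get(key))
    return diff


def forwarding_summary(fields: Dict[str, str]) -> Dict[str, str]:
    """Pull out the forwarding-path settings a troubleshooter checks first."""
    return {k: fields.get(k, "<absent>") for k in FORWARDING_KEYS}


if __name__ == "__main__":
    before = parse_show_ip_interface(WITH_ACL)
    after = parse_show_ip_interface(WITHOUT_ACL)
    for key, (old, new) in compare(before, after).items():
        print(f"{key}: {old!r} -> {new!r}")
    for key, value in forwarding_summary(after).items():
        print(f"{key}: {value}")
```

Running it prints a single changed setting (the inbound access list) followed by the forwarding summary; any other difference between two captures taken before and after a change would show up in the same list.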