Access-List Blocking Access

Level 1

Hi!

After adding the below Extended Access-List Entry into my 1841 Router,

access-list 102 permit ip host 192.168.1.1 any

I can access the Internet from this client but cannot connect to this client from another branch through the VPN tunnels. I can access all other clients that do not have this access-list entry.

Thanks.

5 Replies

John Peek
Level 1

Posting your config will help.

Current configuration : 1934 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Branch-Router
!
boot-start-marker
boot-end-marker
!
no logging buffered
no logging monitor
enable password password
!
no aaa new-model
!
resource policy
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
ip cef
!
!
no ip dhcp use vrf connected
!
!
ip name-server Server-1
ip name-server Server-2
vpdn enable
vpdn ip udp ignore checksum
!
vpdn-template 1
!
vpdn-group 1
! Default PPTP VPDN group
 accept-dialin
  protocol pptp
  virtual-template 1
!
!
username vpn password 0 vpn
!
!
!
interface Tunnel1
 description VPN To Main-Office
 ip address 192.168.100.2 255.255.255.0
 tunnel source router wan ip
 tunnel destination main-office router wan ip
!
interface FastEthernet0/0
 description WAN
 ip address public ip
 ip nat outside
 duplex auto
 speed auto
!
interface FastEthernet0/1
 description LAN
 ip address 192.168.1.2 255.255.255.0
 ip nat inside
 duplex auto
 speed auto
!
interface Virtual-Template1
 ip unnumbered FastEthernet0/1
 peer default ip address pool branch
 no keepalive
 ppp authentication pap chap ms-chap
!
ip local pool  192.168.1.101 192.168.1.150
ip classless
ip route 0.0.0.0 0.0.0.0 router wan ip
ip route Main Office router wan IP and mask Tunnel1
!
no ip http server
ip nat pool ovrld public ip public ip prefix-length 30
ip nat inside source list 102 pool ovrld overload
!
access-list 102 permit ip host 192.168.1.1 any
!
control-plane
!
!
line con 0
 password password
 login
line aux 0
line vty 0 4
 password password
 login
line vty 5 15
 password password
 login
!
end

You will need to NAT-exempt the traffic from 192.168.1.1 going to the IPs on the other end of the tunnel, so if your other-end IP subnet is, for example, 10.0.1.0/24, then you will need to modify access-list 102 like:

access-list 102 deny ip host 192.168.1.1 10.0.1.0 0.0.0.255

access-list 102 permit ip host 192.168.1.1 any

Make sure the NAT-exempt statement appears before the permit any statement.

Manish

Tried but did not succeed. There may be other things that need to be blocked.

Any Suggestions?

Thanks.

access-list 102 deny ip host 192.168.1.1 SOURCE_IP WILDCARD_MASK

access-list 102 permit ip host 192.168.1.1 any

Are you sure that you have the right SOURCE_IP and WILDCARD_MASK?

Try Wireshark/tcpdump on 192.168.1.1, capture the source IP coming in, and then deny that in your NAT access-list 102.

Manish
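An added example, not from this thread or from Cisco: a small Python model of how IOS evaluates the access list referenced by `ip nat inside source list` (first match wins, wildcard masks, permit means translate, deny means leave alone). It lets you check both points Manish raises, the ordering of the deny in his first reply and the SOURCE_IP/WILDCARD_MASK question in his second. The 10.0.1.0/24 far-end subnet is the example value from the reply; the remaining addresses are constructed.

```python
import ipaddress

def wildcard_match(addr, base, wildcard):
    """IOS wildcard-mask match: a 1 bit in the wildcard means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)

def parse_acl_line(line):
    """Parse 'access-list N permit|deny ip <src> <dst>', where each address
    is 'host A.B.C.D', 'any', or 'A.B.C.D WILDCARD'. Only the 'ip' form used
    in the thread is handled; the action is lowercased so 'Deny' also works."""
    tok = line.split()
    if tok[0] != "access-list" or tok[3] != "ip":
        raise ValueError("unsupported ACL line: " + line)
    addrs, i = [], 4
    for _ in range(2):
        if tok[i] == "any":
            addrs.append(("0.0.0.0", "255.255.255.255")); i += 1
        elif tok[i] == "host":
            addrs.append((tok[i + 1], "0.0.0.0")); i += 2
        else:
            addrs.append((tok[i], tok[i + 1])); i += 2
    return (tok[2].lower(),) + addrs[0] + addrs[1]

def nat_decision(acl, src, dst):
    """First-match evaluation as 'ip nat inside source list' uses it:
    permit -> the packet is translated, deny -> it is left alone (exempt),
    and the implicit deny at the end of the list also means no translation."""
    for action, s, sw, d, dw in acl:
        if wildcard_match(src, s, sw) and wildcard_match(dst, d, dw):
            return "translate" if action == "permit" else "exempt"
    return "exempt"

# Constructed from the thread: the suggested NAT-exempt deny placed before
# the original permit (10.0.1.0/24 is the example far-end subnet from the reply).
ACL_DENY_FIRST = [parse_acl_line(l) for l in (
    "access-list 102 deny ip host 192.168.1.1 10.0.1.0 0.0.0.255",
    "access-list 102 permit ip host 192.168.1.1 any",
)]
# The same two entries in the wrong order: the permit matches first, so the
# deny is never reached and traffic bound for the tunnel is still translated.
ACL_DENY_LAST = ACL_DENY_FIRST[::-1]
```

Run `nat_decision(ACL_DENY_FIRST, "192.168.1.1", "10.0.1.25")` against `nat_decision(ACL_DENY_LAST, ...)` to see the ordering effect; if the far-end hosts still get translated with the deny first, the SOURCE_IP/WILDCARD_MASK pair does not cover what the capture shows.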
