
Basic gateway question

argnetworking
Level 1

This is a very basic question and I hate to ask this, but I got this problem today.

I have attached a simplified diagram of the problem.

I have a PC1 IP: 90.90.90.30 with a DG: 90.90.90.100 (which is the router R1). The router R1 (90.90.90.100) has a DG to R2 (90.90.90.200). The router R2 has a DG to the internet.

Everything works great.

Now the problem: let's say I put an ACL in R1 (inbound) deny any any. With that ACL in place, PC1 stops working because it can't get to its default gateway. What should I open in the ACL to allow PC1 to use R1 as the default gateway?

Thanks,

Gonzalo

12 Replies

Hello,

The answer is simple: you will permit what you need from PC1 to be processed by R1.

For example, if you want to let PC1 only ping, you permit ICMP = permit icmp host PC1 any

You can get more granular: if you want to let PC1 ping only cisco.com = permit icmp host PC1 host 198.133.219.25

If you need PC1 to access only web (http), then permit tcp host PC1 any eq 80

Globally thinking, the access-list will tell the router what to accept from PC1, and then the accepted packets will be processed by the router.

Dan

By doing that I'm permitting the host to get into the router and behind the router (I have more networks behind the router). Is there any other way?

thanks,

Gonzalo

PC having the default gw the internet router.

Hi,

What exactly do you want to do as it is not clear.

Regards.

Alain.

Don't forget to rate helpful posts.

This is a part of a more complex situation, there is BGP, migration, changing topology, routing problems, etc.

What I have posted is a simplifying version of the problem but represents the problem.

Thanks,

You tell us that there is a more complex situation and that you ask a simplifying question. So I will provide a simplifying answer. You need to identify what it is that you want this PC to do, and then you need to configure permit statements in the access list. Your access list does not need to permit the PC to have blanket access, so you could configure the access list (using an extended access list) to permit host PC to access host X for HTTP, to access host Y for DNS, to access host Z for ICMP, etc. This will allow only the permitted traffic to get through the interface to the router and for the router to then forward on toward the destination addresses.

HTH

Rick

What I meant is a “simplified version of the problem”.

I want the PC to have full access to the internet using R1 as the default gateway (which at the end the R1 forwards everything to R2).

I am trying to find if there is a special ACL just to allow routing. But I guess there isn't.

Thanks,

Doesn't the ACL below satisfy your purpose?

access-list XX permit ip host 90.90.90.30 any

access-list XX deny ip any any

Hi,

I am trying to find if there is a special ACL just to allow routing. But I guess there isn't.

No, there isn't, so you must explicitly permit traffic and the implicit deny all at the end will deny everything else.

Regards.

Alain.

Don't forget to rate helpful posts.
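The first-match and implicit-deny behaviour described in the replies above, as an added example that is not part of the original thread: a small Python model of how an inbound extended ACL is checked against a packet's own source and destination addresses, which for traffic sent via a default gateway are the PC and the final destination, not the gateway. The 10.0.0.0/8 network standing in for the "networks behind the router", the ACL itself and all function names are assumptions.

```python
import ipaddress

# Constructed ACL for R1's inbound interface. 10.0.0.0/8 is a placeholder for the
# networks behind R1; the thread never gives their addresses.
ACL = [
    "deny ip host 90.90.90.30 10.0.0.0 0.255.255.255",
    "permit ip host 90.90.90.30 any",
]

def _ip(text):
    return int(ipaddress.IPv4Address(text))

def _take_addr(tokens):
    """Consume 'any', 'host A' or 'A WILDCARD'; return (base, wildcard) as ints."""
    first = tokens.pop(0)
    if first == "any":
        return 0, 0xFFFFFFFF
    if first == "host":
        return _ip(tokens.pop(0)), 0
    return _ip(first), _ip(tokens.pop(0))

def parse_entry(line):
    """Parse 'permit|deny PROTO SRC DST [eq PORT]' into a dict."""
    tokens = line.split()
    entry = {"action": tokens.pop(0), "proto": tokens.pop(0)}
    entry["src"] = _take_addr(tokens)
    entry["dst"] = _take_addr(tokens)
    entry["port"] = int(tokens[1]) if tokens[:1] == ["eq"] else None
    return entry

def _addr_match(addr, spec):
    base, wildcard = spec
    # Wildcard bits set to 1 are "don't care"; all other bits must equal the base.
    return (_ip(addr) | wildcard) == (base | wildcard)

def evaluate(acl_lines, proto, src, dst, dport=None):
    """First match wins; a packet matching no entry hits the implicit deny."""
    for n, line in enumerate(acl_lines, 1):
        e = parse_entry(line)
        if (e["proto"] in ("ip", proto) and _addr_match(src, e["src"])
                and _addr_match(dst, e["dst"])
                and (e["port"] is None or e["port"] == dport)):
            return e["action"], n
    return "deny", None

if __name__ == "__main__":
    # Constructed sample packets: (protocol, source, destination, destination port)
    for pkt in [("tcp", "90.90.90.30", "198.133.219.25", 80),
                ("icmp", "90.90.90.30", "10.1.2.3", None),
                ("icmp", "90.90.90.40", "198.133.219.25", None)]:
        print(pkt, "->", evaluate(ACL, *pkt))
```

Putting the deny for the internal range ahead of the broad permit is what keeps PC1 out of the networks behind R1 while still letting R1 forward its other traffic.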

Thanks everyone. In conclusion, there is no way to allow just routing in an ACL.

I am not clear what you mean when you ask about an ACL to allow routing. If you mean routing in terms of running a dynamic routing protocol, then you can use an ACL (referenced in a distribute list) to control the routing updates. (Or in some cases you might use an ACL referenced in a route map to control routing updates.)

If you mean routing in terms of the router forwarding packets, then that is what an ACL applied to an interface does: it controls the routing/forwarding of packets in or out of that interface.

Perhaps you can clarify which type of routing you are asking about?

HTH

Rick

Richard,

I mean routing in terms of packet forwarding. I didn't know if there was something to apply in the ACL to permit the forwarding of a packet that comes to an interface and goes out on the same interface (just point to the next hop).

I can see there is no such thing.

thanks,

Gonzalo
