04-05-2025 11:00 PM
Hello All,
I have a fairly simple scenario where I am performing NAT to use the internet on the network, and below is the configuration. I would like to permit internet traffic on a single host and I have created an extended access list, but it doesn't work. Please check the statements below:
ip access-list 102 permit 192.168.1.3 0.0.0.0 any eq 443
ip access-list 102 Permit 192.168.1.3 0.0.0.0 any eq 80
Then I applied this on my interface Ethernet0/0
ip access-Group 102 in
R1 CONFIG
==========
Building configuration...

Current configuration : 2741 bytes
!
! Last configuration change at 14:38:57 UTC Sat Apr 5 2025
!
version 15.5
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$0McA$gZe2Qh4N69dVSFV/4LZ.b/
!
no aaa new-model
!
bsd-client server url https://cloudsso.cisco.com/as/token.oauth2
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
!
no ip icmp rate-limit unreachable
!
no ip domain lookup
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
cts logging verbose
!
redundancy
!
no cdp log mismatch duplex
!
ip tcp synwait-time 5
!
interface Ethernet0/0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface Ethernet0/1
 ip address dhcp
 ip nat outside
 ip virtual-reassembly in
!
interface Ethernet0/2
 no ip address
 shutdown
!
interface Ethernet0/3
 no ip address
 shutdown
!
interface Ethernet1/0
 no ip address
 shutdown
!
interface Ethernet1/1
 no ip address
 shutdown
!
interface Ethernet1/2
 no ip address
 shutdown
!
interface Ethernet1/3
 no ip address
 shutdown
!
interface Ethernet2/0
 no ip address
 shutdown
!
interface Ethernet2/1
 no ip address
 shutdown
!
interface Ethernet2/2
 no ip address
 shutdown
!
interface Ethernet2/3
 no ip address
 shutdown
!
interface Ethernet3/0
 no ip address
 shutdown
!
interface Ethernet3/1
 no ip address
 shutdown
!
interface Ethernet3/2
 no ip address
 shutdown
!
interface Ethernet3/3
 no ip address
 shutdown
!
interface Serial4/0
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial4/1
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial4/2
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial4/3
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial5/0
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial5/1
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial5/2
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial5/3
 no ip address
 shutdown
 serial restart-delay 0
!
router rip
 version 2
 redistribute static
 network 192.168.1.0
 no auto-summary
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
ip nat inside source list 101 interface Ethernet0/1 overload
ip route 0.0.0.0 0.0.0.0 192.168.122.1
!
access-list 101 permit ip 192.168.0.0 0.0.255.255 any
!
control-plane
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line vty 0 4
 access-class 10 in
 password cisco
 login
 transport input all
!
end
04-05-2025 11:45 PM
Hello @cigalahgroup
Allow DNS also on your ACL.
04-06-2025 02:14 AM - edited 04-06-2025 03:07 AM
What exactly does not work? Two notes: 1) there is always a deny any any statement at the end of every ACL, even if you do not see it; 2) don't you need the tcp keyword, as in
access-list 102 permit tcp x y eq z
access-list 102 permit tcp 192.168.1.3 0.0.0.0 any eq 443
access-list 102 permit tcp 192.168.1.3 0.0.0.0 any eq 80
Regards, ML
**Please Rate All Helpful Responses **
04-06-2025 11:58 PM
I agree with M02@rt37 that the proposed ACL is too restrictive, needing DNS and probably some other protocols. It would be better if the ACL just permitted the host without worrying about specific protocols.
And I agree with @Martin L that the syntax of the ACL is incomplete.
And I would point out an issue with the configured default route:
ip route 0.0.0.0 0.0.0.0 192.168.122.1
The configured next hop of 192.168.122.1 is an address that the router would not know how to get to. It is possible that since the interface uses DHCP to get its address, it might be that the router could learn a default route using dhcp, but the configured static default route needs to specify dhcp.
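The three ACL points raised in the replies above (the missing protocol keyword, the invisible deny any any at the end of every list, and the fact that a port-specific list leaves out DNS while a per-host permit does not) can be checked without a router. The following Python script is an added example, not code from this thread or from Cisco: it parses numbered extended ACL lines in the `access-list <n> permit|deny <proto> <src> <dst> [eq <port>]` form, matches addresses with an IOS-style wildcard mask, and walks the list top-down with the implicit deny at the end. The packets and the 203.0.113.x destination addresses are constructed for illustration; the only real addresses are the ones from the thread.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


def _ip(s: str) -> int:
    """Dotted-quad string to a 32-bit integer."""
    return int(ipaddress.IPv4Address(s))


@dataclass(frozen=True)
class AddrMatch:
    """Address plus IOS wildcard mask: a 1 bit in the wildcard means 'don't care'."""
    addr: int
    wildcard: int

    def matches(self, ip: str) -> bool:
        # Same test IOS performs: the bits NOT covered by the wildcard must agree.
        return ((_ip(ip) ^ self.addr) & (~self.wildcard & 0xFFFFFFFF)) == 0


@dataclass(frozen=True)
class Entry:
    action: str             # "permit" or "deny"
    proto: str              # "ip", "tcp", "udp" or "icmp"
    src: AddrMatch
    dst: AddrMatch
    dport: Optional[int]    # destination port when "eq <port>" is present


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None


def _parse_addr(tok: List[str], i: int):
    """Consume one address term: 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W'."""
    if tok[i] == "any":
        return AddrMatch(0, 0xFFFFFFFF), i + 1
    if tok[i] == "host":
        return AddrMatch(_ip(tok[i + 1]), 0), i + 2
    return AddrMatch(_ip(tok[i]), _ip(tok[i + 1])), i + 2


def parse_entry(line: str) -> Entry:
    """Parse one numbered extended ACL line; raise on the syntax the thread flagged."""
    tok = line.split()
    if len(tok) < 5 or tok[0].lower() != "access-list":
        raise ValueError(f"not an access-list line: {line!r}")
    action, proto = tok[2].lower(), tok[3].lower()
    if action not in ("permit", "deny"):
        raise ValueError(f"expected permit/deny: {line!r}")
    if proto not in ("ip", "tcp", "udp", "icmp"):
        # The original poster's lines fail here: an extended ACL entry needs a
        # protocol keyword before the source address, as the replies point out.
        raise ValueError(f"extended ACL entry needs a protocol keyword: {line!r}")
    src, i = _parse_addr(tok, 4)
    dst, i = _parse_addr(tok, i)
    dport = None
    if i < len(tok):
        if tok[i].lower() != "eq" or i + 1 >= len(tok):
            raise ValueError(f"unsupported trailing tokens: {line!r}")
        dport = int(tok[i + 1])
    return Entry(action, proto, src, dst, dport)


def evaluate(acl: List[Entry], pkt: Packet) -> str:
    """First matching entry wins; no match means the implicit 'deny any any'."""
    for e in acl:
        if e.proto != "ip" and e.proto != pkt.proto:
            continue
        if not (e.src.matches(pkt.src) and e.dst.matches(pkt.dst)):
            continue
        if e.dport is not None and e.dport != pkt.dport:
            continue
        return e.action
    return "deny"


# The corrected port-specific list from the reply, and the per-host alternative.
TCP_ONLY_ACL = [parse_entry(l) for l in (
    "access-list 102 permit tcp 192.168.1.3 0.0.0.0 any eq 443",
    "access-list 102 permit tcp 192.168.1.3 0.0.0.0 any eq 80",
)]
HOST_ACL = [parse_entry("access-list 102 permit ip host 192.168.1.3 any")]

# Constructed traffic entering Ethernet0/0 from the LAN (destinations are documentation addresses).
SAMPLE = {
    "https": Packet("tcp", "192.168.1.3", "203.0.113.10", 443),
    "dns": Packet("udp", "192.168.1.3", "203.0.113.53", 53),
    "ping": Packet("icmp", "192.168.1.3", "203.0.113.10"),
    "other_host": Packet("tcp", "192.168.1.4", "203.0.113.10", 443),
}


def results(acl: List[Entry]) -> dict:
    """Verdict per sample packet for the given ACL."""
    return {name: evaluate(acl, p) for name, p in SAMPLE.items()}


if __name__ == "__main__":
    for label, acl in (("tcp-only", TCP_ONLY_ACL), ("per-host", HOST_ACL)):
        print(label, results(acl))
```

Running it shows that the tcp-only list permits HTTPS but drops the host's DNS query and ICMP through the implicit deny, while the per-host `permit ip host 192.168.1.3 any` passes everything from that host and still drops the other host; feeding it one of the original `permit 192.168.1.3 0.0.0.0 any eq 443` lines raises a ValueError at the missing protocol keyword.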
04-07-2025 01:17 AM
If you see the above configuration, ip route is mentioned. My question is:
Is there any possibility to debug the access list and see where the packets are getting dropped?
04-07-2025 08:10 AM
Yes, the configuration does mention routing. And I have pointed out that as configured it will not work as desired. You can solve this issue either by providing a correct next hop address, or by specifying that the default route is learned via dhcp.
If you want to debug the access list you could debug ip packet and the debug will tell you about all ip packets and what is happening to them. I am puzzled about asking "where the packets are getting dropped". They are dropped where the acl is applied.