Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1113
Views
0
Helpful
4
Replies

Edge Router to ISP ACL Help

stownsend
Level 2
Level 2

‎09-24-2012 03:00 PM - edited ‎03-04-2019 05:39 PM

I have one Employee that Cannot access anything at our Corporate HQ Site. If I remove the ACL on the ISP's Incoming Interface they can get through just fine. 

Here is the ACL I have defined.  Is there something out of the ordinary that I have going on here?

access-list 110 deny   ip 127.0.0.0 0.255.255.255 any

access-list 110 deny   ip 192.0.2.0 0.0.0.255 any

access-list 110 deny   ip 224.0.0.0 31.255.255.255 any

access-list 110 deny   ip host 255.255.255.255 any

access-list 110 deny   ip host 0.0.0.0 any

access-list 110 deny   ip 10.0.0.0 0.255.255.255 any

access-list 110 deny   ip 172.16.0.0 0.15.255.255 any

access-list 110 deny   ip 192.168.0.0 0.0.255.255 any

access-list 110 deny   ip 0.0.0.0 255.255.255.0 any

access-list 110 deny   tcp any any eq telnet

access-list 110 permit icmp any any echo-reply

access-list 110 permit icmp any any unreachable

access-list 110 permit icmp any any time-exceeded

access-list 110 permit ip any any

Thanks!

Labels:
0 Helpful
4 Replies 4

johnlloyd_13
Level 9
Level 9

‎09-24-2012 06:01 PM

hi,

i don't see any ACE that would hinder your user's IP traffic towards your HQ unless there's a firewall somewhere over your LAN.

maybe you can ask the user to give you a traceroute and see where the traffic drops?

0 Helpful

Jigar Dave
Level 3
Level 3

‎09-24-2012 09:05 PM

if you are using proxy, have you make sure that he has proxy enabled on his laptop while accessing HQ ?

0 Helpful

stownsend
Level 2
Level 2

‎09-25-2012 12:09 PM

I feel a bit dumb.   As I waked a co-worker through what each of the lines in the ACL was doing, I found the Offending line that was causing the issue with this user.   Looks like I also forgot to supply his Public IP address.  Its a Comcast Cable modem Customer, nothing fancy, we have several users on ComCast Cable.  his IP address was in a Subnet that was larger than a Class C Address Space. So his IP address ended in a .0

This was in there :  

          access-list 110 deny   ip 0.0.0.0 255.255.255.0 any

To prevent the Subnet's Network Address from being Spoofed and used to access the Interface for DoS Attacks.   Well if your Subnet is Larger than a Class C Address a A.B.C.0 address is a valid address.

I removed the line and they were able to connect with no issues.

Scott<-

0 Helpful

johnlloyd_13
Level 9
Level 9
In response to stownsend

‎09-25-2012 06:58 PM

Nice one Scott! Glad you were able to resolve it.

Sent from Cisco Technical Support iPhone App

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card