Trouble with ACL

eagletec1 · ‎08-28-2012

I'm trying to add an extended ACL (120) to an 800 series router (887) using Network Objects to allow the management user IP range full access to IP services and restricted access to email only for standard user IP range. However as soon as I apply the ACL to the outbound of my Vlan no matter what is in the ACL my PC looses internet connectivity. I've tried adding an explict allow for my IP address and still no access so I'm thinking possible a NAT issue, please have a look at my attached config and let me know what you think. Would I be better trying to control data flow with ZBF? I want to restrict standard users to email access only during the work day with web access and IM access after hours along with blocking all P2P programs for standard users at any time. Management group will have unrestricted access to all IP protocols. My original plan was to use time based ACL's!

Louise

eagletec1 · ‎08-29-2012

I'm really not understanding this routers behaviour. As soon as I apply my ACL I loose all internet connectivity. I just created a new extended ACL for network 192.168.0.0 with wild card mask 0.0.0.255 to permit any IP protocol to any IP destination but as soon as I applied it to the ATM out interface I lost internet connectivity. Given my network IP is 192.168.0.10/24 this shouldn’t happen, any suggestions?

Louise

cadet alain · ‎08-29-2012

Hi,

Why would you need to apply an ACL to an interface as you've got ZBF configured ? just use ACLs in your class-maps

and they can even be time-based.

Regards.

Alain

Don't forget to rate helpful posts.

eagletec1 · ‎08-29-2012

Hi Alain, Thanks for the advise however I'm a novice when it comes to ZBF, so please explain how I would add an ACL to to ZBF and make it time based? Do you mean add a new rule for say in zone to out?

Louise

cadet alain · ‎08-29-2012

Hi,

reexplain exactly what you need to control and I'll tell you the modifications to do to your ZBF config.

Regards.

Alain

Don't forget to rate helpful posts.

eagletec1 · ‎08-30-2012

Thanks.

I need to allow all networks email access 24 hours

192.168.0.0/24

192.168.1.0/24

192.168.2.0/24

192.168.3.0/24

192.168.5.0/24

192.168.6.0/24

192.168.7.0/24

192.168.8.0/24

This is network objext QQQ.local

All management users in 192.168.0.0/24 (network objext QQQ Management Users) require full access 24 hours

All standard users in 192.168.0.0/24 (network object QQQ Standard Users) are not allowed to access web, P2P, IM, etc only emails.

Networks 192.168.1.0/24, 192.168.4.0/24, 192.168.5.0/24, 192.168.7.0/24 and 192.168.8.0/24 also require full access 24 hours

Networks 192.168.2.0/24, 192.168.3.0/24 and 192.168.6.0/24 are only allowed web and IM access between 19:00 and 22:00 hours. P2P programs are to be blocked for this networks all the time.

Louise

cadet alain · ‎08-30-2012

Hi,

All standard users in 192.168.0.0/24 (network object QQQ Standard Users) are not allowed to access web, P2P, IM, etc only emails.

All the time or only from 19:00 to 22:00 ?

emails ---> you mean access to external POP3/SMTP servers ?

Regards.

Alain

Don't forget to rate helpful posts.

eagletec1 · ‎08-30-2012

Correct standard users in 192.168.0.0/24 (network object QQQ Standard Users) are only allow external access to email (POP/SMTP standard port numbers) from third party servers. In time the company will migrate to an internally hosted Exchange server. No other external access to be allowed (i.e. web, P2P, IM and web base mail) at any time. The time range 19:00 to 22:00 is for networks 192.168.2.0, 192.168.3.0, 192.168.6.0 when web and IM access is to be available, but P2P are still to be blocked.

Cheers

Louise

cciehelps · ‎08-29-2012

If you apply on Vlan output, you need to make it source any destination ip object.

http://cciehelp.co.cc

cciehelps · ‎08-29-2012

Your ACL 120 looks like should be on Vlan interface input.

http://cciehelp.co.cc