08-28-2012 07:16 PM - edited 03-04-2019 05:24 PM
I'm trying to add an extended ACL (120) to an 800 series router (887) using Network Objects to allow the management user IP range full access to IP services and restricted access to email only for the standard user IP range. However, as soon as I apply the ACL to the outbound of my Vlan, no matter what is in the ACL my PC loses internet connectivity. I've tried adding an explicit allow for my IP address and still no access, so I'm thinking possibly a NAT issue; please have a look at my attached config and let me know what you think. Would I be better trying to control data flow with ZBF? I want to restrict standard users to email access only during the work day, with web access and IM access after hours, along with blocking all P2P programs for standard users at any time. The management group will have unrestricted access to all IP protocols. My original plan was to use time-based ACLs!
Louise
08-29-2012 06:52 PM
I'm really not understanding this router's behaviour. As soon as I apply my ACL I lose all internet connectivity. I just created a new extended ACL for network 192.168.0.0 with wildcard mask 0.0.0.255 to permit any IP protocol to any IP destination, but as soon as I applied it to the ATM out interface I lost internet connectivity. Given my network IP is 192.168.0.10/24 this shouldn't happen; any suggestions?
Louise
08-29-2012 11:41 PM
Hi,
Why would you need to apply an ACL to an interface when you've got ZBF configured? Just use ACLs in your class-maps, and they can even be time-based.
Regards.
Alain
Don't forget to rate helpful posts.
08-29-2012 11:53 PM
Hi Alain, thanks for the advice; however, I'm a novice when it comes to ZBF, so please explain how I would add an ACL to ZBF and make it time-based. Do you mean add a new rule for, say, in zone to out?
Louise
08-29-2012 11:56 PM
Hi,
Re-explain exactly what you need to control and I'll tell you the modifications to make to your ZBF config.
Regards.
Alain
Don't forget to rate helpful posts.
08-30-2012 12:36 AM
Thanks.
I need to allow all networks email access 24 hours
192.168.0.0/24
192.168.1.0/24
192.168.2.0/24
192.168.3.0/24
192.168.5.0/24
192.168.6.0/24
192.168.7.0/24
192.168.8.0/24
This is network object QQQ.local
All management users in 192.168.0.0/24 (network object QQQ Management Users) require full access 24 hours
All standard users in 192.168.0.0/24 (network object QQQ Standard Users) are not allowed to access web, P2P, IM, etc., only email.
Networks 192.168.1.0/24, 192.168.4.0/24, 192.168.5.0/24, 192.168.7.0/24 and 192.168.8.0/24 also require full access 24 hours
Networks 192.168.2.0/24, 192.168.3.0/24 and 192.168.6.0/24 are only allowed web and IM access between 19:00 and 22:00 hours. P2P programs are to be blocked for these networks all the time.
Louise
08-30-2012 04:55 AM
Hi,
All standard users in 192.168.0.0/24 (network object QQQ Standard Users) are not allowed to access web, P2P, IM, etc., only email.
All the time or only from 19:00 to 22:00?
Email ---> you mean access to external POP3/SMTP servers?
Regards.
Alain
Don't forget to rate helpful posts.
08-30-2012 01:38 PM
Correct, standard users in 192.168.0.0/24 (network object QQQ Standard Users) are only allowed external access to email (POP/SMTP standard port numbers) on third-party servers. In time the company will migrate to an internally hosted Exchange server. No other external access is to be allowed (i.e. web, P2P, IM and web-based mail) at any time. The time range 19:00 to 22:00 is for networks 192.168.2.0, 192.168.3.0 and 192.168.6.0, when web and IM access is to be available, but P2P is still to be blocked.
Cheers
Louise
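The requirements above, as an added example of the ZBF approach Alain describes (ACLs inside class-maps, with a time-range on the ACE). This is not the poster's attached config or a reply from the thread. It assumes zone names "in" (LAN) and "out" (WAN), object-group names QQQ-MGMT, QQQ-LOCAL, QQQ-FULL and QQQ-EVENING standing in for the network objects named in the thread, a management host range of 192.168.0.10-192.168.0.50 (the thread gives no membership for it), an NTP server address, and an IOS release with object-group ACLs and NBAR-based ZBF protocol matching (e.g. 15.x on an 887). "Standard users" are simply the rest of 192.168.0.0/24, which the email class covers and class-default drops for everything else.

```cisco
! Added example, not the thread's config. Assumed: zones in/out, object-group names,
! management range 192.168.0.10-.50, NTP server address.
!
! Time-based ACEs depend on the router clock: set the timezone and sync it.
clock timezone GMT 0
ntp server 192.0.2.123
!
time-range AFTER-HOURS
 periodic daily 19:00 to 22:00
!
object-group network QQQ-MGMT
 range 192.168.0.10 192.168.0.50
object-group network QQQ-LOCAL
 192.168.0.0 255.255.255.0
 192.168.1.0 255.255.255.0
 192.168.2.0 255.255.255.0
 192.168.3.0 255.255.255.0
 192.168.5.0 255.255.255.0
 192.168.6.0 255.255.255.0
 192.168.7.0 255.255.255.0
 192.168.8.0 255.255.255.0
object-group network QQQ-FULL
 192.168.1.0 255.255.255.0
 192.168.4.0 255.255.255.0
 192.168.5.0 255.255.255.0
 192.168.7.0 255.255.255.0
 192.168.8.0 255.255.255.0
object-group network QQQ-EVENING
 192.168.2.0 255.255.255.0
 192.168.3.0 255.255.255.0
 192.168.6.0 255.255.255.0
!
! ACLs only select WHO; the inspect class-maps decide WHAT protocol.
ip access-list extended ACL-FULL
 permit ip object-group QQQ-MGMT any
 permit ip object-group QQQ-FULL any
ip access-list extended ACL-EMAIL
 permit tcp object-group QQQ-LOCAL any eq smtp
 permit tcp object-group QQQ-LOCAL any eq pop3
! Assumed: mail clients must still resolve the third-party server names.
 permit udp object-group QQQ-LOCAL any eq domain
ip access-list extended ACL-EVENING
 permit ip object-group QQQ-EVENING any time-range AFTER-HOURS
!
class-map type inspect match-any CM-P2P
 match protocol bittorrent
 match protocol edonkey
 match protocol gnutella
 match protocol kazaa2
class-map type inspect match-any CM-WEB-IM
 match protocol http
 match protocol https
 match protocol msnmsgr
 match protocol ymsgr
 match protocol aol
class-map type inspect match-all CM-FULL
 match access-group name ACL-FULL
class-map type inspect match-all CM-EMAIL
 match access-group name ACL-EMAIL
class-map type inspect match-all CM-EVENING
 match access-group name ACL-EVENING
 match class-map CM-WEB-IM
!
! First matching class wins, so full-access sources go first (management keeps
! P2P), the P2P drop next for everyone else, then the narrow allows.
policy-map type inspect PM-IN-OUT
 class type inspect CM-FULL
  inspect
 class type inspect CM-P2P
  drop log
 class type inspect CM-EMAIL
  inspect
 class type inspect CM-EVENING
  inspect
 class class-default
  drop log
!
zone-pair security IN-OUT source in destination out
 service-policy type inspect PM-IN-OUT
```

Two checks worth doing after applying it: `show time-range AFTER-HOURS` reports whether the range is currently active (if the clock is wrong, the evening class silently never matches), and `show policy-map type inspect zone-pair IN-OUT sessions` shows which class each live flow landed in. Note that the NBAR signatures only catch P2P they recognise; for standard users and the evening networks the real enforcement is the class-default drop, since only the named protocols are ever allowed through.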
08-29-2012 10:49 PM
If you apply it on the Vlan output, you need to make it source any, destination the IP object.
08-29-2012 10:52 PM
Your ACL 120 looks like it should be on the Vlan interface input.
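The point of these two replies, and of the NAT suspicion in the original post, as an added example that is not from the thread (interface names Vlan1 and Dialer0, the 192.168.0.1 gateway address and the NAT statements are assumed; the attached config is not reproduced here):

```cisco
! Added example; Vlan1/Dialer0, the gateway address and the NAT lines are assumed.
!
! An ACL keyed on 192.168.0.0/24 as SOURCE only sees those sources in one place:
! inbound on the LAN interface, before routing and before NAT.
interface Vlan1
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
 ip access-group 120 in
!
interface Dialer0
 ip nat outside
! Not "ip access-group 120 out" here: for inside-to-outside packets IOS applies
! the input ACL, then routing, then inside-to-outside NAT, then the output ACL,
! so on Dialer0 out the source is already the public address, nothing in 120
! matches, and the implicit deny drops all internet traffic.
!
! Not "ip access-group 120 out" on Vlan1 either: that direction is packets
! leaving the router toward the LAN, whose sources are internet hosts and whose
! destination is the 192.168.0.x PC. A Vlan-outbound ACL would have to be written
! as source any, destination 192.168.0.0 0.0.0.255.
!
access-list 120 remark LAN hosts as source: only valid inbound on Vlan1
access-list 120 permit ip 192.168.0.0 0.0.0.255 any
```

The quick check is `show ip access-lists 120`: with the ACL inbound on Vlan1 the match counter on the permit line climbs as the PC browses; applied in either of the other two places it stays at zero while connectivity is lost.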