WAN ACL Access Problem

tbrooks25 · ‎02-14-2008

Hello,

Another technician and myself are scratching our heads over an issue at one of our remote school sites. We have blocked access to the 189.0 network so they cannot access the web or the rest of the WAN and only access local servers. The 199.0 network is open so they can access anything on the WAN. The problem we are having is WE cannot remote access the 189.0 network from our main school office (Via RDP or Dameware) although we can access the servers which are under 10.100.189.248 /0.0.0.7. We can only ping the rest of the addresses on the 189.0 network. Can someone please look over this ACL list attached and see what we are missing? Do we have to have an IN and OUT ACL or can we just leave the OUT ACL without an IN?

The 181.0 subnet is the WAN connection back to our office.

Thank You!

Tim

Edison Ortiz · ‎02-14-2008

I'm proposing re-writing the entire ACL.

If you want to block access from 189.0 network to the web and the rest of the WAN, then you do a src 189.0 with dst any and the ACL is out.

However, you also want to RDP and Dameware that subnet from your main school office. You need to have a permit on that ACL before the above deny with src/dst specific networks.

I also see you have some udp 53 being allowed from that subnet's servers. Your ACL would look like this.

access-list 110 permit ip 10.100.189.248 0.0.0.7 any

access-list 110 permit tcp 10.100.189.0 0.0.0.255 eq 3389 any

access-list 110 permit udp 10.100.189.0 0.0.0.255 eq 3389 any

access-list 110 permit tcp 10.100.189.0 0.0.0.255 eq 6129 any

access-list 110 permit udp host 10.100.189.250 any eq domain

access-list 110 deny ip 10.100.189.0 0.0.0.127 any

access-list 110 deny ip 10.100.189.128 0.0.0.63 any

access-list 110 permit ip any any

interface Serial0/0

ip access-group 110 out

HTH,

__

Edison.