2611 access-list problem

davef2000
Level 1

I have a 2610 router connected to 2 networks via ethernet 0/0 and ethernet 1/0 and I have a problem with one access-list. Both networks are connected via switches and there is a DSL router on one switchport with the ip address that is the default gateway next hop from the network router. The access-list on the input to the router from the internet-able network, 172.20.0.0, works for about 15 minutes and then stops. If I remove the access-group from the ethernet 1/0 port everything works. If I reactivate access-group 171 in on ethernet e1/0 everything works (access-lists match) for 15 minutes, then stops. I have tried this on two 2600 routers.

Here is my config, followed by output from show access-lists.

Thanks for any help!

Dave Fitzpatrick

sho run

Building configuration...

Current configuration:
!
ip subnet-zero
no ip domain-lookup
!
interface Ethernet0/0
 ip address 10.100.0.2 255.255.255.0
 ip access-group 111 in
 ip access-group 110 out
 no ip directed-broadcast
!
interface Ethernet1/0
 ip address 172.20.0.2 255.255.255.0
 ip access-group 170 out
 no ip directed-broadcast
 no mop enabled
!
router rip
 version 2
 network 10.0.0.0
 network 172.20.0.0
!
ip classless
ip route 0.0.0.0 0.0.0.0 172.20.0.1
no ip http server
!
access-list 110 permit tcp 172.20.0.0 0.0.255.255 any established
access-list 110 permit tcp 172.20.0.0 0.0.255.255 eq ftp-data any
access-list 110 permit tcp 172.20.0.0 0.0.255.255 any eq ftp
access-list 110 deny ip any any
access-list 111 permit tcp any 172.20.0.0 0.0.255.255 established
access-list 111 permit tcp any 172.20.0.0 0.0.255.255 eq ftp
access-list 111 permit tcp any 172.20.0.0 0.0.255.255 eq ftp-data
access-list 111 deny ip any any
access-list 170 deny udp any eq snmp any
access-list 170 permit tcp any any eq ftp
access-list 170 permit tcp any any eq ftp-data
access-list 170 permit tcp host 172.20.0.1 eq telnet host 172.20.0.4
access-list 170 permit tcp host 172.20.0.1 eq www any
access-list 170 permit tcp host 172.20.0.1 eq domain any
access-list 170 permit tcp host 172.20.0.1 eq smtp any
access-list 170 deny ip any any
access-list 171 permit tcp any eq ftp any
access-list 171 permit tcp any eq ftp-data any
access-list 171 permit tcp host 172.20.0.4 host 172.20.0.1 eq telnet
access-list 171 permit tcp any any eq www
access-list 171 permit tcp any any eq domain
access-list 171 permit tcp any any eq smtp
access-list 171 permit tcp any any eq pop3
access-list 171 deny ip any any
!
line con 0
 exec-timeout 20 0
 logging synchronous
 transport input none
line aux 0
line vty 0 4
 login
!
no scheduler allocate
end

sho access-lists (output shows matches while working correctly)

Extended IP access list 110
    permit tcp 172.20.0.0 0.0.255.255 any established (20 matches)
    permit tcp 172.20.0.0 0.0.255.255 eq ftp-data any (1 match)
    permit tcp 172.20.0.0 0.0.255.255 any eq ftp
    deny ip any any
Extended IP access list 111
    permit tcp any 172.20.0.0 0.0.255.255 established (18 matches)
    permit tcp any 172.20.0.0 0.0.255.255 eq ftp (2 matches)
    permit tcp any 172.20.0.0 0.0.255.255 eq ftp-data
    deny ip any any (37 matches)
Extended IP access list 170
    deny udp any eq snmp any
    permit tcp any any eq ftp (14 matches)
    permit tcp any any eq ftp-data (5 matches)
    permit tcp host 172.20.0.1 eq telnet host 172.20.0.4
    permit tcp host 172.20.0.1 eq www any
    permit tcp host 172.20.0.1 eq domain any
    permit tcp host 172.20.0.1 eq smtp any
    deny ip any any (98 matches)
Extended IP access list 171
    permit tcp any eq ftp any (13 matches)
    permit tcp any eq ftp-data any (9 matches)
    permit tcp host 172.20.0.4 host 172.20.0.1 eq telnet
    permit tcp any any eq www (70 matches)
    permit tcp any any eq domain
    permit tcp any any eq smtp
    permit tcp any any eq pop3 (2 matches)
    deny ip any any (68 matches)

4 Replies

hemendoz
Cisco Employee

Sounds like a bug. What version of code are you running? Have you tried another version of code?

It is version 12. I have tried this on two routers, a 2611 and a 2610. I will check if they are the same version. Meanwhile I am going to try minimizing the offending access list down to permit any any if need be and see if it is the access-list or the IOS causing this. I can't get on the system until tomorrow, Wednesday.

Thanks for the help!!

Dave Fitzpatrick

I have minimized the offending access-list 171 to:

access-list 171 permit tcp any any

when I apply it to e1/0:

config t

int e1/0

ip access-group 171 in

It works for 15 or 20 minutes, shows 2 matches, and then stops. I can no longer get through the router. This is on the input to the router from the network allowed to access the DSL router, which is on the same network and is the gateway next hop.

Is there some debug recommended to troubleshoot this? Is there some timer I need to disable?

Router handles traffic from this network fine if no access-group is applied to the input to the router.

Dave F

I solved the problem.

I needed to add a permit UDP (local network) any to access-list 171 to allow routing communications.

I am using RIP-2 and I believe it uses UDP.

Dave Fitzpatrick
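The fix described in the thread, worked through as an added example (this is not the poster's configuration or any Cisco code): a small Python evaluator for Cisco numbered extended ACL lines that implements first-match semantics, wildcard masks, `eq` ports (named or numeric), `established`, and the implicit `deny ip any any`. It runs the minimized list `permit tcp any any`, the same list with the UDP permit the poster added, and a tighter variant that permits only UDP port 520 (the port RIP uses) against three constructed packets, one of them a RIPv2 update from the gateway to the 224.0.0.9 multicast group. The source range `172.20.0.0 0.0.0.255` is my assumption for "local network" (the e1/0 subnet); the sample packets and the 198.51.100.0/24 addresses are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Port names IOS accepts in extended ACLs, limited to the ones this thread uses plus rip (520).
NAMED_PORTS = {"ftp-data": 20, "ftp": 21, "telnet": 23, "smtp": 25, "domain": 53,
               "www": 80, "pop3": 110, "snmp": 161, "rip": 520}


@dataclass
class Rule:
    action: str             # "permit" or "deny"
    proto: str              # "ip" matches any IP protocol, otherwise "tcp"/"udp"
    src: int                # address as a 32-bit int
    src_wc: int             # Cisco wildcard mask: 0 bits must match, 1 bits are don't-care
    src_port: Optional[int]
    dst: int
    dst_wc: int
    dst_port: Optional[int]
    established: bool       # only TCP segments with ACK or RST set match
    text: str               # the original line, for reporting which entry was hit


@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    ack: bool = False       # True for TCP segments that belong to an existing session


def _ip(s: str) -> int:
    return int(ipaddress.IPv4Address(s))


def _addr(t: List[str], i: int) -> Tuple[int, int, int]:
    """Parse 'any', 'host A' or 'A WILDCARD' at t[i]; return (addr, wildcard, next index)."""
    if t[i] == "any":
        return 0, 0xFFFFFFFF, i + 1
    if t[i] == "host":
        return _ip(t[i + 1]), 0, i + 2
    return _ip(t[i]), _ip(t[i + 1]), i + 2


def _port(t: List[str], i: int) -> Tuple[Optional[int], int]:
    """Parse an optional 'eq PORT' (named or numeric) at t[i]."""
    if i < len(t) and t[i] == "eq":
        p = t[i + 1]
        return (int(p) if p.isdigit() else NAMED_PORTS[p]), i + 2
    return None, i


def parse_acl(config: str, number: int) -> List[Rule]:
    """Collect the 'access-list <number> ...' lines of one list, keeping their order."""
    rules = []
    for line in config.splitlines():
        t = line.split()
        if len(t) < 6 or t[0] != "access-list" or t[1] != str(number):
            continue
        src, src_wc, i = _addr(t, 4)
        sport, i = _port(t, i)
        dst, dst_wc, i = _addr(t, i)
        dport, i = _port(t, i)
        rules.append(Rule(t[2], t[3], src, src_wc, sport, dst, dst_wc, dport,
                          "established" in t[i:], line.strip()))
    return rules


def _matches(r: Rule, p: Packet) -> bool:
    if r.proto != "ip" and r.proto != p.proto:
        return False
    # Wildcard semantics: every bit that is 0 in the mask must equal the rule's address bit.
    if (_ip(p.src) & ~r.src_wc) != (r.src & ~r.src_wc):
        return False
    if (_ip(p.dst) & ~r.dst_wc) != (r.dst & ~r.dst_wc):
        return False
    if r.src_port is not None and p.sport != r.src_port:
        return False
    if r.dst_port is not None and p.dport != r.dst_port:
        return False
    if r.established and not (p.proto == "tcp" and p.ack):
        return False
    return True


def evaluate(rules: List[Rule], p: Packet) -> Tuple[str, str]:
    """First matching entry wins; an unmatched packet hits the implicit deny at the end."""
    for r in rules:
        if _matches(r, p):
            return r.action, r.text
    return "deny", "implicit deny ip any any"


# Constructed inputs. "minimized" is the list from the thread; "fixed" adds the UDP permit the
# poster described (assumption: "local network" = the e1/0 subnet 172.20.0.0/24); "tight"
# permits only RIP's port, UDP 520, which is the least-privilege form of the same fix.
ACLS = {
    "minimized": "access-list 171 permit tcp any any\n",
    "fixed": "access-list 171 permit tcp any any\n"
             "access-list 171 permit udp 172.20.0.0 0.0.0.255 any\n",
    "tight": "access-list 171 permit tcp any any\n"
             "access-list 171 permit udp 172.20.0.0 0.0.0.255 any eq 520\n",
}
PACKETS = {
    # RIPv2 update from the DSL router / gateway to the RIPv2 multicast group
    "rip update": Packet("udp", "172.20.0.1", "224.0.0.9", 520, 520),
    # reply segment of a web session a local host opened (198.51.100.0/24 is a documentation range)
    "http reply": Packet("tcp", "198.51.100.10", "172.20.0.4", 80, 40000, ack=True),
    # unrelated UDP flow from a local host, to show what the broad UDP permit also lets through
    "local dns query": Packet("udp", "172.20.0.4", "198.51.100.53", 40001, 53),
}


def verdicts(acl_name: str) -> Dict[str, str]:
    """Action each sample packet gets under the named list."""
    rules = parse_acl(ACLS[acl_name], 171)
    return {name: evaluate(rules, pkt)[0] for name, pkt in PACKETS.items()}


if __name__ == "__main__":
    for acl_name in ACLS:
        rules = parse_acl(ACLS[acl_name], 171)
        print(f"--- {acl_name} ---")
        for name, pkt in PACKETS.items():
            action, hit = evaluate(rules, pkt)
            print(f"{name:16s} {action:6s} via: {hit}")
```

Running it shows the minimized list dropping the RIP update on the implicit deny, which is the failure the thread describes, while the `tight` list admits the update but still drops the unrelated local UDP flow that the broader `permit udp ... any` would let through. On a real router the check is the same one the poster used: the new entry should accumulate matches in `show access-lists` at the RIP update interval, and the RIP-learned routes should stay in the table instead of ageing out.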
