cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
804
Views
0
Helpful
2
Replies

Access-list trouble

benjamin_a
Level 1
Level 1

Hi

I have 2 network X1 and X2, I have been trying to make a access-list that deny all trafic fra the X2 network to the X1 network, but the X2 network have to have connection to the internet.

My access list is working, but just to well because the host on the X2 network cant get any ip address from the X2 dhcp pool, and I cant see why, if I remove my access lists then the pool is working, but the the X2 network can access the X1 network and that is not great.

Here is some of my running config:

Building configuration...

Current configuration : 6025 bytes

!

dot11 syslog

ip source-route

!

!

no ip dhcp use vrf connected

ip dhcp excluded-address 10.0.0.1

ip dhcp excluded-address 10.0.0.2

ip dhcp excluded-address 10.0.0.3

ip dhcp excluded-address 10.0.0.4

ip dhcp excluded-address 10.0.0.5

!

ip dhcp pool x1

   network 10.0.0.0 255.255.0.0

   dns-server 8.8.8.8 8.8.4.4

   default-router 10.0.0.1

!

ip dhcp pool x2

   network 172.168.1.0 255.255.255.0

   default-router 172.168.1.1

   dns-server 8.8.8.8 8.8.4.4

!

!

multilink bundle-name authenticated

!

interface FastEthernet0/0

description Link_To_Outside(xxxxx)

ip address dhcp

ip nat outside

ip virtual-reassembly

duplex auto

speed auto

!

interface FastEthernet0/1

no ip address

ip virtual-reassembly

duplex auto

speed auto

!

interface FastEthernet0/1.10

description x1

encapsulation dot1Q 10

ip address 10.0.0.1 255.255.0.0

ip nat inside

ip virtual-reassembly

!

interface FastEthernet0/1.20

description x2

encapsulation dot1Q 20

ip address 172.168.1.1 255.255.255.0

ip access-group 101 in

ip nat inside

ip virtual-reassembly

!

ip dns server

ip nat inside source list 1 interface FastEthernet0/0 overload

ip nat inside source list 101 interface FastEthernet0/0 overload

!

access-list 1 permit 10.0.0.0 0.0.255.255

access-list 101 deny   ip 172.168.1.0 0.0.0.255 10.0.0.0 0.0.255.255

access-list 101 permit ip 172.168.1.0 0.0.0.255 any

!

Hope anyone can help

/Benjamin

1 Accepted Solution

Accepted Solutions

Ryan Newell
Cisco Employee
Cisco Employee

Hello Benjamin,

  You ACL is blocking the DCHP requests inbound. Please add statement in ACL 101 permitting UDP port 67. Something like below.

permit udp any any eq bootps

Regards,

Ryan

View solution in original post

2 Replies 2

Ryan Newell
Cisco Employee
Cisco Employee

Hello Benjamin,

  You ACL is blocking the DCHP requests inbound. Please add statement in ACL 101 permitting UDP port 67. Something like below.

permit udp any any eq bootps

Regards,

Ryan

Hi Ryan

Thanks for your support, now i got it working

To others that have some similar problem, here is what my access lists ended up looking like:

access-list 1 permit 10.0.0.0 0.0.255.255

access-list 101 permit udp any any eq bootps

access-list 101 deny   ip 172.168.1.0 0.0.0.255 10.0.0.0 0.0.255.255

access-list 101 permit ip 172.168.1.0 0.0.0.255 any

/Benjamin

Review Cisco Networking for a $25 gift card