
ACL issue - All traffic getting blocked in error

Hi all,

I'm having difficulty with the below ACL. No matter which interface (dialer or FA) I apply it to, all IP traffic gets blocked. I must be missing something, as I tried this ACL on 3 different 800 series routers, all with the same results. Any help would be greatly appreciated.

I'm testing it from a laptop with the IP 10.1.3.253, and with the ACL off all traffic flows perfectly.

Louise

ip access-list extended QQQ_ACL

    permit ip object-group QQQ_Management_Group any

    permit tcp object-group QQQ_Users_Group any eq smtp pop3 993 995 3389 5900 telnet ftp ftp-data domain

    permit udp object-group QQQ_Users_Group any eq domain ntp rip tftp

    permit tcp 192.168.2.0 0.0.0.255 any eq www 443 8080 5190 1863 time-range QQQ_Control

    permit tcp 192.168.3.0 0.0.0.255 any eq www 443 8080 5190 1863 time-range QQQ_Control

    permit tcp 192.168.4.0 0.0.0.255 any eq www 443 8080 5190 1863 time-range QQQ_Control

object-group network QQQ_Management_Group

range 192.168.0.1 192.168.0.25

range 192.168.0.200 192.168.0.254

192.168.1.0 255.255.255.0

192.168.4.0 255.255.255.0

192.168.5.0 255.255.255.0

192.168.7.0 255.255.255.0

192.168.8.0 255.255.255.0

192.168.10.0 255.255.255.0

10.1.0.0 255.255.0.0

object-group network QQQ_Users_Group

range 192.168.0.26 192.168.0.199

192.168.2.0 255.255.255.0

192.168.3.0 255.255.255.0

192.168.6.0 255.255.255.0

time-range QQQ_Control

periodic weekdays 19:00 to 22:00


Hi Louise,

The ACL itself looks fine. Post the full config of the router here so we can understand it better. What is the default gateway of the laptop?

Abzal

Best regards,
Abzal

Hi Abzal,

Thanks for your time. Router running config below.

The G/W is 10.1.3.254 (the IP of Vlan10). I've also tried changing the G/W on the laptop to 192.168.5.251 (the IP of Vlan2), but there is still no traffic when the ACL is attached to the interface; however, both gateways work perfectly with no ACL. The basic setup is restricted users on networks 192.168.0.0/24 (only some users to be restricted), 192.168.2.0/24 (all users), 192.168.3.0/24 (all users) and 192.168.6.254 (all users). The users are to have email access all the time but only web services between 7pm and 10pm, hence the time range. This 800 (888-K9) series router is one of three routers all connecting back to Vlan 2 (195.168.5.0/24), which in turn connects to the company gateway 192.168.0.254/24. All the networks that are to have restricted traffic connect to these three routers before being forwarded to the company gateway.

Louise

Current configuration : 10700 bytes

!

! No configuration change since last restart

!

version 15.0

no service pad

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname QQQ_Router_5

!

boot-start-marker

boot-end-marker

!

logging buffered 51200 warnings

enable secret 5 $1$v6zH$fsvi2qe/QGLti9dtE014h.

!

no aaa new-model

memory-size iomem 10

clock timezone Magadan 11

!

crypto pki trustpoint TP-self-signed-2051046481

enrollment selfsigned

subject-name cn=IOS-Self-Signed-Certificate-2051046481

revocation-check none

rsakeypair TP-self-signed-2051046481

!

!

crypto pki certificate chain TP-self-signed-2051046481

certificate self-signed 01

  3082024E 308201B7 A0030201 02020101 300D0609 2A864886 F70D0101 04050030

  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274

  69666963 6174652D 32303531 30343634 3831301E 170D3132 31313134 30363035

  35335A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649

  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D32 30353130

  34363438 3130819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281

  81009D28 3398110E 2F908631 8E027955 52824BE9 02D6BD6D 20689F4E 4D88606A

  31239BD3 E5F5D5C1 DE2D87F3 760CDCB2 AB30070D C4D345CD E40BEE45 97240876

  C5B7FE5F 3895DB54 B7050823 D16AC1E1 259DA16E 5154E82C 5943B04F 9D1C2604

  CB58C2A9 E8943DEC 96565917 F52693A3 6890CC31 FDB4DA76 CAE5B60F 7235751B

  93E70203 010001A3 76307430 0F060355 1D130101 FF040530 030101FF 30210603

  551D1104 1A301882 16515151 5F526F75 7465725F 352E5151 512E4C6F 63616C30

  1F060355 1D230418 30168014 515DEF05 D8C441BF 81D86AA0 5B0D329D 47F9D81E

  301D0603 551D0E04 16041451 5DEF05D8 C441BF81 D86AA05B 0D329D47 F9D81E30

  0D06092A 864886F7 0D010104 05000381 81006A30 270AC49B 17C7F44D 4A7C38B2

  FCBF215A F858D02E BBD76DD6 51A9BE07 C772FD05 49EE1D0E F6803EDB 2C036BD3

  AC718ABC A82FC82A 38C3805A AC601943 B8077AD7 0C5114FD C69501CB 7938716B

  BE78CDEF 1DF683BE 1ECA1E07 A0F45E0A 4DD4BDA2 09141EB8 ABDC2483 CEEC4013

  54A68CF2 77D3F45F 9E919F20 BC03DAB3 413C

        quit

ip source-route

!

!

ip nbar port-map custom-02 udp 20408 20409 20410

ip nbar port-map custom-01 tcp 20408 20409 20410

!

!

ip cef

ip domain name QQQ.Local

ip name-server 192.168.0.6

ip name-server 202.1.161.36

ip name-server 202.1.161.37

no ipv6 cef

!

!

license udi pid CISCO888-K9 sn FGL161520EM

!

!

object-group network QQQ.Local

description QQQ Doamin Group

192.168.0.0 255.255.255.0

192.168.1.0 255.255.255.0

192.168.2.0 255.255.255.0

192.168.3.0 255.255.255.0

192.168.4.0 255.255.255.0

192.168.5.0 255.255.255.0

192.168.6.0 255.255.255.0

192.168.7.0 255.255.255.0

192.168.8.0 255.255.255.0

10.1.1.0 255.255.255.252

10.1.2.0 255.255.255.252

!

object-group network QQQ_Management_Group

description QQQ Management users unrestricted

range 192.168.0.1 192.168.0.25

range 192.168.0.200 192.168.0.254

192.168.1.0 255.255.255.0

192.168.4.0 255.255.255.0

192.168.5.0 255.255.255.0

192.168.7.0 255.255.255.0

192.168.8.0 255.255.255.0

192.168.10.0 255.255.255.0

10.1.1.0 255.255.255.252

10.1.2.0 255.255.255.252

10.1.3.0 255.255.255.252

10.1.4.0 255.255.255.252

!

object-group network QQQ_Users_Group

description QQQ users restricted

range 192.168.0.26 192.168.0.199

192.168.2.0 255.255.255.0

192.168.3.0 255.255.255.0

192.168.6.0 255.255.255.0

!

username cpadmin privilege 15 secret 5 $1$VH0.$ZduqkkDaAcdfqD9M1ojJz.

!

!

controller DSL 0

mode atm

line-term co

line-mode 4-wire enhanced

dsl-mode shdsl symmetric annex B

ignore-error-duration 30

!

!

class-map match-any QQQ_QOS

match protocol sip

match protocol custom-01

match protocol custom-02

match protocol vnc

!

!

policy-map CCP-QoS-Policy-1

class QQQ_QOS

  set dscp ef

   police cir 60000000

     conform-action set-dscp-transmit 46

     exceed-action drop

!

zone security Inside

!

!

!

!

!

!

!

interface BRI0

no ip address

encapsulation hdlc

shutdown

isdn termination multidrop

!

interface ATM0

no ip address

shutdown

no atm ilmi-keepalive

!

interface ATM0.1 point-to-point

description PPP_To_Ranandi(Not in Use)

ip address 10.1.10.254 255.255.255.252

ip access-group 101 in

ip access-group 101 out

ip mask-reply

ip nat inside

ip virtual-reassembly

pvc 8/35

  encapsulation aal5snap

!

!

interface FastEthernet0

description VLAN1

!

interface FastEthernet1

description VLAN1

!

interface FastEthernet2

description VLAN10

switchport access vlan 10

!

interface FastEthernet3

description VLAN2

switchport access vlan 2

!

interface Vlan1

description QQQ_Management_LAN

ip address 192.168.10.251 255.255.255.0

ip mask-reply

ip directed-broadcast

ip flow ingress

ip nat inside

ip virtual-reassembly

zone-member security Inside

ip tcp adjust-mss 1452

!

interface Vlan2

description QQQ_WAN_To_LAN

ip address 192.168.5.251 255.255.255.0

ip access-group QQQ_ACL out

ip mask-reply

ip directed-broadcast

ip flow ingress

ip nat inside

ip virtual-reassembly

zone-member security Inside

ip tcp adjust-mss 1452

!

interface Vlan10

description WAN_To_Ranandi_Via_NB724

ip address 10.1.3.254 255.255.255.252

ip mask-reply

ip directed-broadcast

ip flow ingress

ip nat inside

ip virtual-reassembly

zone-member security Inside

!

router rip

version 2

passive-interface ATM0

passive-interface ATM0.1

passive-interface BRI0

network 10.0.0.0

network 192.168.0.0

network 192.168.1.0

network 192.168.2.0

network 192.168.3.0

network 192.168.4.0

network 192.168.5.0

network 192.168.6.0

network 192.168.7.0

network 192.168.8.0

network 192.168.10.0

no auto-summary

!

ip forward-protocol nd

ip http server

ip http access-class 23

ip http authentication local

ip http secure-server

ip http timeout-policy idle 60 life 86400 requests 10000

!

ip nat inside source list 1 interface ATM0.1 overload

ip route 0.0.0.0 0.0.0.0 Vlan2 permanent

ip route 10.1.3.0 255.255.255.252 Vlan10 permanent

ip route 192.168.0.0 255.255.255.0 Vlan2 permanent

ip route 192.168.5.0 255.255.255.0 Vlan2 permanent

ip route 192.168.10.0 255.255.255.0 Vlan1 permanent

!

ip access-list extended QQQ_ACL

    permit ip object-group QQQ_Management_Group any

    permit tcp object-group QQQ_Users_Group any eq smtp pop3 993 995 3389 5900 telnet ftp ftp-data domain

    permit udp object-group QQQ_Users_Group any eq domain ntp rip tftp

    permit tcp 192.168.2.0 0.0.0.255 any eq www 443 8080 5190 1863 time-range QQQ_Control

    permit tcp 192.168.3.0 0.0.0.255 any eq www 443 8080 5190 1863 time-range QQQ_Control

    permit tcp 192.168.4.0 0.0.0.255 any eq www 443 8080 5190 1863 time-range QQQ_Control

!

access-list 1 remark INSIDE_IF=Vlan1

access-list 1 remark CCP_ACL Category=2

access-list 1 permit 192.0.0.0 0.255.255.255

access-list 1 permit 10.1.0.0 0.0.255.255

access-list 23 remark CCP_ACL Category=16

access-list 23 remark WAN_One

access-list 23 permit 10.1.1.0 0.0.0.255

access-list 23 remark WAN_Two

access-list 23 permit 10.1.2.0 0.0.0.255

access-list 23 remark China_Town_VLAN1

access-list 23 permit 192.168.0.0 0.0.0.255

access-list 23 remark Vavaya_Ridge_VLAN1

access-list 23 permit 192.168.1.0 0.0.0.255

access-list 23 remark Mbokonavera_VLAN1

access-list 23 permit 192.168.2.0 0.0.0.255

access-list 23 remark Ranandi_VLAN1

access-list 23 permit 192.168.3.0 0.0.0.255

access-list 23 remark VOIP_VLAN2

access-list 23 permit 192.168.4.0 0.0.0.255

access-list 23 remark China_Town_VLAN3 (WAN)

access-list 23 permit 192.168.5.0 0.0.0.255

access-list 23 remark Vavaya_Ridge_VLAN2

access-list 23 permit 192.168.6.0 0.0.0.255

access-list 23 remark Mbokonavera_VLAN2

access-list 23 permit 192.168.7.0 0.0.0.255

access-list 23 remark Ranandi_VLAN2

access-list 23 permit 192.168.8.0 0.0.0.255

access-list 100 remark Any_Any

access-list 100 remark CCP_ACL Category=128

access-list 100 permit ip object-group QQQ.Local any

access-list 101 remark QQQ_Extended_ACL

access-list 101 remark CCP_ACL Category=1

access-list 101 remark Auto generated by CCP for NTP (123) 203.12.160.2

access-list 101 permit udp host 203.12.160.2 eq ntp host 10.1.10.254 eq ntp

access-list 101 remark Auto generated by CCP for NTP (123) 203.12.160.2

access-list 101 permit udp host 203.12.160.2 eq ntp host 10.1.3.254 eq ntp

access-list 101 remark WAN_One

access-list 101 permit ip 10.1.1.0 0.0.0.255 any

access-list 101 remark Wan_Two

access-list 101 permit ip 10.1.2.0 0.0.0.255 any

access-list 101 remark Domain_Server_Any_Any

access-list 101 permit ip host 192.168.0.6 any

access-list 101 remark China_Town_VLan1

access-list 101 permit ip 192.168.0.0 0.0.0.255 any

access-list 101 remark Vavaya_Ridge_VLAN1

access-list 101 permit ip 192.168.1.0 0.0.0.255 any

access-list 101 remark Mbokonavera_VLAN1

access-list 101 permit ip 192.168.2.0 0.0.0.255 any

access-list 101 remark Ranandi_VLAN1

access-list 101 permit ip 192.168.3.0 0.0.0.255 any

access-list 101 remark VOIP_VLAN2

access-list 101 permit ip 192.168.4.0 0.0.0.255 any

access-list 101 remark China_Town_VLan3 (WAN)

access-list 101 permit ip 192.168.5.0 0.0.0.255 any

access-list 101 remark Vavaya_Ridge_VLAN2

access-list 101 permit ip 192.168.6.0 0.0.0.255 any

access-list 101 remark Mbokonavera_VLAN2

access-list 101 permit ip 192.168.7.0 0.0.0.255 any

access-list 101 remark Ranandi_VLAN2

access-list 101 permit ip 192.168.8.0 0.0.0.255 any

access-list 102 remark CCP_ACL Category=1

access-list 102 permit udp host 202.1.161.37 eq domain any

access-list 102 permit udp host 202.1.161.36 eq domain any

access-list 102 permit udp host 192.168.0.6 eq domain any

access-list 102 remark WAN_One

access-list 102 permit ip 10.1.1.0 0.0.0.255 any

access-list 102 remark WAN_Two

access-list 102 permit ip 10.1.2.0 0.0.0.255 any

access-list 102 remark China_Town_VLAN1

access-list 102 permit ip 192.168.0.0 0.0.0.255 any

access-list 102 remark Vavaya_Ridge_VLAN1

access-list 102 permit ip 192.168.1.0 0.0.0.255 any

access-list 102 remark Mbokonavera_VLAN1

access-list 102 permit ip 192.168.2.0 0.0.0.255 any

access-list 102 remark Ranandi_VLAN1

access-list 102 permit ip 192.168.3.0 0.0.0.255 any

access-list 102 remark VOIP_VLAN2

access-list 102 permit ip 192.168.4.0 0.0.0.255 any

access-list 102 remark China_Town_VLAN3 (WAN)

access-list 102 permit ip 192.168.5.0 0.0.0.255 any

access-list 102 remark Vavaya_Ridge_VLAN2

access-list 102 permit ip 192.168.6.0 0.0.0.255 any

access-list 102 permit ip 192.168.7.0 0.0.0.255 any

access-list 102 remark Ranandi_VLAN2

access-list 102 permit ip 192.168.8.0 0.0.0.255 any

!

!

!

!

!

control-plane

!

banner exec ^C^C

banner login ^CWelcome to QQQ Router 5

=====================

************************************************************

* Authorised access ONLY. Unauthorised access is forbidden *

************************************************************^C

banner motd ^C^C

!

line con 0

login local

no modem enable

line aux 0

line vty 0 4

access-class 23 in

privilege level 15

login local

transport input telnet ssh

!

scheduler max-task-time 5000

ntp update-calendar

ntp server 203.12.160.2 prefer

time-range QQQ_Control

periodic daily 19:00 to 22:00

!

end


OK, thank you for the requested info. Now, how is your network organized? How does your network get access to the Internet?

What is the gateway for it? Is it Vlan2 or ATM0.1? I cannot understand it. On which VLAN is your testing laptop?

A diagram of the network topology would be very useful.

Abzal

Best regards,
Abzal

When the laptop was on VLAN 10, did you test with this configuration?:

IP: 10.1.3.253

Mask: 255.255.255.252

GW: 10.1.3.254

If so, there is a mistake:

object-group network QQQ_Management_Group

description QQQ Management users unrestricted

range 192.168.0.1 192.168.0.25

range 192.168.0.200 192.168.0.254

192.168.1.0 255.255.255.0

192.168.4.0 255.255.255.0

192.168.5.0 255.255.255.0

192.168.7.0 255.255.255.0

192.168.8.0 255.255.255.0

192.168.10.0 255.255.255.0

10.1.1.0 255.255.255.252

10.1.2.0 255.255.255.252

10.1.3.0 255.255.255.252  --> it should be 10.1.3.252 255.255.255.252

10.1.4.0 255.255.255.252

!

Best regards,
Abzal


Thanks guys, this was driving me crazy; such a small, simple mistake. That's why it always pays to get a third person to look at your work. Thanks again.

Louise


Hi Louise,

Taken from your posted config:

object-group network QQQ_Management_Group

10.1.3.0 255.255.255.252

so 10.1.3.253 is not part of this subnet.

Regards.

Alain

Don't forget to rate helpful posts.
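The two accepted answers boil down to one check: 10.1.3.0 255.255.255.252 covers only 10.1.3.0-10.1.3.3, so the laptop at 10.1.3.253 matches nothing in QQQ_Management_Group, nothing in QQQ_Users_Group either, and falls through QQQ_ACL to the implicit deny at the end of every IOS ACL (which is why it was "all traffic", not just some). The script below is an added example, not code from the original posts or from Cisco: it reproduces QQQ_ACL and the two object-groups as constructed literals and evaluates them with IOS first-match semantics, so the failure and the one-line fix (10.1.3.252 255.255.255.252) can be checked offline. Assumptions: it parses only the syntax that appears on the page (permit lines, object-group or wildcard sources, an `any` destination, `eq` port lists, `time-range`), wildcard masks are contiguous, the time-range is the `periodic weekdays` form from the first post (the running config shows `daily`), and test hosts such as 192.168.2.10 are made up.

```python
"""Evaluator for QQQ_ACL and its object-groups as posted in this thread.
Added example, not from the original posts; see the lead-in for assumptions."""
import ipaddress
from datetime import datetime

PORT_NAMES = {"www": 80, "smtp": 25, "pop3": 110, "telnet": 23, "ftp": 21,
              "ftp-data": 20, "domain": 53, "ntp": 123, "rip": 520, "tftp": 69}
# Object-groups exactly as posted, including the faulty 10.1.3.0/30 entry.
OBJECT_GROUPS = {
    "QQQ_Management_Group": """
        range 192.168.0.1 192.168.0.25
        range 192.168.0.200 192.168.0.254
        192.168.1.0 255.255.255.0
        192.168.4.0 255.255.255.0
        192.168.5.0 255.255.255.0
        192.168.7.0 255.255.255.0
        192.168.8.0 255.255.255.0
        192.168.10.0 255.255.255.0
        10.1.1.0 255.255.255.252
        10.1.2.0 255.255.255.252
        10.1.3.0 255.255.255.252
        10.1.4.0 255.255.255.252""",
    "QQQ_Users_Group": """
        range 192.168.0.26 192.168.0.199
        192.168.2.0 255.255.255.0
        192.168.3.0 255.255.255.0
        192.168.6.0 255.255.255.0""",
}
ACL = """
permit ip object-group QQQ_Management_Group any
permit tcp object-group QQQ_Users_Group any eq smtp pop3 993 995 3389 5900 telnet ftp ftp-data domain
permit udp object-group QQQ_Users_Group any eq domain ntp rip tftp
permit tcp 192.168.2.0 0.0.0.255 any eq www 443 8080 5190 1863 time-range QQQ_Control
permit tcp 192.168.3.0 0.0.0.255 any eq www 443 8080 5190 1863 time-range QQQ_Control
permit tcp 192.168.4.0 0.0.0.255 any eq www 443 8080 5190 1863 time-range QQQ_Control
"""
# time-range QQQ_Control: periodic weekdays 19:00 to 22:00 (Mon-Fri = weekday() 0..4)
TIME_RANGES = {"QQQ_Control": (range(0, 5), 19 * 60, 22 * 60)}


def wildcard_network(addr, wildcard):
    """IOS wildcard mask (contiguous only) -> ip_network."""
    host_bits = bin(int(ipaddress.ip_address(wildcard))).count("1")
    return ipaddress.ip_network(f"{addr}/{32 - host_bits}", strict=False)


def group_matches(group_text, addr):
    """True if addr is covered by a 'range' or network/mask line of the group."""
    ip = ipaddress.ip_address(addr)
    for line in group_text.strip().splitlines():
        parts = line.split()
        if parts[0] == "range":
            lo, hi = (ipaddress.ip_address(p) for p in parts[1:3])
            if lo <= ip <= hi:
                return True
        elif ip in ipaddress.ip_network(f"{parts[0]}/{parts[1]}", strict=False):
            return True
    return False


def time_range_active(name, when):
    days, start, end = TIME_RANGES[name]
    minutes = when.hour * 60 + when.minute
    return when.weekday() in days and start <= minutes < end


def evaluate(acl_text, groups, src, proto, dport, when):
    """First matching line wins; nothing matching means the implicit deny."""
    for line in acl_text.strip().splitlines():
        tok = line.split()
        if tok[1] not in ("ip", proto):
            continue
        if tok[2] == "object-group":
            src_ok = group_matches(groups[tok[3]], src)
        else:
            src_ok = ipaddress.ip_address(src) in wildcard_network(tok[2], tok[3])
        if not src_ok:
            continue
        rest = tok[5:]                        # everything after the 'any' destination
        if rest and rest[0] == "eq":          # destination port list
            i, ports = 1, []
            while i < len(rest) and rest[i] != "time-range":
                ports.append(PORT_NAMES.get(rest[i]) or int(rest[i]))
                i += 1
            if dport not in ports:
                continue
            rest = rest[i:]
        if rest and rest[0] == "time-range" and not time_range_active(rest[1], when):
            continue
        return tok[0], line
    return "deny", "implicit deny ip any any"


def corrected_groups():
    """Management group with the /30 entry changed to the laptop's real subnet."""
    fixed = dict(OBJECT_GROUPS)
    fixed["QQQ_Management_Group"] = fixed["QQQ_Management_Group"].replace(
        "10.1.3.0 255.255.255.252", "10.1.3.252 255.255.255.252")
    return fixed


def check(src, proto, dport, when="2012-11-14 10:00", groups=None):
    """Return the action only; 'when' is 'YYYY-MM-DD HH:MM' (2012-11-14 is a Wednesday)."""
    when_dt = datetime.strptime(when, "%Y-%m-%d %H:%M")
    return evaluate(ACL, groups or OBJECT_GROUPS, src, proto, dport, when_dt)[0]
```

`check("10.1.3.253", "tcp", 443)` returns `deny` with the posted groups and `permit` with `corrected_groups()`; a user on 192.168.2.10 gets `permit` for SMTP at any time but for port 80 only inside the 19:00-22:00 weekday window. On the router itself the same fact shows up as zero matches on every permit line in `show ip access-lists QQQ_ACL` while the ACL is applied, which is the quickest way to confirm that traffic is reaching the implicit deny rather than a wrong permit.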
