Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
528
Views
0
Helpful
1
Replies

ACL on Switch 3550 (with routing enabled)

MUKADI Pierre
Level 1
Level 1

‎09-21-2016 08:25 AM - edited ‎03-08-2019 07:31 AM

Hi there

Can you help me?

I'm configuring acl on my cisco but it doesn't work.

My network looks like this :

Internet  <--->(eth0) MikrotikRouter (eth1) <--->(fa0/1) Cisco switch (3550) (int vlanX) <---> Internal VLANs

1. On my MIKROTIK :

- I have a public IP and NAT configure

- I have RIP v2 configure on the internal interace (eth1) : 172.16.1.1

- I have some rule that block microsoft downloading site, social network, steaming, etc.

2. On my Cisco switch (3550):

- I have Routing enabled, RIP v2 enabled, networks (To and From Mikrotik network: 172.16.1.1, VLANs networks:192,168.0.0/24) configured, ...

My problem is :

Without ACL, the internet is working.

But when I configure the ACL, internet does not pass.

NB : Ping and DNS work : ping google.fr is ok

         But Internet (on browser) does not work. Telnet on port 80, etc. does not work.

MY ACL is :

no access-list 111
no access-list 112
access-list 111 permit tcp host 192.168.1.25  any eq 23
access-list 111 permit tcp host 192.168.1.26  any eq 23
access-list 111 permit tcp host 192.168.2.25  any eq 23
access-list 111 permit tcp host 192.168.2.26  any eq 23

access-list 111 permit udp host 192.168.1.25  any eq 23
access-list 111 permit udp host 192.168.1.26  any eq 23
access-list 111 permit udp host 192.168.2.25  any eq 23
access-list 111 permit udp host 192.168.2.26  any eq 23

access-list 111 permit tcp any any eq www
access-list 111 permit tcp any any eq 8080
access-list 111 permit tcp any any eq smtp
access-list 111 permit tcp any any eq pop3
access-list 111 permit tcp any any eq 443
access-list 111 permit tcp any host 8.8.8.8 eq 53
access-list 111 permit ip host 8.8.8.8 any
access-list 111 permit tcp any any eq 53
access-list 111 permit tcp any any eq 22
access-list 111 permit tcp any any eq 20
access-list 111 permit tcp any any eq 21
access-list 111 permit tcp any any eq 175
access-list 111 permit tcp any any eq 194
access-list 111 permit tcp any any eq 465
access-list 111 permit tcp any any eq 902
access-list 111 permit tcp any any eq 993
access-list 111 permit tcp any any eq 995
access-list 111 permit tcp any any eq 1194
access-list 111 permit tcp any any eq 5060

access-list 111 permit udp any any eq 20
access-list 111 permit udp any any eq 21
access-list 111 permit udp any any eq 53
access-list 111 permit udp any any eq 67
access-list 111 permit udp any any eq 68
access-list 111 permit udp any any eq bootps
access-list 111 permit udp any any eq 5060
access-list 111 permit udp any any eq 3128
access-list 111 permit udp any any eq rip

access-list 111 permit icmp any any echo-reply
access-list 111 permit icmp any any unreachable
access-list 111 permit icmp any any time-exceeded
access-list 111 deny   icmp any any

access-list 111 permit tcp any 172.16.1.0 0.0.0.255 eq www
access-list 111 permit tcp any 172.16.1.0 0.0.0.255 eq 8080
access-list 111 permit tcp any 172.16.1.0 0.0.0.255 eq 443
access-list 111 permit tcp any 172.16.1.0 0.0.0.255 eq 53
access-list 111 permit tcp any 172.16.1.0 0.0.0.255 eq smtp
access-list 111 permit tcp any 172.16.1.0 0.0.0.255 eq pop3
access-list 111 permit tcp any 172.16.1.0 0.0.0.255 eq 22
access-list 111 permit tcp any 172.16.1.0 0.0.0.255 eq 20
access-list 111 permit tcp any 172.16.1.0 0.0.0.255 eq 21
access-list 111 permit tcp any 172.16.1.0 0.0.0.255 eq 175
access-list 111 permit tcp any 172.16.1.0 0.0.0.255 eq 194
access-list 111 permit tcp any 172.16.1.0 0.0.0.255 eq 465
access-list 111 permit tcp any 172.16.1.0 0.0.0.255 eq 902
access-list 111 permit tcp any 172.16.1.0 0.0.0.255 eq 993
access-list 111 permit tcp any 172.16.1.0 0.0.0.255 eq 995
access-list 111 permit tcp any 172.16.1.0 0.0.0.255 eq 1194
access-list 111 permit tcp any 172.16.1.0 0.0.0.255 eq 5060

access-list 111 permit udp any 172.16.1.0 0.0.0.255 eq 20
access-list 111 permit udp any 172.16.1.0 0.0.0.255 eq 21
access-list 111 permit udp any 172.16.1.0 0.0.0.255 eq 53
access-list 111 permit udp any 172.16.1.0 0.0.0.255 eq 67
access-list 111 permit udp any 172.16.1.0 0.0.0.255 eq 68
access-list 111 permit udp any 172.16.1.0 0.0.0.255 eq bootps
access-list 111 permit udp any 172.16.1.0 0.0.0.255 eq 5060
access-list 111 permit udp any 172.16.1.0 0.0.0.255 eq 3128
access-list 111 permit udp any 172.16.1.0 0.0.0.255 eq rip

access-list 111 permit tcp  172.16.1.0 0.0.0.255 any established
access-list 111 permit tcp  172.16.1.0 0.0.0.255 any

inter range vlan 1 - 20
no ip access-group 111 out
ip access-group 111 out
exit

Labels:
0 Helpful
1 Reply 1

Iulian Vaideanu
Level 4
Level 4

‎09-22-2016 08:02 AM

If I understood your topology correctly I believe what you want is "ip access-group 111 in", not "out"...

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card