Beginner

ACL on Switch 3550 (with routing enabled)

Hi there

Can you help me?

I'm configuring an ACL on my Cisco but it doesn't work.

My network looks like this:

Internet  <--->(eth0) MikrotikRouter (eth1) <--->(fa0/1) Cisco switch (3550) (int vlanX) <---> Internal VLANs

1. On my MIKROTIK :

- I have a public IP and NAT configured

- I have RIP v2 configured on the internal interface (eth1): 172.16.1.1

- I have some rules that block Microsoft download sites, social networks, streaming, etc.

2. On my Cisco switch (3550):

- I have routing enabled, RIP v2 enabled, networks configured (to and from the Mikrotik network: 172.16.1.1, VLAN networks: 192.168.0.0/24), ...

My problem is:

Without ACL, the internet is working.

But when I configure the ACL, internet does not pass.

NB: Ping and DNS work: ping google.fr is OK,

but Internet (in a browser) does not work. Telnet on port 80, etc. does not work.

My ACL is:

no access-list 111
no access-list 112
access-list 111 permit tcp host 192.168.1.25  any eq 23
access-list 111 permit tcp host 192.168.1.26  any eq 23
access-list 111 permit tcp host 192.168.2.25  any eq 23
access-list 111 permit tcp host 192.168.2.26  any eq 23

access-list 111 permit udp host 192.168.1.25  any eq 23
access-list 111 permit udp host 192.168.1.26  any eq 23
access-list 111 permit udp host 192.168.2.25  any eq 23
access-list 111 permit udp host 192.168.2.26  any eq 23

access-list 111 permit tcp any any eq www
access-list 111 permit tcp any any eq 8080
access-list 111 permit tcp any any eq smtp
access-list 111 permit tcp any any eq pop3
access-list 111 permit tcp any any eq 443
access-list 111 permit tcp any host 8.8.8.8 eq 53
access-list 111 permit ip host 8.8.8.8 any
access-list 111 permit tcp any any eq 53
access-list 111 permit tcp any any eq 22
access-list 111 permit tcp any any eq 20
access-list 111 permit tcp any any eq 21
access-list 111 permit tcp any any eq 175
access-list 111 permit tcp any any eq 194
access-list 111 permit tcp any any eq 465
access-list 111 permit tcp any any eq 902
access-list 111 permit tcp any any eq 993
access-list 111 permit tcp any any eq 995
access-list 111 permit tcp any any eq 1194
access-list 111 permit tcp any any eq 5060

access-list 111 permit udp any any eq 20
access-list 111 permit udp any any eq 21
access-list 111 permit udp any any eq 53
access-list 111 permit udp any any eq 67
access-list 111 permit udp any any eq 68
access-list 111 permit udp any any eq bootps
access-list 111 permit udp any any eq 5060
access-list 111 permit udp any any eq 3128
access-list 111 permit udp any any eq rip

access-list 111 permit icmp any any echo-reply
access-list 111 permit icmp any any unreachable
access-list 111 permit icmp any any time-exceeded
access-list 111 deny   icmp any any

access-list 111 permit tcp any 172.16.1.0 0.0.0.255 eq www
access-list 111 permit tcp any 172.16.1.0 0.0.0.255 eq 8080
access-list 111 permit tcp any 172.16.1.0 0.0.0.255 eq 443
access-list 111 permit tcp any 172.16.1.0 0.0.0.255 eq 53
access-list 111 permit tcp any 172.16.1.0 0.0.0.255 eq smtp
access-list 111 permit tcp any 172.16.1.0 0.0.0.255 eq pop3
access-list 111 permit tcp any 172.16.1.0 0.0.0.255 eq 22
access-list 111 permit tcp any 172.16.1.0 0.0.0.255 eq 20
access-list 111 permit tcp any 172.16.1.0 0.0.0.255 eq 21
access-list 111 permit tcp any 172.16.1.0 0.0.0.255 eq 175
access-list 111 permit tcp any 172.16.1.0 0.0.0.255 eq 194
access-list 111 permit tcp any 172.16.1.0 0.0.0.255 eq 465
access-list 111 permit tcp any 172.16.1.0 0.0.0.255 eq 902
access-list 111 permit tcp any 172.16.1.0 0.0.0.255 eq 993
access-list 111 permit tcp any 172.16.1.0 0.0.0.255 eq 995
access-list 111 permit tcp any 172.16.1.0 0.0.0.255 eq 1194
access-list 111 permit tcp any 172.16.1.0 0.0.0.255 eq 5060

access-list 111 permit udp any 172.16.1.0 0.0.0.255 eq 20
access-list 111 permit udp any 172.16.1.0 0.0.0.255 eq 21
access-list 111 permit udp any 172.16.1.0 0.0.0.255 eq 53
access-list 111 permit udp any 172.16.1.0 0.0.0.255 eq 67
access-list 111 permit udp any 172.16.1.0 0.0.0.255 eq 68
access-list 111 permit udp any 172.16.1.0 0.0.0.255 eq bootps
access-list 111 permit udp any 172.16.1.0 0.0.0.255 eq 5060
access-list 111 permit udp any 172.16.1.0 0.0.0.255 eq 3128
access-list 111 permit udp any 172.16.1.0 0.0.0.255 eq rip

access-list 111 permit tcp  172.16.1.0 0.0.0.255 any established
access-list 111 permit tcp  172.16.1.0 0.0.0.255 any

inter range vlan 1 - 20
no ip access-group 111 out
ip access-group 111 out
exit

1 REPLY
Enthusiast

If I understood your topology

If I understood your topology correctly I believe what you want is "ip access-group 111 in", not "out"...
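The reply above points at the direction the ACL is applied in. As an added example (not code from the thread or from Cisco), here is a small Python evaluator for the ACL syntax the poster used. It embeds an excerpt of the posted list; the web server address 203.0.113.10 and the ephemeral ports are constructed, and it assumes the IOS rule that first match wins with an implicit deny at the end. It shows why `out` on the VLAN SVIs produces exactly the reported symptoms: an SVI's `out` direction filters the packets the switch routes toward the hosts, which for a web session is the server's reply (source port 80, destination an ephemeral port). That reply matches no `permit` entry and falls to the implicit deny, whereas a DNS answer from 8.8.8.8 is covered by `permit ip host 8.8.8.8 any` and a ping reply by the `echo-reply` entry, so ping and DNS keep working.

```python
"""Toy evaluator for the extended ACL posted above (a constructed example, not from the thread).
Supports only the syntax the posted list uses (any / host / net+wildcard, a destination 'eq'
port, 'established', named ICMP types) with IOS semantics: first match wins, implicit deny last."""
import ipaddress
from dataclasses import dataclass

PORT_NAMES = {"www": 80, "smtp": 25, "pop3": 110, "bootps": 67, "rip": 520}
ICMP_TYPES = {"echo-reply": 0, "unreachable": 3, "time-exceeded": 11}

@dataclass
class Packet:
    proto: str          # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: int = 0
    ack: bool = False   # TCP ACK/RST bit set, which is what 'established' keys on
    icmp_type: int = -1

@dataclass
class Rule:
    action: str
    proto: str                   # "ip" matches every protocol
    src: tuple                   # (base, care-bit mask) derived from the wildcard
    dst: tuple
    text: str
    dport: "int | None" = None
    established: bool = False
    icmp_type: "int | None" = None

def _parse_addr(tokens, i):
    """Parse 'any' | 'host A' | 'A WILDCARD' at tokens[i]; return (spec, next index)."""
    if tokens[i] == "any":
        return (0, 0), i + 1
    if tokens[i] == "host":
        return (int(ipaddress.ip_address(tokens[i + 1])), 0xFFFFFFFF), i + 2
    base = int(ipaddress.ip_address(tokens[i]))
    mask = ~int(ipaddress.ip_address(tokens[i + 1])) & 0xFFFFFFFF  # wildcard 0-bits must match
    return (base & mask, mask), i + 2

def _addr_match(spec, addr):
    return (int(ipaddress.ip_address(addr)) & spec[1]) == spec[0]

def parse_acl(text):
    rules = []
    for line in text.strip().splitlines():
        t = line.split()
        if t[:1] != ["access-list"] or t[2] not in ("permit", "deny"):
            continue  # skips the 'no access-list ...' clean-up lines of the posted config
        src, i = _parse_addr(t, 4)
        dst, i = _parse_addr(t, i)
        rule = Rule(t[2], t[3], src, dst, line.strip())
        while i < len(t):
            if t[i] == "eq":
                rule.dport, i = PORT_NAMES.get(t[i + 1]) or int(t[i + 1]), i + 2
            elif t[i] == "established":
                rule.established, i = True, i + 1
            else:
                rule.icmp_type, i = ICMP_TYPES[t[i]], i + 1
        rules.append(rule)
    return rules

def matches(rule, pkt):
    return (rule.proto in ("ip", pkt.proto)
            and _addr_match(rule.src, pkt.src) and _addr_match(rule.dst, pkt.dst)
            and (rule.dport is None or pkt.dport == rule.dport)
            and (not rule.established or pkt.ack)
            and (rule.icmp_type is None or pkt.icmp_type == rule.icmp_type))

def evaluate(rules, pkt):
    """Return (verdict, matching entry); an unmatched packet hits the implicit deny."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action, rule.text
    return "deny", "implicit deny"

# Excerpt of the posted list: the entries that decide the constructed flows below.
ACL_EXCERPT = """
access-list 111 permit tcp any any eq www
access-list 111 permit tcp any host 8.8.8.8 eq 53
access-list 111 permit ip host 8.8.8.8 any
access-list 111 permit udp any any eq 53
access-list 111 permit icmp any any echo-reply
access-list 111 deny   icmp any any
access-list 111 permit tcp  172.16.1.0 0.0.0.255 any established
access-list 111 permit tcp  172.16.1.0 0.0.0.255 any
"""
HOST, WEB = "192.168.1.25", "203.0.113.10"   # VLAN host from the post; constructed web server
FLOWS = {  # constructed: one HTTP session plus the two things the poster reported as still working
    "http_request": Packet("tcp", HOST, WEB, dport=80),
    "http_reply": Packet("tcp", WEB, HOST, dport=40000, ack=True),
    "dns_reply": Packet("udp", "8.8.8.8", HOST, dport=50000),
    "ping_reply": Packet("icmp", WEB, HOST, icmp_type=ICMP_TYPES["echo-reply"]),
}

def _toward_hosts(pkt):
    return ipaddress.ip_address(pkt.dst) in ipaddress.ip_network("192.168.0.0/16")

def svi_verdicts(rules, direction):
    """Per-flow verdict for 'ip access-group 111 <direction>' on the VLAN SVIs: 'in' filters what
    the hosts send into the switch, 'out' filters what the switch routes toward the hosts (replies)."""
    on_path = lambda pkt: _toward_hosts(pkt) == (direction == "out")
    return {n: evaluate(rules, p)[0] if on_path(p) else "not evaluated" for n, p in FLOWS.items()}
```

With `in`, the host-originated request is what gets evaluated and `permit tcp any any eq www` matches it; the reply never traverses this ACL at all. If an outbound ACL on the SVIs were actually wanted, it would need an entry that matches return traffic from any source; the posted `established` entry only covers sources in 172.16.1.0/24, which is why it does not rescue the web reply here. Like a real ACL, the model stops at the first match, so entry order matters, and `evaluate` returns the matching entry text alongside the verdict to make that visible when troubleshooting.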
