
My Access List Blocks Everything?

Kia_Breizzze
Level 1

I have a LAN set up with a DMZ for a webserver.

My external router is a Cisco 3600 and the internal is a Cisco 2600.

I am attempting to apply an access list but each time I apply it I end up blocking everything. Is anyone able to tell me where I am going wrong, please?

My ACL:

access list (name/number) incoming on internal

permit tcp any 172.16.32.0 0.0.0.255 established
permit tcp any 172.16.32.0 0.0.0.255 5050
permit tcp any 172.16.32.0 0.0.0.255 5100
permit tcp any 172.16.32.0 0.0.0.255 5101
permit tcp any 172.16.32.0 0.0.0.255 1863
permit tcp any 172.16.32.0 0.0.0.255 110
permit tcp any 172.16.32.0 0.0.0.255 25
permit tcp any 172.16.32.0 0.0.0.255 80
permit tcp any 172.16.32.0 0.0.0.255 range 6881-6969
permit tcp any 172.16.32.0 0.0.0.255 6346
permit tcp any 172.16.32.0 0.0.0.255 1366
permit tcp any 172.16.32.0 0.0.0.255 5190
permit tcp any 172.16.32.0 0.0.0.255 1080
permit tcp any 172.16.32.0 0.0.0.255 1366
permit tcp any 172.16.32.0 0.0.0.255 1367
permit tcp any 172.16.32.0 0.0.0.255 5190
deny any any


mheusinger
Level 10

Hello,

are you sure the destination address is in the range 172.16.32.0/24?

What does "everything is blocked" mean? How do you test this? Can you add

permit icmp any 172.16.32.0 0.0.0.255

above the "deny any any" command and ping the server?

Regards, Martin

Looking at the access list, I would think it was more likely built as an outbound access list: especially the use of tcp established (more often out than in) and the fact that destination addresses are specified. But this line in the original post makes me wonder if it is applied as inbound:

access list (name/number) incoming on internal

Perhaps the original poster can clarify on which interface and in which direction the access list is applied. In fact it would be helpful if the original poster can post the entire configuration of the interface.

HTH

Rick
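A constructed IOS fragment, added here and not taken from any of the posters, showing how the list in the question would be written in IOS extended-ACL syntax, applied in one direction on one interface, and checked with the show commands that reveal where it is bound and which entry is matching. The ACL name DMZ-IN and the interface FastEthernet0/0 are assumptions; the DMZ subnet 172.16.32.0/24 is from the post.

```cisco
! Named extended ACL. Port matches need the "eq" keyword, "range" takes
! two space-separated ports, and the closing deny must name a protocol
! ("deny ip any any"); a bare "deny any any" is not valid in an extended list.
ip access-list extended DMZ-IN
 ! Return traffic for sessions that inside hosts opened (ACK or RST set).
 ! This entry never admits a NEW connection from outside, so if the list
 ! is applied where fresh inbound connections enter, only the explicitly
 ! listed ports get through.
 permit tcp any 172.16.32.0 0.0.0.255 established
 ! Services the DMZ host actually offers.
 permit tcp any 172.16.32.0 0.0.0.255 eq 80
 permit tcp any 172.16.32.0 0.0.0.255 eq 25
 permit tcp any 172.16.32.0 0.0.0.255 range 6881 6969
 ! Martin's ping test: allow echo requests in while troubleshooting.
 permit icmp any 172.16.32.0 0.0.0.255 echo
 ! Explicit final deny with "log": "everything is blocked" becomes a list
 ! of the exact flows being dropped. Logged entries are process-switched,
 ! so remove "log" once the problem is found.
 deny ip any any log
!
! Bind the list in one direction on one interface (name assumed).
interface FastEthernet0/0
 ip access-group DMZ-IN in
!
! Verification from privileged EXEC:
! show ip interface FastEthernet0/0 | include access list   <- which ACL, inbound or outbound
! show access-lists DMZ-IN                                  <- per-entry match counters
! show logging | include DMZ-IN                             <- flows hit by the logged deny
```

Pasting the output of those three commands into the thread answers Rick's question about interface and direction, and the match counters show whether traffic is dying on the established entry or falling through to the deny.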
