routing ACL issue

nepalies_24
Level 1

Hi All,

If anyone can help, I will really appreciate it. I could not figure out the problem myself.

Basically, I have a router with 1 F0/0 and 4 Eth ports. I have F0/0 configured as the WAN port and the 4 Eth ports connected to different networks. What I want to do is route traffic between the hosts connected to the 4 Eth ports, so I can perform RDP and other stuff between them.

Please check my config as follows:

Current configuration : 6823 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
!
hostname pirate
!
boot-start-marker
boot-end-marker
!
security passwords min-lengthx
no logging buffered
logging cns-events alerts
enable secret x
enable password x
!
aaa new-model
!
!
!
aaa session-id common
clock timezone GMT 20 28
clock summer-time London date Mar 30 2003 21:28 Oct 26 2003 22:28
no network-clock-participate slot 1
no network-clock-participate wic 0
ip cef
!
!
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.xxxx 192.168.1.xxxx
ip dhcp excluded-address 10.10.10.xxxx 10.10.10.xxxx
ip dhcp excluded-address 192.168.10.xxxx 192.168.10.xxxx
ip dhcp excluded-address 10.10.20.xxxx 10.10.20.xxxx
!
ip dhcp pool xxxxx
   import all
   network 192.168.1.0 255.255.255.0
   default-router 192.168.1.1
   dns-server
!
ip dhcp pool xxxxx
   import all
   network 10.10.10.0 255.255.255.0
   default-router 10.10.10.1
   dns-server
!
ip dhcp pool xxxxx
   import all
   network 192.168.10.0 255.255.255.0
   default-router 192.168.10.1
   dns-server
!
ip dhcp pool Server
   import all
   network 10.10.20.0 255.255.255.0
   default-router 10.10.20.1
   dns-server
!
ip dhcp pool wirless
   import all
   network 10.10.5.0 255.255.255.0
   default-router 10.10.5.xxxx
!
!
ip flow-cache timeout active 1
no ip bootp server
ip domain name xxxxxx
ip name-server xxxxx
login block-for 80 attempts xxxxx within xxxxx
login quiet-mode access-class 10
login on-failure log every xxxxx
vpdn enable
!
vpdn-group xxxxx
 ! Default PPTP VPDN group
 accept-dialin
  protocol pptp
  virtual-template 1
!
!
!
!
crypto pki trustpoint TP-self-signed-1020500782
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1020500782
 revocation-check none
 rsakeypair TP-self-signed-1020500782
!
!
username xxxxx privilege 15 password 7 xxxxx
username xxxx secret xxx.
username xxxxx privilege 15 password xxxx
username xxxxx view ITSUPPOT secretxxxx
username xxxxx view Support secret xxxxx
username xxxxx privilege 15 secret xxxxx
!
!
ip ssh port xxxx rotary 1
ip ssh version 2
!
!
!
!
interface FastEthernet0/0
 description WAN
 ip address 10.10.5.78 255.255.255.0
 ip helper-address 10.10.5.78
 ip access-group route_virgn out
 no ip redirects
 no ip unreachables
 ip nat outside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 no cdp enable
!
interface Ethernet1/0
 description Pulchok_pool exHdd
 ip address 192.168.1.xxxx 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 full-duplex
!
interface Ethernet1/1
 description Server Pool
 ip address 10.10.20.xxxx 255.255.255.0
 ip access-group route_virgn out
 no ip unreachables
 ip nat inside
 ip virtual-reassembly
 full-duplex
 no cdp enable
!
interface Ethernet1/2
 description Switch POOL
 ip address 192.168.10.1 255.255.255.0
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 shutdown
 full-duplex
 no cdp enable
!
interface Ethernet1/3
 description JAPAN_POOL
 ip address 10.10.10.1 255.255.255.0
 ip access-group route_virgn out
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 full-duplex
!
interface Virtual-Template1
 description VPDN
 ip unnumbered FastEthernet0/0
 peer default ip address pool PPTP-Pool
 ppp encrypt mppe 128
 ppp authentication ms-chap-v2
!
interface Dialer0
 no ip address
 shutdown
!
ip local pool PPTP-Pool xxx.xxxx.1.xxx xxx.xxxx.1.xxx
no ip classless
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 10.10.5.1
ip flow-export source FastEthernet0/0
ip flow-export version 5
ip flow-export destination 10.10.10.xx 9996
!
ip http server
ip http authentication local
ip http secure-server
ip nat inside source list 101 interface FastEthernet0/0 overload
ip nat inside source static tcp 10.10.10.xx 3389 interface FastEthernet0/0 3389
!
ip access-list extended xxx_drive
 permit ip 10.10.10.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 10.10.10.0 0.0.0.255
 permit ip 10.10.5.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 10.10.5.0 0.0.0.255
 permit ip 10.10.20.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 10.10.20.0 0.0.0.255
 permit ip any any
 permit tcp any any
ip access-list extended route_xxxx
 permit ip 10.10.10.0 0.0.0.255 10.10.5.0 0.0.0.255
 permit ip 10.10.5.0 0.0.0.255 10.10.10.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 10.10.5.0 0.0.0.255
 permit ip 10.10.5.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip 10.10.20.0 0.0.0.255 10.10.5.0 0.0.0.255
 permit ip 10.10.5.0 0.0.0.255 10.10.20.0 0.0.0.255
 permit ip any any
!
logging trap debugging
logging 10.10.10.xx
access-list 10 permit 10.10.10.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
access-list 101 permit ip 10.10.10.0 0.0.0.255 any
access-list 101 permit ip 192.168.10.0 0.0.0.255 any
access-list 120 remark Internal 10 host
snmp-server ifindex persist
!
!
control-plane
!
!
!
banner motd ^C
***************
NO UNAUTHORIZED ACCESS
***********************^C
no alias exec s
alias exec ipint sh ip int brief
!
line con 0
 logging synchronous
line aux 0
line vty 0 3
 exec-timeout 15 0
 privilege level 15
 logging synchronous
 rotary 1
 transport input ssh
line vty 4
 exec-timeout 15 0
 privilege level 15
 logging synchronous
 rotary 1
 transport input ssh
parser view xxxx
 secret
 commands exec include ping
 commands exec include configure terminal
 commands exec include configure
 commands exec include show ip interface brief
 commands exec include show ip interface
 commands exec include show ip
 commands exec include show running-config
 commands exec include show
!
parser view Ixxxx
 secret
 commands exec exclude configure terminal
 commands exec include configure
 commands exec include show ip nat translations
 commands exec include show ip nat
 commands exec include show ip interface brief
 commands exec include show ip interface
 commands exec include show ip
 commands exec include show running-config
 commands exec include show
!
parser view xxxxx
 secret
 commands exec include ping
 commands exec include configure terminal
 commands exec include configure
 commands exec include show ip interface brief
 commands exec include show ip interface
 commands exec include show ip
 commands exec include show running-config
 commands exec include show
!

3 Replies

Richard Burts
Hall of Fame

You indicate that there is a problem but you do not tell us what the problem is. Without some understanding of what the problem is it is difficult to know where to start in looking at the config.

As a start I will observe that you have this access list configured on several interfaces:

ip access-group route_virgn out

but I do not see that access list in the config that you posted. Perhaps this is part of the problem?

If you can tell us some things that do work and some specific things that do not work we might be able to give better answers.

HTH

Rick


Hi Rick

Thank you for your reply.

My problem is that I can access hosts on the 10.10.5.0 network from the 10.10.10.0 network, but I can't access any host on the 10.10.10.0 network from the 10.10.5.0 network, AND I also can't access any host on the 10.10.20.0 network from the 10.10.10.0 network.

ip access-group route_virgn out on the interfaces is for the following access list:

ip access-list extended route_virgn
 permit ip 10.10.10.0 0.0.0.255 10.10.5.0 0.0.0.255
 permit ip 10.10.5.0 0.0.0.255 10.10.10.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 10.10.5.0 0.0.0.255
 permit ip 10.10.5.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip 10.10.20.0 0.0.0.255 10.10.5.0 0.0.0.255
 permit ip 10.10.5.0 0.0.0.255 10.10.20.0 0.0.0.255
 permit ip any any

10.10.5.0 is my wireless network.

Hi

Please add the below entry into the existing route_virgin ACL:

ip access-list ext route_virgin
 permit ip 10.10.10.0 0.0.0.255 10.10.20.0 0.0.0.255

Are you able to access from 10.10.5.x to 10.10.20.x? If not, please get us the output of show ip access-list route_virgin (we need to find out if we are getting hits).

Otherwise we need to check ACL 101, which is used for NAT.

Thanks

Vignesh
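Both replies come down to the same question: which entry of an ACL does a given flow actually hit? The following Python is an added example written for this thread; it is not code from the thread, from Cisco, or from IOS. It parses extended ACLs in the two forms seen above (named `ip access-list extended ...` and numbered `access-list 101 ...`), converts Cisco wildcard masks to networks, and evaluates flows with the first-match, implicit-deny rule that IOS applies. The ACL text is copied from the posts; the individual host addresses in the sample flows are constructed for illustration and are not from the thread. It goes one step beyond the thread by also flagging entries that can never match, which the `xxx_drive` list in the original config happens to contain (its `permit tcp any any` sits after `permit ip any any`).

```python
"""Evaluate Cisco IOS extended ACLs with first-match, implicit-deny semantics.
Added example for this thread; not code from the thread or from Cisco."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


@dataclass
class Ace:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip", "tcp", "udp", ...
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    text: str                    # original line, reported when this entry is hit


def _take_address(toks: list[str]) -> tuple[ipaddress.IPv4Network, list[str]]:
    """Consume one address spec: 'any', 'host A.B.C.D', or 'A.B.C.D WILDCARD'."""
    if toks[0] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), toks[1:]
    if toks[0] == "host":
        return ipaddress.IPv4Network(f"{toks[1]}/32"), toks[2:]
    # A Cisco wildcard is the bitwise inverse of a subnet mask. Invert it
    # explicitly so that a wildcard of 255.255.255.255 means "any" and not /32.
    # Non-contiguous wildcards are not handled and raise ValueError.
    wildcard = int(ipaddress.IPv4Address(toks[1]))
    netmask = ipaddress.IPv4Address(wildcard ^ 0xFFFFFFFF)
    return ipaddress.IPv4Network(f"{toks[0]}/{netmask}", strict=False), toks[2:]


def parse_acl(text: str) -> list[Ace]:
    """Parse the entries of one extended ACL; header, remark and blank lines are skipped."""
    aces = []
    for raw in text.splitlines():
        toks = raw.split()
        if toks[:1] == ["access-list"]:      # numbered form: access-list 101 permit ip ...
            toks = toks[2:]
        if not toks or toks[0] not in ("permit", "deny"):
            continue                         # "ip access-list extended ...", "remark ..."
        action, proto, rest = toks[0], toks[1], toks[2:]
        src, rest = _take_address(rest)
        dst, rest = _take_address(rest)      # any port qualifiers after this are ignored
        aces.append(Ace(action, proto, src, dst, raw.strip()))
    return aces


def evaluate(acl: list[Ace], src_ip: str, dst_ip: str, proto: str = "ip") -> tuple[str, str]:
    """Return (action, matching entry) for a flow; no match is the implicit deny."""
    s, d = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for ace in acl:
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if s in ace.src and d in ace.dst:
            return ace.action, ace.text
    return "deny", "implicit deny (no ACE matched)"


def unreachable_aces(acl: list[Ace]) -> list[Ace]:
    """Entries that can never match because an earlier entry covers every flow they would."""
    dead = []
    for i, later in enumerate(acl):
        for earlier in acl[:i]:
            if (earlier.proto in ("ip", later.proto)
                    and later.src.subnet_of(earlier.src)
                    and later.dst.subnet_of(earlier.dst)):
                dead.append(later)
                break
    return dead


# ACL text copied from the thread (route_virgn as posted in the reply, 101 and
# xxx_drive from the running config).
ROUTE_VIRGN = parse_acl("""\
ip access-list extended route_virgn
 permit ip 10.10.10.0 0.0.0.255 10.10.5.0 0.0.0.255
 permit ip 10.10.5.0 0.0.0.255 10.10.10.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 10.10.5.0 0.0.0.255
 permit ip 10.10.5.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip 10.10.20.0 0.0.0.255 10.10.5.0 0.0.0.255
 permit ip 10.10.5.0 0.0.0.255 10.10.20.0 0.0.0.255
 permit ip any any
""")
NAT_101 = parse_acl("""\
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
access-list 101 permit ip 10.10.10.0 0.0.0.255 any
access-list 101 permit ip 192.168.10.0 0.0.0.255 any
""")
XXX_DRIVE = parse_acl("""\
ip access-list extended xxx_drive
 permit ip 10.10.10.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 10.10.10.0 0.0.0.255
 permit ip any any
 permit tcp any any
""")

if __name__ == "__main__":
    # Sample host addresses are constructed; the subnets are the thread's.
    for name, acl, src, dst in [
        ("route_virgn", ROUTE_VIRGN, "10.10.10.10", "10.10.20.10"),
        ("route_virgn", ROUTE_VIRGN, "10.10.5.20", "10.10.10.10"),
        ("101 (NAT)", NAT_101, "10.10.10.10", "10.10.5.1"),
        ("101 (NAT)", NAT_101, "10.10.20.10", "10.10.5.1"),
    ]:
        action, hit = evaluate(acl, src, dst)
        print(f"{name:12} {src:>12} -> {dst:<12} {action:6} via: {hit}")
    for ace in unreachable_aces(XXX_DRIVE):
        print(f"xxx_drive: entry can never match: {ace.text}")
```

Run against the thread's lists, the script shows that a 10.10.10.0/24 to 10.10.20.0/24 flow is already permitted by `route_virgn` through its trailing `permit ip any any`, so that list cannot be what blocks it, while NAT list 101 has no entry for 10.10.20.0/24 and falls through to the implicit deny. Those are exactly the two places the `show ip access-list` hit counters requested above would confirm on the router.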
