01-25-2013 10:44 PM - edited 03-07-2019 11:19 AM
Hi all,
Please help with an annoying ACL issue. I have the following extended ACL configured, but for some reason I still can't get web access when the time range is active.
The email and other ports work perfectly, but when the time range shows active in the router, still no web access is possible on the controlled VLANs and networks. Any ideas?
Thanks
Louise
QQQ_Control
time-range periodic daily 21:00 to 23:59
MAIL-PORTS
tcp eq smtp
tcp eq pop3
tcp eq 995
tcp eq 993
tcp eq telnet
tcp eq ftp
tcp eq domain
tcp eq 5900
tcp eq ftp-data
tcp eq 3389
tcp eq 20410
udp lt rip
udp lt domain
udp lt ntp
udp lt tftp
QQQ_User_Group
range 192.168.0.26 192.168.0.199
192.168.2.0 255.255.255.0
192.168.3.0 255.255.255.0
192.168.6.0 255.255.255.0
QQQ_Management_Group
range 192.168.0.1 192.168.0.25
range 192.168.0.200 192.168.0.254
192.168.1.0 255.255.255.0
192.168.4.0 255.255.255.0
192.168.5.0 255.255.255.0
192.168.7.0 255.255.255.0
192.168.8.0 255.255.255.0
192.168.9.0 255.255.255.0
192.168.10.0 255.255.255.0
10.1.0.0 255.255.0.0
10.8.0.0 255.255.255.0
QQQ_ACL
5 permit ip host 203.xxx.xxx.xxx any
10 permit udp host 203.12.160.2 eq ntp any eq ntp
20 permit udp host 192.168.0.6 eq domain any
30 permit ip object-group QQQ_Management_Group any
40 permit object-group MAIL-PORTS object-group QQQ_User_Group any
50 permit icmp object-group QQQ_User_Group any
60 permit tcp 192.168.2.0 0.0.0.255 eq www 443 8080 5190 1863 any time-range QQQ_Control
70 permit tcp 192.168.3.0 0.0.0.255 eq www 443 8080 5190 1863 any time-range QQQ_Control
80 permit tcp 192.168.6.0 0.0.0.255 eq www 443 8080 5190 1863 any time-range QQQ_Control
90 permit tcp 192.168.0.0 0.0.0.255 eq www 443 8080 5190 1863 any time-range QQQ_Control
01-25-2013 10:58 PM
Hi
I cannot see anywhere that the http or https traffic is allowed in the ACL.
Please allow traffic to port 80 and try.
01-25-2013 11:15 PM
Hi
The web traffic (http, 80 and https, 443) is allowed in lines 60 to 90 per subnet, which in turn is controlled by the time range QQQ_Control; Cisco IOS changes port 80 to www when you type it into the ACL.
60 permit tcp 192.168.2.0 0.0.0.255 eq www 443 8080 5190 1863 any time-range QQQ_Control
70 permit tcp 192.168.3.0 0.0.0.255 eq www 443 8080 5190 1863 any time-range QQQ_Control
80 permit tcp 192.168.6.0 0.0.0.255 eq www 443 8080 5190 1863 any time-range QQQ_Control
90 permit tcp 192.168.0.0 0.0.0.255 eq www 443 8080 5190 1863 any time-range QQQ_Control
Louise
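An added model (not from this thread or from Cisco) of how IOS parses an extended ACE, used to check what the posted lines 60 to 90 actually match. In IOS syntax the port operator that directly follows the source address binds to the source port, so the model shows a LAN client on an ephemeral port talking to a web server on 80/443 falling through these entries even while QQQ_Control is active, and hitting the same entry once the operator is moved after the destination. Assumed: contiguous wildcard masks, a sequence number on every line, TCP only, and a constructed client flow.

```python
import ipaddress  # added model of IOS extended-ACE parsing; see lead-in for assumptions
PORT_NAMES = {"www": 80, "telnet": 23, "smtp": 25, "domain": 53, "ftp": 21}

def _parse_addr(tok, i):
    """Consume 'any' | 'host A.B.C.D' | 'A.B.C.D WILDCARD' (contiguous wildcard assumed)."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    prefix = 32 - bin(int(ipaddress.ip_address(tok[i + 1]))).count("1")
    return ipaddress.ip_network(f"{tok[i]}/{prefix}", strict=False), i + 2

def _parse_ports(tok, i):
    """Consume an optional 'eq P1 P2 ...' operator (numeric or named ports)."""
    if i >= len(tok) or tok[i] != "eq":
        return None, i
    ports, i = set(), i + 1
    while i < len(tok) and (tok[i].isdigit() or tok[i] in PORT_NAMES):
        ports.add(int(tok[i]) if tok[i].isdigit() else PORT_NAMES[tok[i]])
        i += 1
    return ports, i

def parse_ace(line):
    """'SEQ permit tcp SRC [eq ...] DST [eq ...] [time-range NAME]': the operator after SRC is the SOURCE port."""
    tok = line.split()
    src, i = _parse_addr(tok, 3)
    src_ports, i = _parse_ports(tok, i)
    dst, i = _parse_addr(tok, i)
    dst_ports, i = _parse_ports(tok, i)
    tr = tok[i + 1] if i < len(tok) and tok[i] == "time-range" else None
    return {"seq": int(tok[0]), "action": tok[1], "proto": tok[2], "src": src,
            "src_ports": src_ports, "dst": dst, "dst_ports": dst_ports, "time_range": tr}

def ace_matches(ace, src_ip, src_port, dst_ip, dst_port, active_ranges=()):
    """True if a TCP packet matches the ACE (a time-range ACE only while that range is active)."""
    if ace["time_range"] and ace["time_range"] not in active_ranges:
        return False
    return (ace["proto"] in ("tcp", "ip")
            and ipaddress.ip_address(src_ip) in ace["src"]
            and ipaddress.ip_address(dst_ip) in ace["dst"]
            and (ace["src_ports"] is None or src_port in ace["src_ports"])
            and (ace["dst_ports"] is None or dst_port in ace["dst_ports"]))

# Line 60 as posted, and the same entry with the port operator moved after the destination.
POSTED = "60 permit tcp 192.168.2.0 0.0.0.255 eq www 443 8080 5190 1863 any time-range QQQ_Control"
FIXED = "60 permit tcp 192.168.2.0 0.0.0.255 any eq www 443 8080 5190 1863 time-range QQQ_Control"

def web_flow_permitted(line, active=("QQQ_Control",)):
    # Constructed client flow: LAN host on an ephemeral port to an HTTPS server (TEST-NET-2 address).
    return ace_matches(parse_ace(line), "192.168.2.10", 51514, "198.51.100.7", 443, active)
```

Running `web_flow_permitted(POSTED)` returns False and `web_flow_permitted(FIXED)` returns True; with the time range inactive both return False, which is the behaviour the time-range keyword is meant to add.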