Why won't this basic ACL work?

scottford
Level 1

I have been trying to set up an Access Control List on a Cisco 1841 router. I can see that a basic ACL isn't exactly rocket science, but this just doesn't seem to work. By "doesn't work" I mean that as soon as I apply the ACL to an interface, I immediately lose all IP connectivity to the 192.168.240.0 network. Please see http://www.geocities.com/muzikan/basicdiagram.gif for a view of the basic network structure. I need to set up the router at 10.1.1.3 so that it will only permit traffic to enter from the 192.168.242.0 subnet. I have tried to account for both the internal and external interfaces of the source network. All subnet masks are /24. The access control list entries look as follows:

access-list 1 permit 192.168.242.0 0.0.0.255

access-list 1 permit 10.1.1.0 0.0.0.255

Surely there is something ridiculously easy I am overlooking here.

TIA,

Scott

14 Replies

Mark Yeates
Level 7

Scott,

The ACL would be better suited if applied outbound on the 10.1.1.1 interface.

HTH,

Mark

Edison Ortiz
Hall of Fame

Try the following ACL:

access-list 101 permit ip 192.168.242.0 0.0.0.255 any

access-list 101 permit ip 10.1.1.0 0.0.0.255 any

And apply on the interface facing those networks:

ip access-group 101 in

HTH,

__

Edison.

Hey guys, thanks a lot for the fast replies. I will try these suggestions after business hours today (5:00 CST) and leave a follow-up with the results. I have tried using the access-list 101 entry but I don't think I specified "all". I haven't tried applying to the external interface because it's a remote site and if it doesn't work I'm locked out of it. I'll run over there tonight and try all options.

Scott

I havent tried applying to the external interface because its a remote site and if it doesn't work i'm locked out of it.

Are there other networks traversing this external interface?

If so, those networks will be blocked unless you add them to the permit list.

If the external facing interface is connected to the internet, then do apply the ACL there.

From your post, it seems the connection was a private point-to-point session between 2 locations.

If you can, please draw a diagram of your topology and post it here. We can determine where is the best location to place the ACL.

HTH,

__

Edison.

I don't know if this works or not, but I see that you have a permit list. Shouldn't you also have a deny list, where you can basically say deny all except the ones you permit?

Greetings

Che

Hi Che,

Unless I am mistaken, the deny list is implied at the bottom of the ACL. Please correct me if I am wrong. Thanks.

the deny list is implied at the bottom of the ACL. Please correct me if I am wrong. Thanks.

You are correct.

Hi Edison,

The router in question has an external interface of 10.1.1.3 and an internal interface of 192.168.240.3. I only want to apply the ACL as an ingress filter on this router. It doesn't really matter to me which interface has the ACL applied, except that if I apply it to the external interface I will lose connectivity to the router from my site. Does this clear it up at all? Thanks!

I only want to apply the ACL as an ingress filter on this router.

Ideally, you want to place the ACL closest to the source network.

If the packets are coming from the outside, you need to place the ACL in the external interface.

The ACL must have the subnets you want to allow in the source field and the destination will be your network, in this case you can use 'any' keyword.

The direction of the access-group must be 'in' as the packet are coming into the router.

HTH,

__

Edison.

Ok, seems like I understand. I should be trying to apply the ACL to interface FA0/0 (10.1.1.3) instead of to interface FA0/0/0 (192.168.240.3). Could this be why the ACL is locking out all traffic regardless of the permit list?

Could this be why the ACL is locking out all traffic regardless of the permit list?

Without seeing the network topology and/or traffic flow, very hard to answer that.

HTH,

__

Edison.


Understood. I posted a link to gif showing the very basic topo structure in my first post, were you able to get to that? Perhaps it didnt show enough detail. In any case I will take your suggestions to heart and try this a couple of different ways after biz hours today and follow up with a response/rating, etc. Much appreciate the advice you have given.

I posted a link to gif showing the very basic topo structure in my first post, were you able to get to that?

Oops, missed that :)

Yes, 10.1.1.3 it is...

enghmq007
Level 1

Hi

Can you try the following configuration (global configuration mode; the explicit logged deny replaces the silent implicit deny at the end of the list):

access-list 1 permit 192.168.242.0 0.0.0.255

access-list 1 permit 10.1.1.0 0.0.0.255

access-list 1 deny any log

logging buffered

and generate your traffic, then take a look at the log buffer:

show logging

You will see the traffic that was blocked and you can correct the ACL. :)
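Two points in this thread can be checked without touching the remote router: Edison's placement rule (the ingress filter belongs inbound on the outside interface facing the source networks, with the permitted subnets in the source field and 'any' as destination) and enghmq007's suggestion of an explicit 'deny any log' so the implicit deny becomes visible in 'show logging'. The Python script below is an added example written for this thread; it is not part of the original posts and not Cisco code. It parses the thread's own access-list lines, applies Cisco wildcard-mask and first-match semantics including the implicit deny, and evaluates a few constructed flows as if access-list 1 were applied inbound on the inside interface (192.168.240.3, FA0/0/0) and on the outside interface (10.1.1.3, FA0/0). The host addresses 192.168.240.10, 192.168.242.20 and 192.168.241.5, and 10.1.1.1 as the far-end router, are assumptions for illustration.

```python
"""Simulate Cisco IOS numbered-ACL evaluation (standard and extended, 'ip' only).

Added example for this thread, not Cisco code. Shows why access-list 1 blocks
everything when applied inbound on the inside interface (192.168.240.3) but
works as an ingress filter inbound on the outside interface (10.1.1.3).
"""
import ipaddress
import re

ANY = ("0.0.0.0", "255.255.255.255")   # 'any' == network 0.0.0.0 wildcard 255.255.255.255
_IPV4 = re.compile(r"\d+\.\d+\.\d+\.\d+")

# The ACL from the original post, and the same ACL with enghmq007's logged deny.
ACL_1 = """
access-list 1 permit 192.168.242.0 0.0.0.255
access-list 1 permit 10.1.1.0 0.0.0.255
"""
ACL_1_LOGGED = ACL_1 + "access-list 1 deny any log\n"


def wildcard_match(addr, network, wildcard):
    """Cisco wildcard semantics: a 0 bit in the wildcard must match, a 1 bit is ignored."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(network)) & care)


def _parse_addr(tokens, i):
    """Consume one address spec at tokens[i]: 'any', 'host A', 'A W' or a bare 'A' (host)."""
    if tokens[i] == "any":
        return ANY, i + 1
    if tokens[i] == "host":
        return (tokens[i + 1], "0.0.0.0"), i + 2
    if i + 1 < len(tokens) and _IPV4.fullmatch(tokens[i + 1]):
        return (tokens[i], tokens[i + 1]), i + 2
    return (tokens[i], "0.0.0.0"), i + 1


def parse_acl(config):
    """Parse 'access-list N permit|deny ...' lines (a leading '#' prompt is tolerated)."""
    entries = []
    for raw in config.strip().splitlines():
        tokens = raw.strip().lstrip("#").split()
        if len(tokens) < 4 or tokens[0] != "access-list":
            continue
        number, action = int(tokens[1]), tokens[2]
        log = tokens[-1] == "log"
        if log:
            tokens = tokens[:-1]
        extended = 100 <= number <= 199 or 2000 <= number <= 2699
        i = 3
        if extended:
            if tokens[i] != "ip":
                raise ValueError("only 'ip' extended entries are modelled: " + raw)
            src, i = _parse_addr(tokens, i + 1)
            dst, i = _parse_addr(tokens, i)
        else:                      # standard ACLs test the source address only
            src, i = _parse_addr(tokens, i)
            dst = ANY
        entries.append({"action": action, "src": src, "dst": dst, "log": log})
    return entries


def evaluate(entries, src_ip, dst_ip):
    """First matching entry wins; with no match the implicit 'deny any' at the end applies."""
    for e in entries:
        if wildcard_match(src_ip, *e["src"]) and wildcard_match(dst_ip, *e["dst"]):
            return e["action"], e["log"]
    return "deny", False


# Constructed sample flows (src, dst); host addresses are assumptions, not from the thread.
FLOWS = [
    ("192.168.242.20", "192.168.240.10"),  # from the remote subnet Scott wants to permit
    ("10.1.1.1", "192.168.240.3"),         # from the far-end router's 10.1.1.0/24 address
    ("192.168.241.5", "192.168.240.10"),   # from some other, unlisted remote subnet
    ("192.168.240.10", "192.168.242.20"),  # an inside host talking back to the remote site
]
INSIDE = ipaddress.ip_network("192.168.240.0/24")


def inbound_on(entries, interface_is_inside):
    """Evaluate only the flows that would arrive inbound on the chosen interface:
    packets sourced inside arrive on FA0/0/0, everything else on FA0/0 (10.1.1.3)."""
    arriving = [f for f in FLOWS if (ipaddress.ip_address(f[0]) in INSIDE) == interface_is_inside]
    return {f: evaluate(entries, *f)[0] for f in arriving}


def inside_interface_result():
    """ACL 1 inbound on 192.168.240.3: every inside host's packet hits the implicit deny."""
    return inbound_on(parse_acl(ACL_1), interface_is_inside=True)


def outside_interface_result():
    """ACL 1 inbound on 10.1.1.3: listed subnets pass, anything else is dropped."""
    return inbound_on(parse_acl(ACL_1), interface_is_inside=False)


if __name__ == "__main__":
    for name, result in (("inbound on FA0/0/0 (inside)", inside_interface_result()),
                         ("inbound on FA0/0 (outside)", outside_interface_result())):
        print(name)
        for (src, dst), action in result.items():
            print(f"  {src:>15} -> {dst:<15} {action}")
    # With an explicit 'deny any log', the dropped packet is reported (see 'show logging').
    print("logged:", evaluate(parse_acl(ACL_1_LOGGED), "192.168.241.5", "192.168.240.10"))
```

Applied inbound on the inside interface, the only packets the list ever sees are sourced from 192.168.240.0/24, which no permit entry covers, so the implicit deny drops every one of them and the inside network goes dark from the far side. Applied inbound on 10.1.1.3, the same two permit lines admit the listed subnets and drop 192.168.241.5; the inside hosts' replies leave FA0/0 outbound unfiltered because no access-group is applied in that direction. The logged variant returns the log flag for the dropped packet, which is what makes enghmq007's 'show logging' check useful.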