09-06-2004 06:40 AM
I have configured a router to terminate connections from PCs running V4.0.5 of the VPN client. However, on trying to connect to a server on the private side of the network, the connection fails and, on the syslog server, the following messages are logged:
%SEC-6-IPACCESSLOGP: list FastEthernet0/1.78:IN denied tcp 10.10.3.109(2162) (FastEthernet0/1.78 2e36.342e.3233) -> 172.31.251.129(3389), 1 packet
However, the FastEthernet0/1.78:IN access list contains appropriate permit statements prior to the deny any any log-input final entry:
RTR-INET1-01#sh access-list FastEthernet0/1.78:IN
Extended IP access list FastEthernet0/1.78:IN
[output omitted]
990 permit tcp 10.10.3.0 0.0.0.255 host 172.31.251.129 eq 3389
1000 deny ip any any log-input (2706 matches)
Apart from removing the access list from the interface in question, is there anything I have missed out? Removing the access list from the interface is not an option, as this is on one of our Internet connections.
09-07-2004 07:50 AM
This does seem fairly strange. The syntax of the access list part that you posted indicates that the packet should have been permitted if it had gotten to statement 990, but it was denied.
One possible explanation is that there is some deny higher in the list that is stopping the packet, not the deny any any at the end.
One suggestion would be to rewrite the access list and put the permit tcp 10.10.3.0 0.0.0.255 host 172.31.251.129 eq 3389 up at the top instead of down at the bottom where it currently is.
Another alternative would be to post the configuration of the interface and of the entire access list so that we could look at them.
HTH
Rick
09-08-2004 08:40 AM
Rick,
The ACL had a deny on the full class A subnet ahead of the permit I had added towards the end. Moving the permit to the top had the desired effect.
I should have spotted that one a lot earlier :-)
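The first-match behaviour behind this thread, as an added example (not code from the original posts): a small simulator of Cisco extended-ACL evaluation with wildcard masks. The earlier class-A deny is not shown in the thread, so the entry "deny ip 10.0.0.0 0.255.255.255 any" at sequence 100 is a hypothetical stand-in; the permit and the final deny are the ones quoted above.

```python
import ipaddress
from dataclasses import dataclass

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 1 bit in the mask means 'do not care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)

@dataclass
class Ace:
    seq: int
    action: str          # "permit" or "deny"
    proto: str           # "ip" matches any protocol, otherwise e.g. "tcp"
    src: str
    src_wc: str
    dst: str
    dst_wc: str
    dport: "int | None" = None    # destination "eq <port>", None when absent

ANY = ("0.0.0.0", "255.255.255.255")   # the "any" keyword as a wildcard pair

def evaluate(acl, proto, src, dst, dport):
    """First match wins, in sequence-number order; implicit deny at the end."""
    for ace in sorted(acl, key=lambda e: e.seq):
        if (ace.proto in ("ip", proto)
                and wildcard_match(src, ace.src, ace.src_wc)
                and wildcard_match(dst, ace.dst, ace.dst_wc)
                and ace.dport in (None, dport)):
            return ace.action, ace.seq
    return "deny", None

# Constructed ACL. The thread does not show the earlier deny, so a hypothetical
# "deny ip 10.0.0.0 0.255.255.255 any" stands in for the class-A deny.
PERMIT_RDP = dict(action="permit", proto="tcp", src="10.10.3.0", src_wc="0.0.0.255",
                  dst="172.31.251.129", dst_wc="0.0.0.0", dport=3389)
DENY_CLASS_A = Ace(100, "deny", "ip", "10.0.0.0", "0.255.255.255", *ANY)
DENY_ALL = Ace(1000, "deny", "ip", *ANY, *ANY)

ORIGINAL = [DENY_CLASS_A, Ace(990, **PERMIT_RDP), DENY_ALL]   # permit near the bottom
FIXED = [Ace(10, **PERMIT_RDP), DENY_CLASS_A, DENY_ALL]       # permit moved to the top

def check_logged_packet(acl):
    # The packet from the syslog line: 10.10.3.109(2162) -> 172.31.251.129(3389)
    return evaluate(acl, "tcp", "10.10.3.109", "172.31.251.129", 3389)

if __name__ == "__main__":
    print("original:", check_logged_packet(ORIGINAL))   # ('deny', 100)
    print("fixed:   ", check_logged_packet(FIXED))      # ('permit', 10)
```

Note that on a real router the matched sequence number is what the hit counters on "show access-list" reveal: the counter on the earlier deny, not on the final deny any any, is the quick way to spot this.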