Cisco IOS ACL's nightmare. Of Course I'm a newbie.

jnolla
Why is it that we tech people like to complicate our lives? Is it to find the solution to a problem, and feel good about our problem-solving skills?

How long does it actually take you? I'm sitting here after 2 days of reading and scratching my head over my stupidity. I have wasted precious time with my family, reading and researching, trying to find the solution to this problem that I have once again created for myself.

Maybe you can help...

Replaced a Cisco PIX 501, which we were using as a router for a CIDR block we got from the ISP. Needless to say it was working fine, but we wanted to try a real router, so we got a 2611xm.
Now we got everything to work, with the exception of the ACLs. Why, I don't know.

Here are the simple statements:

FA0/0
ip address 70.1.1.132 255.255.255.240
access-group 101 in
access-group 102 out

FA0/1
ip address 70.1.2.129 255.255.255.240

access-list 101 permit tcp any any established
access-list 101 permit tcp any host 70.1.2.130 eq www
access-list 101 deny ip any any
access-list 102 permit ip 70.1.2.128 0.0.0.15 any

That's it! For some reason, after I enter just one statement for ACL 101, the connection to the outside world drops! Even more, I can't even ping FA0/1!

I ask for your help. I'm in misery, and my family needs me back.
Thanks.
CG IT

There is an implicit deny statement at the end of every ACL, so if you don't specifically allow it, the traffic is denied.

If you disable the ACL and you regain connectivity, the problem is in the ACL.
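To check the reply above against the statements in the question, here is an added example (written for this page, not posted by any participant): a small Python model of first-match ACL evaluation with the implicit deny, run over ACL 101 with constructed sample packets arriving inbound on FA0/0. It assumes the IOS meaning of `established` (TCP segment with the ACK or RST bit set); 203.0.113.5 (external) and 70.1.2.140 (an inside client) are made-up addresses.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

@dataclass
class Entry:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches every protocol; else "tcp" / "icmp"
    src: str                     # "any" or CIDR (IOS wildcard 0.0.0.15 == /28)
    dst: str
    dport: Optional[int] = None  # "eq www" == 80
    established: bool = False    # IOS: TCP segment with ACK or RST set

def _in(spec: str, addr: str) -> bool:
    return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)

def evaluate(acl: List[Entry], pkt: dict) -> Tuple[str, Optional[int]]:
    """First-match evaluation; index None means the implicit deny fired."""
    for i, e in enumerate(acl):
        if e.proto != "ip" and e.proto != pkt["proto"]:
            continue
        if not (_in(e.src, pkt["src"]) and _in(e.dst, pkt["dst"])):
            continue
        if e.dport is not None and pkt.get("dport") != e.dport:
            continue
        if e.established and not (pkt.get("flags", set()) & {"ACK", "RST"}):
            continue
        return e.action, i
    return "deny", None  # implicit deny at the end of every IOS ACL

# ACL 101 exactly as posted, applied inbound on FA0/0 (the ISP-facing side)
ACL_101 = [
    Entry("permit", "tcp", "any", "any", established=True),
    Entry("permit", "tcp", "any", "70.1.2.130/32", dport=80),
    Entry("deny", "ip", "any", "any"),
]
# Same list without the explicit deny: the implicit deny yields the same verdicts
ACL_101_NO_EXPLICIT_DENY = ACL_101[:2]

# Constructed sample packets arriving on FA0/0 (203.0.113.5 is a made-up outside host)
PACKETS = {
    "ping FA0/1 from outside": {"proto": "icmp", "src": "203.0.113.5", "dst": "70.1.2.129"},
    "new HTTP to web host":    {"proto": "tcp", "src": "203.0.113.5", "dst": "70.1.2.130", "dport": 80, "flags": {"SYN"}},
    "reply to inside client":  {"proto": "tcp", "src": "203.0.113.5", "dst": "70.1.2.140", "dport": 51000, "flags": {"ACK"}},
    "new HTTPS to web host":   {"proto": "tcp", "src": "203.0.113.5", "dst": "70.1.2.130", "dport": 443, "flags": {"SYN"}},
}

def verdicts(acl: List[Entry]) -> dict:
    """Map each sample packet name to (action, matching line index or None)."""
    return {name: evaluate(acl, pkt) for name, pkt in PACKETS.items()}
```

The ICMP echo never matches the two TCP lines and falls through to the deny, which is consistent with the ping failure in the question; only return TCP traffic and new HTTP to 70.1.2.130 get through.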

realsom1

I think the problem could be at the 3rd line where you say "access-list 101 deny ip any any", since it will deny all IP traffic. OK, I am not an expert, but I try my best. Regards

kunal.khandait

Hi,
The problem could be with the direction you have given with the ACL command. I think it should be vice versa. I am not an expert; try disabling the ACLs, and if it works then the ACL configuration is wrong. In your case the implicit deny is working. So try with the directions.

jolevine

Have you tried:

access-group 101 out
access-group 102 in

Also ping your default GW and watch to see if you get any hits on the ACL.
