tatosala 2002-05-07, 2:44 pm
Hi, I have a little problem with access-lists and I wonder if somebody could give me a hand.
This is what I did:
Extended IP access list 101
permit tcp any host 125.1.1.100 eq ftp
permit tcp any host 125.1.1.100 eq ftp-data
permit tcp any host 125.1.1.152 eq ftp
permit tcp any host 125.1.1.152 eq ftp-data
permit tcp any any eq smtp (27 matches)
permit tcp any any eq pop3
permit tcp any any eq domain
permit udp any any eq domain (1943 matches)
permit icmp any any echo (768 matches)
permit icmp any any echo-reply (21 matches)
But when I applied it to an interface as an incoming access list they can not see me from the other side of the router, and searching on Cisco's site I've found this:
“Note For most protocols, if you define an inbound access list for traffic filtering, you should include explicit access list criteria statements to permit routing updates. If you do not, you might effectively lose communication from the interface when routing updates are blocked by the implicit "deny all traffic" statement at the end of the access list”
Here is my problem, which are those explicit statements to permit routing updates?
I have learnt a lot from this forum and I'll thank you in advance.
Marcos
Detour 2002-05-07, 3:57 pm
quote: Originally posted by tatosala
<snip>But when I applied it to an interface as an incoming access list they can not see me from the other side of the router, and searching on Cisco's site I've found this:
“Note For most protocols, if you define an inbound access list for traffic filtering, you should include explicit access list criteria statements to permit routing updates. If you do not, you might effectively lose communication from the interface when routing updates are blocked by the implicit "deny all traffic" statement at the end of the access list”
Here is my problem, which are those explicit statements to permit routing updates?
I have learnt a lot from this forum and I'll thank you in advance.
Marcos
You need to clarify what you mean by "they can't see me from the other side of the router". Can your workstation be pinged by the remote hosts?
The quote you have from Cisco is in reference to routing protocol updates. This is only an issue if you are running an IP routing protocol. You might just have an access list problem. But it's hard to tell from your limited description of the problem.
tatosala 2002-05-07, 5:49 pm
Detour: first of all I want to thank you for your fast response.
You are right, now that I'm looking at what I wrote it is quite confusing.
From my workstation, I can reach/ping router1 int1 but I can not ping a workstation attached to that router's int2. The access list is applied to router2's int2 as incoming.
I have now taken off the ACL and I can ping PC1 from my PC and from router3 but I can not do it from router2. There's an attachment with the graphics.
Detour 2002-05-08, 3:49 pm
quote: Originally posted by tatosala
Detour: first of all I want to thank you for your fast response.
You are right, now that I'm looking at what I wrote it is quite confusing.
From my workstation, I can reach/ping router1 int1 but I can not ping a workstation attached to that router's int2. The access list is applied to router2's int2 as incoming.
I have now taken off the ACL and I can ping PC1 from my PC and from router3 but I can not do it from router2. There's an attachment with the graphics.
I do not see an attached graphic. Now you speak of 3 routers, or 3 interfaces on 1 router?
Please clarify further.
tatosala 2002-05-08, 4:11 pm
I don't know what I am doing wrong. I went to Post Reply and then to attach file/examinar and the .doc is 139k (below the maximum) and then submit reply. I'm going to try again. Can't be so foolish.
Detour 2002-05-08, 4:30 pm
quote: Originally posted by tatosala
I don't know what I am doing wrong. I went to Post Reply and then to attach file/examinar and the .doc is 139k (below the maximum) and then submit reply. I'm going to try again. Can't be so foolish.
Sounds like you are having configuration issues. You can ping pc1 from "my pc" but router 2 can't ping pc1? Something's up with your configuration.
guitarjim 2002-05-12, 11:54 am
I think your access list 101 is denying IP routing. If you're using EIGRP, for example:
access-list 101 permit eigrp any any
I've used the opposite:
access-list 101 deny eigrp any any
to stop a DDR from constantly going up.
tatosala 2002-05-13, 6:55 am
guitarjim
I think you're right, I'm denying RIP updates but I can not find which are the missing statements.
I've tried with
access-list 101 permit udp any any eq 520 (I've found that 520 is RIP's port for UDP)
But I'm still losing connection after applying it to an interface.
You wrote
access-list 101 permit eigrp any any
I'll try with
access-list 101 permit rip any any
tatosala 2002-05-14, 7:36 am
Nadia:
Thanks for the link, I've found some very helpful notes there.
Tatosala,
Access lists are hard to understand and there seem to be several different solutions to every problem. I'm trying to expand my knowledge on them. I have a few questions about your problem.
1. What network or host are you trying to protect with this ACL?
2. Why did you choose to put it on the incoming interface of router 2?
3. What are the addresses of your pc and pc1?
4. Did you solve your problem with the information provided in the posts? If so, what did you do?
5. What would the result of a "sho ip route" command look like from your pc? From pc1?
6. Is pc1 strictly an ftp and mail server?
I appreciate you taking the time to answer these questions. We can all learn from your experience. Thank you.
j3b
tatosala 2002-05-17, 8:29 am
Finally I could get through.
I was almost sure that I had a problem with the routing updates as I said in the thread, and guitarjim you were right too, so remember this:
“Note For most protocols, if you define an inbound access list for traffic filtering, you should include explicit access list criteria statements to permit routing updates. If you do not, you might effectively lose communication from the interface when routing updates are blocked by the implicit "deny all traffic" statement at the end of the access list”
I've tried again with:
access-list 101 permit udp any any eq 520 (I've found that 520 is RIP's port for UDP)
and this time it works.
And when the ACL was applied to the interface the router got so slow that I could hardly type a command, then I found that I was missing another statement:
access-list 101 permit tcp any any established
Now it is working all right.
To j3b:
We have a building in another city and don't want everybody in a certain sector to be able to get through and see all of our servers. I put the ACL as input on one interface because the other int has to see our network.
I really thank all of you that answered this thread. It made me change my mind, I was being just a non-active part of the forum, only reading the posts and seeing if something was useful for me.
I'm going to make a little time and try to answer as many posts as I can.
Thank you all.
Marcos.
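To make the two fixes in this thread concrete, here is an added worked example (not part of the original thread or of any Cisco software) that simulates how an inbound extended ACL is evaluated: first match wins, and whatever nothing permits falls to the implicit deny at the end. It runs the thread's access list 101 both as originally written and with the two lines that were added (permit udp any any eq 520 for RIP, permit tcp any any established) over a few constructed packets. The model is simplified: it only understands `any` or a single `host` address, `eq` on the destination port, and the IOS `established` keyword (which matches TCP segments with the ACK or RST bit set); the addresses other than 125.1.1.100 and 125.1.1.152, the port numbers above 1023 and the packet names are all constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional

# Well-known names IOS printed in the thread, mapped to port numbers.
PORT_NAMES = {"ftp": 21, "ftp-data": 20, "smtp": 25, "pop3": 110, "domain": 53, "rip": 520}


@dataclass(frozen=True)
class Packet:
    proto: str                       # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    flags: frozenset = frozenset()   # TCP flag names, e.g. {"SYN"} or {"SYN", "ACK"}
    icmp_type: str = ""              # "echo" or "echo-reply" for icmp packets


@dataclass(frozen=True)
class Rule:
    action: str                      # "permit" or "deny"
    proto: str                       # "tcp", "udp", "icmp" or "ip"
    src: str = "any"                 # "any" or a single host address (host x.x.x.x)
    dst: str = "any"
    dport: Optional[int] = None      # "eq <port>" on the destination port
    established: bool = False        # IOS 'established': ACK or RST bit set
    icmp_type: str = ""              # ICMP message type for icmp rules


def _host_match(pattern: str, addr: str) -> bool:
    return pattern == "any" or pattern == addr


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """True when every criterion of the rule applies to the packet."""
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if not _host_match(rule.src, pkt.src) or not _host_match(rule.dst, pkt.dst):
        return False
    if rule.dport is not None and pkt.dport != rule.dport:
        return False
    if rule.established and not (pkt.flags & {"ACK", "RST"}):
        return False
    if rule.icmp_type and pkt.icmp_type != rule.icmp_type:
        return False
    return True


def evaluate(acl, pkt: Packet):
    """First-match evaluation ending in the implicit 'deny ip any any'.
    Returns (action, index); index is None when the implicit deny fired."""
    for i, rule in enumerate(acl):
        if rule_matches(rule, pkt):
            return rule.action, i
    return "deny", None


def permit(proto, dst="any", dport=None, **kw):
    return Rule("permit", proto, "any", dst, dport, **kw)


# access list 101 exactly as shown in the first post
ACL_101_ORIGINAL = [
    permit("tcp", "125.1.1.100", PORT_NAMES["ftp"]),
    permit("tcp", "125.1.1.100", PORT_NAMES["ftp-data"]),
    permit("tcp", "125.1.1.152", PORT_NAMES["ftp"]),
    permit("tcp", "125.1.1.152", PORT_NAMES["ftp-data"]),
    permit("tcp", dport=PORT_NAMES["smtp"]),
    permit("tcp", dport=PORT_NAMES["pop3"]),
    permit("tcp", dport=PORT_NAMES["domain"]),
    permit("udp", dport=PORT_NAMES["domain"]),
    permit("icmp", icmp_type="echo"),
    permit("icmp", icmp_type="echo-reply"),
]

# The two statements the thread ended up adding.
ACL_101_FIXED = ACL_101_ORIGINAL + [
    permit("udp", dport=PORT_NAMES["rip"]),   # access-list 101 permit udp any any eq 520
    permit("tcp", established=True),          # access-list 101 permit tcp any any established
]

# Constructed traffic arriving inbound on the filtered interface (sample data, not captured).
SAMPLE = {
    # RIPv1 update broadcast by the neighbour router (UDP 520 -> 520)
    "rip_update": Packet("udp", "10.0.0.2", "255.255.255.255", 520, 520),
    # a new FTP control connection to the first server in the list
    "ftp_to_server": Packet("tcp", "10.0.0.50", "125.1.1.100", 40000, 21, frozenset({"SYN"})),
    # the SYN/ACK coming back for a web session that 125.1.1.152 opened itself
    "web_reply": Packet("tcp", "198.51.100.10", "125.1.1.152", 80, 40001, frozenset({"SYN", "ACK"})),
    # an unsolicited telnet SYN from outside: should stay blocked either way
    "telnet_probe": Packet("tcp", "10.0.0.50", "125.1.1.152", 40002, 23, frozenset({"SYN"})),
}


def decisions(acl) -> dict:
    """Map each sample packet name to the action the ACL takes on it."""
    return {name: evaluate(acl, pkt)[0] for name, pkt in SAMPLE.items()}


if __name__ == "__main__":
    for label, acl in (("original", ACL_101_ORIGINAL), ("fixed", ACL_101_FIXED)):
        print(label, decisions(acl))
```

With the original list the RIP update and the reply half of every outbound TCP session fall through to the implicit deny, which is why the neighbour's routes disappeared and the router crawled; the fixed list admits both while the unsolicited telnet SYN, which carries no ACK, is still dropped.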