ACL Help

Status
Not open for further replies.

captnops (IS-IT--Management, joined Feb 12, 2003, 141 messages)
My 2811 router has two 100 ports (fe0/0, fe0/1). fe0/0 is the LAN side and fe0/1 is the WAN side to the T1. Could anyone explain why the following ACL would prevent all traffic if applied to the WAN outbound port?

deny ip any host 216.178.32.52 log
permit ip any any log

Thank you for the help
 
First question would be: what does the log contain?

That acl will deny any IP traffic from any host to 216.178.32.52

UnaBomber
ccnp mcse2k
 
Thanks UnaBomber, for the confirmation. That is what it was supposed to accomplish. What I am unsure of is why all outbound traffic was prevented.

Log just shows that the interfaces bounced (presumably due to the ACL being updated on the router)
 
That ACL on its own cannot prevent all outbound traffic. Are you sure there aren't other ACLs applied on other interfaces that may be contributing?

Presumably if you remove all ACLs, connectivity is fully restored?
 
There are other ACLs on the internal interface, but (in theory) the traffic should already have gone through any ACL on the internal interface on its way out of the network on the external interface, no?
 
Well... the other ACLs could be preventing response traffic from the destination back to the source, perhaps.

What happens if you remove JUST the ACL above, is full connectivity then resumed?
 
Traffic was sent and received without issue prior to adding the ACL above.

Here is the sh access-list output (IPs x'ed to protect the guilty):

Extended IP access list 101
10 deny ip 10.x.x.0 0.0.0.255 192.x.x.0
20 deny ip 10.x.x.0 0.0.0.255 199.x.x.0 0.0.0.255 (21353 matches)
30 permit ip 10.x.x.0 0.0.0.255 any (174131 matches)
Extended IP access list 111
10 permit udp any host 204.x.x.x eq isakmp (228 matches)
20 permit esp any host 204.x.x.x (45093 matches)
30 permit ip 192.x.x.0 0.0.0.255 10.10.10.0 0.0.0.255
40 permit gre any host 204.x.x.x
50 permit tcp any host 204.x.x.x eq matches)
60 permit tcp any host 204.x.x.x eq 443 (72845 matches)
70 permit tcp any host 204.x.x.x eq smtp (71971 matches)
80 permit tcp any host 204.x.x.x eq 2004 (130549 matches)
90 permit tcp any host 204.x.x.x eq 443 (394745 matches)
100 permit tcp any host 204.x.x.x eq 1723 (12 matches)
110 permit udp host 170.x.x.x host 204.x.x.x eq snmp
120 permit tcp 206.x.x.0 0.0.0.255 host 204.x.x.x eq 1433
130 permit tcp 198.x.x.0 0.0.0.255 host 204.x.x.x eq 1433
140 permit icmp any any echo-reply (24 matches)
150 permit icmp any any administratively-prohibited (1737 matches)
160 permit icmp any any time-exceeded (342 matches)
170 permit icmp any any traceroute
180 permit icmp any any unreachable (10260 matches)
190 permit icmp any any packet-too-big
200 permit icmp any any echo (3104 matches)
210 permit udp host 204.x.x.x any eq non500-isakmp
220 permit udp any host 204.x.x.x eq non500-isakmp (177 matches)
230 permit tcp 65.x.x.0 0.0.0.255 host 204.x.x.x
240 permit udp host 192.x.x.0 host 204.x.x.x eq ntp (885 matches)
250 permit udp host 192.x.x.0 host 204.x.x.x eq ntp (711 matches)
260 permit udp 65.x.x.0 0.0.0.255 host 204.x.x.x eq 23
Extended IP access list 112
10 permit icmp any any echo-reply
20 permit icmp any any administratively-prohibited
30 permit icmp any any time-exceeded
40 permit icmp any any traceroute
50 permit icmp any any unreachable
60 permit icmp any any packet-too-big
70 permit icmp any any echo
Extended IP access list 115
10 permit ip 10.x.x.0 0.0.0.255 192.x.x.0 0.0.0.255
Extended IP access list 120
10 permit ip host 10.x.x.0 192.x.x.0 0.0.0.255
20 permit ip host 10.x.x.0 192.x.x.0 0.0.0.255 (39 matches)
30 permit ip host 10.x.x.0 192.x.x.0 0.0.0.255
Extended IP access list 125
10 permit ip 10.x.x.0 0.0.0.255 199.x.x.0 0.0.0.255 (45036 matches)
Extended IP access list group-lock
Extended IP access list idletime
Extended IP access list protocol
Extended IP access list tty66
 
Where's the access control list in question? I do not see it in the config. Is 216.178.32.52 your dns server, or web server? If so, you are denying anything from getting to it.

Tim
 
I did not make that ACL part of the running config (which may be the problem?) That address is the IP of the site I would like to block.

As a side note, I thought I read somewhere that you cannot have more than one ACL associated with an interface; can you confirm?

Thanks
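The point made earlier in the thread, that a two-entry list ending in `permit ip any any` cannot block everything on its own, while a list whose only entry is the deny would (every IOS ACL ends in an implicit `deny ip any any` that catches whatever no entry permitted), simulated in Python. This is an added example, not code from the thread; the evaluator, the 10.1.1.x source addresses and the 198.51.100.7 / 203.0.113.5 destinations are constructed for the demonstration, and it handles only the subset of extended-ACL syntax needed here (any / host / contiguous-wildcard addresses, a numeric `eq PORT`, a trailing `log`), not the named ports in the posted lists.

```python
"""Simulate Cisco IOS extended-ACL evaluation: the first matching entry wins,
and a packet that matches no entry falls through to the implicit 'deny ip any any'.
Constructed example; the packets and the DENY_ONLY list below are made up."""
import ipaddress

ANY = ipaddress.ip_network("0.0.0.0/0")


def _parse_addr(toks):
    """Consume one IOS address spec and return (network, remaining tokens).
    Accepts 'any', 'host A.B.C.D', or 'A.B.C.D WILDCARD' (contiguous wildcards only)."""
    if toks[0] == "any":
        return ANY, toks[1:]
    if toks[0] == "host":
        return ipaddress.ip_network(toks[1] + "/32"), toks[2:]
    addr, wildcard = toks[0], toks[1]
    # An IOS wildcard is the bitwise inverse of a netmask: 0.0.0.255 -> 255.255.255.0
    mask = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    net = ipaddress.ip_network(f"{addr}/{ipaddress.IPv4Address(mask)}", strict=False)
    return net, toks[2:]


class Ace:
    """One access-control entry: <permit|deny> <proto> <src> <dst> [eq PORT] [log]."""

    def __init__(self, line):
        toks = line.split()
        self.log = toks[-1] == "log"
        if self.log:
            toks = toks[:-1]
        self.action, self.proto = toks[0], toks[1]
        self.src, rest = _parse_addr(toks[2:])
        self.dst, rest = _parse_addr(rest)
        # Only a numeric destination port is supported in this demonstration.
        self.dport = int(rest[1]) if rest[:1] == ["eq"] else None

    def matches(self, proto, src, dst, dport):
        if self.proto != "ip" and self.proto != proto:
            return False
        if ipaddress.ip_address(src) not in self.src:
            return False
        if ipaddress.ip_address(dst) not in self.dst:
            return False
        return self.dport is None or self.dport == dport


def evaluate(acl_lines, proto, src, dst, dport=None):
    """Return (action, seq) for the first ACE that matches the packet.
    seq is 'implicit' when nothing matched, i.e. the implicit deny applied."""
    for seq, line in enumerate(acl_lines, start=1):
        ace = Ace(line)
        if ace.matches(proto, src, dst, dport):
            return ace.action, seq * 10  # IOS numbers entries 10, 20, 30, ...
    return "deny", "implicit"


# The two-line ACL from the original post.
OP_ACL = [
    "deny ip any host 216.178.32.52 log",
    "permit ip any any log",
]
# The same list without its permit entry: only the implicit deny remains.
DENY_ONLY = OP_ACL[:1]

if __name__ == "__main__":
    # Packets are constructed for the demonstration.
    print(evaluate(OP_ACL, "tcp", "10.1.1.20", "216.178.32.52", 80))     # ('deny', 10)
    print(evaluate(OP_ACL, "tcp", "10.1.1.20", "198.51.100.7", 443))     # ('permit', 20)
    print(evaluate(DENY_ONLY, "tcp", "10.1.1.20", "198.51.100.7", 443))  # ('deny', 'implicit')
```

Running the file prints ('deny', 10), ('permit', 20) and ('deny', 'implicit'): the posted list blocks only the one host, and everything else is carried by entry 20, so it cannot by itself blackhole the WAN. On the router the list does nothing until it is in the running config and bound to the interface with `ip access-group <list> out` under `interface FastEthernet0/1`, and an interface takes at most one IP access list per direction, so binding a new list outbound replaces whatever list was already applied there rather than stacking on it.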
 