Need help with my Access List on a Cisco 2620


mcse4u (IS-IT--Management, joined May 17, 2004, 3 messages, US)
Can someone tell me why this access list isn't working? When I implement it, I cannot do anything, like Terminal Server into a machine outside of my network, even though I specifically have port 3389 open, etc.

access-list 101 permit icmp any any
access-list 101 permit tcp any any eq 21
access-list 101 permit udp any any eq 21
access-list 101 permit tcp any any eq 23
access-list 101 permit udp any any eq 23
access-list 101 permit tcp any any eq 25
access-list 101 permit udp any any eq 25
access-list 101 permit tcp any any eq 53
access-list 101 permit udp any any eq 53
access-list 101 permit tcp any any eq 80
access-list 101 permit udp any any eq 80
access-list 101 permit tcp any any eq 110
access-list 101 permit udp any any eq 110
access-list 101 permit tcp any any eq 119
access-list 101 permit udp any any eq 119
access-list 101 permit tcp any any eq 123
access-list 101 permit udp any any eq 123
access-list 101 permit tcp any any eq 443
access-list 101 permit udp any any eq 443
access-list 101 permit tcp any any eq 1723
access-list 101 permit udp any any eq 1723
access-list 101 permit tcp any any eq 1863
access-list 101 permit udp any any eq 1863
access-list 101 permit tcp any any eq 3389
access-list 101 permit udp any any eq 3389
access-list 101 permit tcp any any eq 5631
access-list 101 permit udp any any eq 5631
access-list 101 permit tcp any any eq 5632
access-list 101 permit udp any any eq 5632
access-list 101 permit tcp any any eq 8080
access-list 101 permit udp any any eq 8080
access-list 101 permit tcp any any eq 6891
access-list 101 permit udp any any eq 6891
access-list 101 permit tcp any any eq 6892
access-list 101 permit udp any any eq 6892
access-list 101 permit tcp any any eq 6893
access-list 101 permit udp any any eq 6893
access-list 101 permit tcp any any eq 6894
access-list 101 permit udp any any eq 6894
access-list 101 permit tcp any any eq 6895
access-list 101 permit udp any any eq 6895
access-list 101 permit tcp any any eq 6896
access-list 101 permit udp any any eq 6896
access-list 101 permit tcp any any eq 6897
access-list 101 permit udp any any eq 6897
access-list 101 permit tcp any any eq 6898
access-list 101 permit udp any any eq 6898
access-list 101 permit tcp any any eq 6899
access-list 101 permit udp any any eq 6899
access-list 101 permit tcp any any eq 6900
access-list 101 permit udp any any eq 6900

!
interface Serial0/0
ip address x.x.x.x 255.255.255.252 (ip address removed for security purposes)
ip access-group 101 in
ip load-sharing per-packet
encapsulation ppp
no ip route-cache
no ip mroute-cache
no fair-queue
service-module t1 timeslots 1-24
service-module t1 remote-alarm-enable
no cdp enable
!

!
interface Serial0/1
ip address x.x.x.x 255.255.255.252 (ip address removed for security purposes)
ip access-group 101 in
ip load-sharing per-packet
encapsulation ppp
no ip route-cache
no ip mroute-cache
no fair-queue
service-module t1 timeslots 1-24
service-module t1 remote-alarm-enable
no cdp enable
 
Looks like you are allowing all these ports inbound into your network from the outside, not outbound.

Chris.


**********************
Chris Andrew, CCNA, CCSA
chris@iproute.co.uk
**********************
 
That's correct. This list is for the inbound traffic only. Anything originating from inside to the outside should be allowed. I only want to allow these ports uninitiated to enter my network. So why would this affect what I'm sending out?
 
Because you're blocking the high-port traffic which comes back. I think that you need to add

access-list 101 permit tcp any any gt 1023 established
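A small first-match ACL evaluator, added here as an illustration (it is not Cisco code and not from this thread), that checks how the reply to an RDP session opened from the inside fares against list 101 with and without the `established` line above. The ACL excerpt, the packet ports and the evaluator itself are constructed for the example.

```python
# Toy evaluator for a Cisco-style extended ACL (constructed example, not IOS code).
# It models first-match semantics, the implicit deny at the end of every Cisco
# ACL, and the 'established' keyword (matches TCP segments with ACK or RST set).
import re

# Only the "any any" form used in the thread is supported; the port operator
# after the second "any" applies to the destination port.
RULE_RE = re.compile(
    r"access-list \d+ (permit|deny) (\w+) any any"
    r"(?: (eq|gt) (\d+))?( established)?$")

def parse_acl(text):
    """Turn ACL lines into (action, proto, op, port, established) tuples."""
    rules = []
    for line in text.strip().splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            raise ValueError("unsupported line: " + line)
        action, proto, op, port, est = m.groups()
        rules.append((action, proto, op, int(port) if port else None, bool(est)))
    return rules

def evaluate(rules, proto, dport, ack=False):
    """Return (action, index) of the first matching rule; index None = implicit deny."""
    for i, (action, rproto, op, port, est) in enumerate(rules):
        if rproto not in (proto, "ip"):
            continue
        if op == "eq" and dport != port:
            continue
        if op == "gt" and not dport > port:
            continue
        if est and not (proto == "tcp" and ack):   # 'established' only matters for TCP
            continue
        return action, i
    return "deny", None   # implicit deny at the end of every Cisco ACL

# Constructed excerpt of the thread's list 101 (inbound on the serial interfaces).
ORIGINAL_ACL = """
access-list 101 permit icmp any any
access-list 101 permit tcp any any eq 3389
access-list 101 permit udp any any eq 3389
"""

def rdp_reply_allowed(acl_text):
    """Inbound reply to an RDP session started from inside: src 3389 -> high port, ACK set."""
    rules = parse_acl(acl_text)
    return evaluate(rules, "tcp", dport=49152, ack=True)[0] == "permit"

if __name__ == "__main__":
    print("without established:", rdp_reply_allowed(ORIGINAL_ACL))
    fixed = ORIGINAL_ACL + "access-list 101 permit tcp any any gt 1023 established\n"
    print("with established:   ", rdp_reply_allowed(fixed))
```

The original list only ever matches destination port 3389, so the server's reply (destination port above 1023) falls through to the implicit deny; the `established` line catches it without opening new inbound connections.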
 
I've already tried adding access-list 101 permit tcp any any established
and it didn't help any. Someone else suggested it could be because of the per packet load sharing. Any thoughts?
 
Why are you allowing all those ports into anything on your network? It doesn't look very secure.

Chris.


**********************
Chris Andrew, CCNA, CCSA
chris@iproute.co.uk
**********************
 