
ACL not working on new interface

Status
Not open for further replies.

jfmays

ISP
Oct 2, 2008
35
US
We recently changed the backbone connection for one office from a T1 to a bonded DSL line. In doing so, we moved the ACL from the T1 interface to the dialer1 config for the bonded DSL line. The ACL, which was only to block unwanted inbound traffic on the line, was now blocking damned near everything going out.

Without going into the ACL itself (not yet, at least), the name of the ACL was "OfficeACL". If I put "ip access-group OfficeACL in" in the config for Dialer1, it should only affect traffic coming IN to dialer 1 from outside, shouldn't it? Yet it seemed to be blocking all outgoing connection attempts.
 
No atm interface. Two ethernet interfaces connected to modems operating in bridge mode, that get combined into a multilink bundle. So we have....

Code:
interface Ethernet1/0
 no ip address
 full-duplex
 pppoe enable group global
 pppoe-client dial-pool-number 1
!
interface Ethernet2/0
 no ip address
 full-duplex
 pppoe enable group global
 pppoe-client dial-pool-number 1
!
[...]
interface Dialer1
 ip address negotiated
 encapsulation ppp
 no ip route-cache cef
 no ip route-cache
 ip tcp adjust-mss 1420
 dialer pool 1
 dialer-group 1
 ppp authentication pap callin
 ppp pap sent-username K1.LXFU.396820..SC@win.net password 0 paulf56
 ppp multilink

which yields....

Code:
gw1.office#show users
    Line       User       Host(s)              Idle       Location
*130 vty 0     admin      idle                 00:00:00 admin1.win.net

  Interface    User               Mode         Idle     Peer Address
  Vi2                             PPPoE        00:00:00
  Vi3                             PPPoE        00:00:00
  Vi4                             MLP Bundle   00:00:00 216.24.12.193

So where else could I put it but the dialer interface?
 
Okay, I think I figured out what's going on. The version of IOS I had did not support the "ip inspect" feature, so temporary ACLs were not being created for outbound connections. I upgraded the IOS to a version that does support firewall commands like "ip inspect xxx". Added the following commands...

Code:
ip inspect max-incomplete high 1000
ip inspect max-incomplete low 800
ip inspect one-minute high 1000
ip inspect one-minute low 800
ip inspect dns-timeout 60
ip inspect tcp idle-time 10800
ip inspect name WinnetOffice icmp
ip inspect name WinnetOffice fragment maximum 500 timeout 15
ip inspect name WinnetOffice netshow
ip inspect name WinnetOffice realaudio
ip inspect name WinnetOffice tcp
ip inspect name WinnetOffice http
ip inspect name WinnetOffice udp
ip inspect name WinnetOffice tftp
ip inspect name WinnetOffice ftp audit-trail off

Thing is, when I add "ip inspect WinnetOffice in" to the LAN (FastEthernet0/0) interface, or "ip inspect WinnetOffice out" to the WAN (Dialer1) interface, that command alone begins breaking connection attempts to the world, even without the ACL set enabled. That shouldn't happen, should it?
 
You should have the inspect statement applied to the LAN interface and an ACL applied to the multilink interface.
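The mechanism behind the whole thread, as an added illustration that is not part of the original posts and is not IOS configuration: a stateless "in" ACL on the WAN side evaluates every inbound packet on its own, so the SYN-ACK coming back for an outbound connection hits the ACL's implicit deny just like unsolicited traffic does. A CBAC-style inspect rule applied inbound on the LAN interface records each outbound session and opens a temporary return-path entry that is checked before the static ACL. The model below is a toy; the addresses, ports, the `OfficeACL` entries and the class names are constructed for the example, and it does not reproduce the real IOS ordering of ACL and inspection processing in detail.

```python
"""Toy model of a stateless inbound WAN ACL versus stateful inspection.

Added example, not IOS code. All addresses, ports and ACL entries are
constructed; OfficeACL here is an assumed two-line list, not the poster's.
"""
from dataclasses import dataclass
from typing import Optional, Dict, List


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"
    flags: str = ""          # "S" = SYN, "SA" = SYN-ACK, for readability only


@dataclass
class Ace:
    """One access-list entry, e.g. 'permit tcp any host 203.0.113.10 eq 25'."""
    action: str              # "permit" or "deny"
    proto: str               # "ip" matches any protocol
    src: str                 # "any" or one address
    dst: str
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return (self.proto in ("ip", p.proto)
                and self.src in ("any", p.src)
                and self.dst in ("any", p.dst)
                and (self.dport is None or self.dport == p.dport))


class Acl:
    """Static ACL: first matching entry wins, implicit deny at the end."""
    def __init__(self, name: str, entries: List[Ace]):
        self.name = name
        self.entries = list(entries)

    def evaluate(self, p: Packet) -> str:
        for ace in self.entries:
            if ace.matches(p):
                return ace.action
        return "deny"


class Inspector:
    """CBAC-style inspection: remembers outbound sessions and permits
    the matching return traffic ahead of the static ACL."""
    def __init__(self):
        self.sessions = set()

    def track_outbound(self, p: Packet) -> None:
        self.sessions.add((p.proto, p.src, p.sport, p.dst, p.dport))

    def permits_return(self, p: Packet) -> bool:
        # A reply has the original 5-tuple with source and destination swapped.
        return (p.proto, p.dst, p.dport, p.src, p.sport) in self.sessions


class Router:
    """WAN-inbound ACL, optionally with inspection on the LAN-inbound side."""
    def __init__(self, wan_in_acl: Acl, inspect_lan_in: Optional[Inspector] = None):
        self.acl = wan_in_acl
        self.inspector = inspect_lan_in

    def forward_lan_to_wan(self, p: Packet) -> str:
        if self.inspector:                     # 'ip inspect ... in' on the LAN
            self.inspector.track_outbound(p)
        return "forwarded"

    def forward_wan_to_lan(self, p: Packet) -> str:
        if self.inspector and self.inspector.permits_return(p):
            return "forwarded (dynamic entry)"
        if self.acl.evaluate(p) == "permit":   # 'ip access-group ... in' on WAN
            return "forwarded"
        return "dropped by " + self.acl.name


def simulate(inspect_enabled: bool) -> Dict[str, str]:
    """Run one outbound web connection plus two inbound packets through
    the router, with or without inspection, and report each verdict."""
    acl = Acl("OfficeACL", [
        Ace("permit", "tcp", "any", "203.0.113.10", 25),   # inbound mail only
        Ace("deny", "ip", "any", "any"),                   # block the rest
    ])
    router = Router(acl, Inspector() if inspect_enabled else None)
    syn = Packet("192.0.2.50", 40000, "198.51.100.7", 80, flags="S")
    synack = Packet("198.51.100.7", 80, "192.0.2.50", 40000, flags="SA")
    unsolicited = Packet("198.51.100.7", 55555, "192.0.2.50", 22, flags="S")
    mail = Packet("198.51.100.7", 55555, "203.0.113.10", 25, flags="S")
    return {
        "outbound SYN": router.forward_lan_to_wan(syn),
        "return SYN-ACK": router.forward_wan_to_lan(synack),
        "unsolicited SYN": router.forward_wan_to_lan(unsolicited),
        "inbound mail": router.forward_wan_to_lan(mail),
    }


if __name__ == "__main__":
    for enabled in (False, True):
        print("inspection", "on" if enabled else "off", simulate(enabled))
```

Without the inspector the return SYN-ACK is dropped by the static list, which is the behaviour described in the first post; with it, the reply is admitted through the dynamic entry while unsolicited inbound connections are still blocked and the explicitly permitted mail traffic still passes. That is the layout the last reply describes: inspection on the LAN interface, the ACL on the WAN/multilink side.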
 