Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations strongm on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Extended Access-list question

Status
Not open for further replies.
1Drisnil

1Drisnil

MIS
Mar 29, 2003
131
US
I need to foward tcp traffic intended for ISA web proxy service across a cisco 1721 router; IOS 12.2(4). I am under the impression that to forward traffic across a router, one needs access-lists.

Apparently I missed something because once I tried this approach usning the below code, traffic to that side stopped receiving data for traffic like terminal services, etc. .

I do not intend to deny any of the traffic, I just want to assure that the traffic bound for port 8080 is making it across the WAN link.

I started with the following extended access-list as such:

config t

! access ist for web proxy traffic
RouterB(config)# access-list 101 permit tcp 10.10.11.0 0.0.0.255 any eq 8080
! access list for HTTPS traffic
RouterB(config)# access-list 101 permit tcp 10.10.11.0 0.0.0.255 any eq 443
!access list for already established return traffic
RouterB(config)# access-list 102 permit tcp any 10.10.11.0 0.0.0.255 est

Then in applying the lists, I typed:

RouterB(config)# config t
RouterB(config)# int s1
RouterB(config)# ip access-group 101 out
RouterB(config)# ip access-group 102 in

with the understanding that the point of view is the same for incoming & outgoing traffic -- interface serial 1.

Did I miss the line that keeps the interface open ?? Did I forget this line:

access-list 101 permit tcp any any

If not, what did I miss and how to fix my code?


Thanxs in advance for all your help!!
 
Sort by date Sort by votes
At the end of every access-list is an explicit deny all. You have to make sure that once you have created the appropiate access-list you follow on with the command "access-list 101 permit any any". Otherwise all other services will be denied.
 
Upvote 0 Downvote
Sorry, the correct command is
"access-list 101 permit ip any any". i left the IP out in the previous post.
 
Upvote 0 Downvote
>I need to foward tcp traffic intended for ISA web proxy service across a cisco 1721 router; IOS 12.2(4). I am under the impression that to forward traffic across a router, one needs access-lists.

The access list is used to control the traffic, the default state without any lists applied is to send it across the interface.

So, if you need to send it across remove the list and ALL traffic can be sent or received by the interfaces.

 
Upvote 0 Downvote
I was afraid you'd say that, routerman. My environment is a newly built Windows 2000 network. We initially attempted an upgrade from NT4, btu had some problems with it.

I have the 2 books from Dr. Shinder on ISA, and it states that if you have a complex network (one involving routers), that statements are reqired on your routers to enforce that traffic is sent across them. Well I crafted static routes, and as far as I can tell all traffic flows from one subnet to the other without a hitch, but those clients on the other subnet( the one that doesn't contain the ISA box) can not use it aka no internet by either means(web proxy software or SecureNAT). I am wondering if there is anything I can do that would direct traffic from a specific port to the ISA subnet that would be different than just using static routes. Is this just a deployemyn issue I should address to the ISA forum?

Inquiring Minds,
 
Upvote 0 Downvote
The problem you are seeing may be specific to the ISA application, its something I know very little about.

What I can say is that if you remove all the ACL's from the routers you should be able to ping from a client to the server in both directions. If you can do this then the routing is correct.

I have know problems like this where the applications need to rely on additional services to achieve connectivity such as DNS or WINS for name resolution. A common problem with Windows clients is thet they use broadcasts for the NetBios name resolution, these broadcasts are NOT forwarded by the routers. So thye have to use WINS servers to resolve the name to an IP address.

Sounds an interesting problem....
 
Upvote 0 Downvote
I thank you for your insight into my questions/problems, routerman.

It is indeed an interesting problem. We are running an Active Directory environment with many services including the ones you mentioned in your post.

I have some experience with Cisco products outside of work with being enrolled Cisco's Network Academy coursework for CCNA version 3.0 .

Between work and education, and other resources like Tek-tips, I am slowly uncovering the true nature behind these issues/problems.

Thanks again to everyone that gave input to my questions.


 
Upvote 0 Downvote
Weijinu,

Are you running WINs or DNS? I would suggest DNS but if you aren't oh well no problem. What routerman suggested is correct with NT (4.0 or 2k) you need to use the local server as a WINS server or use IP-helper and set the target to a WINS or DNS server as the address.
If the hosts are getting their DNS or WINS resolved via a DHCP server all the better (especially if it is local to the subnet, if not again you can use ip-helper command to point to the correct server). Set the servers to replicate make sure the server is set-up to supply WINS or DNS ionformation to the clients. This should rid you of your name resolution problems. If you need more in depth information just let me know.
 
Upvote 0 Downvote
If the hosts are getting their DNS or WINS resolved via a DHCP server all the better

oooppsss

I meant: If the hosts are getting their DNS or WINS resolution information via a DHCP server all the better
 
Upvote 0 Downvote
Well, to give more info, the following services are being run...

DHCP on both subnets
Wins on both subnets partners
DNS on both subnets Partners
AD on the root DC
there are also 2 Global catalog servers between the subnets.

Does this mean to use the IP-helper address on the routers?



 
Upvote 0 Downvote
No, you shouldn't have to run IP-helper then at all. What I would do is make sure the DHCP server is suppling the client computers with WINS, and or DNS information. Make sure the DHCP server points to whatever the WINS server is and whaterver the DNS server is (and make sure those servers are replicating properly).

This way all the client pc's know what server they have to use for name resolution. You may want to check your clinet machines and make sure they are set to use the information from the servers. (IE, wins or DNS isn't disabled on the machines).

 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

Zero6
  • Locked
  • Question
question about cisco cbs 350-12xs 12 port 10g sfp+
Replies
0
Views
120
Zero6
Zero6
Mogles49
  • Locked
  • Question
Firewall ACL question
Replies
1
Views
97
burtsbees
burtsbees
dmourghen
  • Locked
  • Question
PBR issue and Access-list
Replies
0
Views
85
dmourghen
dmourghen
CDIV
  • Locked
  • Question
Use uplink port as access port 2960 1
Replies
9
Views
277
CDIV
CDIV
CDIV
  • Locked
  • Question
How do I enable SSH access in 2960x 1
Replies
4
Views
461
iggsterman
iggsterman

Part and Inventory Search

Sponsor

Back
Top