
Need Help with Access-lists Please

Jan 30, 2002
Here is my example for an access-list.
Router 3640
serial0/0 (internet port)
serial1/1:0 (customer on a T1)

Router 2610
serial 0/0 (going to router 3640 serial1/1:0)

Router 3640 config
interface Serial0/0
bandwidth 1536
no ip address
encapsulation frame-relay IETF
no ip route-cache
no ip mroute-cache
no fair-queue
service-module t1 timeslots 1-24
frame-relay lmi-type ansi
!
interface Serial0/0.1 point-to-point
bandwidth 1536
ip address 192.168.0.1 255.255.255.252
ip access-group 100 in
no ip route-cache
no ip mroute-cache
frame-relay interface-dlci 500 IETF

interface Serial1/1:0
bandwidth 1536
ip address 10.0.0.1 255.255.255.252
encapsulation ppp
no ip route-cache
no fair-queue

access-list 100 permit tcp any any established
access-list 100 permit icmp any any
access-list 100 permit tcp any any eq domain
access-list 100 permit udp any any eq domain
access-list 100 permit tcp any any eq www
access-list 100 permit udp any any eq 80
access-list 100 permit tcp any any eq pop3
access-list 100 permit udp any any eq 110
access-list 100 permit tcp any any eq 443
access-list 100 permit udp any any eq 443
access-list 100 permit tcp any any eq 445
access-list 100 permit udp any any eq 445
access-list 100 permit tcp any any eq 1433
access-list 100 permit udp any any eq 1433
access-list 100 permit tcp any any eq 3389
access-list 100 permit udp any any eq 3389
access-list 100 permit tcp any any eq 7002
access-list 100 permit udp any any eq 7002
access-list 100 permit tcp any any eq 8383
access-list 100 permit udp any any eq 8383
access-list 100 permit tcp any any range ftp-data smtp
access-list 100 permit udp any any range 20 25
access-list 100 permit tcp any any range 1645 1646
access-list 100 permit udp any any range 1645 1646
access-list 100 permit tcp any any range 5631 5632
access-list 100 permit udp any any range 5631 5632


Router 2610
interface Serial0/0
bandwidth 1536
ip address 10.0.0.2 255.255.255.252
ip access-group 100 in
no ip directed-broadcast
encapsulation ppp
no ip mroute-cache
no fair-queue
service-module t1 linecode ami
service-module t1 timeslots 1-24 speed 56

access-list 100 permit tcp any any established
access-list 100 permit icmp any any
access-list 100 permit tcp host 192.168.0.120 any eq telnet
access-list 100 permit udp host 192.168.0.120 any eq 23
access-list 100 permit tcp host 192.168.0.100 any eq telnet
access-list 100 permit udp host 192.168.0.100 any eq 23

What I am trying to do is close all ports on the 2610 but telnet to the hosts listed. The 3640 works fine with that access-list,
but when I apply the access-list to the 2610 it works on all the incoming, but then
everything going out does not work, like pulling up websites.
Any ideas?
Thanks

access-list 100 permit tcp any any established
access-list 100 permit icmp any any
access-list 100 permit tcp host 192.168.0.120 any eq telnet
access-list 100 permit udp host 192.168.0.120 any eq 23
access-list 100 permit tcp host 192.168.0.100 any eq telnet
access-list 100 permit udp host 192.168.0.100 any eq 23

If you apply this inbound on the serial then you will not be able to browse the web if your clients are doing DNS lookups. Their initial DNS query will be allowed out and the reply from the DNS server will come in on a UDP port greater than 1023. As you are not allowing this in on your access list your clients will not be able to browse the web.

Chris.
************************
Chris Andrew, CCNA
chrisac@gmx.co.uk
************************
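To make Chris's point concrete, here is an added example (my code, not from the thread or from Cisco) that evaluates the first three lines of the 2610 access-list against two constructed inbound replies: a web response (TCP, source port 80, ACK set) and a DNS answer (UDP, source port 53, destination port 1035). The "fixed" list adds one line of my own suggestion, `permit udp any eq domain any gt 1023`, which is an assumption about the remedy and not something the thread states; the sample addresses are made up.

```python
# Added example (not from the thread): a tiny evaluator for the subset of Cisco
# extended-ACL syntax used above (any/host, eq/gt/range ports, established, implicit deny).
PORT_NAMES = {"ftp-data": 20, "telnet": 23, "smtp": 25, "domain": 53, "www": 80, "pop3": 110}
def _port(tok):
    return int(tok) if tok.isdigit() else PORT_NAMES[tok]

def _addr(toks):  # 'any' or 'host A.B.C.D' -> (matcher, remaining tokens)
    if toks[0] == "any":
        return (lambda ip: True), toks[1:]
    return (lambda ip, h=toks[1]: ip == h), toks[2:]

def _ports(toks):  # optional eq/gt/range qualifier -> (matcher, remaining tokens)
    ops = {"eq": lambda x, p: x == p, "gt": lambda x, p: x > p}
    if toks and toks[0] in ops:
        return (lambda x, f=ops[toks[0]], p=_port(toks[1]): f(x, p)), toks[2:]
    if toks and toks[0] == "range":
        return (lambda x, a=_port(toks[1]), b=_port(toks[2]): a <= x <= b), toks[3:]
    return (lambda x: True), toks

def parse_acl(text):
    rules = []
    for line in text.strip().splitlines():
        t = line.split()[2:]  # drop the 'access-list 100' prefix
        action, proto, t = t[0], t[1], t[2:]
        src, t = _addr(t); sport, t = _ports(t)
        dst, t = _addr(t); dport, t = _ports(t)
        rules.append((action, proto, src, sport, dst, dport, "established" in t))
    return rules

def evaluate(rules, pkt):
    # pkt: dict(proto, src, dst, sport, dport, ack); first matching entry wins.
    for action, proto, src, sport, dst, dport, est in rules:
        if proto != pkt["proto"] or not (src(pkt["src"]) and dst(pkt["dst"])):
            continue
        if not (sport(pkt.get("sport", 0)) and dport(pkt.get("dport", 0))):
            continue
        if est and not pkt.get("ack"):  # 'established' only matches TCP with ACK/RST set
            continue
        return action
    return "deny"  # implicit deny at the end of every Cisco ACL
ACL_2610 = """
access-list 100 permit tcp any any established
access-list 100 permit icmp any any
access-list 100 permit tcp host 192.168.0.120 any eq telnet
"""
# Constructed sample replies arriving inbound on the 2610's Serial0/0 (addresses are made up).
WEB_REPLY = dict(proto="tcp", src="203.0.113.10", sport=80, dst="192.168.0.50", dport=1034, ack=True)
DNS_REPLY = dict(proto="udp", src="203.0.113.53", sport=53, dst="192.168.0.50", dport=1035, ack=False)
# Assumed remedy (my suggestion, not Chris's line): let DNS answers back in to the client's high port.
ACL_FIXED = ACL_2610 + "access-list 100 permit udp any eq domain any gt 1023\n"
```

The web reply passes the original list because of `established`, while the UDP DNS answer has no such state keyword to match and falls to the implicit deny, which is exactly why browsing breaks after the list is applied.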