
Need some clarification regarding Cisco Access-Lists

Status
Not open for further replies.

dbarasch (MIS), Feb 16, 2004
As you can see from my two NICs, the only access-lists in use are 102 and 198. Access-list 11 is not in use according to the configuration.

I decided to delete access-list 11, since it wasn't needed. When I did that, no clients on the internal network could access the internet.

Why would deleting access-list 11 have any bearing on the internal clients when access-list 198 is bound to the Internal NIC card on the router?


====================================================
interface FastEthernet0/0
description connected to internet
ip address SCRUBBED
ip access-group 102 in
ip nat outside
ip route-cache flow
duplex auto
speed 100
!
interface FastEthernet0/1
description connected to inside
ip address 192.168.10.1 255.255.255.0 secondary
ip address 192.168.11.1 255.255.255.0
ip access-group 198 in
ip nat inside
ip route-cache flow
speed 100
full-duplex
!

ip http server
no ip http secure-server
ip classless

!
!
!
ip access-list extended INTERNAL
remark New not in use, yet-----------------------------
permit tcp any any eq www
permit tcp any any eq domain
permit udp any any eq domain
permit tcp any any eq telnet
permit tcp any any eq ftp
permit tcp any any eq 443
permit tcp any any eq pop3
permit tcp any any eq smtp
deny ip any any



access-list 11 permit 192.168.11.0 0.0.0.255
access-list 11 permit 192.168.10.0 0.0.0.255
!
access-list 102 permit udp any host SCRUBBED eq isakmp
access-list 102 permit esp any host SCRUBBED
access-list 102 permit tcp any host SCRUBBED eq telnet
access-list 102 permit tcp any host SCRUBBED eq 1352
access-list 102 permit tcp any host SCRUBBED eq www
access-list 102 permit udp any eq domain any
access-list 102 permit tcp any any established
access-list 102 permit tcp any host SCRUBBED eq www
access-list 102 permit tcp any host SCRUBBED eq 1352
access-list 102 permit tcp any host SCRUBBED eq www
access-list 102 permit tcp any host SCRUBBED eq ftp
access-list 102 permit tcp any host SCRUBBED eq ftp-data
access-list 102 permit tcp any host SCRUBBED eq www
access-list 102 permit tcp any SCRUBBED eq www
access-list 102 permit tcp any SCRUBBED eq www
access-list 102 permit tcp any host SCRUBBED eq www
access-list 102 permit ip any host SCRUBBED
access-list 102 permit ip any host SCRUBBED
access-list 102 permit ip any host SCRUBBED log
access-list 102 permit ip any host SCRUBBED log

access-list 198 deny tcp any any eq 135
access-list 198 deny udp any any eq 135
access-list 198 deny udp any any eq tftp
access-list 198 deny tcp any any eq 139
access-list 198 deny tcp any any eq 445
access-list 198 deny tcp any any eq 593
access-list 198 deny tcp any any eq 2745
access-list 198 deny tcp any any eq 1025
access-list 198 deny tcp any any eq 3127
access-list 198 deny tcp any any eq 6129
access-list 198 deny tcp any any eq 554
access-list 198 deny tcp any any eq 7070
access-list 198 permit ip any any

====================================================
 
Do you have
ip nat inside source list 11 int fa0/0 overload

If this is associated with your NAT statement, what you say makes sense.

Please post the entire config, minus passwords/public IPs.

Burt
 
Building configuration...

Current configuration : 3693 bytes
!
version 12.3
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname cisco2621-2
!
boot-start-marker
boot-end-marker
!
enable secret 5 SCRUBBED
enable password 7 SCRUBBED
!
no aaa new-model
ip subnet-zero
ip cef
!
!
ip name-server SCRUBBED
ip name-server SCRUBBED
!
ip audit po max-events 100
!
!
!
interface FastEthernet0/0
description connected to internet
ip address SCRUBBED 255.255.255.224
ip access-group 102 in
ip nat outside
ip route-cache flow
duplex auto
speed 100
!
interface FastEthernet0/1
description connected to inside
ip address 192.168.10.1 255.255.255.0 secondary
ip address 192.168.11.1 255.255.255.0
ip access-group 198 in
ip nat inside
ip route-cache flow
speed 100
full-duplex
!
ip nat pool external-pool SCRUBBED SCRUBBED netmask 255.255.255.0
ip nat inside source list 11 pool external-pool overload
ip nat inside source static 192.168.11.35 SCRUBBED
ip nat inside source static 192.168.11.36 SCRUBBED
ip nat inside source static 192.168.11.27 SCRUBBED
ip http server
no ip http secure-server
ip classless
ip route 0.0.0.0 0.0.0.0 SCRUBBED
ip route SCRUBBED 255.255.255.255 FastEthernet0/0
ip route 192.168.75.0 255.255.255.0 192.168.75.1
!
!
!
ip access-list extended BAS
remark ----------------------------------------
remark CONTAINS ALLOWED PORTS COMING FROM THE INTERNAL NIC TO INTERNET
permit tcp any any eq www
permit tcp any any eq domain
permit udp any any eq domain
permit tcp any any eq telnet
permit tcp any any eq ftp
permit tcp any any eq 443
permit tcp any any eq pop3
permit tcp any any eq smtp
deny ip any any
access-list 11 permit 192.168.11.0 0.0.0.255
access-list 11 permit 192.168.10.0 0.0.0.255
access-list 102 permit udp any host SCRUBBED eq isakmp
access-list 102 permit esp any host SCRUBBED
access-list 102 permit tcp any host SCRUBBED eq telnet
access-list 102 permit tcp any host SCRUBBED eq 1352
access-list 102 permit tcp any host SCRUBBED eq www
access-list 102 permit udp any eq domain any
access-list 102 permit tcp any any established
access-list 102 permit tcp any host SCRUBBED eq www
access-list 102 permit tcp any host SCRUBBED eq 1352
access-list 102 permit tcp any host SCRUBBED eq www
access-list 102 permit tcp any host SCRUBBED eq ftp
access-list 102 permit tcp any host SCRUBBED eq ftp-data
access-list 102 permit tcp any host SCRUBBED eq www
access-list 102 permit tcp any host SCRUBBED eq www
access-list 102 permit tcp any host SCRUBBED eq www
access-list 102 permit tcp any host SCRUBBED eq www
access-list 102 permit ip any host SCRUBBED
access-list 102 permit ip any host SCRUBBED
access-list 102 permit ip any host SCRUBBED log
access-list 102 permit ip any host SCRUBBED log
access-list 198 deny tcp any any eq 135
access-list 198 deny udp any any eq 135
access-list 198 deny udp any any eq tftp
access-list 198 deny tcp any any eq 139
access-list 198 deny tcp any any eq 445
access-list 198 deny tcp any any eq 593
access-list 198 deny tcp any any eq 2745
access-list 198 deny tcp any any eq 1025
access-list 198 deny tcp any any eq 3127
access-list 198 deny tcp any any eq 6129
access-list 198 deny tcp any any eq 554
access-list 198 deny tcp any any eq 7070
access-list 198 permit ip any any
access-list 198 remark From local network to Internet
!
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
password 7 SCRUBBED
login
!
!
end

cisco2621-2#
 
This is why you need list 11 back...

ip nat inside source list 11 pool external-pool overload

That's your NAT---your hosts will NOT be able to get to the internet without it.

Burt
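Burt's answer shows the check to run before deleting any ACL: search the whole config for every place the list is consumed, not just the `ip access-group` lines under the interfaces, because `ip nat inside source list`, `access-class` on the vty lines and route-map `match ip address` statements consume ACLs too. The following is an added example, not code from this thread or from Cisco: a small Python parser that builds that cross-reference from a config dump. The sample config embedded in it is a constructed, trimmed copy of the one posted above, with the scrubbed addresses replaced by documentation-range placeholders and one extra `access-class 11 in` reference added to show a second kind of consumer; the function names are the example's own.

```python
"""Report where each Cisco IOS access-list is referenced, so a list is not
removed while an interface, the NAT rule or a vty line still depends on it.
Added example, not code from the thread."""
import re
from collections import defaultdict

# Constructed sample: trimmed copy of the posted config, placeholder
# addresses, plus one extra access-class reference (not in the original).
SAMPLE_CONFIG = """\
interface FastEthernet0/0
 description connected to internet
 ip address 203.0.113.2 255.255.255.224
 ip access-group 102 in
 ip nat outside
!
interface FastEthernet0/1
 description connected to inside
 ip address 192.168.11.1 255.255.255.0
 ip access-group 198 in
 ip nat inside
!
ip nat pool external-pool 203.0.113.10 203.0.113.20 netmask 255.255.255.0
ip nat inside source list 11 pool external-pool overload
ip access-list extended BAS
 remark CONTAINS ALLOWED PORTS COMING FROM THE INTERNAL NIC TO INTERNET
 permit tcp any any eq www
 deny ip any any
access-list 11 permit 192.168.11.0 0.0.0.255
access-list 11 permit 192.168.10.0 0.0.0.255
access-list 102 permit tcp any any established
access-list 198 deny tcp any any eq 135
access-list 198 permit ip any any
line vty 0 4
 access-class 11 in
 login
"""

# Where an ACL is defined (numbered and named forms).
DEF_NUMBERED = re.compile(r"^access-list\s+(\S+)\s")
DEF_NAMED = re.compile(r"^ip access-list\s+(?:standard|extended)\s+(\S+)")
# Where an ACL is consumed; group(1) is the ACL name or number.
REF_PATTERNS = [
    ("access-group", re.compile(r"^ip access-group\s+(\S+)\s+(in|out)")),
    ("nat-source", re.compile(r"^ip nat (?:inside|outside) source list\s+(\S+)")),
    ("access-class", re.compile(r"^access-class\s+(\S+)\s+(in|out)")),
    ("route-map-match", re.compile(r"^match ip address\s+(\S+)")),
]
# Lines that open a sub-mode; a reference inside belongs to that block.
SECTION = re.compile(r"^(interface|line|route-map)\s+.+")


def parse_config(text):
    """Return (set of defined ACLs, {acl: [(kind, context), ...]}).
    Leading whitespace is stripped, so it also handles a config pasted
    into a forum with the indentation lost, like the one above."""
    defined = set()
    refs = defaultdict(list)
    context = "global"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            context = "global"  # '!' ends the current sub-mode block
            continue
        if SECTION.match(line):
            context = line
            continue
        for pattern in (DEF_NUMBERED, DEF_NAMED):
            m = pattern.match(line)
            if m:
                defined.add(m.group(1))
        for kind, pattern in REF_PATTERNS:
            m = pattern.match(line)
            if m:
                refs[m.group(1)].append((kind, context))
    return defined, dict(refs)


def acl_references(text, acl):
    """Every place the given ACL is used; an empty list means nothing depends on it."""
    return parse_config(text)[1].get(str(acl), [])


def unreferenced_acls(text):
    """ACLs that are defined but consumed nowhere (the real removal candidates)."""
    defined, refs = parse_config(text)
    return sorted(defined - set(refs))


def dangling_references(text):
    """ACLs consumed somewhere but no longer defined (what deleting list 11 leaves behind)."""
    defined, refs = parse_config(text)
    return sorted(set(refs) - defined)


if __name__ == "__main__":
    defined, refs = parse_config(SAMPLE_CONFIG)
    for acl in sorted(defined):
        uses = refs.get(acl, [])
        print(f"access-list {acl}: {'IN USE' if uses else 'unreferenced'}")
        for kind, context in uses:
            print(f"    {kind:16} in {context}")
    print("dangling references:", dangling_references(SAMPLE_CONFIG))
```

Run against the sample, the report shows list 11 consumed by the NAT rule (and, in the constructed sample, by the vty line) even though no interface applies it, which is exactly the dependency the original poster missed; the only list with no consumer is the named list BAS, matching its "not in use, yet" remark. Note that on a real IOS box a NAT rule that names a non-existent list does not fail loudly: the rule simply matches nothing, so the inside hosts silently lose translation, which is why a config-level cross-reference like this is worth keeping next to the change procedure.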
 