
Problem with access list. Please help!


tabularasa
Technical User
Sep 20, 2002
I'm trying to set up a basic access-list for our two routers using BGP here to get into our network. I just want these services to enter and nothing else. That way it will take a little stress off of the firewall that is behind the routers. When I use this access-list on both routers, I am unable to access the web pages on the servers on our network. Any suggestions?

access-list 100 permit tcp any any eq domain
access-list 100 permit udp any any eq domain
access-list 100 permit tcp any any eq bgp
access-list 100 permit tcp any any eq www
access-list 100 permit tcp any any eq 21
access-list 100 permit tcp any any eq 20
access-list 100 permit tcp any any eq pop3
access-list 100 permit tcp any any eq 443
access-list 100 permit tcp any any eq smtp
access-list 100 permit tcp any any eq 8383
access-list 100 permit tcp any any eq 1723
access-list 100 permit tcp host 10.10.0.5 any eq telnet
access-list 100 deny ip any any

int fas 0/0
ip access-group 100 in

Any suggestions? Am I missing a protocol that is critical to letting traffic get to my servers? Please help.


 
Forgot to mention one IMPORTANT thing.

I can access the pages from outside the network, but am unable to resolve DNS from inside our network, and can not see our own web pages.

Any suggestions?

Thanks!
 
I tried this

permit tcp any any established

Didn't work.

Wouldn't an IP permit any any established open up a big security hole?

 
To be more specific:

I was able to access the pages for a short period of time, but other workstations on the same subnet were unable to see the page.

It works if you are already connected to the page or just were, but does not work how I need it to.
 
One thing you may want to try is using your logs. Use the command:

deny ip any any log

Then check your log (sh log) or syslog server and identify what IP and port is being rejected, and adjust your ACL accordingly.

You're probably denying return traffic from DNS or web servers.
 
Quote(s):
"I'm trying to set up a basic access-list for our two routers using BGP here to get into our network. I just want these services to enter and nothing else." So essentially the list is working and only denying access to internal users, an unwanted side effect.

"I use this access-list on both routers, then i am unable to access the web-pages on the servers on our network.." Try placing the list on only one of the routers. If my source is accurate (my CCNA book) extended access lists are placed on the router (interface) closest to the destination...your web server.

I hope this is helpful?
 
What you are trying to do is the job of the firewall. Your router isn't stateful so when traffic leaves the network heading for DNS server and web servers the reply traffic will be blocked by your access list.

If you have a firewall then try to enforce your security on that rather than the router. If something doesn't work then you'll have a hell of a time trying to determine if the router or the firewall is at fault.

Chris.
**********************
Chris Andrew, CCNA, CCSA
chris@iproute.co.uk
**********************
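As an added illustration (not code from the thread or from any of the posters), a small Python model of how a stateless extended ACL evaluates the posted list 100 against the reply packets IPRoute describes, and what changes when the "permit tcp any any established" line tabularasa tried is put at the top. The addresses, ports and helper names are assumptions made up for the example.

```python
# Added example, not from the thread: a minimal model of a stateless
# Cisco-style extended ACL, showing why ACL 100 (inbound on the outside
# interface) drops replies to DNS lookups and web requests that start
# inside the network, and why "established" only helps for TCP.
from collections import namedtuple

# ack = TCP ACK or RST bit set, which is all that "established" checks.
Pkt = namedtuple("Pkt", "proto src dst sport dport ack", defaults=(False,))
# src_host/dport None mean "any"; proto is "tcp", "udp" or "ip".
Rule = namedtuple("Rule", "action proto src_host dport established",
                  defaults=(None, None, False))

def matches(rule, p):
    if rule.proto != "ip" and rule.proto != p.proto:
        return False
    if rule.src_host is not None and rule.src_host != p.src:
        return False
    if rule.dport is not None and rule.dport != p.dport:
        return False
    if rule.established and not (p.proto == "tcp" and p.ack):
        return False
    return True

def evaluate(acl, p):
    """First matching entry wins; anything unmatched hits the implicit deny."""
    for r in acl:
        if matches(r, p):
            return r.action
    return "deny"

# ACL 100 as posted, named ports written as numbers (domain=53, bgp=179,
# www=80, pop3=110, smtp=25, telnet=23).
TCP_PORTS = (53, 179, 80, 21, 20, 110, 443, 25, 8383, 1723)
ACL_100 = ([Rule("permit", "tcp", dport=53), Rule("permit", "udp", dport=53)]
           + [Rule("permit", "tcp", dport=p) for p in TCP_PORTS[1:]]
           + [Rule("permit", "tcp", src_host="10.10.0.5", dport=23),
              Rule("deny", "ip")])
# The same list with "permit tcp any any established" inserted at the top.
ACL_100_EST = [Rule("permit", "tcp", established=True)] + ACL_100

# Constructed reply packets arriving from outside (addresses are made up;
# 10.10.0.20 is an inside workstation, 5xxxx its ephemeral source port).
DNS_REPLY = Pkt("udp", "203.0.113.53", "10.10.0.20", 53, 51234)
WEB_REPLY = Pkt("tcp", "203.0.113.80", "10.10.0.20", 80, 51235, ack=True)

def verdicts(acl):
    """Return what the ACL does to each reply: 'permit' or 'deny'."""
    return {"dns": evaluate(acl, DNS_REPLY), "web": evaluate(acl, WEB_REPLY)}
# verdicts(ACL_100)     -> {'dns': 'deny', 'web': 'deny'}
# verdicts(ACL_100_EST) -> {'dns': 'deny', 'web': 'permit'}
```

The model matches the symptoms in the thread: without state, every reply to an inside-initiated connection lands on the final deny, and "established" rescues only TCP replies, so inside DNS resolution over UDP still fails.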
 
"You're probably denying return traffic from DNS or web servers."

Yes, this is probably true. If so, how would this be fixed? I'm going to put that log command in and see what happens. Thanks!

Mr. Monday, look at the BGP section in your book. Both routers are border routers.

IPRoute, I'm setting up security on the router, firewall, and anywhere else I can. :)
 