
problem with access lists 1

Jun 26, 2002
I am having a problem with access lists on my 2611. When I enable access list 110 in on the external interface f0/0 nothing works. When I remove it everything works.

Please help, I am very rusty with this router stuff...been an MS monkey for far too long.

mm


current config:

ip subnet-zero
!
ip domain-name corp.onedown.net
!
interface FastEthernet0/0
ip address 63.204.210.65 255.255.255.248
ip nat outside
duplex auto
speed auto
no cdp enable
!
interface FastEthernet0/1
description Inside Interface
ip address 10.10.1.1 255.255.255.0
ip nat inside
duplex auto
speed auto
no cdp enable
!
ip default-gateway 63.204.210.70
ip nat pool ONEDOWN-DMZ 63.204.210.65 63.204.210.65 prefix-length 30
ip nat inside source list 1 pool ONEDOWN-DMZ overload
ip nat inside source static tcp 10.10.1.10 137 63.204.210.65 137 extendable
ip nat inside source static tcp 10.10.1.10 138 63.204.210.65 138 extendable
ip nat inside source static tcp 10.10.1.10 139 63.204.210.65 139 extendable
ip nat inside source static udp 10.10.1.10 5632 63.204.210.65 5632 extendable
ip nat inside source static tcp 10.10.1.10 5631 63.204.210.65 5631 extendable
ip nat inside source static tcp 10.10.1.10 80 63.204.210.65 80 extendable
ip nat inside source static tcp 10.10.1.10 8080 63.204.210.65 8080 extendable
ip nat inside source static tcp 10.10.1.10 1010 63.204.210.65 1010 extendable
ip nat inside source static udp 10.10.1.10 53 63.204.210.65 53 extendable
ip nat inside source static tcp 10.10.1.10 53 63.204.210.65 53 extendable
ip nat inside source static tcp 10.10.1.10 25 63.204.210.65 25 extendable
ip nat inside source static tcp 10.10.1.10 110 63.204.210.65 110 extendable
ip nat inside source static tcp 10.10.1.10 143 63.204.210.65 143 extendable
ip nat inside source static tcp 10.10.1.10 3389 63.204.210.65 3389 extendable
ip classless
ip route 0.0.0.0 0.0.0.0 63.204.210.70
no ip http server
!
access-list 1 permit 10.10.1.0 0.0.0.255
access-list 110 permit tcp any any eq 3389
access-list 110 permit tcp any any eq www
access-list 110 permit tcp any any eq smtp
access-list 110 permit tcp any any eq pop3
access-list 110 permit tcp any any eq 143
access-list 110 permit tcp any any eq domain
access-list 110 permit udp any any eq domain
access-list 110 permit tcp any any eq 1010
access-list 110 permit tcp any any eq 5631
access-list 110 permit udp any any eq 5632
access-list 110 permit tcp host 63.204.210.69 host 63.204.210.65 eq 137
access-list 110 permit tcp host 63.204.210.69 host 63.204.210.65 eq 138
access-list 110 permit tcp host 63.204.210.69 host 63.204.210.65 eq 139
access-list 110 permit tcp any any eq echo
access-list 110 permit udp any any eq echo
access-list 110 permit icmp any any echo
no cdp run

 
add
access-list 110 permit tcp any any established
 
New problem now.

I have this as the access list on int f0/0 inbound:

access-list 110 permit tcp any any eq 3389
access-list 110 permit tcp any any eq www
access-list 110 permit tcp any any eq smtp
access-list 110 permit tcp any any eq pop3
access-list 110 permit tcp any any eq 143
access-list 110 permit tcp any any eq domain
access-list 110 permit udp any any eq domain
access-list 110 permit tcp any any eq 1010
access-list 110 permit tcp any any eq 5631
access-list 110 permit udp any any eq 5632
access-list 110 permit tcp host 63.204.210.69 host 63.204.210.65 eq 137
access-list 110 permit tcp host 63.204.210.69 host 63.204.210.65 eq 138
access-list 110 permit tcp host 63.204.210.69 host 63.204.210.65 eq 139
access-list 110 permit tcp host 67.48.130.101 host 67.48.130.101 eq 137
access-list 110 permit tcp host 67.48.130.101 host 67.48.130.101 eq 138
access-list 110 permit tcp host 67.48.130.101 host 67.48.130.101 eq 139
access-list 110 permit icmp any any echo
access-list 110 permit tcp any any established


Problem is now that I cannot ping or do nameserver lookups from the inside machines (10.10.1.x/24 network). I need the inside machines to be able to do anything outbound.

Using the nat as described above!

thanks!

mm
 
This statement from your list allows outside to ping your addresses.
access-list 110 permit icmp any any echo
To allow inside to get a ping back in you need a reply statement.
access-list 110 permit icmp any any echo-reply

 
For the DNS queries...
Lookup tools like NSLOOKUP use a UDP source port gt 1023 and destination port of 53. You may need to add a statement like:
access-list 110 permit udp any eq domain (your internals) gt 1023
You don't need one for tcp since the established statement should allow the tcp queries to return.