Router access list - help!

Throp

IS-IT--Management
Mar 15, 2002
I have been trying to make an ACL to keep my VPN users from getting to my core server network. But every time I put in the access group I lose connectivity to the router. The following is the ACL:

VPN network - 192.15.6.0
Internal - 192.15.5.0
Core - 24.63.5.0
router - intfa0/1 192.15.5.2 (8 other smaller networks use this interface to access the core server network)
intSer0/0 24.63.5.1

access-list 1 deny 192.15.6.0 0.0.0.255
access-list 1 permit 192.15.0.0 0.0.255.255
access-list 101 tcp deny 192.15.6.0 0.0.0.255 any
access-list 101 udp deny 192.15.6.0 0.0.0.255 any
access-list 101 tcp permit 192.15.0.0 0.0.255.255 any
access-list 101 udp permit 192.15.0.0 0.0.255.255 any

intfa0/1
ip access-group 1 in
ip access-group 101 in
Ctrl-Z (then I lose connection, and have to reboot so the old config will give me back connectivity.)
Can someone tell me what I am doing wrong? Please!!!
 
Your syntax on the extended access-list 101 seems to be wrong! Unless this is on an old IOS and the command syntax was different then, the tcp/udp statement can't come before the permit/deny statement. Just to make sure, I tried this on my router!!

collossus(config)#access-list 101 tcp ?
% Unrecognized command
collossus(config)#access-list 101 ?
deny Specify packets to reject
dynamic Specify a DYNAMIC list of PERMITs or DENYs
permit Specify packets to forward
remark Access list entry comment

collossus(config)#access-list 101

You might want to check that! What IOS is it?

Chris.
************************
Chris Andrew, CCNA
chrisac@gmx.co.uk
************************
 
Hi,
I think I might see the problem here. The syntax is wrong, as chrisac said... so perhaps the access list statements are not being added to the config as you thought they were, and when you applied ip access-group 101 in, the only statement in the ACL was the inherent "deny all" at the bottom. You also cannot have 2 access lists applied to an interface in the same direction, unless your version of IOS specifically allows this, but I have not heard of any that can do that. Could be wrong... so when you enter ip access-group 101 in, it overrides the standard list you initially put in.

-Stephen
 
Good point nohair!! You can't apply two access-lists on the same interface in the same direction!

So, you need to put all your statements into a single access list, with your permit statements first and then the denys next!

Chris.
************************
Chris Andrew, CCNA
chrisac@gmx.co.uk
************************
 
It looks like you guys have already figured this out, so this is probably extraneous...
A practice that I've seen work pretty well when modifying/troubleshooting access lists is to add an explicit

deny ip any any log

to the access list. This will allow you to see what's getting through the other statements to check for mistakes.
Also, to keep from locking yourself out of your box, put a specific permit statement for your host in the access list - it'll save you a reboot or console session.

Corey
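A small model of how IOS walks an access list, added here as an illustration and not code from the thread or from Cisco: wildcard-mask matching, first-match ordering, and the implicit deny at the end that Stephen describes, plus the explicit "permit your own host" and "deny ip any any log" entries Corey suggests. The admin workstation 192.15.5.50 and the core server 24.63.5.20 are constructed, and the VPN deny is narrowed to the core subnet rather than "any", which is an assumption about what the original poster wants.

```python
import ipaddress
from dataclasses import dataclass


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Cisco wildcard-mask match: bits that are 0 in the mask must equal the network's bits."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (n & care)


@dataclass
class Ace:
    action: str     # "permit" or "deny"
    proto: str      # "ip" matches everything; "tcp"/"udp" match only that protocol
    src: str
    src_wc: str
    dst: str
    dst_wc: str
    log: bool = False


def evaluate(acl, proto, src, dst):
    """Walk the list top-down; the first matching entry decides.
    Returns (action, index); index is None when the implicit deny at the end applies."""
    for i, ace in enumerate(acl):
        if ace.proto not in ("ip", proto):
            continue
        if wildcard_match(src, ace.src, ace.src_wc) and wildcard_match(dst, ace.dst, ace.dst_wc):
            return ace.action, i
    return "deny", None   # implicit "deny ip any any" that ends every Cisco ACL


ANY = ("0.0.0.0", "255.255.255.255")
ADMIN_HOST = "192.15.5.50"   # constructed: the admin's workstation on the internal LAN
ROUTER_FA01 = "192.15.5.2"   # from the thread

# One combined extended list, ordered for first-match semantics: the narrow
# VPN->core deny must sit above the broad 192.15.0.0/16 permit or it never fires.
ACL_101 = [
    Ace("permit", "ip", ADMIN_HOST, "0.0.0.0", *ANY),                          # never lock yourself out
    Ace("deny",   "ip", "192.15.6.0", "0.0.0.255", "24.63.5.0", "0.0.0.255"),  # VPN users -> core servers
    Ace("permit", "ip", "192.15.0.0", "0.0.255.255", *ANY),                    # everyone else on 192.15.x.x
    Ace("deny",   "ip", *ANY, *ANY, log=True),                                 # explicit logged catch-all
]

EMPTY_ACL_101 = []   # what the router held after the rejected "access-list 101 tcp deny ..." lines

if __name__ == "__main__":
    for name, acl in (("empty", EMPTY_ACL_101), ("fixed", ACL_101)):
        print(name, "admin->router:", evaluate(acl, "tcp", ADMIN_HOST, ROUTER_FA01))
        print(name, "vpn->core:", evaluate(acl, "tcp", "192.15.6.10", "24.63.5.20"))
```

Run it and the "empty" list denies the admin's own session to the router, which is the lockout described in the first post; the "fixed" list permits it and still blocks VPN to core.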
 