[Config] access list issue?

Hi guys,
I hope someone can help me with my issue with an access list on an 887 running DSL and fibre services. Every time I apply an ACL on the VLAN where the fibre is served, it stops the traffic out to the internet, but the internet from outside in was still fine. I have the dialer interface as well that uses the same access list. Is this the problem? The fibre service is to be the primary connection, and when it fails the router switches to the DSL interface using IP SLA.
Below is the sanitized config:
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname rt-router-name
!
boot-start-marker
boot-end-marker
!
logging buffered 4096
enable secret 5 password
!
no aaa new-model
!
memory-size iomem 10
clock timezone NZST 12 0
clock summer-time NZDT recurring 1 Sun Oct 2:00 3 Sun Mar 3:00
crypto pki token default removal timeout 0
!
no ip source-route
!
ip dhcp excluded-address xx.xx.xx.xx xx.xx.xx.xx
ip dhcp excluded-address xx.xx.xx.xx
!
ip dhcp pool dhcppool
 import all
 network xx.xx.xx.xx 255.255.255.0
 default-router xx.xx.xx.xx
 dns-server 210.48.65.2 210.48.66.2
 update arp
!
ip cef
no ip bootp server
no ip domain lookup
ip domain name local
ip inspect name firewall tcp
ip inspect name firewall udp
ip inspect name firewall cuseeme
ip inspect name firewall h323
ip inspect name firewall rcmd
ip inspect name firewall realaudio
ip inspect name firewall streamworks
ip inspect name firewall vdolive
ip inspect name firewall sqlnet
ip inspect name firewall tftp
ip inspect name firewall ftp
ip inspect name firewall icmp
ip inspect name firewall sip
ip inspect name firewall esmtp max-data 52428800
ip inspect name firewall fragment maximum 256 timeout 1
ip inspect name firewall netshow
ip inspect name firewall rtsp
ip inspect name firewall pptp
ip inspect name firewall skinny
no ipv6 cef
!
multilink bundle-name authenticated
vpdn enable
!
vpdn-group 1
!
license udi pid CISCO887VA-SEC-K9 sn FGL15332522
!
archive
 log config
  hidekeys
!
no spanning-tree vlan 1
username username privilege 15 secret 5 password
!
controller VDSL 0
!
ip tcp selective-ack
ip tcp timestamp
!
interface Ethernet0
 no ip address
 shutdown
 no fair-queue
!
interface ATM0
 no ip address
 shutdown
 no atm ilmi-keepalive
!
interface ATM0.1 point-to-point
 pvc 0/100
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
 description Connection to Iconz Fibre
 switchport access vlan 2
 duplex full
 speed 100
!
interface Vlan1
 ip address xx.xx.xx.xx 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface Vlan2
 description WAN
 ip address xx.xx.xx.xx 255.255.255.248
 no ip redirects
 no ip unreachables
 ip nat outside
 no ip virtual-reassembly in
!
interface Dialer0
 ip address negotiated
 ip access-group 101 in
 no ip redirects
 no ip unreachables
 ip nat outside
 ip inspect firewall out
 ip virtual-reassembly in
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp pap sent-username username@dslusername password 7 password C36
 ppp ipcp dns request
 ppp ipcp route default
 no cdp enable
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
ip nat inside source route-map FIBRE interface Vlan2 overload
ip route 0.0.0.0 0.0.0.0 xx.xx.xx.xx
!
logging esm config
access-list 10 permit xx.xx.xx.xx 0.0.0.255
access-list 11 permit xx.xx.xx.xx
access-list 11 permit xx.xx.xx.xx
access-list 11 permit xx.xx.xx.xx 0.0.0.255
access-list 100 permit ip xx.xx.xx.xx 0.0.0.255 any
access-list 101 remark Traffic allowed to enter the router from the Internet
access-list 101 permit ip host xx.xx.xx.xx any
access-list 101 permit ip host xx.xx.xx.xx any
access-list 101 permit ip host xx.xx.xx.xx any
access-list 101 permit ip host xx.xx.xx.xx any
access-list 101 permit ip host xx.xx.xx.xx any
access-list 101 permit ip host xx.xx.xx.xx any
access-list 101 deny ip 0.0.0.0 0.255.255.255 any
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip 169.254.0.0 0.0.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.0.2.0 0.0.0.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 198.18.0.0 0.1.255.255 any
access-list 101 deny ip 224.0.0.0 0.15.255.255 any
access-list 101 deny ip any host 255.255.255.255
access-list 101 permit tcp any any eq 1723
access-list 101 permit gre any any
access-list 101 deny ip any any log
access-list 102 permit ip xx.xx.xx.xx 0.0.0.255 any
access-list 190 remark protection in
access-list 190 permit ip host xx.xx.xx.xx any
access-list 190 permit ip host xx.xx.xx.xx any
access-list 190 permit tcp host xx.xx.xx.xx any eq 8089
access-list 190 permit udp host xx.xx.xx.xx any eq 8089
access-list 190 deny tcp any any eq 8089 log
access-list 190 deny udp any any eq 8089 log
access-list 190 permit ip any any
dialer-list 1 protocol ip permit
!
route-map FIBRE permit 10
 match ip address 102
 match interface Vlan2
!
snmp-server community xxxxxxxx RO
!
control-plane
!
line con 0
 password 7 xxxxxx
 no modem enable
line aux 0
line vty 0 4
 password 7 xxxxxx
 no login
 transport input all
!
scheduler max-task-time 5000
end
You forgot either an ACL permitting traffic out VLAN 2, or the INSPECT configuration like you have on your Dialer0 interface. Try that.
Regards
Thank you for your reply. But the ACL out is already done on the route-map part? I am thinking about applying the FW inspect after I get this sorted.
said by execnz: but the ACL out is already done on the route-map part?
Not quite, if you check this document, PBR / routemaps get processed AFTER interface ACLs. I'd try adding the INSPECT configs as I suspect that's your problem right now.
Second, not sure what you're trying to do with your route-map, as it has two match conditions, but doesn't do anything with the traffic.
May also want to check the FAQ for dual-wan configs that you can crib as well.
Regards
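The fix both replies point at, written out as an added example (this is not config from the original post): the Vlan2 stanza as the poster is assumed to have applied it, with ACL 101 inbound and no inspection, beside a corrected stanza that mirrors what the posted config already does on Dialer0. The interface address, the ACL number and the inspect rule name `firewall` are taken from the posted config; that the poster applied `ip access-group 101 in` on Vlan2 is an assumption, since the sanitized config no longer shows it. With only the inbound ACL, an inside host's session leaves through Vlan2, but its return packets arrive on Vlan2, match nothing in ACL 101 except the final `deny ip any any log`, and are dropped, which fits the symptom of outbound traffic failing while the explicitly permitted inbound hosts still work. `ip inspect firewall out` makes CBAC track sessions leaving the interface and insert temporary permit entries for their return traffic ahead of the static ACL, exactly as on Dialer0.

```ios
! Added example, not from the original post. Assumed: ACL 101 was applied
! inbound on Vlan2 when the outbound traffic broke.
!
! --- Before: static inbound ACL only. Outbound sessions leave, but their
! --- return packets are evaluated against ACL 101 on ingress, match no
! --- permit line, and are dropped by "deny ip any any log".
interface Vlan2
 description WAN
 ip address xx.xx.xx.xx 255.255.255.248
 ip access-group 101 in
 no ip redirects
 no ip unreachables
 ip nat outside
 no ip virtual-reassembly in
!
! --- After: same ACL, plus the inspect rule "firewall" (already defined in
! --- the posted config) applied outbound, as on Dialer0. CBAC records each
! --- session leaving Vlan2 and opens a dynamic entry ahead of ACL 101 for
! --- its return traffic only. Virtual reassembly is enabled to match the
! --- Dialer0 stanza (assumed to be the intended pairing with inspection).
interface Vlan2
 description WAN
 ip address xx.xx.xx.xx 255.255.255.248
 ip access-group 101 in
 no ip redirects
 no ip unreachables
 ip nat outside
 ip inspect firewall out
 ip virtual-reassembly in
!
! --- Checks after applying, while an inside host browses out via fibre:
! show ip inspect sessions      ! one entry per outbound session through Vlan2
! show ip access-lists 101      ! hit count on the final deny should stop climbing for return traffic
! show logging                  ! remaining "deny ip any any log" hits show what is still blocked
```

The check order matters: if `show ip inspect sessions` is empty while the inside host is actively connecting out, the traffic is not leaving through Vlan2 at all (routing or NAT), and the ACL is not the thing to debug next.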