From: Darryl Munro (Darryl.Munro@xxxxxxxxxxxxxxxxxx)
Date: Mon May 20 2002 - 05:38:03 GMT-3
Hi All,
I was just wondering whether anyone would be able to shed some light on a
small issue that I seem to have.
I have an ADSL connection that uses IPCP to get its IP address on the d0
interface. I would like to apply an incoming access list to this interface
also. I am also running NAT with some static commands to port translate SMTP
and WWW traffic back to an internal server.
I would like to block any other unnecessary traffic from coming in from the
Internet.
I have an access-list as follows:
access-list 110 permit tcp any host X.X.X.X eq smtp
access-list 110 permit tcp any host X.X.X.X eq www
access-list 110 permit tcp any host X.X.X.X eq domain
access-list 110 permit udp any host X.X.X.X eq domain
access-list 110 permit icmp any host X.X.X.X echo-reply
access-list 110 permit icmp any host X.X.X.X ttl-exceeded
access-list 110 permit icmp any host X.X.X.X host-unreachable
access-list 110 permit icmp any host X.X.X.X packet-too-big
access-list 110 permit esp any any
access-list 110 permit ahp any any
access-list 110 permit udp host y.y.y.y eq isakmp any eq isakmp
X.X.X.X is the ISP assigned d0 IP address. (Yes it is always the same.);>)
y.y.y.y is an internet based firewall that I have some PC based IPSEC
clients connecting to.
The problem is when I use router(config-if)#ip access-group 110 in
no traffic can get through the router.
I have also run a loopback 0 interface with X.X.X.X 255.255.255.255 and used
ip unnumbered on the d0 interface to no avail. I am unable to add the IP
address manually to the d0 interface as I cannot specify a mask for it.
TIA
Dazza
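Added example, not part of Darryl's post and not Cisco IOS code: a small first-match evaluator for access-list 110 as posted, used to check which inbound packets the list permits and which fall through to the implicit "deny ip any any" that ends every IOS numbered ACL. It assumes 203.0.113.10 in place of X.X.X.X (the dialer address) and 198.51.100.5 in place of y.y.y.y (the remote firewall), and it parses only the syntax the posted list uses ('any' / 'host A.B.C.D', 'eq <port>', ICMP type keywords, plus the 'established' keyword). The sample packets are constructed. It goes one step beyond the post by also evaluating the list with a 'permit tcp ... established' entry appended, which is one common way to let replies to sessions opened from the inside back in while still blocking new inbound connections.

```python
from dataclasses import dataclass
from typing import Optional

PORT_NAMES = {"smtp": 25, "www": 80, "domain": 53, "isakmp": 500}

# The list exactly as posted, with placeholder addresses substituted.
ACL_110 = """
access-list 110 permit tcp any host 203.0.113.10 eq smtp
access-list 110 permit tcp any host 203.0.113.10 eq www
access-list 110 permit tcp any host 203.0.113.10 eq domain
access-list 110 permit udp any host 203.0.113.10 eq domain
access-list 110 permit icmp any host 203.0.113.10 echo-reply
access-list 110 permit icmp any host 203.0.113.10 ttl-exceeded
access-list 110 permit icmp any host 203.0.113.10 host-unreachable
access-list 110 permit icmp any host 203.0.113.10 packet-too-big
access-list 110 permit esp any any
access-list 110 permit ahp any any
access-list 110 permit udp host 198.51.100.5 eq isakmp any eq isakmp
"""

# Same list plus one entry admitting replies to TCP sessions opened from inside.
ACL_110_WITH_REPLIES = ACL_110 + "access-list 110 permit tcp any host 203.0.113.10 established\n"


@dataclass
class Packet:
    proto: str                  # tcp / udp / icmp / esp / ahp
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    icmp_type: str = ""         # e.g. "echo-reply"
    established: bool = False   # TCP segment with ACK or RST set


@dataclass
class Entry:
    action: str
    proto: str
    src: Optional[str]          # None means 'any'
    sport: Optional[int]
    dst: Optional[str]
    dport: Optional[int]
    icmp_type: Optional[str]
    established: bool
    text: str


def _port(tok: str) -> int:
    return int(tok) if tok.isdigit() else PORT_NAMES[tok]


def _addr_and_port(tokens, i):
    """Parse 'any' or 'host A.B.C.D', followed by an optional 'eq <port>'."""
    if tokens[i] == "any":
        addr, i = None, i + 1
    elif tokens[i] == "host":
        addr, i = tokens[i + 1], i + 2
    else:
        raise ValueError(f"unsupported address spec: {tokens[i]}")
    port = None
    if i < len(tokens) and tokens[i] == "eq":
        port, i = _port(tokens[i + 1]), i + 2
    return addr, port, i


def parse_acl(text: str) -> list[Entry]:
    entries = []
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 5 or t[0] != "access-list":
            continue
        action, proto = t[2], t[3]
        src, sport, i = _addr_and_port(t, 4)
        dst, dport, i = _addr_and_port(t, i)
        rest = t[i:]
        icmp_type = rest[0] if proto == "icmp" and rest else None
        entries.append(Entry(action, proto, src, sport, dst, dport,
                             icmp_type, "established" in rest, line.strip()))
    return entries


def evaluate(entries: list[Entry], p: Packet) -> tuple[str, Optional[str]]:
    """First matching entry wins; no match falls to the implicit deny."""
    for e in entries:
        if e.proto != p.proto:
            continue
        if e.src is not None and e.src != p.src:
            continue
        if e.dst is not None and e.dst != p.dst:
            continue
        if e.sport is not None and e.sport != p.sport:
            continue
        if e.dport is not None and e.dport != p.dport:
            continue
        if e.icmp_type is not None and e.icmp_type != p.icmp_type:
            continue
        if e.established and not p.established:
            continue
        return e.action, e.text
    return "deny", None   # implicit deny ip any any


# Constructed sample packets arriving inbound on the dialer interface.
SAMPLES = {
    "inbound smtp to router": Packet("tcp", "192.0.2.7", "203.0.113.10", 34000, 25),
    "reply to outbound web session": Packet("tcp", "192.0.2.80", "203.0.113.10", 80, 41234, established=True),
    "dns answer from resolver": Packet("udp", "192.0.2.53", "203.0.113.10", 53, 51000),
    "isakmp from remote firewall": Packet("udp", "198.51.100.5", "203.0.113.10", 500, 500),
    "inbound telnet to router": Packet("tcp", "192.0.2.7", "203.0.113.10", 34001, 23),
}


def report(acl_text: str = ACL_110) -> dict[str, str]:
    """Verdict ('permit' or 'deny') for every sample packet under the given list."""
    entries = parse_acl(acl_text)
    return {name: evaluate(entries, pkt)[0] for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for label, acl in (("as posted", ACL_110), ("with 'established' entry", ACL_110_WITH_REPLIES)):
        print(f"--- {label} ---")
        for name, verdict in report(acl).items():
            print(f"{verdict:6} {name}")
```

Run as posted, the list permits the inbound SMTP and ISAKMP samples but sends the reply to an outbound web session and the DNS answer from a resolver to the implicit deny, since no entry covers TCP return traffic or UDP replies whose source port is 53; with the 'established' entry appended the TCP reply is admitted while the UDP reply still is not. Whether that is the whole of the symptom seen on the dialer interface is for the poster to confirm on the box, but it is the first thing worth checking with "show access-lists" hit counters before looking at the IPCP address assignment.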
This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 10:59:02 GMT-3