From: cejackson1@comcast.net
Date: Thu Dec 22 2005 - 18:01:51 GMT-3
We are trying to bring up this MFR. The interface is up, but I believe ICMP is being blocked by all these access lists!
Any ideas on which one might cause ICMP to be blocked?
67.39.137.116/30
thanks
cecil
!
!
! Tunnel interface sourced from Loopback0 toward 67.53.28.78. OSPF runs over it
! with message-digest (MD5) authentication. The tunnel mode is not shown in the
! paste, so the platform default applies.
interface Tunnel1
ip address 65.112.67.37 255.255.255.252
ip mtu 1500
ip ospf authentication message-digest
! NOTE(review): "md5 7 <string>" is a type 7 encoded key. Type 7 is a reversible
! encoding, not a one-way hash, so a key pasted into a public post should be
! treated as disclosed and rotated on every neighbor that shares it. Redact
! these lines before sharing a configuration.
ip ospf message-digest-key 5 md5 7 050831180A5F495F412D2F37395A3D1909
ip ospf hello-interval 3
ip ospf retransmit-interval 3
keepalive 10 3
tunnel source Loopback0
tunnel destination 67.53.28.78
!
interface Loopback0
ip address 65.112.67.17 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp
!
interface Loopback1
ip address 216.207.228.78 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp
!
! PPP multilink bundle (group 1). The static default route and the eBGP
! neighbor 65.112.64.9 both sit on this /30, so this is the upstream-facing link.
interface Multilink1
ip address 65.112.64.10 255.255.255.252
! ACL 102 filters packets arriving on this link; ACL 101 filters packets leaving it.
ip access-group 102 in
ip access-group 101 out
no ip redirects
no ip unreachables
no ip proxy-arp
! Rate limit on packets matching ACL 110 (all ICMP): 128000 bps in each
! direction, excess dropped. ICMP that the ACLs permit can therefore still be
! lost under load; check the rate-limit counters before blaming an ACL.
rate-limit input access-group 110 128000 16000 16000 conform-action transmit exceed-actio
n drop
rate-limit output access-group 110 128000 16000 16000 conform-action transmit exceed-acti
on drop
no cdp enable
ppp multilink
ppp multilink fragment disable
ppp multilink group 1
!
! Multilink Frame Relay bundle. The member links are the serial interfaces
! configured with "encapsulation frame-relay MFR0".
interface MFR0
description 15.YHFP.000521
no ip address
encapsulation frame-relay IETF
frame-relay multilink bid test
frame-relay lmi-type ansi
!
! Point-to-point subinterface on the bundle, DLCI 628, carrying 67.39.137.116/30.
! NOTE(review): no "ip access-group" is configured here, so none of the numbered
! ACLs filter packets as they enter or leave this subinterface. ACLs 101 and 102
! (applied on Multilink1 and FastEthernet4/1) permit ICMP echo and echo-reply
! from any source to any destination before their address checks, so they do not
! drop pings either. Non-ICMP packets sourced from 67.39.137.116/30 and forwarded
! out through ACL 101 are not covered by any of its permit lines and would match
! its final "deny ip any any log".
! NOTE(review): 67.39.137.116/30 is not in the BGP "network" statements shown.
! Whether the far side has a return route is outside this paste; confirm.
interface MFR0.628 point-to-point
description WAN
ip address 67.39.137.118 255.255.255.252
no cdp enable
frame-relay interface-dlci 628 IETF
!
interface Ethernet1/0/0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
shutdown
half-duplex
no cdp enable
!
interface Ethernet1/0/1
description Phoenix Care Systems Co-Location
ip address 65.113.217.73 255.255.255.248
no ip redirects
no ip unreachables
no ip proxy-arp
no cdp enable
!
interface Ethernet1/0/2
description Coating Excellence Co-Location
ip address 65.113.217.201 255.255.255.248
no ip redirects
no ip unreachables
no ip proxy-arp
ip policy route-map CEI-VPN-VIA-TUNNEL
no cdp enable
!
interface Ethernet1/0/3
description Gunderson Co-Location
ip address 65.113.217.81 255.255.255.248
no ip redirects
no ip unreachables
no ip proxy-arp
no cdp enable
!
! Shared Ethernet segment carrying one primary and eight secondary subnets.
interface Ethernet1/0/4
! NOTE(review): the first secondary is RFC 1918 space (192.168.254.0/24) on the
! same segment as the public subnets below.
ip address 192.168.254.1 255.255.255.0 secondary
ip address 65.113.217.1 255.255.255.252 secondary
ip address 65.113.217.9 255.255.255.252 secondary
ip address 65.113.217.17 255.255.255.248 secondary
ip address 65.113.217.25 255.255.255.248 secondary
ip address 65.113.217.41 255.255.255.248 secondary
ip address 65.113.217.49 255.255.255.248 secondary
ip address 65.113.217.65 255.255.255.248 secondary
ip address 65.112.67.53 255.255.255.252
! The same ACL (121) is applied in both directions on this interface.
ip access-group 121 in
ip access-group 121 out
no ip redirects
no ip unreachables
no ip proxy-arp
! Per-customer rate limits: each statement polices packets matching the named
! ACL, transmitting conforming traffic and dropping the excess.
! NOTE(review): as I understand CAR, "conform-action transmit" ends evaluation
! at the first statement a packet matches, so statement order decides which
! limit applies where ACLs overlap (ICMP matches ACL 110 but also the
! per-customer ACLs). Confirm the order is intended.
rate-limit input access-group 199 544000 68750 68750 conform-action transmit exceed-actio
n drop
rate-limit input access-group 110 128000 16000 16000 conform-action transmit exceed-actio
n drop
rate-limit input access-group 196 512000 64000 64000 conform-action transmit exceed-actio
n drop
rate-limit input access-group 194 1536000 256000 256000 conform-action transmit exceed-ac
tion drop
rate-limit input access-group 193 3000000 375000 375000 conform-action transmit exceed-ac
tion drop
rate-limit input access-group 192 128000 48000 96000 conform-action transmit exceed-actio
n drop
rate-limit input access-group 195 1536000 256000 256000 conform-action transmit exceed-ac
tion drop
rate-limit input access-group 197 1096000 137500 137500 conform-action transmit exceed-ac
tion drop
rate-limit input access-group 198 3000000 384000 384000 conform-action transmit exceed-ac
tion drop
rate-limit output access-group 199 544000 68750 68750 conform-action transmit exceed-acti
on drop
rate-limit output access-group 110 128000 16000 16000 conform-action transmit exceed-acti
on drop
rate-limit output access-group 196 512000 64000 64000 conform-action transmit exceed-acti
on drop
rate-limit output access-group 194 1536000 256000 256000 conform-action transmit exceed-a
ction drop
rate-limit output access-group 193 3000000 375000 375000 conform-action transmit exceed-a
ction drop
rate-limit output access-group 192 128000 48000 96000 conform-action transmit exceed-acti
on drop
rate-limit output access-group 195 1536000 256000 256000 conform-action transmit exceed-a
ction drop
rate-limit output access-group 197 1096000 137500 137500 conform-action transmit exceed-a
ction drop
rate-limit output access-group 198 3000000 384000 384000 conform-action transmit exceed-a
ction drop
ip ospf authentication message-digest
! NOTE(review): type 7 encoded key. The encoding is reversible, so a key posted
! publicly should be treated as disclosed and rotated. Redact before sharing.
ip ospf message-digest-key 5 md5 7 04583C1124324B1851313D32205D353708
ip ospf hello-interval 3
ip ospf retransmit-interval 3
full-duplex
no cdp enable
!
interface Ethernet1/0/5
no ip address
shutdown
no cdp enable
!
interface Ethernet1/0/6
no ip address
shutdown
no cdp enable
!
interface Ethernet1/0/7
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
shutdown
no cdp enable
!
interface Serial1/1/0
no ip address
shutdown
serial restart-delay 0
no cdp enable
!
interface Serial1/1/1
no ip address
shutdown
serial restart-delay 0
no cdp enable
!
interface Serial1/1/2
no ip address
shutdown
serial restart-delay 0
no cdp enable
!
interface Serial1/1/3
description Circuit ID: 15.YHFP.000521.001
no ip address
encapsulation frame-relay MFR0
serial restart-delay 0
no arp frame-relay
frame-relay multilink lid link1
!
interface FastEthernet4/0
description Little Chute POP 65.112.67.0/28
bandwidth 10000
ip address 65.113.218.5 255.255.255.252 secondary
ip address 65.112.67.81 255.255.255.248 secondary
ip address 65.112.67.113 255.255.255.248 secondary
ip address 65.112.67.121 255.255.255.248 secondary
ip address 65.112.67.1 255.255.255.240
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache same-interface
half-duplex
no cdp enable
!
interface FastEthernet4/1
description Qwest:DS1IT-4121389 SBC:41/HCGS/106718 & 109623/WT 877 886-6515
bandwidth 3088
ip address 216.207.228.78 255.255.255.252
ip access-group 102 in
ip access-group 101 out
no ip redirects
no ip unreachables
no ip proxy-arp
rate-limit input access-group 110 128000 16000 16000 conform-action transmit exceed-actio
n drop
rate-limit output access-group 110 128000 16000 16000 conform-action transmit exceed-acti
on drop
shutdown
half-duplex
no cdp enable
!
interface Serial5/0
description Dorner-Stahl Luxenburg HYDA357721 65.112.67.32/30
bandwidth 64
ip address 65.112.67.33 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp
encapsulation ppp
serial restart-delay 0
no cdp enable
!
interface Serial5/1
description Gustman (Kaukauna) 41/HCGS/109338/WT 65.112.67.56/30
bandwidth 1544
ip address 65.112.67.57 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp
serial restart-delay 0
no cdp enable
!
interface Serial5/2
description Valley Grinding 41/HCGS/108963/WT 65.112.67.24/30
bandwidth 1544
ip address 65.112.67.25 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp
serial restart-delay 0
no cdp enable
!
interface Serial5/3
description Green Bay POP 41/HCGS/106388/WT 65.112.67.20/30
bandwidth 1544
ip address 65.112.67.21 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp
serial restart-delay 0
no cdp enable
!
interface Serial5/4
description Circuit ID: 15.YHFP.000521.002
no ip address
encapsulation frame-relay MFR0
serial restart-delay 0
no arp frame-relay
frame-relay multilink lid link2
!
interface Serial5/5
description Circuit ID: 15.YHFP.000521.003
no ip address
encapsulation frame-relay MFR0
serial restart-delay 0
no arp frame-relay
frame-relay multilink lid link3
!
interface Serial5/6
no ip address
encapsulation ppp
serial restart-delay 0
no fair-queue
no cdp enable
ppp multilink group 1
!
interface Serial5/7
no ip address
encapsulation ppp
serial restart-delay 0
no fair-queue
no cdp enable
ppp multilink group 1
!
router eigrp 1220
redistribute connected
redistribute static route-map STATIC
redistribute ospf 666 metric 1544 10 255 1 1500
passive-interface Ethernet1/0/0
passive-interface Ethernet1/0/1
passive-interface Ethernet1/0/2
passive-interface Ethernet1/0/3
passive-interface Ethernet1/0/4
passive-interface Ethernet1/0/5
passive-interface Ethernet1/0/6
passive-interface Ethernet1/0/7
passive-interface Serial1/1/0
passive-interface Serial1/1/1
passive-interface Serial1/1/2
passive-interface Serial1/1/3
passive-interface FastEthernet4/0
passive-interface FastEthernet4/1
passive-interface Serial5/0
passive-interface Serial5/1
passive-interface Serial5/2
passive-interface Serial5/4
passive-interface Serial5/5
passive-interface Serial5/6
passive-interface Serial5/7
network 65.0.0.0
no auto-summary
!
router ospf 666
log-adjacency-changes
network 65.112.67.37 0.0.0.0 area 0
network 65.112.67.53 0.0.0.0 area 0
default-information originate always
!
! BGP for AS 31785: one eBGP session to AS 209 (65.112.64.9) and one iBGP
! session to 65.112.68.17 sourced from Loopback0.
! Outbound policy toward AS 209 is route-map QWESTOUT plus as-path filter-list
! 70 ("permit ^$", i.e. only routes with an empty AS path).
! NOTE(review): no inbound prefix-list, route-map or filter-list and no
! "neighbor ... password" appear for either neighbor in this paste, and the
! QWESTOUT route-map itself is not included. Confirm against the full config
! before concluding the sessions are unfiltered or unauthenticated.
! "ebgp-multihop 3" accepts the eBGP session from up to three hops away.
router bgp 31785
no synchronization
bgp log-neighbor-changes
network 65.112.67.0 mask 255.255.255.0
network 65.112.68.0 mask 255.255.255.0
network 65.113.216.0 mask 255.255.252.0
network 65.113.216.0 mask 255.255.255.0
network 65.113.217.0 mask 255.255.255.0
network 65.113.218.0 mask 255.255.255.0
network 65.113.219.0 mask 255.255.255.0
neighbor 65.112.64.9 remote-as 209
neighbor 65.112.64.9 description Qwest EBGP via Tasman
neighbor 65.112.64.9 ebgp-multihop 3
neighbor 65.112.64.9 route-map QWESTOUT out
neighbor 65.112.64.9 filter-list 70 out
neighbor 65.112.68.17 remote-as 31785
neighbor 65.112.68.17 description HBS in GB IBGP via T1
neighbor 65.112.68.17 update-source Loopback0
no auto-summary
!
ip classless
ip route 0.0.0.0 0.0.0.0 65.112.64.9
ip route 0.0.0.0 0.0.0.0 65.112.67.22 10
ip route 65.112.64.8 255.255.255.252 216.207.228.77
ip route 65.112.67.0 255.255.255.0 Null0 254
ip route 65.112.67.40 255.255.255.252 65.112.67.7
ip route 65.112.67.44 255.255.255.252 65.112.67.26
ip route 65.112.67.48 255.255.255.252 65.112.67.62
ip route 65.112.67.64 255.255.255.248 65.113.218.6
ip route 65.112.67.72 255.255.255.248 65.112.67.7
ip route 65.112.67.88 255.255.255.248 65.112.67.58
ip route 65.112.67.104 255.255.255.248 65.113.218.6
ip route 65.112.68.0 255.255.255.0 Null0 254
ip route 65.112.68.17 255.255.255.255 65.112.67.22
ip route 65.113.216.0 255.255.252.0 Null0 254
ip route 65.113.216.0 255.255.255.0 65.112.67.3
ip route 65.113.216.0 255.255.255.0 Null0 254
ip route 65.113.217.0 255.255.255.0 Null0 254
ip route 65.113.217.96 255.255.255.248 65.112.67.58
ip route 65.113.217.208 255.255.255.248 65.112.67.34
ip route 65.113.217.216 255.255.255.248 65.112.67.9
ip route 65.113.217.224 255.255.255.224 65.112.67.13
ip route 65.113.218.0 255.255.255.0 Null0 254
ip route 65.113.218.0 255.255.255.128 Null0 254
ip route 65.113.219.0 255.255.255.0 Null0 254
ip route 208.234.20.228 255.255.255.255 65.112.67.22
!
no ip http server
no ip http secure-server
!
ip as-path access-list 70 permit ^$
!
!
! STATIC: denies the locally held aggregates, then permits every other prefix
! of any length. Presumably referenced by route-map STATIC (used in
! "redistribute static route-map STATIC"), which is not in the paste; confirm.
ip prefix-list STATIC seq 5 deny 65.112.67.0/24
ip prefix-list STATIC seq 10 deny 65.112.68.0/24
ip prefix-list STATIC seq 15 deny 65.113.216.0/22
ip prefix-list STATIC seq 25 deny 65.113.217.0/24
ip prefix-list STATIC seq 30 deny 65.113.218.0/24
ip prefix-list STATIC seq 35 deny 65.113.219.0/24
ip prefix-list STATIC seq 45 permit 0.0.0.0/0 le 32
!
! NOTE(review): seq 10 names 65.112.219.0/24, while every other line in this
! configuration that mentions a .219 network uses 65.113.219.0/24. Possible
! typo; confirm.
ip prefix-list TDSPREFER seq 5 permit 65.112.68.0/24
ip prefix-list TDSPREFER seq 10 permit 65.112.219.0/24
!
! qwest_bgp_out: the six /24s intended for announcement. No line in this paste
! references it directly; it may be used inside route-map QWESTOUT (not shown).
ip prefix-list qwest_bgp_out seq 5 permit 65.112.67.0/24
ip prefix-list qwest_bgp_out seq 10 permit 65.112.68.0/24
ip prefix-list qwest_bgp_out seq 15 permit 65.113.216.0/24
ip prefix-list qwest_bgp_out seq 20 permit 65.113.217.0/24
ip prefix-list qwest_bgp_out seq 25 permit 65.113.218.0/24
ip prefix-list qwest_bgp_out seq 30 permit 65.113.219.0/24
!
ip access-list extended CEI-VPN-TRAFFIC
remark ACL to MATCH VPN TRAFFIC TO ROUTE VIA CABLE
permit esp host 65.113.217.202 host 65.113.217.6
! ACL 1: standard (source-only) ACL labelled for VTY/SSH access. The "line vty"
! section that would apply it is not part of this paste.
! NOTE(review): most entries permit whole /8 or larger blocks (for example
! 64.0.0.0 3.255.255.255 is 64.0.0.0/6 and 68.0.0.0 1.255.255.255 is
! 68.0.0.0/7), so the list narrows management access only coarsely. A short
! list of management hosts or subnets is the tighter form.
! The 10.0.0.0 entry uses wildcard 0.0.255.255 and so matches 10.0.0.0/16 only.
access-list 1 remark VTY ACL allow SSH from America
access-list 1 permit 24.0.0.0 0.255.255.255
access-list 1 permit 63.0.0.0 0.255.255.255
access-list 1 permit 64.0.0.0 3.255.255.255
access-list 1 permit 68.0.0.0 1.255.255.255
access-list 1 permit 199.0.0.0 0.255.255.255
access-list 1 permit 204.0.0.0 3.255.255.255
access-list 1 permit 208.0.0.0 1.255.255.255
access-list 1 permit 216.0.0.0 0.255.255.255
access-list 1 permit 10.0.0.0 0.0.255.255
access-list 1 permit 70.0.0.0 0.255.255.255
! ACL 5: two hosts labelled as NTP peers. The statement that applies it is not
! in the paste.
access-list 5 remark NTP ACL
access-list 5 permit 65.112.68.6
access-list 5 permit 65.113.216.67
! ACL 71: source match used for a BGP metric decision. Presumably referenced by
! route-map QWESTOUT, which is not shown; confirm.
access-list 71 remark Match IP to set outgoing BGP Metric
access-list 71 permit 65.112.67.0 0.0.0.255
access-list 71 permit 65.113.216.0 0.0.0.255
access-list 71 permit 65.113.217.0 0.0.0.255
access-list 71 remark Match IPs that should be in GB but are in LC
access-list 71 permit 65.112.68.24 0.0.0.3
access-list 71 permit 65.113.218.4 0.0.0.3
access-list 71 permit 65.113.218.0 0.0.0.127
! ACL 101: egress filter, applied "out" on Multilink1 and FastEthernet4/1.
! Entries are evaluated top-down and the first match decides.
! ICMP section: non-initial ICMP fragments are dropped, five message types are
! permitted for any source and destination, and all other ICMP is denied.
! Echo and echo-reply are therefore NOT blocked by this list.
access-list 101 deny icmp any any fragments
access-list 101 permit icmp any any echo
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any source-quench
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any unreachable
access-list 101 deny icmp any any
! Source-address section: only packets sourced from the listed local prefixes
! may leave; everything else is dropped and logged.
! NOTE(review): 67.39.137.116/30 (the MFR0.628 subnet) is not among the
! permitted sources, so non-ICMP packets with those source addresses match the
! final deny. Add a permit line if that subnet must send traffic through
! interfaces using this ACL.
access-list 101 permit ip 65.112.67.0 0.0.0.255 any
access-list 101 permit ip 65.112.68.0 0.0.0.255 any
access-list 101 permit ip 65.113.216.0 0.0.3.255 any
access-list 101 permit ip 216.207.228.76 0.0.0.3 any
access-list 101 deny ip any any log
! ACL 102: ingress filter, applied "in" on Multilink1 and FastEthernet4/1.
! Entries are evaluated top-down and the first match decides.
access-list 102 remark Ingress Filter
! ICMP section: same policy as ACL 101. Echo and echo-reply are permitted for
! any source and destination, so this list does not block pings.
access-list 102 deny icmp any any fragments
access-list 102 permit icmp any any echo
access-list 102 permit icmp any any echo-reply
access-list 102 permit icmp any any source-quench
access-list 102 permit icmp any any time-exceeded
access-list 102 permit icmp any any unreachable
access-list 102 deny icmp any any
! IP protocol numbers 53, 55 and 77, plus PIM, are dropped outright.
! NOTE(review): this set looks like the workaround ACL from Cisco's 2003
! advisory on IOS interfaces being blocked by crafted IPv4 packets. Confirm
! whether it is still needed on the running software version.
access-list 102 deny 53 any any
access-list 102 deny 55 any any
access-list 102 deny 77 any any
access-list 102 deny pim any any
! Anti-spoofing: sources that should never arrive from outside, namely 0/8,
! loopback, RFC 1918 space and 224.0.0.0/3 (multicast and above).
access-list 102 deny ip 0.0.0.0 0.255.255.255 any log
access-list 102 deny ip 127.0.0.0 0.255.255.255 any log
access-list 102 deny ip 10.0.0.0 0.255.255.255 any log
access-list 102 deny ip 172.16.0.0 0.15.255.255 any log
access-list 102 deny ip 192.168.0.0 0.0.255.255 any log
access-list 102 deny ip 224.0.0.0 31.255.255.255 any log
! The site's own prefixes are rejected as inbound sources. Order matters: the
! permit for 65.113.219.0/24 precedes the deny for the covering
! 65.113.216.0/22, so that /24 is exempted.
! NOTE(review): 65.112.68.0/24 is announced in BGP but not denied here as an
! inbound source. Confirm that is intended.
access-list 102 deny ip 65.112.67.0 0.0.0.255 any log
access-list 102 permit ip 65.113.219.0 0.0.0.255 any
access-list 102 deny ip 65.113.216.0 0.0.3.255 any log
access-list 102 deny ip host 65.26.93.106 any
! Service blocks: UDP 1645/1646 (legacy RADIUS ports) and TCP/UDP 135.
access-list 102 deny udp any any eq 1645
access-list 102 deny udp any any eq 1646
access-list 102 deny tcp any any eq 135
access-list 102 deny udp any any eq 135
! Default-allow: anything not denied above is forwarded.
access-list 102 permit ip any any
! The repeated remark lines below have no filtering effect.
access-list 102 remark Ingress Filter
access-list 102 remark Ingress Filter
! ACL 103: drops and logs TCP/UDP 135 and the NetBIOS UDP ports, then permits
! everything else. No interface in this paste applies it; a remark in ACL 121
! says these entries were folded into 121.
access-list 103 deny udp any any eq 135 log
access-list 103 deny tcp any any eq 135 log
access-list 103 deny udp any any eq netbios-ns log
access-list 103 deny udp any any eq netbios-ss log
access-list 103 deny udp any any eq netbios-dgm log
access-list 103 permit ip any any
! ACL 110: classifier only. It matches all ICMP for the "rate-limit ...
! access-group 110" statements and is never used as an access-group, so it
! does not itself permit or deny traffic.
access-list 110 remark Match ICMP for rate-limit
access-list 110 permit icmp any any
access-list 110 remark Match ICMP for rate-limit
access-list 110 remark Match ICMP for rate-limit
! ACL 121: applied both "in" and "out" on Ethernet1/0/4. Evaluated top-down.
access-list 121 remark ACL to limit Cargills wireless to Cargills network
! Toward 65.113.217.24/29: only three source ranges may reach it, all else is denied.
access-list 121 permit ip 167.136.0.0 0.0.255.255 65.113.217.24 0.0.0.7
access-list 121 permit ip 65.112.66.0 0.0.1.255 65.113.217.24 0.0.0.7
access-list 121 permit ip 65.113.216.0 0.0.3.255 65.113.217.24 0.0.0.7
access-list 121 deny ip any 65.113.217.24 0.0.0.7
! From 65.113.217.24/29: only the same three ranges are reachable, all else is denied.
! These denies cover all IP, so ICMP to or from this /29 outside the three
! ranges is dropped here.
access-list 121 permit ip 65.113.217.24 0.0.0.7 167.136.0.0 0.0.255.255
access-list 121 permit ip 65.113.217.24 0.0.0.7 65.112.66.0 0.0.1.255
access-list 121 permit ip 65.113.217.24 0.0.0.7 65.113.216.0 0.0.3.255
access-list 121 deny ip 65.113.217.24 0.0.0.7 any
access-list 121 remark original ACL 103 since only one ACL can be on the interface
! Former ACL 103 entries: drop and log TCP/UDP 135 and the NetBIOS UDP ports.
access-list 121 deny udp any any eq 135 log
access-list 121 deny tcp any any eq 135 log
access-list 121 deny udp any any eq netbios-ns log
access-list 121 deny udp any any eq netbios-ss log
access-list 121 deny udp any any eq netbios-dgm log
! Default-allow for all other traffic on this segment.
access-list 121 permit ip any any
! The repeated remark lines below have no filtering effect.
access-list 121 remark ACL to limit Cargills wireless to Cargills network
access-list 121 remark original ACL 103 since only one ACL can be on the interface
access-list 121 remark ACL to limit Cargills wireless to Cargills network
access-list 121 remark original ACL 103 since only one ACL can be on the interface
! ACLs 192-199: classifiers for the per-customer "rate-limit ... access-group N"
! statements on Ethernet1/0/4. None is applied with "ip access-group" in this
! paste, so they select traffic for policing and do not permit or deny it.
! Most match a customer subnet as either source or destination.
access-list 192 remark Rate Limit for Cherrylands Best
access-list 192 permit ip any 65.113.217.48 0.0.0.7
access-list 192 permit ip 65.113.217.48 0.0.0.7 any
access-list 192 remark Rate Limit for Cherrylands Best
access-list 192 remark Rate Limit for Cherrylands Best
access-list 193 remark ACL for Pechman Wireless rate limit
access-list 193 permit ip any 65.113.217.40 0.0.0.7
access-list 193 permit ip 65.113.217.40 0.0.0.7 any
access-list 193 remark ACL for Pechman Wireless rate limit
access-list 193 remark ACL for Pechman Wireless rate limit
access-list 194 remark ACL for Cargill Wireless rate limit
access-list 194 permit ip any 65.113.217.24 0.0.0.7
access-list 194 permit ip 65.113.217.24 0.0.0.7 any
access-list 194 remark ACL for Cargill Wireless rate limit
access-list 194 remark ACL for Cargill Wireless rate limit
access-list 195 remark Rate Limit for Paul V. and Mike G. Wireles
access-list 195 permit ip any 65.113.217.16 0.0.0.7
access-list 195 permit ip 65.113.217.16 0.0.0.7 any
access-list 195 permit ip any 65.113.217.32 0.0.0.7
access-list 195 permit ip 65.113.217.32 0.0.0.7 any
access-list 195 remark Rate Limit for Paul V. and Mike G. Wireles
access-list 195 remark Rate Limit for Paul V. and Mike G. Wireles
access-list 196 remark Match for rate limit of Avastone External IPs
access-list 196 permit ip any 65.112.67.80 0.0.0.7
access-list 196 permit ip 65.112.67.80 0.0.0.7 any
access-list 196 remark Match for rate limit of Avastone External IPs
access-list 196 remark Match for rate limit of Avastone External IPs
! ACL 197: the four deny lines exclude traffic between the local prefixes from
! this classifier; only traffic to or from host 65.112.67.4 is selected.
access-list 197 remark Match nat-side.hbs.net for rate limit of HBS
access-list 197 deny ip 65.112.67.0 0.0.0.255 65.112.67.0 0.0.0.255
access-list 197 deny ip 65.113.216.0 0.0.3.255 65.113.216.0 0.0.3.255
access-list 197 deny ip 65.113.216.0 0.0.3.255 65.112.67.0 0.0.0.255
access-list 197 deny ip 65.112.67.0 0.0.0.255 65.113.216.0 0.0.3.255
access-list 197 permit ip any host 65.112.67.4
access-list 197 permit ip host 65.112.67.4 any
! NOTE(review): ACL 198 also matches 65.113.217.32/29, which ACL 195 matches
! too. Whichever rate-limit statement is listed first on the interface is the
! one that sees that traffic; confirm the overlap is intended.
access-list 198 remark Match for rate limit of Coating Excellence
access-list 198 permit ip 65.113.217.4 0.0.0.3 any
access-list 198 permit ip any 65.113.217.4 0.0.0.3
access-list 198 permit ip 65.112.68.24 0.0.0.3 any
access-list 198 permit ip any 65.112.68.24 0.0.0.3
access-list 198 permit ip 65.113.217.32 0.0.0.7 any
access-list 198 permit ip any 65.113.217.32 0.0.0.7
access-list 199 remark Match for rate limit of Bahcall Rubber
access-list 199 permit ip 65.113.217.0 0.0.0.3 any
access-list 199 permit ip any 65.113.217.0 0.0.0.3
access-list 199 remark Match for rate limit of Bahcall Rubber
access-list 199 remark Match for rate limit of Bahcall Rubber