Re: Access-list problem from Pavel Bykov on 2009-04-25 (Ccielab archives 04/2009)

From: Pavel Bykov <slidersv_at_gmail.com>
Date: Sat, 25 Apr 2009 21:23:11 +0200

looks like a bug.
Are you telnetting to the Dialer interface?

On Wed, Apr 22, 2009 at 4:17 PM, marish shah <contactmarish_at_gmail.com>wrote:

> Hi All,
> Scenario.
> DSL Router 857 connecting to ISP with dialer interface and connecting with
> LOCAL AREA NETWORK with vlan 1.
>
> Requirement,
>
> Customer want to stop browsing for some computer from 192.168.2.128 to
> 192.168.2.191 and allow any other traffic.
>
> Remaining IP s are allowed all traffic.So I put this configuration on
> customer router.
>
> *access-list 102 deny tcp 192.168.2.128 0.0.0.63 any eq www *
>
> *access-list 102 permit ip any any*
>
> *ip nat inside source list 102 interface Dialer1 overload
> *
>
> * interface Vlan1
> ip address 192.168.2.1 255.255.255.0
> ip nat inside
>
> !
> interface Dialer1
> ip address negotiated
> ip nat outside*
>
> After this every thing is work fine there was no browsing for few user's as
> customer want and they can access every thing else (FTP,TELNET,etc)
>
> And all other customer can use every thing include browsing .
>
> But here problem come from outside I cannot telnet customer router but I
> can
> ping if u see my config I didn't block port 23 for inside not for outside
> and my access-list is only effect inside traffic but from outside I can't
> able to telnet and strange from inside I can telnet.
>
> So Q is why my telnet from outside is block ?
>
> I solve this problem I just remove
>
> *no access-list 102 deny tcp 192.168.2.128 0.0.0.63 any eq www *
>
> *no access-list 102 permit ip any any*
>
> *n replace with
> *
>
> *access-list 102 deny tcp 192.168.2.128 0.0.0.63 any eq www*
>
> *access-list 102 permit ip 192.168.2.0 0.0.0.255 any*
>
> *and telnet from outside is also working so why its block and after
> removing
> Permit any any its work.*
>
>
> **
>
> *Thanks.
> *
>
> *
> *
>
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
>
>
>
>
>
>
>
>

-- 
Pavel Bykov
----------------
Don't forget to help stopping the braindumps, use of which reduces value of
your certifications. Sign the petition at http://www.stopbraindumps.com/
Blogs and organic groups at http://www.ccie.net

Received on Sat Apr 25 2009 - 21:23:11 ART

This archive was generated by hypermail 2.2.0 : Mon May 04 2009 - 07:39:13 ART