1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Im hungover and cant think today..... HELP!!

Discussion in 'General Cisco Certifications' started by jonny7_2002, Oct 15, 2010.

  1. jonny7_2002

    jonny7_2002 Byte Poster

    191
    9
    37
    Could you fine people help me as im being a little thick today.....

    Branch site has 877 router and VPNs into an ASA at their main site (remote network 192.168.120.0)
    The requirement:
    Deny Internet access for IP's 192.168.123.1 & 192.168.123.2
    Permit access to Log Me In servers (ACL entries 10 to 15)
    Allow all others full outbound access

    The ACL below is applied to the dialer 0 interface outbound....
    Extended IP access list BLOCK_INTERNET
    10 permit tcp any 74.201.72.0 0.0.3.255
    11 permit tcp any 216.52.233.0 0.0.0.255
    12 permit tcp any 69.25.20.0 0.0.3.255
    13 permit tcp any 64.94.18.0 0.0.0.255
    14 permit tcp any 77.242.192.0 0.0.3.255
    15 permit tcp any 212.118.234.0 0.0.0.255
    18 permit tcp any 82.x.x.x 0.0.0.7
    20 deny tcp host 192.168.123.1 any eq www
    21 deny tcp host 192.168.123.2 any eq www
    22 deny tcp host 192.168.123.1 any eq 443
    23 deny tcp host 192.168.123.2 any eq 443
    30 permit tcp any any (1357 matches)
    31 permit udp any any (136 matches)
    32 permit ip any any (21 matches)

    If i dont have 32 permit ip any any on the end then i cannot ping the remote PC'd from the main site! i tried a few variations using the source network address etc but didnt work.

    I am hungover today:blink and this isnt my final hour but hope someone can feel pity for me and help out! :-)
     
    Certifications: CCNA R&S, CCNP R&S, CCDA, CCNA Voice, CCNA Wireless & CCNA Security
    WIP: CCIE V5 (when its out)
  2. danielno8

    danielno8 Gigabyte Poster

    1,305
    48
    92
    you haven't got a line to enable ICMP...
     
    Certifications: CCENT, CCNA
    WIP: CCNP
  3. jonny7_2002

    jonny7_2002 Byte Poster

    191
    9
    37
    The list now looks like this

    Extended IP access list INET_BLOCK
    10 permit tcp any 74.201.72.0 0.0.3.255
    11 permit tcp any 216.52.233.0 0.0.0.255
    12 permit tcp any 69.25.20.0 0.0.3.255
    13 permit tcp any 64.94.18.0 0.0.0.255
    14 permit tcp any 77.242.192.0 0.0.3.255
    15 permit tcp any 212.118.234.0 0.0.0.255
    18 permit tcp any x.x.x.x x.x.x.x
    20 deny tcp host 192.168.123.1 any eq www
    21 deny tcp host 192.168.123.2 any eq www
    22 deny tcp host 192.168.123.1 any eq 443
    23 deny tcp host 192.168.123.2 any eq 443
    30 permit tcp any any (2883 matches)
    31 permit udp any any (34 matches)
    33 permit icmp any any (235 matches)

    The ACL is now assigned to the vlan1 outbound direction.

    As you can see with the 'matches' statement, if i go onto the internet on the PC with 192.168.123.1 its still works? its like it is not picking up the source IP?

    Has anyone got any ideas?? im sure i have missed something basic!?

    Cheers
    Jon
     
    Certifications: CCNA R&S, CCNP R&S, CCDA, CCNA Voice, CCNA Wireless & CCNA Security
    WIP: CCIE V5 (when its out)
  4. greenbrucelee
    Highly Decorated Member Award

    greenbrucelee Zettabyte Poster

    14,283
    254
    329
    you have a 3 day hangover? :D
     
    Certifications: A+, N+, MCDST, Security+, 70-270
    WIP: 70-620 or 70-680?
  5. jonny7_2002

    jonny7_2002 Byte Poster

    191
    9
    37
    It cleared up on friday night then with a drinking session saturday night into sunday morning and then guns & roses concert last night, i shouldnt actually be alive!!! :-)
     
    Certifications: CCNA R&S, CCNP R&S, CCDA, CCNA Voice, CCNA Wireless & CCNA Security
    WIP: CCIE V5 (when its out)
  6. danielno8

    danielno8 Gigabyte Poster

    1,305
    48
    92
    Surely you should have it on VLAN 1 inbound? outbound VLAN 1 source IP will be the internet sites you are going to.
     
    Certifications: CCENT, CCNA
    WIP: CCNP
  7. jonny7_2002

    jonny7_2002 Byte Poster

    191
    9
    37
    er....... its now fixed.... :-/
     
    Certifications: CCNA R&S, CCNP R&S, CCDA, CCNA Voice, CCNA Wireless & CCNA Security
    WIP: CCIE V5 (when its out)

Share This Page

Loading...