Question: Problem: Using access lists on MPLS network, but now can't access internet
OK, here it goes....
I found a network on our MPLS link that isn't ours in our routing tables. So I am trying to put access lists on the switches at all our locations. However, when I apply the access lists, all the internal networks can talk, but nothing can go out to the internet. I thought that I could put a rule to allow any traffic out, but the switch will only allow you to apply an access group in. Besides that, I don't know if Cisco keeps track of sessions, i.e. if a packet is allowed out, is it allowed to receive the ACK if there's no rule to specifically allow that IP?
OK, so here's what I have set up:

    access-list 1 permit 10.10.0.0 0.0.255.255
    access-list 1 permit 192.168.0.0 0.0.255.255
    access-list 1 permit 172.16.0.0 0.0.255.255

I have tried applying the group on all ports of the switches and on just the VLANs.
It can traverse the MPLS but won't allow you to go out to the internet.
I tried making a rule to allow any traffic and applying it to an interface out, but there is no out command.
On the 3750s I'm running 12.2(40)SE and on the 2960s I'm running 12.2(25)SEE3.
Is there some kind of command you need to remember sessions or something?
Answer: Problem: Using access lists on MPLS network, but now can't access internet
OK, here is the plan:
1- Remove those access lists, as they will be blocking incoming internet traffic.
2- I understand that the strange route is coming via EIGRP from the SP. In that case, add an input distribute list to the EIGRP config to deny this route. As an example, I'd assume that the route is 172.25.3.4/24:

    Router(config)#access-list 50 deny 172.25.3.4 0.0.0.255
    Router(config)#access-list 50 permit any
    Router(config)#router eigrp 1
    Router(config-router)#distribute-list 50 in
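Worked example of the two steps in the answer, added here as an illustration and not part of the original post or answer. The first part shows why the poster's standard ACL breaks internet access: a numbered standard ACL matches on source address only and keeps no session state, so applied inbound on the interface facing the MPLS/internet side it drops every reply whose source is a public address, because nothing permits it before the implicit deny. The second part is the EIGRP inbound distribute-list the answer proposes; the prefix 172.25.3.0/24 (the wildcard 0.0.0.255 in the answer matches that /24), ACL number 50, EIGRP AS 1, and the interface names Vlan10 and Vlan100 are placeholders assumed for the example, not values from the poster's network. The verification commands at the end are standard IOS show commands.

```cisco
! --- What the poster applied (reconstructed from the question) ---
! Standard ACL: matches SOURCE address only, no state tracking.
access-list 1 permit 10.10.0.0 0.0.255.255
access-list 1 permit 192.168.0.0 0.0.255.255
access-list 1 permit 172.16.0.0 0.0.255.255
! implicit at the end:  access-list 1 deny any
!
! Vlan100 is the assumed interface towards the MPLS/internet side.
interface Vlan100
 ip access-group 1 in
! Effect: a reply from a public address (e.g. 203.0.113.10, documentation
! range, assumed) arrives inbound on Vlan100 with that public source, matches
! no permit line and is dropped by the implicit deny. Internal-to-internal
! traffic across the MPLS still works because its sources are RFC1918.
!
! --- Step 1: remove the ACL from every interface it was applied to ---
interface Vlan100
 no ip access-group 1 in
interface Vlan10
 no ip access-group 1 in
!
! --- Step 2: stop learning the foreign prefix from the SP via EIGRP ---
! Filter at the routing-protocol layer instead of dropping data packets.
access-list 50 deny   172.25.3.0 0.0.0.255   ! placeholder prefix (from the answer)
access-list 50 permit any                    ! keep accepting everything else
!
router eigrp 1                               ! AS number assumed
 distribute-list 50 in                       ! no interface given: applies to all EIGRP neighbours
!
! --- Verify ---
! show ip route 172.25.3.0      ! expect "% Network not in table" once filtered
! show ip eigrp topology        ! the prefix should no longer be listed
! show ip access-lists 50       ! hit count on the deny line confirms matches
```

Two caveats a practitioner would check: an inbound distribute-list only keeps the prefix out of this router's EIGRP topology and routing table, it does nothing about where the SP is advertising it from, so the foreign route is still worth reporting to the provider; and a standard ACL used in a distribute-list is applied to the network address of the route, so `172.25.3.0 0.0.0.255` also filters any longer prefix inside that /24.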