ACL & Route-Maps

9 years 1 month ago #38614 by dmourghen
ACL was created by dmourghen
We currently have a router and we have set up PBR on it. When the user arrives on the router and it's internet traffic, it should go out through the ADSL, and if not, it should connect to the other way, i.e. RDP, printing. The only problem is that it's making all the DNS requests on the second link; once there is no connection from the second link, no one can browse the internet.

Anyone know how to refine our ACL?

access-list 101 permit tcp any any eq www
access-list 101 permit tcp any any eq 443
access-list 101 permit tcp any any eq ftp
access-list 101 permit tcp any any eq 5938
access-list 101 permit tcp any any eq smtp
access-list 101 permit tcp any any eq 88
access-list 101 permit tcp any any eq 4007
access-list 101 deny icmp any any
access-list 101 deny tcp any any
access-list 101 permit tcp any any eq 3389
access-list 101 permit icmp any any
access-list 102 deny tcp any any eq www
access-list 102 deny tcp any any eq domain
access-list 102 deny udp any any eq domain
access-list 102 deny tcp any any eq 443
access-list 102 deny tcp any any eq ftp
access-list 102 deny tcp any any eq 5938
access-list 102 deny tcp any any eq smtp
access-list 102 deny tcp any any eq 88
access-list 102 permit tcp any any
9 years 1 month ago - 9 years 1 month ago #38615 by Chris
Replied by Chris on topic ACL & Route-Maps
Hi dmourghen,

I'm assuming you've got two route-maps where ACL 101 applies to the first route-map and ACL 102 to the second.
It would greatly help if you provided the whole Route-Map configuration, so we can clearly understand your setup.

As a general rule-of-thumb, you need to keep in mind that we use the permit statements for the traffic we do NOT want to route through the router's default route (Dialer interface/Internet). In your case, the permit statement would be used for the RDP/Printing traffic.

Keep in mind that the DENY statement will explicitly route traffic via the default-route; however, there is always an explicit (invisible) DENY at the end of every access-list, so you do not need to make use of the DENY statement unless you really need to.

A typical example for the use of the DENY statement is the following example:

Route the whole 192.168.1.0/24 subnet via the second router except host 192.168.1.10 - which would translate to the following commands:
access-list 101 deny ip host 192.168.1.10 any
access-list 101 permit ip 192.168.1.0 0.0.0.255 any

You can also check the following article that contains route-map and ACL configuration and can help provide an insight to your problem:

Configuring Policy-Based Routing (PBR) with IP SLA Tracking - Auto Redirecting Traffic

We are planning to cover ACLs and Route-maps extensively, so I'd suggest you sign up for newsletter updates if you haven't disabled this feature in your Firewall.cx account.

Let us know if you need anything else.

Chris.

Chris Partsenidis.
Founder & Editor-in-Chief
www.Firewall.cx
Last edit: 9 years 1 month ago by Chris.
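As an added illustration of the first-match behaviour both posts rely on (this is example code written for this page, not code from the thread or from Firewall.cx), the Python below parses ACL 101 and 102 exactly as posted in the question, plus Chris's deny-then-permit example, and reports which line a sample flow hits and which lines can never match. It models only the syntax those lines use (any / host / wildcard addresses, a protocol, an optional `eq` destination port), assumes contiguous wildcard masks, and does not model the route-map itself, so it shows where a flow matches in each ACL, not which interface the router sends it out of. The sample flows and their addresses are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

PORT_NAMES = {"www": 80, "ftp": 21, "smtp": 25, "domain": 53}  # IOS keywords used in the posted lines

@dataclass(frozen=True)
class Flow:
    proto: str                   # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None  # destination port, None for icmp

@dataclass(frozen=True)
class Ace:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip", "tcp", "udp" or "icmp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]         # None means any destination port
    text: str                    # the original line, kept for reporting

def _parse_addr(t, i):
    """Parse 'any' | 'host A.B.C.D' | 'A.B.C.D WILDCARD' starting at token t[i]."""
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1] + "/32"), i + 2
    # A wildcard mask is the bitwise inverse of a netmask (assumed contiguous here).
    netmask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(t[i + 1])))
    return ipaddress.ip_network(f"{t[i]}/{netmask}", strict=False), i + 2

def parse_ace(line):
    """'access-list 101 permit tcp any any eq www' -> ('101', Ace(...))."""
    t = line.split()
    src, i = _parse_addr(t, 4)
    dst, i = _parse_addr(t, i)
    dport = None
    if i < len(t) and t[i] == "eq":
        dport = int(t[i + 1]) if t[i + 1].isdigit() else PORT_NAMES[t[i + 1]]
    return t[1], Ace(t[2], t[3], src, dst, dport, line)

def parse_acls(config):
    """Group ACEs by ACL number, preserving the configured (evaluation) order."""
    acls = {}
    for line in (l.strip() for l in config.splitlines() if l.strip()):
        acl_id, ace = parse_ace(line)
        acls.setdefault(acl_id, []).append(ace)
    return acls

def evaluate(aces, flow):
    """First matching ACE wins; an unmatched flow hits the implicit deny (returned as None)."""
    for ace in aces:
        if ((ace.proto == "ip" or ace.proto == flow.proto)
                and ipaddress.ip_address(flow.src) in ace.src
                and ipaddress.ip_address(flow.dst) in ace.dst
                and (ace.dport is None or ace.dport == flow.dport)):
            return ace.action, ace
    return "deny", None

def shadowed_aces(aces):
    """ACEs that can never match because an earlier ACE already covers every flow
    they could match (same or broader protocol, superset addresses, no port or same port)."""
    out = []
    for i, ace in enumerate(aces):
        if any((p.proto == "ip" or p.proto == ace.proto)
               and ace.src.subnet_of(p.src) and ace.dst.subnet_of(p.dst)
               and (p.dport is None or p.dport == ace.dport) for p in aces[:i]):
            out.append(ace)
    return out

# ACL 101 and 102 exactly as posted in the question.
POSTED_ACLS = """
access-list 101 permit tcp any any eq www
access-list 101 permit tcp any any eq 443
access-list 101 permit tcp any any eq ftp
access-list 101 permit tcp any any eq 5938
access-list 101 permit tcp any any eq smtp
access-list 101 permit tcp any any eq 88
access-list 101 permit tcp any any eq 4007
access-list 101 deny icmp any any
access-list 101 deny tcp any any
access-list 101 permit tcp any any eq 3389
access-list 101 permit icmp any any
access-list 102 deny tcp any any eq www
access-list 102 deny tcp any any eq domain
access-list 102 deny udp any any eq domain
access-list 102 deny tcp any any eq 443
access-list 102 deny tcp any any eq ftp
access-list 102 deny tcp any any eq 5938
access-list 102 deny tcp any any eq smtp
access-list 102 deny tcp any any eq 88
access-list 102 permit tcp any any
"""

# Chris's deny-then-permit example from the reply.
CHRIS_EXAMPLE = """
access-list 101 deny ip host 192.168.1.10 any
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
"""

if __name__ == "__main__":
    # Constructed sample flows from a LAN host; the addresses are made up.
    flows = [Flow("udp", "192.168.1.20", "8.8.8.8", 53), Flow("tcp", "192.168.1.20", "10.0.0.5", 3389)]
    for acl_id, aces in parse_acls(POSTED_ACLS).items():
        for f in flows:
            action, ace = evaluate(aces, f)
            print(f"ACL {acl_id} {f.proto}/{f.dport}: {action} ({ace.text if ace else 'implicit deny'})")
        for ace in shadowed_aces(aces):
            print(f"ACL {acl_id} unreachable line: {ace.text}")
```

Two things stand out when it runs. In ACL 101 the `permit tcp any any eq 3389` and `permit icmp any any` lines come after `deny tcp any any` and `deny icmp any any`, so they are unreachable; if RDP is meant to be policy-routed by that ACL, those permits have to move above the deny lines. A UDP/53 DNS query matches nothing in ACL 101 (implicit deny) and hits `deny udp any any eq domain` in ACL 102, so neither ACL ever permits DNS; what the router then does with it depends on the route-map sequences the ACLs are attached to, which is why the full route-map configuration is needed to answer the question.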