Damir Rajnovic writes:
>Thank's for everybody who explain me how to configure access rules, but....
>I apply following rules:
>acces-list 111 deny ip x.y.z.0 0.0.0.255 x.y.z.0 0.0.0.255
>acces-list 111 deny ip 127.0.0.0 0.255.255.255 x.y.z.0 0.0.0.255
>acces-list 111 permit tcp 0.0.0.0 255.255.255.255 x.y.z.0 0.0.0.255
The list should (probably) be:
access-list 111 deny ip x.y.z.0 0.0.0.255 0.0.0.0 255.255.255.255
access-list 111 deny ip 127.0.0.0 0.255.255.255 0.0.0.0 255.255.255.255
access-list 111 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
>interface s 0
>ip access-group 111 in
>and everything works well but after some time I lost all routes to all
>hosts inside CARNet. I can go to outside world, I can receive and send
>mail but I can't make telnet to some host inside CARNet.
The list you had was denying packets destined for x.y.z.0/24 that were
coming from x.y.z.0/24, which is not want you (necessarily) want to do.
Under no circumstances should a packet coming into your router have a
source address that is part of your internal network (assuming you have
a fairly simple setup). Also, there is an implied:
access-list 111 deny ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
at the end of the access-list, so all packets that are everything except
tcp and destined for x.y.z.0/24 will get blocked. As I put up there, you
almost certainly want to put the 'permit all ip packets' entry in the
list (unless you want to deny all other packets except for the ones
I just mentioned).
Alec Peterson Panix Public Access UNIX and Internet
com New York City, NY