Cisco – Simple ACL not working

Tags: access-control-list, cisco, networking

Network: Cisco 2921. Two subnets. 192.168.1.0/24 and 2.0/24.

For some reason I can't get inter-subnet communication.

I bound an ACL with the following statements to the inbound interface of each subnet.

On Gi0/0 (1.0/24) I applied "access-list 101 permit ip 192.168.2.0 0.0.0.255 any" to the inbound interface.

On Gi0/1 (2.0/24) I applied "access-list 102 permit ip 192.168.1.0 0.0.0.255 any" to the inbound interface.

When I did this, DHCP stopped working, as did the internet sometimes, so I deleted them.

I did this in packet-tracer and it worked 100%. Why is it not working on the real router?

Running Config:

Current configuration : 2608 bytes
!
! Last configuration change at 15:22:51 UTC Mon Feb 18 2013
! NVRAM config last updated at 17:41:03 UTC Sun Feb 17 2013
! NVRAM config last updated at 17:41:03 UTC Sun Feb 17 2013
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
!
enable secret 5 xxxxxx
enable password xxxxxx
!
no aaa new-model
!
no ipv6 cef
ip source-route
ip cef
!
!
!
ip dhcp excluded-address 192.168.2.1
ip dhcp excluded-address 192.168.2.1 192.168.2.99
ip dhcp excluded-address 192.168.2.1 192.168.2.50
!
ip dhcp pool DHCP_POOL
 network 192.168.2.0 255.255.255.0
 default-router 192.168.2.1
 dns-server 8.8.8.8
 domain-name subnet2.local
!
!
ip name-server 8.8.8.8
ip name-server 8.8.4.4
multilink bundle-name authenticated
!
!
!
!
!
crypto pki token default removal timeout 0
!
!
voice-card 0
!
!
!
!
!
!
!
license udi pid CISCO2921/K9 sn FTX1703AHBN
hw-module pvdm 0/0
!
!
!
!
redundancy
!
!
ip ftp username xxxxxxx
ip ftp password xxxxx
!
!
!
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 ip access-group 5 out
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
 no mop enabled
!
interface GigabitEthernet0/1
 ip address 192.168.2.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface GigabitEthernet0/2
 ip address xxxxxxxxxxx 255.255.255.248
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip nat inside source list 1 interface GigabitEthernet0/2 overload
ip nat inside source list 2 interface GigabitEthernet0/2 overload
ip route 0.0.0.0 0.0.0.0 108.162.28.169
ip route 192.168.1.0 255.255.255.0 GigabitEthernet0/0
ip route 192.168.2.0 255.255.255.0 GigabitEthernet0/1
!
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 2 permit 192.168.2.0 0.0.0.255
access-list 3 permit 192.168.2.0 0.0.0.255
access-list 3 permit 192.168.1.0 0.0.0.255
access-list 4 permit 192.168.1.0 0.0.0.255
access-list 5 permit any
access-list 101 permit ip 192.168.2.0 0.0.0.255 any
!
!
!
control-plane
!
!
!
!
mgcp profile default
!
!
!
!
!
gatekeeper
 shutdown
!
!
!
line con 0
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport input all
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line vty 0 4
 password ********
 login
 transport input all
!
scheduler allocate 20000 1000
end

Best Answer

I believe you are mixing up the concepts of Inbound and Outbound in your ACL.

If Interface GigabitEthernet0/0 has the 192.168.1.0/24 subnet behind it, then to allow that traffic to go on the other interface you will add the following ACL on GigabitEthernet0/0 and vice versa.

access-list 101 permit ip 192.168.1.0 0.0.0.255 any

access-list 102 permit ip 192.168.2.0 0.0.0.255 any

The same thing could be achieved (and would be more secure) by restricting where the traffic can go.

access-list 101 permit ip any 192.168.2.0 0.0.0.255

access-list 102 permit ip any 192.168.1.0 0.0.0.255

If you use the above ACL, then the networks behind both interfaces will only be able to talk to each other... that's it.

Then in the GigabitEthernet0/0 configuration:

ip access-group 101 in

And on the GigabitEthernet0/1:

ip access-group 102 in

Inbound and Outbound are always based on what interface the packet will hit first.

To better understand when dealing with ACL and the Inbound/Outbound issue, pretend you are the Router and/or Firewall.

Do you (the router) allow packets coming to you with IP 192.168.1.10 on YOUR interface Gi0/0?

Yes I do, the ACL on that interface allows it:

access-list 101 permit ip 192.168.1.0 0.0.0.255 any

or

access-list 101 permit ip any 192.168.2.0 0.0.0.255

If you had your ACL set on Outbound, the question would be:

Do you allow packets from 192.168.1.10 to leave YOUR interface Gi0/0?

Once you allowed that traffic, you don't need to add ACLs on the destination interface when both of them are on the same device.
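To make the direction rule concrete, here is an added example, written for this page and not code from the question, the answer or Cisco. It simulates the part of Cisco ACL processing that matters here: wildcard masks, first match wins, and the implicit deny at the end of every list. It runs the question's original ACL 101, the answer's corrected version, and the answer's stricter version against the same packets entering Gi0/0, and runs the answer's ACL 102 against a DHCP discover entering Gi0/1. The host addresses 192.168.1.10 and 192.168.2.10, the 8.8.8.8 destination and the DHCP discover addresses are constructed sample values. The DHCP case assumes the textbook model in which an inbound ACL is evaluated against broadcasts the router itself answers; that assumption matches what the poster saw when DHCP stopped, and only the `ip` protocol is parsed, so an explicit UDP bootpc/bootps permit is not modelled.

```python
# Added example for this page: a small simulator of Cisco IP ACL matching
# (wildcard masks, first match wins, implicit deny at the end).
# Not Cisco's code and not from the question or the answer.
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple

ANY = ("0.0.0.0", "255.255.255.255")  # how the keyword 'any' expands in a Cisco ACL


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 0 bit must match, a 1 bit is 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (n & care)


@dataclass
class Ace:
    action: str  # "permit" or "deny"
    src: str
    src_wc: str
    dst: str
    dst_wc: str


def parse_ace(line: str) -> Ace:
    """Parse 'access-list N permit|deny ip <src spec> <dst spec>'.
    A spec is 'any', 'host A.B.C.D', or 'A.B.C.D wildcard'. Only protocol 'ip' is modelled."""
    t = line.split()
    if t[0] != "access-list" or t[3] != "ip" or t[2] not in ("permit", "deny"):
        raise ValueError(f"unsupported entry: {line}")
    rest = t[4:]

    def take(tokens):
        if tokens[0] == "any":
            return ANY, tokens[1:]
        if tokens[0] == "host":
            return (tokens[1], "0.0.0.0"), tokens[2:]
        return (tokens[0], tokens[1]), tokens[2:]

    (src, src_wc), rest = take(rest)
    (dst, dst_wc), rest = take(rest)
    return Ace(t[2], src, src_wc, dst, dst_wc)


def evaluate(acl: List[str], src: str, dst: str) -> Tuple[str, str]:
    """Return (verdict, matching entry). Entries are tested in order; the first
    match decides, and a packet matching nothing hits the implicit 'deny ip any any'."""
    for line in acl:
        ace = parse_ace(line)
        if wildcard_match(src, ace.src, ace.src_wc) and wildcard_match(dst, ace.dst, ace.dst_wc):
            return ace.action, line
    return "deny", "implicit deny ip any any"


# ACLs as applied INBOUND on Gi0/0, where 192.168.1.0/24 lives.
ORIGINAL_GI00_IN = ["access-list 101 permit ip 192.168.2.0 0.0.0.255 any"]  # the question's version
FIXED_GI00_IN = ["access-list 101 permit ip 192.168.1.0 0.0.0.255 any"]     # the answer's version
STRICT_GI00_IN = ["access-list 101 permit ip any 192.168.2.0 0.0.0.255"]    # the answer's stricter version
# The answer's ACL 102 as applied INBOUND on Gi0/1, where 192.168.2.0/24 and the DHCP pool live.
FIXED_GI01_IN = ["access-list 102 permit ip 192.168.2.0 0.0.0.255 any"]

# Constructed sample packets as (source, destination).
HOST1_TO_HOST2 = ("192.168.1.10", "192.168.2.10")  # crosses from Gi0/0 to Gi0/1
HOST1_TO_DNS = ("192.168.1.10", "8.8.8.8")         # leaves towards the internet via NAT
DHCP_DISCOVER = ("0.0.0.0", "255.255.255.255")     # a client on Gi0/1 before it has an address


def scenarios() -> Dict[str, str]:
    """Verdict for each ACL/packet pairing, keyed by a short description."""
    return {
        "original 101 in on Gi0/0, 1.10 -> 2.10": evaluate(ORIGINAL_GI00_IN, *HOST1_TO_HOST2)[0],
        "fixed 101 in on Gi0/0, 1.10 -> 2.10": evaluate(FIXED_GI00_IN, *HOST1_TO_HOST2)[0],
        "fixed 101 in on Gi0/0, 1.10 -> 8.8.8.8": evaluate(FIXED_GI00_IN, *HOST1_TO_DNS)[0],
        "strict 101 in on Gi0/0, 1.10 -> 2.10": evaluate(STRICT_GI00_IN, *HOST1_TO_HOST2)[0],
        "strict 101 in on Gi0/0, 1.10 -> 8.8.8.8": evaluate(STRICT_GI00_IN, *HOST1_TO_DNS)[0],
        "fixed 102 in on Gi0/1, DHCP discover": evaluate(FIXED_GI01_IN, *DHCP_DISCOVER)[0],
    }


if __name__ == "__main__":
    for label, verdict in scenarios().items():
        print(f"{verdict:6}  {label}")
```

Running the script shows the original entry denying 192.168.1.10 on Gi0/0 (its source is not in 192.168.2.0/24, so the packet falls through to the implicit deny), the answer's entry permitting it, and the stricter entry permitting the cross-subnet packet while denying the one bound for 8.8.8.8, which is the "only be able to talk to each other" behaviour the answer describes. The DHCP discover is denied even by the corrected ACL 102 in this model, because its 0.0.0.0 source is outside 192.168.2.0/24; in practice that is handled by adding an explicit permit for the DHCP ports ahead of the implicit deny, which this simplified parser does not cover.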