Two common access-list pitfalls

The first common access-list problem I have seen is not allowing some ICMP (Internet Control Message Protocol) traffic through a gateway firewall. For example, you have just configured an access-list on the DSL link of your home router. All of a sudden, when you send large transmissions such as a big email attachment, you find your connections timing out or closing unexpectedly. Unsure what is wrong, you take the access-list off and the problem goes away. When you put the access-list back on, the problem reappears. You ask yourself what happened as you review the access-list. The problem is as simple as not permitting ICMP through your list.

As I say in Cisco IOS in a Nutshell, people often think of ICMP as the hacker's tool. In reality, it plays a very important role. The problem I just described sounds like an MTU (Maximum Transmission Unit) or source-quench problem, which means the ICMP messages carrying that information are not getting through the access-list. Either way, add the following commands to your access-list and your problems might go away:

    ! allow pings into the network
    access-list 110 permit icmp any any echo
    ! allow ping responses
    access-list 110 permit icmp any any echo-reply
    ! allow ICMP source-quench
    access-list 110 permit icmp any any source-quench
    ! allow path MTU discovery
    access-list 110 permit icmp any any packet-too-big
    ! allow time-exceeded, which is useful for traceroute
    access-list 110 permit icmp any any time-exceeded
    ! deny all other ICMP packets
    access-list 110 deny icmp any any

A second common access-list pitfall is forgetting to allow DNS (Domain Name System) traffic between the internal network and the provider's DNS servers. Mainly this is a problem on home or small-office routers where you might not have an internal DNS server running. The following commands allow DNS access from your hosts to the outside DNS servers. In this example, our outside DNS servers are 172.16.1.1 and 172.30.1.1:

    access-list 110 permit udp host 172.16.1.1 eq domain any gt 1023
    access-list 110 permit udp host 172.30.1.1 eq domain any gt 1023
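The quickest way to see why both pitfalls bite is to evaluate the list the way IOS does: top to bottom, first match wins, implicit deny at the end. The script below is an added example, not code from the article or from Cisco; it is a small first-match simulator for numbered extended access-lists that understands only the keyword subset used above (any, host, wildcard masks, eq/gt/lt/neq/range port operators, and the ICMP message names). The sample lists, the packets and the addresses 192.168.1.x and 203.0.113.1 are constructed for the demonstration, and the list is assumed to be applied inbound on the outside interface, which is why the DNS entries match replies from the server's port 53 back to your hosts' high-numbered ports.

```python
"""Added example: first-match simulation of a Cisco IOS numbered extended
access-list, used to check whether a list admits the ICMP and DNS traffic the
text describes.  Not Cisco code; only the keyword subset on the page is parsed."""
import ipaddress
from dataclasses import dataclass

# IOS ICMP message keywords -> (type, code); code None means any code.
ICMP_MSGS = {"echo": (8, None), "echo-reply": (0, None), "source-quench": (4, None),
             "packet-too-big": (3, 4), "time-exceeded": (11, None), "unreachable": (3, None)}
PORT_NAMES = {"domain": 53, "www": 80, "ntp": 123}


@dataclass
class Packet:
    proto: str                # "icmp", "udp" or "tcp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    icmp_type: int = 0
    icmp_code: int = 0


def _parse_addr(tokens, i):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'; return (net, wildcard), next index."""
    if tokens[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    if tokens[i] == "host":
        return (tokens[i + 1], "0.0.0.0"), i + 2
    return (tokens[i], tokens[i + 1]), i + 2


def _parse_port(tokens, i):
    """Consume an optional port operator such as 'eq domain' or 'gt 1023'."""
    if i < len(tokens) and tokens[i] in ("eq", "gt", "lt", "neq"):
        port = tokens[i + 1]
        return (tokens[i], int(PORT_NAMES.get(port, port))), i + 2
    if i < len(tokens) and tokens[i] == "range":
        return ("range", (int(tokens[i + 1]), int(tokens[i + 2]))), i + 3
    return None, i


def parse_ace(line):
    """Parse one 'access-list N permit|deny ...' line; comments and other lines give None."""
    t = line.split()
    if len(t) < 4 or t[0] != "access-list" or t[2] not in ("permit", "deny"):
        return None
    proto = t[3]
    src, i = _parse_addr(t, 4)
    sport, i = _parse_port(t, i) if proto in ("tcp", "udp") else (None, i)
    dst, i = _parse_addr(t, i)
    dport, i = _parse_port(t, i) if proto in ("tcp", "udp") else (None, i)
    # An unsupported ICMP keyword raises KeyError rather than silently matching everything.
    icmp = ICMP_MSGS[t[i]] if proto == "icmp" and i < len(t) else None
    return {"action": t[2], "proto": proto, "src": src, "sport": sport,
            "dst": dst, "dport": dport, "icmp": icmp, "text": line}


def _addr_match(spec, ip):
    """Wildcard-mask comparison: bits set in the wildcard are don't-care bits."""
    net, wild = (int(ipaddress.IPv4Address(a)) for a in spec)
    return (int(ipaddress.IPv4Address(ip)) & ~wild & 0xFFFFFFFF) == (net & ~wild & 0xFFFFFFFF)


def _port_match(spec, port):
    if spec is None:
        return True
    op, val = spec
    if op == "range":
        return val[0] <= port <= val[1]
    return {"eq": port == val, "gt": port > val, "lt": port < val, "neq": port != val}[op]


def _icmp_match(spec, pkt):
    if spec is None:
        return True
    typ, code = spec
    return pkt.icmp_type == typ and (code is None or pkt.icmp_code == code)


def evaluate(acl_lines, pkt):
    """Return (action, matching line) under first-match semantics; unmatched traffic hits the implicit deny."""
    for ace in filter(None, map(parse_ace, acl_lines)):
        if ace["proto"] not in ("ip", pkt.proto):
            continue
        if not (_addr_match(ace["src"], pkt.src) and _addr_match(ace["dst"], pkt.dst)):
            continue
        if pkt.proto in ("tcp", "udp") and not (
                _port_match(ace["sport"], pkt.sport) and _port_match(ace["dport"], pkt.dport)):
            continue
        if pkt.proto == "icmp" and not _icmp_match(ace["icmp"], pkt):
            continue
        return ace["action"], ace["text"]
    return "deny", "implicit deny at end of list"


# Constructed sample: an inbound list on the DSL interface that permits only DNS replies.
ACL_WITHOUT_ICMP = [
    "access-list 110 permit udp host 172.16.1.1 eq domain any gt 1023",
    "access-list 110 permit udp host 172.30.1.1 eq domain any gt 1023",
    "access-list 110 deny ip any any",
]
# The same list with the article's ICMP entries placed ahead of the DNS entries and final deny.
ACL_WITH_ICMP = [
    "! allow pings into the network",
    "access-list 110 permit icmp any any echo",
    "access-list 110 permit icmp any any echo-reply",
    "access-list 110 permit icmp any any source-quench",
    "access-list 110 permit icmp any any packet-too-big",
    "access-list 110 permit icmp any any time-exceeded",
    "access-list 110 deny icmp any any",
] + ACL_WITHOUT_ICMP

# Constructed packets: an ICMP "fragmentation needed" message (type 3, code 4) from an
# upstream router (203.0.113.1 is a documentation address) and two DNS replies.
FRAG_NEEDED = Packet("icmp", "203.0.113.1", "192.168.1.1", icmp_type=3, icmp_code=4)
DNS_REPLY = Packet("udp", "172.16.1.1", "192.168.1.10", sport=53, dport=40000)
DNS_REPLY_LOW_PORT = Packet("udp", "172.16.1.1", "192.168.1.10", sport=53, dport=1023)

if __name__ == "__main__":
    for name, acl in (("without ICMP", ACL_WITHOUT_ICMP), ("with ICMP", ACL_WITH_ICMP)):
        for pkt in (FRAG_NEEDED, DNS_REPLY, DNS_REPLY_LOW_PORT):
            print(name, pkt.proto, evaluate(acl, pkt))
```

Running it shows the path-MTU message falling through to `deny ip any any` on the first list and matching the `packet-too-big` entry on the second, while the DNS reply to port 1023 is dropped by both lists because `gt 1023` does not include 1023 itself; that is the kind of boundary worth checking before blaming the provider's resolver.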