Troubleshooting guide

Troubleshooting TCP/IP
9. If packets pass normally, perform steps 1 to 7 on any other routers in the path
until all access lists are enabled and packets are forwarded properly.
Access List and Filter Misconfigurations
Application errors that drop host connections are frequently caused by
misconfigured access lists or other filters.
Follow these steps to fix access lists or other filters:
1. Use the show running-config command in Privileged EXEC mode to check
each router in the path, and determine whether IP access lists are
configured on the BSR.
2. If IP access lists are enabled on the BSR, disable them using the appropriate
commands. An access list may be filtering traffic from a TCP or UDP port.
For example, to disable input access list 80, enter the following command in
Router Interface configuration mode:
RDN(config-if)#no ip access-group 80 in
3. After disabling all the access lists on the BSR, determine whether the
application operates normally.
If the application operates normally, an access list is probably blocking traffic.
4. To isolate the problem list, enable access lists one at a time until the
application no longer functions. Check the problem access list to determine
whether it is filtering traffic from any TCP or UDP ports.
5. If the access list denies specific TCP or UDP ports, make sure that it does not
deny the port used by the application in question (such as TCP port 23 for
Telnet).
6. Enter explicit permit statements for the ports the applications use. The
following commands allow DNS and NTP requests and replies:
RDN(config-if)#access-list <list number> permit udp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 53
RDN(config-if)#access-list <list number> permit udp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 123
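
An added example for steps 4 to 6 (not part of the original guide): a small Python evaluator that finds the first access list entry matching a given flow, so the entry that denies an application's port can be identified offline before the list is re-enabled. It assumes the entry syntax shown in step 6, top-down first-match evaluation, and an implicit deny at the end of the list as on Cisco-style routers; list number 101 and all addresses are constructed.

```python
import ipaddress

# Constructed sample list in the syntax of step 6 (list number 101 is made up).
SAMPLE_ACL = """\
access-list 101 deny udp 0.0.0.0 255.255.255.255 10.1.1.0 0.0.0.255 eq 53
access-list 101 permit udp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 53
access-list 101 permit udp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 123
access-list 101 permit tcp 192.168.5.0 0.0.0.255 0.0.0.0 255.255.255.255 eq 23
"""

def _ip(s):
    return int(ipaddress.IPv4Address(s))

def _addr_match(addr, base, wildcard):
    # Wildcard-mask bits set to 1 are "don't care"; all other bits must be equal.
    return ((_ip(addr) ^ _ip(base)) & ~_ip(wildcard) & 0xFFFFFFFF) == 0

def parse_acl(text):
    """Parse 'access-list N permit|deny PROTO SRC WILD DST WILD [eq PORT]' lines."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        tok = line.split()
        if len(tok) < 8 or tok[0] != "access-list":
            continue  # skip blank or unrelated lines
        port = int(tok[9]) if len(tok) >= 10 and tok[8] == "eq" else None
        entries.append({"line": lineno, "action": tok[2], "proto": tok[3],
                        "src": (tok[4], tok[5]), "dst": (tok[6], tok[7]),
                        "port": port})
    return entries

def first_match(entries, proto, src, dst, dport):
    """Return (action, line) of the first entry that matches the flow."""
    for e in entries:
        if e["proto"] not in (proto, "ip"):
            continue
        if e["port"] is not None and e["port"] != dport:
            continue
        if _addr_match(src, *e["src"]) and _addr_match(dst, *e["dst"]):
            return e["action"], e["line"]
    # Assumption: no entry matched, so the implicit deny at the end applies.
    return "deny", None

if __name__ == "__main__":
    acl = parse_acl(SAMPLE_ACL)
    for flow in [("udp", "192.168.5.9", "10.1.1.7", 53),   # DNS to 10.1.1.0/24
                 ("udp", "192.168.5.9", "10.2.0.1", 123),  # NTP
                 ("tcp", "10.9.9.9", "10.2.0.1", 23)]:     # Telnet, other subnet
        print(flow, "->", first_match(acl, *flow))
```

A result of ("deny", None) means no entry matched and the flow fell through to the implicit deny, which is the case that step 6's explicit permit statements address.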