topic Re: Access-List STOPS all traffic! in Network Access Control

Access-List STOPS all traffic!

bbravo — Sun, 10 Mar 2019 14:54:27 GMT

I'm a bit confused, I applied this access list on the LAN sub-interface (FA0/0.100) of my network and it seems to be stopping all traffic anyway, when I look at the logs I see that traffic originating from the LAN is being dropped even though is being explicitely permitted, I appreciate all you input!

access-list 105 permit eigrp any any

access-list 105 permit icmp any any

access-list 105 permit tcp 172.21.0.0 0.0.0.255 any eq www

access-list 105 permit tcp 172.21.0.0 0.0.0.255 any eq 563

access-list 105 permit udp 172.21.0.0 0.0.0.255 any eq netbios-ns

access-list 105 permit tcp 172.21.0.0 0.0.0.255 any eq 137

access-list 105 permit tcp 172.21.0.0 0.0.0.255 any eq 139

access-list 105 permit udp 172.21.0.0 0.0.0.255 any eq netbios-ss

access-list 105 permit tcp 172.21.0.0 0.0.0.255 any eq 8080

access-list 105 permit tcp 172.21.0.0 0.0.0.255 any eq domain

access-list 105 permit udp 172.21.0.0 0.0.0.255 any eq bootps

access-list 105 permit udp 172.21.0.0 0.0.0.255 any eq bootpc

access-list 105 permit tcp 172.21.0.0 0.0.0.255 any eq 546

access-list 105 permit tcp 172.21.0.0 0.0.0.255 any eq 547

access-list 105 permit udp 172.21.0.0 0.0.0.255 any eq 547

access-list 105 permit udp 172.21.0.0 0.0.0.255 any eq 546

access-list 105 permit tcp 172.21.0.0 0.0.0.255 any eq 127

access-list 105 permit tcp 172.21.0.0 0.0.0.255 any eq 445

access-list 105 permit tcp 172.21.0.0 0.0.0.255 any eq 6129

access-list 105 deny ip any any log

interface FastEthernet0/0.100

description *** My network VLAN ***

encapsulation isl 100

ip address 172.21.10.1 255.255.255.0

ip access-group 105 in

ip helper-address 172.16.0.21

no ip redirects

Re: Access-List STOPS all traffic!

gfullage — Wed, 14 Jul 2004 23:07:41 GMT

The subnet on this interface is 172.21.10.x, whereas your access-list is only permitting traffic from 172.21.0.x.

If you want to only allow 172.21.10.x in with this ACL, change all the occurrances of 172.21.0.0 to 172.21.10.0.

If you want to allow the whole b-class network of 172.21.x.x, then change all the occurrances of 0.0.0.255 to 0.0.255.255

Re: Access-List STOPS all traffic!

bbravo — Thu, 15 Jul 2004 12:51:43 GMT

Already tried that, actually the first line on my Access list was: 172.21.0.0 0.0.255.255 any

But that gave me the same result, I don't think I need to specify ACL for returning traffic (?) since they are part of the same connections, I even tried any any and same result...I appreciate your help thou...

Re: Access-List STOPS all traffic!

steve.busby — Thu, 15 Jul 2004 18:54:14 GMT

If you remove the ACL from the subinterface, does your traffic flow as you expect?

Re: Access-List STOPS all traffic!

bbravo — Thu, 15 Jul 2004 19:27:46 GMT

Yes it does, and looking at the logs I can see that traffic being dropped.

Re: Access-List STOPS all traffic!

gfullage — Fri, 16 Jul 2004 06:08:05 GMT

So send us those logs then for us to have a look at.