https://community.cisco.com/t5/network-security/need-help-with-acl-src-dest-problem/m-p/3702319#M902008 <P>you are definitley using it correct in source/destination in your ACE's:</P> <P>&nbsp;</P> <P>&nbsp;</P> <P><A href="https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3650/software/release/3se/security/configuration_guide/b_sec_3se_3650_cg/b_sec_3se_3650_cg_chapter_01010.html#concept_339DA61A054C4243B014617049EF5C09" target="_blank">https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3650/software/release/3se/security/configuration_guide/b_sec_3se_3650_cg/b_sec_3se_3650_cg_chapter_01010.html#concept_339DA61A054C4243B014617049EF5C09</A></P> <P>&nbsp;</P> <P>is it just NTP thta breaks or other traffic in the ACL as well?</P> Thu, 06 Sep 2018 17:14:46 GMT Dennis Mink 2018-09-06T17:14:46Z https://community.cisco.com/t5/network-security/need-help-with-acl-src-dest-problem/m-p/3702226#M902003 <P>I have a working ACL. It is applied inbound on the switch port with a server attached. However, the logic is confusing me, as if I switch src/dest around, it no longer works.</P> <P>&nbsp;</P> <P>Setup:</P> <P>3650 Switch, server on port g1/0/7. Switch trunked to a pair of 9k's in VPC mode</P> <P>NTP server is 10.0.0.2</P> <P>NTP client is 192.168.2.1</P> <P>192.168.1.0 is a management network</P> <P>ACL applied as so: ip access-group NTP_Working in on g1/0/7</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>ACL working:</P> <P><EM>ip access-list extended NTP_Working</EM><BR /><EM> permit udp host 10.0.0.2 eq ntp host 192.168.2.1</EM><BR /><EM> permit tcp host 10.0.0.2 eq www 192.168.1.0 0.0.0.255</EM><BR /><EM> permit tcp host 10.0.0.2 eq 443 192.168.1.0 0.0.0.255</EM><BR /><EM> permit icmp host 10.0.0.2 192.168.1.0 0.0.0.255 echo-reply</EM></P> <P>&nbsp;</P> <P>ACL Not working (just flipped source/dest):</P> <P><EM>ip access-list extended NTP_Not_Working</EM><BR /><EM> permit udp host 192.168.2.1 eq ntp host 192.168.2.1</EM><BR /><EM> permit tcp 192.168.1.0 0.0.0.255 eq www host 10.0.0.2</EM><BR /><EM> permit tcp 192.168.1.0 0.0.0.255 host 10.0.0.2 eq 443 </EM><BR /><EM> permit icmp 192.168.1.0 0.0.0.255 host 10.0.0.2 echo-reply</EM></P> <P>&nbsp;</P> <P>All my logic is allow xx from source to destination. But taht is not working here.</P> Fri, 21 Feb 2020 16:12:20 GMT https://community.cisco.com/t5/network-security/need-help-with-acl-src-dest-problem/m-p/3702226#M902003 Jeff Ferrell 2020-02-21T16:12:20Z https://community.cisco.com/t5/network-security/need-help-with-acl-src-dest-problem/m-p/3702318#M902005 <P>you are definitely using it&nbsp;correct in source/destination order of ACE:</P> <P>&nbsp;</P> <P><A href="https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3650/software/release/3se/security/configuration_guide/b_sec_3se_3650_cg/b_sec_3se_3650_cg_chapter_01010.html#concept_339DA61A054C4243B014617049EF5C09" target="_blank">https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3650/software/release/3se/security/configuration_guide/b_sec_3se_3650_cg/b_sec_3se_3650_cg_chapter_01010.html#concept_339DA61A054C4243B014617049EF5C09</A></P> <P>&nbsp;</P> <P>is it just NTP that beaks or all the other traffic in the ACL as well?</P> <P>&nbsp;</P> <P>&nbsp;</P> Thu, 06 Sep 2018 17:13:28 GMT https://community.cisco.com/t5/network-security/need-help-with-acl-src-dest-problem/m-p/3702318#M902005 Dennis Mink 2018-09-06T17:13:28Z https://community.cisco.com/t5/network-security/need-help-with-acl-src-dest-problem/m-p/3702319#M902008 <P>you are definitley using it correct in source/destination in your ACE's:</P> <P>&nbsp;</P> <P>&nbsp;</P> <P><A href="https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3650/software/release/3se/security/configuration_guide/b_sec_3se_3650_cg/b_sec_3se_3650_cg_chapter_01010.html#concept_339DA61A054C4243B014617049EF5C09" target="_blank">https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3650/software/release/3se/security/configuration_guide/b_sec_3se_3650_cg/b_sec_3se_3650_cg_chapter_01010.html#concept_339DA61A054C4243B014617049EF5C09</A></P> <P>&nbsp;</P> <P>is it just NTP thta breaks or other traffic in the ACL as well?</P> Thu, 06 Sep 2018 17:14:46 GMT https://community.cisco.com/t5/network-security/need-help-with-acl-src-dest-problem/m-p/3702319#M902008 Dennis Mink 2018-09-06T17:14:46Z https://community.cisco.com/t5/network-security/need-help-with-acl-src-dest-problem/m-p/3702330#M902010 <P>All traffic listed breaks, ie: www access and pings.&nbsp;</P> <P>&nbsp;</P> <P>Which ACL do you say looks good, the one labeled working or not working?</P> <P>&nbsp;</P> <P>Thanks!</P> Thu, 06 Sep 2018 17:27:28 GMT https://community.cisco.com/t5/network-security/need-help-with-acl-src-dest-problem/m-p/3702330#M902010 Jeff Ferrell 2018-09-06T17:27:28Z