
Access-List STOPS all traffic!

bbravo (Level 1)

I'm a bit confused. I applied this access list on the LAN sub-interface (FA0/0.100) of my network and it seems to be stopping all traffic anyway. When I look at the logs I see that traffic originating from the LAN is being dropped even though it is being explicitly permitted. I appreciate all your input!

access-list 105 permit eigrp any any
access-list 105 permit icmp any any
access-list 105 permit tcp 172.21.0.0 0.0.0.255 any eq www
access-list 105 permit tcp 172.21.0.0 0.0.0.255 any eq 563
access-list 105 permit udp 172.21.0.0 0.0.0.255 any eq netbios-ns
access-list 105 permit tcp 172.21.0.0 0.0.0.255 any eq 137
access-list 105 permit tcp 172.21.0.0 0.0.0.255 any eq 139
access-list 105 permit udp 172.21.0.0 0.0.0.255 any eq netbios-ss
access-list 105 permit tcp 172.21.0.0 0.0.0.255 any eq 8080
access-list 105 permit tcp 172.21.0.0 0.0.0.255 any eq domain
access-list 105 permit udp 172.21.0.0 0.0.0.255 any eq bootps
access-list 105 permit udp 172.21.0.0 0.0.0.255 any eq bootpc
access-list 105 permit tcp 172.21.0.0 0.0.0.255 any eq 546
access-list 105 permit tcp 172.21.0.0 0.0.0.255 any eq 547
access-list 105 permit udp 172.21.0.0 0.0.0.255 any eq 547
access-list 105 permit udp 172.21.0.0 0.0.0.255 any eq 546
access-list 105 permit tcp 172.21.0.0 0.0.0.255 any eq 127
access-list 105 permit tcp 172.21.0.0 0.0.0.255 any eq 445
access-list 105 permit tcp 172.21.0.0 0.0.0.255 any eq 6129
access-list 105 deny ip any any log
!
interface FastEthernet0/0.100
 description *** My network VLAN ***
 encapsulation isl 100
 ip address 172.21.10.1 255.255.255.0
 ip access-group 105 in
 ip helper-address 172.16.0.21
 no ip redirects

5 Replies

gfullage (Cisco Employee)

The subnet on this interface is 172.21.10.x, whereas your access-list is only permitting traffic from 172.21.0.x.

If you want to only allow 172.21.10.x in with this ACL, change all the occurrences of 172.21.0.0 to 172.21.10.0.

If you want to allow the whole b-class network of 172.21.x.x, then change all the occurrences of 0.0.0.255 to 0.0.255.255.
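To illustrate the wildcard-mask point in the reply above, here is an added Python example (not code from the thread or from Cisco) that evaluates a reduced subset of the posted access-list 105 against sample packets using Cisco wildcard semantics (a 0 bit in the wildcard must match, a 1 bit is ignored); the parser, the sample addresses and the reduced ACE list are my own constructions.

```python
import ipaddress

# Constructed subset of the thread's access-list 105, plus the trailing deny
ACL_105 = [
    "access-list 105 permit eigrp any any",
    "access-list 105 permit icmp any any",
    "access-list 105 permit tcp 172.21.0.0 0.0.0.255 any eq www",
    "access-list 105 permit udp 172.21.0.0 0.0.0.255 any eq bootps",
    "access-list 105 deny ip any any log",
]
NAMED_PORTS = {"www": 80, "domain": 53, "bootps": 67, "bootpc": 68}

def wildcard_match(addr, network, wildcard):
    """Cisco wildcard semantics: a 0 bit must match, a 1 bit is don't-care."""
    a, n = int(ipaddress.IPv4Address(addr)), int(ipaddress.IPv4Address(network))
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (a & care) == (n & care)

def _addr(tok, i):
    """Parse 'any' or 'NETWORK WILDCARD' starting at tok[i]; return (spec, next_i)."""
    if tok[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    return (tok[i], tok[i + 1]), i + 2

def parse_ace(line):
    """Minimal parser for 'access-list N permit|deny PROTO SRC DST [eq PORT] [log]'."""
    tok = line.split()
    action, proto = tok[2], tok[3]
    src, i = _addr(tok, 4)
    dst, i = _addr(tok, i)
    dport = None
    if i < len(tok) and tok[i] == "eq":
        dport = int(tok[i + 1]) if tok[i + 1].isdigit() else NAMED_PORTS[tok[i + 1]]
    return {"action": action, "proto": proto, "src": src, "dst": dst, "dport": dport}

def evaluate(acl, proto, src, dst, dport=None):
    """First-match lookup; returns (action, ACE index) or the implicit deny (None)."""
    for idx, line in enumerate(acl):
        ace = parse_ace(line)
        if ace["proto"] not in ("ip", proto):
            continue
        if not (wildcard_match(src, *ace["src"]) and wildcard_match(dst, *ace["dst"])):
            continue
        if ace["dport"] is not None and ace["dport"] != dport:
            continue
        return ace["action"], idx
    return "deny", None  # every IOS ACL ends with an implicit deny

# A host on the interface's real subnet 172.21.10.0/24 browsing the web never
# matches 172.21.0.0 0.0.0.255, so it falls to the explicit "deny ip any any log".
print(evaluate(ACL_105, "tcp", "172.21.10.5", "198.51.100.20", 80))  # -> ('deny', 4)
```

Rewriting the source as 172.21.10.0 0.0.0.255 (or widening the wildcard to 0.0.255.255) makes the same packet hit the permit line, which is the change the reply suggests.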

Already tried that; actually the first line on my access list was: 172.21.0.0 0.0.255.255 any

But that gave me the same result. I don't think I need to specify an ACL for returning traffic (?) since they are part of the same connections. I even tried any any and got the same result... I appreciate your help though...

If you remove the ACL from the subinterface, does your traffic flow as you expect?

Yes it does, and looking at the logs I can see that traffic being dropped.

So send us those logs then for us to have a look at.