Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3343
Views
10
Helpful
3
Replies

ACL

Go to solution
will75136
Level 1
Level 1

‎04-22-2020 04:16 PM

000.PNG3333.PNG

Hello experts, I have a question about ACL.

I have configured the first requirement like below on both R1 and R2.

!

access-list 101 deny tcp 192.168.2.0 0.0.0.255 host 192.168.1.3 eq www

Though it works, I found that my PC in 192.168.3.0 network could not ping 192.168.1.0 network either.

Is there something I miss?

0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
Martin L
VIP
VIP

‎04-22-2020 04:45 PM - edited ‎04-22-2020 04:57 PM

 

do you have permit ip any any ?

each ACL has impicit deny at the end of ACL; Such entry is not visible normally.   therefore, you need permit any Or permit ip any any Or specific network/host.  i,e permit icmp any any to ping , in your example, you may see access-list 101 deny ip any any as last entry.

if you want to ping or allow other traffic, add access-list 101 permit ip any any

 

Regards, ML
**Please Rate All Helpful Responses **

View solution in original post

Go to solution
Martin L
VIP
VIP
In response to will75136

‎04-22-2020 09:17 PM


Yes, ACL order is from top to the bottom but it can stop once the match is found. In your case, you have 3 lines, line 3 is never read because line 2 will match all traffic (everything). router will never get to line 3. you have to re-arrange order.

View solution in original post

3 Replies 3

Go to solution
Martin L
VIP
VIP

‎04-22-2020 04:45 PM - edited ‎04-22-2020 04:57 PM

 

do you have permit ip any any ?

each ACL has impicit deny at the end of ACL; Such entry is not visible normally.   therefore, you need permit any Or permit ip any any Or specific network/host.  i,e permit icmp any any to ping , in your example, you may see access-list 101 deny ip any any as last entry.

if you want to ping or allow other traffic, add access-list 101 permit ip any any

 

Regards, ML
**Please Rate All Helpful Responses **

Go to solution
will75136
Level 1
Level 1
In response to Martin L

‎04-22-2020 08:14 PM

Thank you, sir.

It works well.
Does ACL execute the access-list in order?
It seems everything after "permit ip any any" will be ignore, isn`t it? (I still can access the ftp server.)
!
ip access-group 101 out
access-list 101 deny tcp 192.168.2.0 0.0.0.255 host 192.168.1.3 eq www
access-list 101 permit ip any any
access-list 101 deny tcp 192.168.3.0 0.0.0.255 host 192.168.1.4 eq ftp
!
0 Helpful

Go to solution
Martin L
VIP
VIP
In response to will75136

‎04-22-2020 09:17 PM


Yes, ACL order is from top to the bottom but it can stop once the match is found. In your case, you have 3 lines, line 3 is never read because line 2 will match all traffic (everything). router will never get to line 3. you have to re-arrange order.
Customers Also Viewed These Support Documents