01-03-2017 05:29 AM
Dear Team ,
I have an MPLS network of 59 branches. I am sitting on a core router 2900.
I want to block a server with IP 192.168.1.85 from accessing all branches excluding the 10.10.9.0 network,
and the other branches' IP ranges are from 10.10.0.0 255.255.0.0.
I have applied the access-list policy but it is not working.
I have made two different policies and applied them one by one.
1)
access-list 110 deny ip any host 192.168.1.85
access-list 110 permit ip 10.10.9.0 0.0.0.255 host 192.168.1.85
access-list 110 permit ip any any
2)
access-list 120 permit ip host 192.168.1.85 10.10.9.0 0.0.0.255
access-list 120 deny ip host 192.168.1.85 any
access-list 120 permit ip any any
Output:
10 permit ip host 192.168.1.85 10.10.9.0 0.0.0.255 (288332 matches)
20 deny ip host 192.168.1.85 any (10011 matches)
30 permit ip any any (1960357 matches)
Please check and let me know if any changes are required.
01-03-2017 05:54 AM
Hi, the access-list 120 looks right: you're allowing it to speak to 10.9 but blocking it from speaking to anyone else. That's what you want, yes? You're getting deny hits, so what exactly is not working? Is the ACL applied in and out?
01-05-2017 03:47 AM
Dear Sir,
I have applied the ACL in and out and it's working now. The problem is that
I have two interfaces, LAN and WAN. By default traffic goes by WAN, so I was not getting a ping reply
to 1.85 from 10.09. If I ping 1.85 taking source 10.10.9.1 interface, it works.
Thank you for your valuable response.
01-05-2017 04:32 AM
The ACL is applied on the WAN interface, yes?
I'm not exactly sure what you're saying. The ACL works, yes, but if you ping from a source of 10.10.9.1 to 192.168.1.85 it works, yes? And you don't want this; you only want to be able to ping from 192.168.1.85 to 10.10.9.1?
If that's right then you need to add a reverse ACL in, blocking traffic coming back from the source, but that could break the flow, allowing one way but not the other depending on what it's doing.
Example:
10 permit ip host 192.168.1.85 10.10.9.0 0.0.0.255 (288332 matches)
15 deny ip host 10.10.9.1 host 192.168.1.85
20 deny ip host 192.168.1.85 any (10011 matches)
30 permit ip any any (1960357 matches)
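To see why ACL 110 in the question could never work, what ACL 120 actually permits, and what the suggested line 15 changes, here is a small first-match ACL evaluator with IOS wildcard-mask semantics. It is an added example written for this thread, not code from the thread or from Cisco; it only handles plain `ip` entries of the kind posted above.

```python
# Added example (not from the thread): first-match evaluation of the IP ACLs
# posted above, to show why ACL 110 never lets 10.10.9.0/24 reach the server,
# what ACL 120 allows, and what the suggested line 15 changes.
import ipaddress

def _addr(tokens):
    """Pop one address spec (any | host A | NET WILDCARD) -> (net, wildcard)."""
    tok = tokens.pop(0)
    if tok == "any":
        return 0, 0xFFFFFFFF
    if tok == "host":
        return int(ipaddress.IPv4Address(tokens.pop(0))), 0
    return int(ipaddress.IPv4Address(tok)), int(ipaddress.IPv4Address(tokens.pop(0)))

def parse_acl(text):
    """Parse 'access-list N permit|deny ip SRC DST' lines into (action, src, dst)."""
    entries = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if tokens[0] == "access-list":
            del tokens[:2]                      # drop 'access-list N'
        action, proto = tokens.pop(0), tokens.pop(0)
        if proto != "ip":
            raise ValueError("this example handles only 'ip' entries")
        entries.append((action, _addr(tokens), _addr(tokens)))
    return entries

def _matches(addr, spec):
    net, wildcard = spec
    mask = ~wildcard & 0xFFFFFFFF              # 0 bits in the wildcard must match
    return addr & mask == net & mask

def evaluate(entries, src_ip, dst_ip):
    """First matching entry wins; unmatched packets hit IOS's implicit deny."""
    src, dst = (int(ipaddress.IPv4Address(a)) for a in (src_ip, dst_ip))
    for action, s, d in entries:
        if _matches(src, s) and _matches(dst, d):
            return action
    return "deny"

ACL_110 = parse_acl("""access-list 110 deny ip any host 192.168.1.85
access-list 110 permit ip 10.10.9.0 0.0.0.255 host 192.168.1.85
access-list 110 permit ip any any""")
ACL_120 = parse_acl("""access-list 120 permit ip host 192.168.1.85 10.10.9.0 0.0.0.255
access-list 120 deny ip host 192.168.1.85 any
access-list 120 permit ip any any""")
# ACL 120 with the reply's line 15 inserted after the first permit.
ACL_120_REV = ACL_120[:1] + parse_acl("deny ip host 10.10.9.1 host 192.168.1.85") + ACL_120[1:]
```

Running `evaluate(ACL_110, "10.10.9.1", "192.168.1.85")` returns `deny` because the first entry already matches, so the permit for 10.10.9.0/24 is dead; with ACL 120 the same packet is permitted by `permit ip any any`, which is the return path the reply's line 15 closes.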
11-07-2017 10:29 PM
access-list 101 permit ip 192.168.22.0 0.0.0.255 192.168.12.0 0.0.0.255
access-list 101 permit ip 192.168.22.0 0.0.0.255 192.168.32.0 0.0.0.255
access-list 101 permit tcp any any eq www
access-list 101 permit tcp any any eq 443
access-list 101 permit icmp any any echo-reply
access-list 101 deny ip any any
interface GigabitEthernet0/1.20
ip access-group 101 out