problem facing in Access list on cisco 2900

Dear Team,

I have an MPLS network of 59 branches. I am sitting on a core router 2900.

I want to block a server with IP 192.168.1.85 from being accessed by all branches, excluding the 10.10.9.0 network.

The other branches' IP ranges are from 10.10.0.0 255.255.0.0.

I have applied the access-list policy but it's not working.

I have made two different policies and applied them one by one.

1)

access-list 110 deny ip any host 192.168.1.85
access-list 110 permit ip 10.10.9.0 0.0.0.255 host 192.168.1.85
access-list 110 permit ip any any

2)

access-list 120 permit ip host 192.168.1.85 10.10.9.0 0.0.0.255
access-list 120 deny ip host 192.168.1.85 any
access-list 120 permit ip any any

output

10 permit ip host 192.168.1.85 10.10.9.0 0.0.0.255 (288332 matches)
20 deny ip host 192.168.1.85 any (10011 matches)
30 permit ip any any (1960357 matches)

Please check and let me know if any changes are required.

1 Accepted Solution

Mark Malone
VIP Alumni

Hi, the access-list 120 looks right: you're allowing it to speak to 10.9 but blocking it from speaking to anyone else. That's what you want, yes? You're getting deny hits, so what exactly is not working? Is the ACL applied in or out?

4 Replies

Dear Sir,

I have applied the ACL in and out; it's working now. The problem is that

I have two interfaces, LAN and WAN. By default traffic goes via the WAN, so I was not getting a ping reply

to 1.85 from 10.09. If I ping 1.85 taking the 10.10.9.1 interface as source, it works.

Thank you for your valuable response.

The ACL is applied on the WAN interface, yes?

I'm not exactly sure what you're saying. The ACL works, yes, but if you ping from a source of 10.10.9.1 to 192.168.1.85 it works, yes? And you don't want this; you only want to be able to ping from 192.168.1.85 to 10.10.9.1?

If that's right, then you need to add a reverse ACL in, blocking traffic coming back from the source, but that could break the flow, allowing one way but not the other, depending on what it's doing.

Example:

10 permit ip host 192.168.1.85 10.10.9.0 0.0.0.255 (288332 matches)

15 deny ip host 10.10.9.1 host 192.168.1.85
20 deny ip host 192.168.1.85 any (10011 matches)
30 permit ip any any (1960357 matches)

access-list 101 permit ip 192.168.22.0 0.0.0.255 192.168.12.0 0.0.0.255
access-list 101 permit ip 192.168.22.0 0.0.0.255 192.168.32.0 0.0.0.255
access-list 101 permit tcp any any eq www
access-list 101 permit tcp any any eq 443
access-list 101 permit icmp any any echo-reply
access-list 101 deny ip any any

interface GigabitEthernet0/1.20
 ip access-group 101 out
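The following is an added example, not from the thread and not Cisco code: a small Python first-match simulator for extended IP ACLs that covers both the original question (why access-list 110 could not work while 120 did) and the reverse-direction deny discussed in the reply above. It parses the `access-list` lines exactly as posted, evaluates a source/destination pair top-down with the implicit deny at the end, and also reports "shadowed" entries that can never match because an earlier entry already covers them. The function names (`parse_acl`, `evaluate`, `shadowed`) and the ACL texts embedded below are constructed for this example; the amended list `ACL_120_REVERSE` is the suggested `deny ip host 10.10.9.1 host 192.168.1.85` line added to ACL 120. Only `ip` entries with `any`, `host` and address/wildcard forms are handled; interface direction (in/out) is not modelled, which is exactly the question the reply raises.

```python
import ipaddress

# Constructed sample input: the two ACLs from the original post, verbatim.
ACL_110 = """
access-list 110 deny ip any host 192.168.1.85
access-list 110 permit ip 10.10.9.0 0.0.0.255 host 192.168.1.85
access-list 110 permit ip any any
"""

ACL_120 = """
access-list 120 permit ip host 192.168.1.85 10.10.9.0 0.0.0.255
access-list 120 deny ip host 192.168.1.85 any
access-list 120 permit ip any any
"""

# Constructed: ACL 120 with the reverse-direction deny line suggested in the reply.
ACL_120_REVERSE = """
access-list 120 permit ip host 192.168.1.85 10.10.9.0 0.0.0.255
access-list 120 deny ip host 10.10.9.1 host 192.168.1.85
access-list 120 deny ip host 192.168.1.85 any
access-list 120 permit ip any any
"""


def _parse_addr(tokens):
    """Consume one ACE address spec (any | host A | A wildcard); return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    # IOS wildcard masks are host masks (0 = must match); ipaddress accepts them directly.
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def parse_acl(text):
    """Parse 'access-list N permit|deny ip SRC DST' lines into (action, src, dst, line)."""
    entries = []
    for line in text.strip().splitlines():
        t = line.split()
        if t[:1] != ["access-list"] or t[3] != "ip":
            raise ValueError(f"unsupported ACE (only 'ip' entries are modelled): {line}")
        src, rest = _parse_addr(t[4:])
        dst, rest = _parse_addr(rest)
        if rest:
            raise ValueError(f"trailing qualifiers not modelled: {line}")
        entries.append((t[2], src, dst, line))
    return entries


def evaluate(acl, src_ip, dst_ip):
    """First match wins; return (action, sequence) or ('deny', None) for the implicit deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for idx, (action, src, dst, _) in enumerate(acl):
        if s in src and d in dst:
            return action, (idx + 1) * 10  # IOS numbers ACEs 10, 20, 30, ...
    return "deny", None


def shadowed(acl):
    """Return (seq, by_seq) for every ACE fully covered by an earlier ACE, so it never matches."""
    out = []
    for i, (_, s, d, _) in enumerate(acl):
        for j in range(i):
            _, s2, d2, _ = acl[j]
            if s.subnet_of(s2) and d.subnet_of(d2):
                out.append(((i + 1) * 10, (j + 1) * 10))
                break
    return out


if __name__ == "__main__":
    for name, text in (("110", ACL_110), ("120", ACL_120), ("120+reverse", ACL_120_REVERSE)):
        acl = parse_acl(text)
        print(f"ACL {name}: shadowed entries {shadowed(acl)}")
        for flow in (("10.10.9.1", "192.168.1.85"), ("192.168.1.85", "10.10.9.1"),
                     ("192.168.1.85", "10.10.5.1")):
            print(f"  {flow[0]} -> {flow[1]}: {evaluate(acl, *flow)}")
```

Running it shows the two lessons of the thread: in ACL 110 the permit for 10.10.9.0/24 sits below `deny ip any host 192.168.1.85`, so it is shadowed and every branch, including 10.10.9.x, is denied at sequence 10; ACL 120 has no shadowed entries and permits the server only towards 10.10.9.0/24. With the reverse line added, 10.10.9.1 can no longer reach the server either, which is the "breaks the flow one way" caveat from the reply. Remember the simulator says nothing about which interface and direction the list is applied to; the same list gives different results as `ip access-group ... in` versus `out`.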
