acl configuration

dotansplus
Level 1

Hello everyone,

I have a doubt about the ACL configuration in my ASA.

I have this ACL, which means that 10.10.11.2 can do www to the host 10.10.10.1:

access-list 100 extended permit tcp host 10.10.11.2 host 10.10.10.1 eq www

and 

access-list 100 extended permit tcp host 10.10.10.1 eq www host 10.10.11.2 (hitcnt=31)

which means that the host 10.10.10.1 can make www to the host 10.10.11.2.

The host 10.10.10.1 can't do www to the host 10.10.11.2, but the host 10.10.11.2 can, and the second ACL has hits.

Is it right?

Thanks.

1 Reply

nspasov
Cisco Employee

If you want to allow host 10.10.10.1 to hit 10.10.11.2 on www, then you should change the syntax to:

access-list 100 extended permit tcp host 10.10.10.1 host 10.10.11.2 eq www

Your original syntax:

access-list 100 extended permit tcp host 10.10.10.1 eq www host 10.10.11.2

By placing the "eq www" after the source IP, you are telling the ASA that the source port is 80/www. Instead, you want the destination port to be 80/www, and as a result you need to place it after the destination IP.

Also, you can always use the "packet-tracer" command to see exactly what is blocking your traffic :)

Thank you for rating helpful posts!
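To make the source-port versus destination-port point from the reply concrete, here is a small matcher added to this page (not from the thread and not ASA code) that evaluates a TCP flow against a subset of the extended ACL syntax: the port-name table, the ephemeral client port and the flow values are constructed for the demonstration.

```python
import re
from typing import List, NamedTuple, Optional
# Well-known port names the ASA accepts in place of a number (constructed subset).
PORT_NAMES = {"www": 80, "http": 80, "https": 443, "ssh": 22}

class Flow(NamedTuple):
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

# Subset of the ASA extended-ACL grammar: host endpoints with an optional
# "eq PORT" after the source and/or destination; a trailing "(hitcnt=N)"
# copied from show output is tolerated and ignored.
ACE_RE = re.compile(
    r"access-list\s+\S+\s+extended\s+(?P<action>permit|deny)\s+tcp\s+"
    r"host\s+(?P<src>\S+)(?:\s+eq\s+(?P<sport>\S+))?\s+"
    r"host\s+(?P<dst>\S+)(?:\s+eq\s+(?P<dport>\S+))?"
    r"(?:\s+\(hitcnt=\d+\))?\s*$"
)

def _port(token: Optional[str]) -> Optional[int]:
    if token is None:
        return None  # no "eq" on this side: any port matches
    return PORT_NAMES.get(token.lower()) or int(token)

def parse_ace(line: str) -> dict:
    m = ACE_RE.match(line.strip())
    if m is None:
        raise ValueError(f"unsupported ACE: {line!r}")
    return {"action": m["action"], "src": m["src"], "dst": m["dst"],
            "sport": _port(m["sport"]), "dport": _port(m["dport"])}

def evaluate(acl: List[str], flow: Flow) -> str:
    """First matching ACE wins; no match means the ASA's implicit deny."""
    for ace in map(parse_ace, acl):
        if ace["src"] != flow.src_ip or ace["dst"] != flow.dst_ip:
            continue
        if ace["sport"] is not None and ace["sport"] != flow.src_port:
            continue
        if ace["dport"] is not None and ace["dport"] != flow.dst_port:
            continue
        return ace["action"]
    return "deny"

# The ACE from the question (with its hitcnt) and the corrected one from the reply.
ORIGINAL = "access-list 100 extended permit tcp host 10.10.10.1 eq www host 10.10.11.2 (hitcnt=31)"
CORRECTED = "access-list 100 extended permit tcp host 10.10.10.1 host 10.10.11.2 eq www"
# Constructed flow: a client on 10.10.10.1 (ephemeral port 51000) connecting to 10.10.11.2:80.
CLIENT_TO_WEB = Flow("10.10.10.1", 51000, "10.10.11.2", 80)
```

Run `evaluate([ORIGINAL], CLIENT_TO_WEB)` and `evaluate([CORRECTED], CLIENT_TO_WEB)` to see "deny" and "permit": the original ACE only matches packets whose source port is 80, so a normal client on 10.10.10.1 never hits it.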