ACL Range Syntax

tkropp
Level 1

I'm trying to create an extended IP access-list and limit the number of necessary lines by using the range keyword.

The syntax takes, but does not permit the allowed TCP ports we need. (TAC hasn't been much help.)

Router = 7206NPE-G1, IOS 12.1(19)E2

syntax

!
access-list 112 permit tcp any 172.16.12.0 0.0.0.255 range 46000 46030
!

The command above takes, but I'm logging denials for 46001, 46002, 46003, etc. (all within the range). I could use the GT operand, but why doesn't this work? I'm browsing documents for syntax specifics.

Thanks - Tim

7 Replies

thisisshanky
Level 11

Tim,

So are you getting log messages which indicate ports within the range 46000-46030 are being denied? Can you paste those syslog messages? Can you also give some more information about the protocol you are using? How is this access-list applied to the interface? A snapshot of the ACL config would help!

Have you tested the following: adding individual access-list statements permitting ports 46000, 46001 ... 46030?

Sankar Nair
UC Solutions Architect
Pacific Northwest | CDW
CCIE Collaboration #17135 Emeritus

> So are you getting log messages which indicate ports within the range 46000-46030 are being denied?

Yes

> Can you paste those syslog messages?

No - in order to do so, I'd have to deny a major component of our trading system.

> Can you also give some more information about the protocol you are using?

TCP/IP based communications, running on an HP Platform called RTR.

> How is this access-list applied to the interface?

It is applied outbound on our egress FE interfaces. See config below.

interface FastEthernet0/0
 ip access-group 112 out
!
interface FastEthernet0/1
 ip access-group 112 out
!
interface FastEthernet1/0
 ip access-group 155 in
!
interface FastEthernet1/1
 ip access-group 155 in

!
! // I'm not going to list all of the
! // lines for 112 -- it's huge.
access-list 112 permit ip any 224.0.0.0 0.0.0.255
access-list 112 permit icmp any any
access-list 112 permit eigrp 10.55.10.0 0.0.0.255 10.55.10.0 0.0.0.255
access-list 112 permit eigrp 10.55.20.0 0.0.0.255 10.55.20.0 0.0.0.255
access-list 112 permit tcp any eq 20220 172.16.0.0 0.0.255.255
access-list 112 permit tcp any 172.16.11.0 0.0.0.255 eq 14711
access-list 112 permit tcp any 172.16.12.0 0.0.0.255 eq 14711
access-list 112 permit tcp any 172.16.13.0 0.0.0.255 eq 46000
access-list 112 permit tcp any 172.16.13.0 0.0.0.255 eq 46001
access-list 112 permit tcp any 172.16.13.0 0.0.0.255 eq 46002
access-list 112 permit tcp any 172.16.13.0 0.0.0.255 eq 46003
access-list 112 permit tcp any 172.16.13.0 0.0.0.255 eq 46004
access-list 112 permit tcp any 172.16.13.0 0.0.0.255 eq 46005
access-list 112 permit tcp any 172.16.13.0 0.0.0.255 eq 46006
access-list 112 permit tcp any 172.16.23.0 0.0.0.255 eq 46000
access-list 112 permit tcp any 172.16.23.0 0.0.0.255 eq 46001
access-list 112 permit tcp any 172.16.23.0 0.0.0.255 eq 46002
access-list 112 permit tcp any 172.16.23.0 0.0.0.255 eq 46003
access-list 112 permit tcp any 172.16.23.0 0.0.0.255 eq 46004
access-list 112 permit tcp any 172.16.23.0 0.0.0.255 eq 46005
access-list 112 permit tcp any 172.16.23.0 0.0.0.255 eq 46006
access-list 112 permit tcp any 172.16.21.0 0.0.0.255 eq 14711
access-list 112 permit tcp any 172.16.22.0 0.0.0.255 eq 14711
............
access-list 112 deny ip any any log
! END

ACL 155 is a simple host-permission ACL, for us to audit who is and isn't approved by the SEC to connect.

ACL 112 is applied outbound, coming into our Dist/Core where the HP-RTR servers mentioned above live. Spoke sites connect to these.

FYI - we currently have no syslog server. Bad, I know, but CiscoWorks is not in my camp; wish it was.

libincisco
Level 1

Is your port range from 46000 to 46030 the source port?

Pr0xy
Level 1

I'm having the same issue. When I use one port per line, everything works fine, but when I try to consolidate the list using port ranges and push the ACL to the router, I get reports that traffic is no longer flowing for those IPs/ports. I revert to the previous ACL and everything comes back online.


I'll use the IPs provided by the author of this post as an example; however, the syntax is the same:

NOTE: This is an outbound ACL, going from VLAN 12 to VLAN 20, internal traffic only.


config t
int vlan 12

ip access-list SERVERS-OUT
statistics per-entry

! These entries work fine
permit tcp 172.16.12.30/32 172.16.20.11/32 eq 46000
permit tcp 172.16.12.30/32 172.16.20.11/32 eq 46001
permit tcp 172.16.12.30/32 172.16.20.11/32 eq 46002
permit tcp 172.16.12.30/32 172.16.20.11/32 eq 46003
permit tcp 172.16.12.30/32 172.16.20.11/32 eq 46000
permit tcp 172.16.20.11/32 eq 46001 172.16.12.30/32
permit tcp 172.16.20.11/32 eq 46002 172.16.12.30/32
permit tcp 172.16.20.11/32 eq 46003 172.16.12.30/32
! END These entries work fine

! These entries do not allow traffic to flow
permit tcp 172.16.12.30/32 172.16.20.11/32 range 46000 46003
permit tcp 172.16.20.11/32 range 46000 46003 172.16.12.30/32
! END These entries do not allow traffic to flow

Me too.

My config contains:

ip access-list extended Vlan22_ACL
! both directions (Inbound and outbound) 212.58.63.32/28 and 212.58.63.96/28.
 permit tcp host 192.168.47.94    212.58.63.32 0.0.0.16 range 5060 5061 log
 permit tcp host 192.168.47.94    212.58.63.96 0.0.0.16 range 5060 5061 log

Which results in:

%SEC-6-IPACCESSLOGP: list Vlan22_ACL denied tcp 192.168.47.94(63962) -> 212.58.63.98(5061), 1 packet


Doh, spotted the mistake! In my case it was an incorrect wildcard mask on the destination address range: 15, not 16.
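Two things in this thread are worth checking without touching a production router: whether a range operator written before the destination address matches the source port rather than the destination port (libincisco's question), and what a wildcard mask like 0.0.0.16 actually matches compared with 0.0.0.15 (the mistake found in the last reply). The following is an added example, not code from any poster; it is a small Python matcher that assumes IOS semantics (a 1 bit in the wildcard is "don't care", first matching entry wins, implicit deny at the end) and accepts both the `address wildcard` form used in ACL 112 and the `address/len` form used in SERVERS-OUT. The packets it replays are constructed from the addresses and the %SEC-6-IPACCESSLOGP line quoted above.

```python
"""Added example: offline matcher for Cisco-style extended ACL entries.

Models IOS wildcard-mask and port-operator semantics so the questions in
the thread (source vs destination `range`, 0.0.0.16 vs 0.0.0.15) can be
checked without pushing config to a router.
"""
import ipaddress

PORT_OPS = {"eq", "neq", "gt", "lt", "range"}


def wildcard_match(addr, network, wildcard):
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (a & care) == (n & care)


def _parse_addr(tokens, i):
    """Parse `any`, `host A`, `A W` or `A/len` at tokens[i]; return ((net, wildcard), next_i)."""
    t = tokens[i]
    if t == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    if t == "host":
        return (tokens[i + 1], "0.0.0.0"), i + 2
    if "/" in t:  # prefix-length form, as in the SERVERS-OUT entries
        net = ipaddress.IPv4Network(t, strict=False)
        return (str(net.network_address), str(net.hostmask)), i + 1
    return (t, tokens[i + 1]), i + 2


def _parse_port(tokens, i):
    """Parse an optional port operator at tokens[i]; return ((op, args) or None, next_i)."""
    if i < len(tokens) and tokens[i] in PORT_OPS:
        op = tokens[i]
        if op == "range":
            return (op, (int(tokens[i + 1]), int(tokens[i + 2]))), i + 3
        return (op, (int(tokens[i + 1]),)), i + 2
    return None, i


def parse_ace(line):
    """Parse one ACE, with or without a leading `access-list <n>`."""
    tokens = line.split()
    if tokens[0] == "access-list":
        tokens = tokens[2:]
    action, proto = tokens[0], tokens[1]
    src, i = _parse_addr(tokens, 2)
    sport, i = _parse_port(tokens, i)   # operator before the destination = SOURCE port
    dst, i = _parse_addr(tokens, i)
    dport, i = _parse_port(tokens, i)   # operator after the destination = DESTINATION port
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dst": dst, "dport": dport, "log": "log" in tokens[i:]}


def port_match(op, port):
    if op is None:
        return True
    name, args = op
    return {"eq": port == args[0], "neq": port != args[0], "gt": port > args[0],
            "lt": port < args[0], "range": args[0] <= port <= args[-1]}[name]


def ace_matches(ace, proto, src_ip, sport, dst_ip, dport):
    return (ace["proto"] in ("ip", proto)
            and wildcard_match(src_ip, *ace["src"]) and port_match(ace["sport"], sport)
            and wildcard_match(dst_ip, *ace["dst"]) and port_match(ace["dport"], dport))


def acl_lookup(acl_lines, proto, src_ip, sport, dst_ip, dport):
    """Return (action, matching line); first match wins, implicit deny at the end."""
    for line in acl_lines:
        ace = parse_ace(line)
        if ace_matches(ace, proto, src_ip, sport, dst_ip, dport):
            return ace["action"], line
    return "deny", "<implicit deny>"


# Entries taken from the thread: the Vlan22_ACL pair as posted (wildcard
# 0.0.0.16) and with the corrected 0.0.0.15 wildcard, plus the OP's range ACE.
VLAN22_AS_POSTED = [
    "permit tcp host 192.168.47.94 212.58.63.32 0.0.0.16 range 5060 5061 log",
    "permit tcp host 192.168.47.94 212.58.63.96 0.0.0.16 range 5060 5061 log",
]
VLAN22_FIXED = [l.replace("0.0.0.16", "0.0.0.15") for l in VLAN22_AS_POSTED]
OP_RANGE_ACE = "access-list 112 permit tcp any 172.16.12.0 0.0.0.255 range 46000 46030"


def thread_cases():
    """Replay constructed packets for the cases discussed above; return the actions."""
    logged = ("tcp", "192.168.47.94", 63962, "212.58.63.98", 5061)  # from the IPACCESSLOGP line
    return {
        "vlan22_as_posted": acl_lookup(VLAN22_AS_POSTED, *logged)[0],
        "vlan22_fixed": acl_lookup(VLAN22_FIXED, *logged)[0],
        # range after the destination: hits when 46001 is the destination port (constructed src 10.0.0.1) ...
        "range_as_dst_port": acl_lookup([OP_RANGE_ACE], "tcp", "10.0.0.1", 40000, "172.16.12.5", 46001)[0],
        # ... and misses when 46001 is the source port instead
        "range_as_src_port": acl_lookup([OP_RANGE_ACE], "tcp", "10.0.0.1", 46001, "172.16.12.5", 40000)[0],
    }


if __name__ == "__main__":
    for name, action in thread_cases().items():
        print(f"{name}: {action}")
```

Running it shows why 0.0.0.16 denied 212.58.63.98: that wildcard only frees the single bit worth 16, so 98 (0b01100010) and 96 (0b01100000) still differ in the care bits, whereas 0.0.0.15 frees the low four bits and covers the whole /28. It also shows that `range 46000 46030` placed after the destination address is a destination-port test, so a return flow with 46001 as its source port never hits that entry; the `permit tcp 172.16.20.11/32 range 46000 46003 172.16.12.30/32` form in SERVERS-OUT is the source-port version.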
