07-08-2003 03:11 AM - edited 03-02-2019 08:41 AM
Please refer to the configuration below. I have no problem with access-list 110. The problem is access-list 120: when a host on the 159.254.205.0/24 segment tries to access the web server on the 159.254.207.128/27 segment, it is blocked by access-list 120. I had permitted tcp any any with the established keyword, but when I show log, they are denied by access-list 120!
Why?
p/s: but I have no problem pinging both ways!!
interface FastEthernet0
ip address 159.254.205.1 255.255.255.0
interface FastEthernet1
ip address 159.254.207.129 255.255.255.224
ip access-group 110 in
ip access-group 120 out
access-list 110 permit icmp any any
access-list 110 permit ip 159.254.207.128 0.0.0.31 159.254.205.100
access-list 110 permit ip 159.254.207.128 0.0.0.31 159.254.205.200
access-list 110 deny ip any any
access-list 120 permit icmp any any
access-list 120 permit tcp any any established
access-list 120 permit udp any any
access-list 120 deny ip any any log
07-08-2003 03:39 AM
Hi,
when the PC tries to connect to the web server, the TCP session is not established yet, so it is blocked.
If you want to use the established keyword, you should use it in the incoming access list.
See http://www.cisco.com/warp/public/105/ACLsamples.pdf for details.
Regards,
Milan
07-08-2003 09:03 AM
Thanks a lot, Milan
After I changed the access-list as below, it works now.
interface FastEthernet0
ip address 159.254.205.1 255.255.255.0
interface FastEthernet1
ip address 159.254.207.129 255.255.255.224
ip access-group 110 in
access-list 110 permit icmp any any
access-list 110 permit tcp any any gt 1024 established
access-list 110 permit ip 159.254.207.128 0.0.0.31 159.254.205.100
access-list 110 permit ip 159.254.207.128 0.0.0.31 159.254.205.200
access-list 110 deny ip any any
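Milan's point, as an added Python model (constructed for this thread, not Cisco code and not from either post) of how IOS evaluates these entries: `established` only matches TCP segments with ACK or RST set, so the client's opening SYN can never match it in the outbound list 120, while the server's SYN/ACK does match it in the corrected inbound list 110. The client 159.254.205.50, the web server 159.254.207.130 and the client port 40000 are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass

SYN, RST, ACK = 0x02, 0x04, 0x10          # TCP flag bits used below
ANY = ("0.0.0.0", "255.255.255.255")      # IOS "any" as (address, wildcard)

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    # IOS wildcard semantics: a 1 bit in the wildcard means "don't care"
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)

@dataclass
class Ace:
    action: str                 # "permit" or "deny"
    proto: str                  # "ip", "tcp", "udp" or "icmp"
    src: tuple                  # (address, wildcard)
    dst: tuple
    dst_port_gt: int = 0        # models "gt <port>" on the destination port; 0 = no port check
    established: bool = False   # models the "established" keyword
    def matches(self, pkt: dict) -> bool:
        if self.proto != "ip" and self.proto != pkt["proto"]:
            return False
        if not (wildcard_match(pkt["src"], *self.src) and wildcard_match(pkt["dst"], *self.dst)):
            return False
        if self.dst_port_gt and pkt.get("dport", 0) <= self.dst_port_gt:
            return False
        # "established" matches only TCP segments with ACK or RST set, so never the opening SYN
        if self.established and not pkt.get("flags", 0) & (ACK | RST):
            return False
        return True

def acl_decision(acl: list, pkt: dict) -> str:
    for ace in acl:                 # first matching entry wins
        if ace.matches(pkt):
            return ace.action
    return "deny"                   # implicit deny at the end of every IOS ACL

# Original post: ACL 120 applied OUTBOUND on Fa1, i.e. to traffic heading toward the web server
ACL120 = [Ace("permit", "icmp", ANY, ANY), Ace("permit", "tcp", ANY, ANY, established=True),
          Ace("permit", "udp", ANY, ANY), Ace("deny", "ip", ANY, ANY)]
# Corrected config: ACL 110 applied INBOUND on Fa1, i.e. to replies coming back from the web server
ACL110 = [Ace("permit", "icmp", ANY, ANY), Ace("permit", "tcp", ANY, ANY, dst_port_gt=1024, established=True),
          Ace("permit", "ip", ("159.254.207.128", "0.0.0.31"), ("159.254.205.100", "0.0.0.0")),
          Ace("permit", "ip", ("159.254.207.128", "0.0.0.31"), ("159.254.205.200", "0.0.0.0")),
          Ace("deny", "ip", ANY, ANY)]
# Constructed sample flow: client 159.254.205.50 opens a connection to web server 159.254.207.130
CLIENT_SYN = {"proto": "tcp", "src": "159.254.205.50", "dst": "159.254.207.130", "dport": 80, "flags": SYN}
SERVER_SYNACK = {"proto": "tcp", "src": "159.254.207.130", "dst": "159.254.205.50", "dport": 40000, "flags": SYN | ACK}
print(acl_decision(ACL120, CLIENT_SYN))     # deny: the opening SYN carries no ACK/RST, so the outbound list drops it
print(acl_decision(ACL110, SERVER_SYNACK))  # permit: ACK set and port > 1024, so the reply gets back to the client
```

ICMP is permitted by a separate entry in both lists, which is why ping worked in both directions while the web connection did not.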