Access-list problem

dkblee
Level 1

Hi!

Can anyone help with implementing access-lists on a Cisco 2600 router's subinterfaces? I tried to apply some access-lists on the Cisco 2600 router, but it doesn't work, especially for the 2 hosts that I added in. The way I applied the access-lists on these subinterfaces is not the way taught in the book, but it works for all the statements except the 2 hosts that I added in. Please help me on that. Thanks!

12 Replies

Hello,

there are 4 access lists in your attachment, which one is not working correctly? Also, I do not see any host entries in any of the lists, which hosts are you referring to?

Regards,

Georg

hi!

The statements:

permit 10.71.9.93

permit 10.71.9.88

for access-lists 10 and 11 are not working; the rest of the statements are OK. The subinterfaces are actually for VLANs, e.g.

interface FastEthernet0/0.3 is for 10.71.10.X vlan

interface FastEthernet0/0.4 is for 10.71.11.X vlan

interface FastEthernet0/0 is for 10.71.9.X vlan

The 2 hosts above are supposed to be able to access 10.71.10.x and 10.71.11.x vlan.

One thing that I don't understand is: shouldn't the source for all the interfaces above be hosts in their own subnet? E.g. the source for the 10.71.9.x subnet should only be 10.71.9.XX. If you noticed, the source in the access-lists I created can be another VLAN's IP, but it works except for the 2 permit host statements above. Please help, thanks!

Some extra info: the reason you didn't see the host statements might be because I used the sh access-list command; in the actual access-list commands I tried it with the host keyword in the statements.

Hello,

as far as I can see, your access list 12 denies all traffic from 10.71.10.0 and 10.71.11.0. So I think that your traffic is allowed towards those subnets, but the return traffic is denied. Try to add a permit statement to access list 12 which allows a specific host from the 10.71.10.0 or 10.71.11.0 subnet.

Regards,

Georg

hi!

Their requirement is to block all traffic from 10.71.10.0 and 10.71.11.0 from accessing 10.71.9.0 (int fa0/0), but only 2 hosts (10.71.9.93, 10.71.9.88) from the 10.71.9.0 VLAN are allowed to access the 10.71.11.0 and 10.71.10.0 VLANs, whereas other 10.71.9.0 hosts are not allowed to access those 2 subnets. + hosts from 10.71.10.0 and 10.71.10.0 are not supposed to access each other.

To make it easier to understand: basically, the 10.71.9.0, 10.71.10.0 and 10.71.11.0 VLANs are not supposed to access each other, except for the 10.71.12.0 VLAN, and only 10.71.9.93 and 10.71.9.88 can access all the VLANs.

According to your suggestion, "Try to add a permit statement to access list 12 which allows a specific host from the 10.71.10.0 or 10.71.11.0 subnet."

That would allow hosts from those 2 subnets to access my 10.71.9.0 network, right? That doesn't seem to accomplish the requirements above. I would appreciate it if you could show an example on one or 2 of the subinterfaces of how my requirements can be met. Thanks for the help again.

There is a typo in the first paragraph (end of the paragraph). It should be

"+ hosts from 10.71.10.0 and 10.71.11.0 are not supposed to access each other. " instead of

"+ hosts from 10.71.10.0 and 10.71.10.0 are not supposed to access each other. "

hi!

Can you help with my access-list problem that I posted yesterday? I have another extended access-list written trying to meet my requirement, but I am not sure whether it will work or not. Please correct me if there's anything wrong. Need help on that. Thanks!

Hi! Can anyone help with my access-list problem?

rwcrowe
Level 1

The problem is that for access-list 10 and 11 you are using standard access-lists instead of extended. You have:

permit 10.71.9.93

permit 10.71.9.88

and you have the access-lists applied outbound on the FastE subinterfaces for subnets .10 and .11. This would allow packets sourced from hosts 10.71.9.93 and 10.71.9.88 out FastE0/0.3 and FastE0/0.4, but those hosts are not sitting on those subnets; you need to allow the return traffic to hosts 10.71.9.93 and 10.71.9.88.

If you are going to keep it this way, you need to change from a standard access-list to an extended to match the return traffic:

10

permit tcp any host 10.71.9.93 established

permit tcp any host 10.71.9.88 established

11

permit tcp any host 10.71.9.93 established

permit tcp any host 10.71.9.88 established

* PS - also remember that the established keyword only works for TCP traffic, not UDP. So if you need UDP responses back to those 2 hosts you need to open up those ranges. And also, access-lists are NOT stateful.

hi!

Just ignore what I've configured using the standard access-lists. If I change to extended access-lists as in the config below, will it work? If there's any mistake, please correct me. Thanks!

fa0/0 - .9 vlan outbound

=========================

access-list 111 permit ip 10.71.9.0 0.0.0.255 host 10.71.12.65

access-list 111 permit ip 10.71.9.0 0.0.0.255 host 10.71.12.68

access-list 111 permit ip host 10.71.9.93 10.71.10.0 0.0.0.255

access-list 111 permit ip host 10.71.9.93 10.71.11.0 0.0.0.255

access-list 111 permit ip host 10.71.9.88 10.71.10.0 0.0.0.255

access-list 111 permit ip host 10.71.9.88 10.71.11.0 0.0.0.255

access-list 111 deny ip any any

fa0/0.3 - .10 vlan outbound

===========================

access-list 112 permit ip 10.71.10.0 0.0.0.255 host 10.71.12.66

access-list 112 permit ip 10.71.10.0 0.0.0.255 host 10.71.12.68

access-list 112 deny ip any any

fa0/0.4 - .11 vlan outbound

===========================

! this list needs its own number; 112 is already in use for fa0/0.3

access-list 113 permit ip 10.71.11.0 0.0.0.255 host 10.71.12.67

access-list 113 permit ip 10.71.11.0 0.0.0.255 host 10.71.12.68

access-list 113 deny ip any any
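An added example (not from the thread or from Cisco) that evaluates the posted ACL 111 with first-match, wildcard-mask and implicit-deny semantics. An ACL applied outbound on fa0/0 only sees packets the router forwards onto the .9 VLAN, so the checks below use constructed sample addresses on both sides of that interface; the flows destined to the .9 VLAN all fall through to the implicit deny, including replies to 10.71.9.93.

```python
import ipaddress
# Constructed copy of the thread's ACL 111 (applied outbound on fa0/0, the .9 VLAN).
ACL_111 = """
access-list 111 permit ip 10.71.9.0 0.0.0.255 host 10.71.12.65
access-list 111 permit ip 10.71.9.0 0.0.0.255 host 10.71.12.68
access-list 111 permit ip host 10.71.9.93 10.71.10.0 0.0.0.255
access-list 111 permit ip host 10.71.9.93 10.71.11.0 0.0.0.255
access-list 111 permit ip host 10.71.9.88 10.71.10.0 0.0.0.255
access-list 111 permit ip host 10.71.9.88 10.71.11.0 0.0.0.255
access-list 111 deny ip any any
"""

def _addr_spec(tok):
    """Consume one address spec (any | host A.B.C.D | A.B.C.D WILDCARD); return (addr, wildcard) ints."""
    word = tok.pop(0)
    if word == "any":
        return 0, 0xFFFFFFFF
    if word == "host":
        return int(ipaddress.IPv4Address(tok.pop(0))), 0
    return int(ipaddress.IPv4Address(word)), int(ipaddress.IPv4Address(tok.pop(0)))

def parse_acl(text):
    """Parse 'access-list N permit|deny proto SRC DST' lines into (action, src_spec, dst_spec)."""
    rules = []
    for line in text.strip().splitlines():
        tok = line.split()[2:]            # drop 'access-list 111'
        action, _proto = tok.pop(0), tok.pop(0)
        src, dst = _addr_spec(tok), _addr_spec(tok)
        rules.append((action, src, dst))
    return rules

def _matches(spec, addr):
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    net, wild = spec
    care = ~wild & 0xFFFFFFFF
    return (net & care) == (addr & care)

def evaluate(rules, src_ip, dst_ip):
    """First matching entry wins; anything unmatched hits the implicit deny at the end."""
    s, d = int(ipaddress.IPv4Address(src_ip)), int(ipaddress.IPv4Address(dst_ip))
    for action, src, dst in rules:
        if _matches(src, s) and _matches(dst, d):
            return action
    return "deny"

if __name__ == "__main__":
    rules = parse_acl(ACL_111)
    # Only the first two flows are ones an outbound ACL on fa0/0 would actually see.
    for src, dst in [("10.71.10.5", "10.71.9.93"), ("10.71.12.65", "10.71.9.10"), ("10.71.9.93", "10.71.10.5")]:
        print(f"{src} -> {dst}: {evaluate(rules, src, dst)}")
```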

hi!

The above statements will permit access from the .10 and .11 VLANs to the .9 VLAN, right? I wouldn't want them to access the .9 VLAN; only those two .9 hosts should be able to access .10 and .11. Never mind, please check whether the previous config that I sent will meet my requirements. Thanks!

hi!

Need help on the access-list above, can anyone help? Thanks!
