IP Access-List HELP

tckoon
Level 1

Please refer to the configuration below. I have no problem with access-list 110. The problem is access-list 120: when a host on the 159.254.205.0/24 segment tries to access the web server on the 159.254.207.128/27 segment, it is blocked by access-list 120. I have permitted tcp any any with the established keyword, but when I show the log, the packets are denied by access-list 120!

Why?

P/S: but I have no problem pinging both ways!!

interface FastEthernet0
 ip address 159.254.205.1 255.255.255.0

interface FastEthernet1
 ip address 159.254.207.129 255.255.255.224
 ip access-group 110 in
 ip access-group 120 out

access-list 110 permit icmp any any
access-list 110 permit ip 159.254.207.128 0.0.0.31 host 159.254.205.100
access-list 110 permit ip 159.254.207.128 0.0.0.31 host 159.254.205.200
access-list 110 deny ip any any

access-list 120 permit icmp any any
access-list 120 permit tcp any any established
access-list 120 permit udp any any
access-list 120 deny ip any any log

2 Replies

milan.kulik
Level 10

Hi,

when the PC tries to connect to the web server, the TCP session is not established yet, so it is blocked.

If you want to use the established keyword, you should use it in the incoming access list.

See http://www.cisco.com/warp/public/105/ACLsamples.pdf for details.

Regards,

Milan

Thanks a lot, Milan

After I changed the access-list as below, it works now.

interface FastEthernet0
 ip address 159.254.205.1 255.255.255.0

interface FastEthernet1
 ip address 159.254.207.129 255.255.255.224
 ip access-group 110 in

access-list 110 permit icmp any any
access-list 110 permit tcp any any gt 1024 established
access-list 110 permit ip 159.254.207.128 0.0.0.31 host 159.254.205.100
access-list 110 permit ip 159.254.207.128 0.0.0.31 host 159.254.205.200
access-list 110 deny ip any any
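To make Milan's point concrete, here is an added Python model (not Cisco code and not from either poster) of how the original outbound list 120 and the corrected inbound list 110 evaluate the packets of the web connection and of a ping. The hosts 159.254.205.50 and 159.254.207.130 are constructed samples; the PC at .50 is deliberately not one of the two hosts permitted by the `permit ip` lines, so only the `established` entry can let the server's reply through.

```python
import ipaddress
from dataclasses import dataclass

ANY = ipaddress.ip_network("0.0.0.0/0")
WEB = ipaddress.ip_network("159.254.207.128/27")   # 159.254.207.128 0.0.0.31 in wildcard form
PC100 = ipaddress.ip_network("159.254.205.100/32")  # 'host 159.254.205.100'

@dataclass
class Packet:
    src: str
    dst: str
    proto: str                # "tcp", "udp" or "icmp"
    dport: int = 0
    ack_or_rst: bool = False  # TCP ACK or RST bit set; never set on a client's first SYN

def matches(entry, pkt):
    """entry = (action, protocol, source net, destination net, options)."""
    _, proto, src, dst, opts = entry
    if proto != "ip" and proto != pkt.proto:
        return False
    if ipaddress.ip_address(pkt.src) not in src or ipaddress.ip_address(pkt.dst) not in dst:
        return False
    if "gt" in opts and pkt.dport <= opts["gt"]:
        return False
    # 'established' matches only segments with ACK or RST set, so the opening SYN never matches
    return not (opts.get("established") and not pkt.ack_or_rst)

def evaluate(acl, pkt):
    """Action of the first matching entry; IOS ends every list with an implicit deny."""
    return next((e[0] for e in acl if matches(e, pkt)), "deny")

# Original list 120, applied OUT on FastEthernet1, i.e. to traffic heading towards the web server
ACL_120 = [("permit", "icmp", ANY, ANY, {}), ("permit", "tcp", ANY, ANY, {"established": True}),
           ("permit", "udp", ANY, ANY, {}), ("deny", "ip", ANY, ANY, {})]
# Corrected list 110 from the follow-up, applied IN on FastEthernet1, i.e. to the server's replies
ACL_110_FIXED = [("permit", "icmp", ANY, ANY, {}),
                 ("permit", "tcp", ANY, ANY, {"gt": 1024, "established": True}),
                 ("permit", "ip", WEB, PC100, {}), ("deny", "ip", ANY, ANY, {})]

# Constructed sample hosts: a PC at .50 and the web server at .130
SYN = Packet("159.254.205.50", "159.254.207.130", "tcp", dport=80)
SYN_ACK = Packet("159.254.207.130", "159.254.205.50", "tcp", dport=51000, ack_or_rst=True)
PING = Packet("159.254.205.50", "159.254.207.130", "icmp")

def original_syn_outbound():  # the PC's SYN hits list 120 before any session exists -> denied
    return evaluate(ACL_120, SYN)
def fixed_syn_ack_inbound():  # the server's SYN-ACK has ACK set and dport > 1024 -> permitted
    return evaluate(ACL_110_FIXED, SYN_ACK)
def ping_outbound():  # icmp is permitted by both lists, which is why ping worked both ways
    return evaluate(ACL_120, PING)
```

Swapping the SYN's direction in this model shows the general rule: `established` belongs on the list that sees the server's replies, because the client's first segment never carries ACK or RST.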
