ACL Range Syntax

tkropp
Level 1

I'm trying to use this:

access-list 112 permit tcp any 172.16.23.0 0.0.0.255 range 46000 46030

!

on a 7206 router. I know the range command works fine on PIX, however, this is not working on the router, the command takes, but TCP ports within the specified range are being denied.

My question is simple:

Does anyone know what the syntax specifics are when dealing with the RANGE option in router ACLs?

Thanks,

Tim

3 Replies

pkajekar
Level 1

Hi,

The syntax is correct! In the above ACE, you are permitting traffic from any host to the 172.16.23.0 network provided the destination port is between 46000 and 46030. Could you recheck if it is indeed being denied? Also, have you applied this access-list in the correct direction?

Cheers,

~preetham

Yes, it's applied in the correct direction (outbound to our internal network). The command does take; however, the denies are being logged. A colleague mentioned having to specify the range with another option. However, I'm not having any luck with the documentation.

I may just end up putting the GT operand in the meantime. Just curious if anyone else had run into this situation where the range operand wasn't working.

-Tim

Tim,

Everything looks fine in your ACE and it sure should work. Why don't you raise a case with Cisco TAC (Technical Assistance Center)? A TAC engineer would help you out. Meanwhile, you could try using the following ACEs -

access-list 112 deny tcp any 172.16.23.0 0.0.0.255 lt 46000

access-list 112 deny tcp any 172.16.23.0 0.0.0.255 gt 46030

access-list 112 permit tcp any 172.16.23.0 0.0.0.255 log

and check to see if they are being permitted.

-Karthik
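As an added example (not from this thread and not Cisco's own code), here is a small Python model of IOS first-match extended ACL evaluation with wildcard masks and the eq/lt/gt/range port operators, run over both the original range ACE and Karthik's lt/gt alternative. It shows that the two lists make the same permit/deny decision for every destination port, so if the router still logs denies, the cause lies elsewhere (interface, direction, or the actual ports in the flow); the source host 10.0.0.5 and destination 172.16.23.7 are constructed test values.

```python
import ipaddress

# Constructed model of IOS numbered extended ACL matching (added example, not Cisco's parser).
# ACL_RANGE is the ACE from the question; ACL_LT_GT is Karthik's lt/gt workaround.
ACL_RANGE = ["access-list 112 permit tcp any 172.16.23.0 0.0.0.255 range 46000 46030"]
ACL_LT_GT = ["access-list 112 deny tcp any 172.16.23.0 0.0.0.255 lt 46000",
             "access-list 112 deny tcp any 172.16.23.0 0.0.0.255 gt 46030",
             "access-list 112 permit tcp any 172.16.23.0 0.0.0.255 log"]

def _parse_addr(tokens):
    """Consume 'any' or 'A.B.C.D WILDCARD'; return ((base, wildcard), remaining tokens)."""
    if tokens[0] == "any":
        return (0, 0xFFFFFFFF), tokens[1:]
    return (int(ipaddress.ip_address(tokens[0])), int(ipaddress.ip_address(tokens[1]))), tokens[2:]

def _addr_matches(spec, ip):
    base, wildcard = spec
    care = ~wildcard & 0xFFFFFFFF  # wildcard 1-bits are don't-care; only the 0-bits must match
    return int(ipaddress.ip_address(ip)) & care == base & care

def _parse_port(tokens):
    """Optional port operator: eq/lt/gt N or range LO HI. Returns (predicate, remaining tokens)."""
    if not tokens or tokens[0] not in ("eq", "lt", "gt", "range"):
        return (lambda p: True), tokens
    if tokens[0] == "range":
        lo, hi = int(tokens[1]), int(tokens[2])
        return (lambda p: lo <= p <= hi), tokens[3:]
    n = int(tokens[1])
    return {"eq": lambda p: p == n, "lt": lambda p: p < n, "gt": lambda p: p > n}[tokens[0]], tokens[2:]

def parse_ace(line):
    t = line.split()  # access-list <num> <action> <proto> <src> [op] <dst> [op] [log]
    action, proto = t[2], t[3]
    src, rest = _parse_addr(t[4:])
    sport, rest = _parse_port(rest)
    dst, rest = _parse_addr(rest)
    dport, _ = _parse_port(rest)  # trailing keywords such as 'log' do not affect matching
    return action, proto, src, sport, dst, dport

def evaluate(acl, proto, src_ip, sport, dst_ip, dport):
    """First matching ACE wins; an IOS ACL ends with an implicit deny."""
    for action, p, src, sp, dst, dp in map(parse_ace, acl):
        if p in (proto, "ip") and _addr_matches(src, src_ip) and sp(sport) \
                and _addr_matches(dst, dst_ip) and dp(dport):
            return action
    return "deny"

def compare(ports=(45999, 46000, 46015, 46030, 46031, 80)):
    """Decision of each list for one TCP flow from 10.0.0.5 to 172.16.23.7, per destination port."""
    return {p: (evaluate(ACL_RANGE, "tcp", "10.0.0.5", 51000, "172.16.23.7", p),
                evaluate(ACL_LT_GT, "tcp", "10.0.0.5", 51000, "172.16.23.7", p)) for p in ports}
```

Note that both lists deny traffic to hosts outside 172.16.23.0/24 as well, the range list through the implicit deny and the lt/gt list because its permit is also scoped to that network.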