08-05-2011 07:43 AM - edited 03-04-2019 01:11 PM
Hello,
I'm learning as I go and am having some problems with an ACL:
Extended IP access list 120
permit tcp 172.17.0.0 0.0.0.255 host 172.16.1.7 eq 15871
deny ip 172.17.0.0 0.0.0.255 10.0.0.0 0.255.255.255
deny ip 172.17.0.0 0.0.0.255 172.16.0.0 0.15.255.255
deny ip 172.17.0.0 0.0.0.255 192.168.0.0 0.0.255.255
permit ip any any
Extended IP access list 130
permit tcp host 172.16.1.192 host 172.17.0.10 eq 4899
permit ip any any
I need to be able to access a server 172.17.0.10 on port 4899 from workstation 172.16.1.192. My ACLs are listed above (obviously!). It's not working as it is. My suspicion is the deny ip 172.17.0.0 0.0.0.255 172.16.0.0 0.15.255.255 in ACL 120. But that is required as we can't have users from the 172.17 network seeing/accessing the 172.16 network.
Any help would be appreciated.
Thanks in advance.
08-05-2011 07:45 AM
Bit difficult to say without knowing where these ACLs are applied (i.e. which interfaces, and which interface has that IP) and in which direction, i.e. inbound or outbound.
Please fill in the details
Jon
08-05-2011 07:55 AM
Knew I forgot something...
interface Ethernet0
ip address 172.16.1.1 255.255.255.0
ip access-group 130 in
no ip directed-broadcast
media-type 10BaseT
!
interface Ethernet1
ip address 172.17.0.1 255.255.255.0
ip access-group 120 in
no ip directed-broadcast
media-type 10BaseT
Thank you!
08-05-2011 08:00 AM
No problem.
Couple of things -
1) acl 130 isn't really needed because you only have permits and the acl ends with a "permit ip any any" so it's not really doing anything
2) your actual problem is with acl 120. Your suspicion is correct. You need to modify your acl ie.
Extended IP access list 120
permit tcp 172.17.0.0 0.0.0.255 host 172.16.1.7 eq 15871
deny ip 172.17.0.0 0.0.0.255 10.0.0.0 0.255.255.255
deny ip 172.17.0.0 0.0.0.255 172.16.0.0 0.15.255.255
deny ip 172.17.0.0 0.0.0.255 192.168.0.0 0.0.255.255
permit ip any any
should be -
Extended IP access list 120
permit tcp 172.17.0.0 0.0.0.255 host 172.16.1.7 eq 15871
permit tcp host 172.17.0.10 eq 4899 host 172.16.1.192 <-- add this line
deny ip 172.17.0.0 0.0.0.255 10.0.0.0 0.255.255.255
deny ip 172.17.0.0 0.0.0.255 172.16.0.0 0.15.255.255
deny ip 172.17.0.0 0.0.0.255 192.168.0.0 0.0.255.255
permit ip any any
Note also that it needs to be inserted before the 3rd line, which denies traffic from 172.17.0.0/24 to 172.16.1.0/24.
Jon
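To make the ordering point concrete, here is an added example that is not code from this thread or from Cisco: a small first-match simulator for Cisco-style extended IP ACLs with wildcard masks. It runs the server's reply (172.17.0.10:4899 back to the workstation) through the ACL 120 as originally posted, through Jon's corrected version, and through a version where the same permit is placed after the deny, and it also shows a tighter variant using the `established` keyword, which is a suggestion of mine rather than something from the thread. The packet flows, the ephemeral client port 51234 and the other hosts/ports are constructed for illustration; the addresses, masks and ports in the ACL entries are the ones posted above.

```python
# Added example for this thread (not code from the posts or from Cisco): a
# first-match simulator for Cisco-style extended IP ACLs, used to show why the
# original ACL 120 drops the server's replies and why entry order matters.
# Addresses, wildcard masks and ports are taken from the thread; the packet
# flows, the ephemeral port 51234 and the "established" variant are assumed.
import ipaddress

ANY = ("0.0.0.0", "255.255.255.255")  # Cisco "any": every bit is a don't-care


def wildcard_match(addr, base, wildcard):
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    diff = int(ipaddress.IPv4Address(addr)) ^ int(ipaddress.IPv4Address(base))
    return diff & care == 0


def parse_ace(line):
    """Parse one entry in the form used in the thread, e.g.
    'permit tcp host 172.17.0.10 eq 4899 host 172.16.1.192 [established]'."""
    tok = line.split()
    pos = 2  # tok[0] is permit/deny, tok[1] is the protocol

    def address():
        nonlocal pos
        if tok[pos] == "any":
            pos += 1
            return ANY
        if tok[pos] == "host":
            pos += 2
            return (tok[pos - 1], "0.0.0.0")  # exact host: no don't-care bits
        pos += 2
        return (tok[pos - 2], tok[pos - 1])  # network + wildcard mask

    def port():
        nonlocal pos
        if pos < len(tok) and tok[pos] == "eq":
            pos += 2
            return int(tok[pos - 1])
        return None  # no port qualifier: any port

    src, sport, dst, dport = address(), port(), address(), port()
    return {"action": tok[0], "proto": tok[1],
            "src": src, "sport": sport, "dst": dst, "dport": dport,
            "established": pos < len(tok) and tok[pos] == "established"}


def evaluate(acl, pkt):
    """First matching entry wins; with no match the ACL ends in an implicit deny."""
    for line in acl:
        e = parse_ace(line)
        if e["proto"] not in ("ip", pkt["proto"]):
            continue
        if not (wildcard_match(pkt["src"], *e["src"]) and wildcard_match(pkt["dst"], *e["dst"])):
            continue
        if e["sport"] is not None and e["sport"] != pkt["sport"]:
            continue
        if e["dport"] is not None and e["dport"] != pkt["dport"]:
            continue
        if e["established"] and not pkt["ack"]:  # 'established' needs ACK (or RST) set
            continue
        return e["action"]
    return "deny"


def tcp(src, sport, dst, dport, ack):
    return {"proto": "tcp", "src": src, "sport": sport, "dst": dst, "dport": dport, "ack": ack}


# ACL 120 as posted (applied inbound on Ethernet1, the 172.17.0.0/24 side).
ACL_120_ORIGINAL = [
    "permit tcp 172.17.0.0 0.0.0.255 host 172.16.1.7 eq 15871",
    "deny ip 172.17.0.0 0.0.0.255 10.0.0.0 0.255.255.255",
    "deny ip 172.17.0.0 0.0.0.255 172.16.0.0 0.15.255.255",
    "deny ip 172.17.0.0 0.0.0.255 192.168.0.0 0.0.255.255",
    "permit ip any any",
]
REPLY_ACE = "permit tcp host 172.17.0.10 eq 4899 host 172.16.1.192"
# Jon's fix: the reply permit goes before the deny covering 172.16.0.0/12.
ACL_120_FIXED = ACL_120_ORIGINAL[:1] + [REPLY_ACE] + ACL_120_ORIGINAL[1:]
# Same entry after that deny: never reached, so the "fix" does nothing.
ACL_120_MISORDERED = ACL_120_ORIGINAL[:3] + [REPLY_ACE] + ACL_120_ORIGINAL[3:]
# Assumed tighter variant (not from the thread): only segments with ACK/RST set.
ACL_120_ESTABLISHED = ACL_120_ORIGINAL[:1] + [REPLY_ACE + " established"] + ACL_120_ORIGINAL[1:]

# Constructed flows: the server's reply, a connection the server opens itself
# from source port 4899, and an unrelated 172.17 host reaching for 172.16.
SERVER_REPLY = tcp("172.17.0.10", 4899, "172.16.1.192", 51234, ack=True)
SERVER_INITIATED = tcp("172.17.0.10", 4899, "172.16.1.192", 22, ack=False)
OTHER_HOST = tcp("172.17.0.50", 51234, "172.16.1.7", 445, ack=False)

if __name__ == "__main__":
    for name, acl in [("original", ACL_120_ORIGINAL), ("fixed", ACL_120_FIXED),
                      ("misordered", ACL_120_MISORDERED), ("established", ACL_120_ESTABLISHED)]:
        print(f"{name:12} reply={evaluate(acl, SERVER_REPLY)} "
              f"server-initiated={evaluate(acl, SERVER_INITIATED)} "
              f"other-host={evaluate(acl, OTHER_HOST)}")
```

Running it shows the original ACL 120 denying the reply, the corrected ACL permitting it, and the misordered copy denying it again, which is the point of inserting the line above the 172.16.0.0/12 deny. The added `established` variant is a caveat worth noting: Jon's entry as written lets 172.17.0.10 open any TCP connection to the workstation as long as it sources from port 4899, whereas `established` only passes segments with ACK or RST set. That is still a stateless check (flag bits are trivially set by an attacker), so if the 172.17 side is genuinely untrusted, a reflexive ACL or a stateful inspection feature on the IOS box is the proper way to allow only return traffic for sessions the workstation started.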
08-05-2011 08:12 AM
Thank you so much!