Access-List Assistance

TheJax2009
Level 1

Hello,

I'm learning as I go and am having some problems with an ACL:

Extended IP access list 120

    permit tcp 172.17.0.0 0.0.0.255 host 172.16.1.7 eq 15871

    deny ip 172.17.0.0 0.0.0.255 10.0.0.0 0.255.255.255

    deny ip 172.17.0.0 0.0.0.255 172.16.0.0 0.15.255.255   

    deny ip 172.17.0.0 0.0.0.255 192.168.0.0 0.0.255.255

    permit ip any any

Extended IP access list 130

    permit tcp host 172.16.1.192 host 172.17.0.10 eq 4899

    permit ip any any

I need to be able to access a server 172.17.0.10 on port 4899 from workstation 172.16.1.192.  My ACL's are listed above (obviously!).  It's not working as it is.  My suspiscion is the deny ip 172.17.0.0 0.0.0.255 172.16.0.0 0.15.255.255 in ACL 120.  But that is required as we cant have users from the 172.17 network seeing/accessing the 172.16 network.

Any help would be appreciated.

Thanks in advance.


4 Replies

Jon Marshall
Hall of Fame

Bit difficult to say without knowing where these ACLs are applied (i.e. what interfaces, and what IP does that interface have) and which direction, i.e. inbound or outbound.

Please fill in the details

Jon

Knew I forgot something...

interface Ethernet0

ip address 172.16.1.1 255.255.255.0

ip access-group 130 in

no ip directed-broadcast

media-type 10BaseT

!        

interface Ethernet1

ip address 172.17.0.1 255.255.255.0

ip access-group 120 in

no ip directed-broadcast

media-type 10BaseT

Thank you!

No problem.

Couple of things -

1) ACL 130 isn't really needed because you only have permits and the ACL ends with a "permit ip any any", so it's not really doing anything.

2) Your actual problem is with ACL 120. Your suspicion is correct. You need to modify your ACL, i.e.

Extended IP access list 120

    permit tcp 172.17.0.0 0.0.0.255 host 172.16.1.7 eq 15871

    deny ip 172.17.0.0 0.0.0.255 10.0.0.0 0.255.255.255

    deny ip 172.17.0.0 0.0.0.255 172.16.0.0 0.15.255.255   

    deny ip 172.17.0.0 0.0.0.255 192.168.0.0 0.0.255.255

    permit ip any any

should be -

Extended IP access list 120

    permit tcp 172.17.0.0 0.0.0.255 host 172.16.1.7 eq 15871

    permit tcp host 172.17.0.10 eq 4899 host 172.16.1.192   <-- add this line

    deny ip 172.17.0.0 0.0.0.255 10.0.0.0 0.255.255.255

    deny ip 172.17.0.0 0.0.0.255 172.16.0.0 0.15.255.255   

    deny ip 172.17.0.0 0.0.0.255 192.168.0.0 0.0.255.255

    permit ip any any

note also it needs to be inserted before the 3rd line which denies traffic from 172.17.0.0/24 to 172.16.1.0/24

Jon

Thank you so much!
