470 Views | 0 Helpful | 6 Replies

ACL Exception for Subnet

claya
Level 1

I have a Cisco ISR with a massive ACL. Right now I have device A (at 204.77.x.n) unreachable outside of its own subnet (say 204.77.x.n/16), but I would like to reach device A from an outside subnet (say 10.10.10.1/24). How could I accomplish this?

 

Here are my current relevant ACL entries:

access-list 2011 deny ip any host 204.77.x.n
access-list 2011 deny ip host 204.77.x.n any
access-list 2021 deny tcp any host 204.77.x.n eq telnet
access-list 2021 deny tcp host 204.77.x.n any eq telnet

6 Replies

balaji.bandi
Hall of Fame

Not sure how your network is in terms of syntax.

 

The example below should be placed at the top, above the deny entries, to permit it. (Make sure to correct the line numbers.)

access-list 2011 permit ip host 204.77.x.n 10.10.10.0 0.0.0.255

BB


Jon Marshall
Hall of Fame

 

Why do you have two different ACLs, and what direction are they applied in?

 

Also, you are denying IP in the first ACL, so what is the second ACL actually doing?

 

Jon

Hello,

 

it would indeed be helpful to see the entire ACL, and to know which interface (and direction) the ACL is applied to.

 

Either way, if the ACL is applied to the interface belonging to the 204.77.0.0/16 subnet, the below two entries need to be added to the top of the ACL:

 

interface GigabitEthernet0/0
 ip address 204.77.0.1 255.255.0.0
 ip access-group 2011 in
!
access-list 2011 permit ip host 204.77.0.1 10.10.10.0 0.0.0.255
access-list 2011 permit ip 10.10.10.0 0.0.0.255 host 204.77.0.1

 

Georg

 

That's why I wanted to see the ACL(s), as the second line in your solution is redundant, i.e. if the ACL is applied inbound, traffic can never have a source IP in the 10.10.10.x range.

 

I suspect this could be why the ACL is so large.

 

Jon

Jon,

 

good point. Based on the partial ACL posted, it is probably applied inbound AND outbound. I guess we need to wait for a response from OP...

Hello
You will need the most specific ACE above the other ACEs in the ACLs to allow communication.

As others have mentioned, we need to understand how these ACLs are applied, as the order of the ACEs in the ACL is most relevant. Also, what ports do you wish those two hosts to communicate on? In the example below I've allowed tcp/udp, and notice the ACEs in bold are above the other ACEs in the ACL.

Example:

access-list 2021 permit ip host 10.10.10.1 host 204.77.x.n
access-list 2021 deny tcp any host 204.77.x.n eq telnet
access-list 2011 deny ip any host 204.77.x.n

access-list 2021 permit ip host 204.77.x.n host 10.10.10.1
access-list 2021 deny tcp host 204.77.x.n any eq telnet
access-list 2011 deny ip host 204.77.x.n any

Edited: forgot to ask, are you using NAT?



Kind Regards
Paul
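The replies above all turn on the same two points: an IOS ACL is evaluated top-down with first match wins and an implicit deny at the end, so a permit appended below `deny ip any host X` never fires; and an ACE whose source can never appear on the interface it is applied to (a 10.10.10.0/24 source on an ACL applied inbound on the 204.77.0.0/16 interface) is dead weight. The following Python is an added illustration, not code from the thread, from Cisco, or from any of the posters. It parses the subset of `access-list` syntax used in the thread (any / host / network-plus-wildcard, optional `eq PORT`) and evaluates it the way the router would. The addresses 204.77.1.10 and 10.10.10.1 are constructed stand-ins for the thread's 204.77.x.n and 10.10.10.1, and the function names are the example's own.

```python
"""Top-down IOS-style extended ACL evaluation: first match wins, implicit deny at the end."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample addresses standing in for the thread's 204.77.x.n and 10.10.10.1.
DEVICE_A = "204.77.1.10"
REMOTE_HOST = "10.10.10.1"
LAN_SUBNET = ipaddress.ip_network("204.77.0.0/16")   # subnet of the interface carrying ACL 2011

WELL_KNOWN = {"telnet": 23, "ssh": 22, "www": 80}     # port keywords this parser understands


@dataclass
class Ace:
    action: str                  # "permit" | "deny"
    proto: str                   # "ip" | "tcp" | "udp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]         # destination "eq PORT", None if absent
    text: str                    # original line, kept for reporting


def _take_spec(toks: List[str]) -> Tuple[ipaddress.IPv4Network, List[str]]:
    """Consume one IOS address spec: 'any' | 'host A.B.C.D' | 'A.B.C.D WILDCARD'."""
    if toks[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), toks[1:]
    if toks[0] == "host":
        return ipaddress.ip_network(f"{toks[1]}/32"), toks[2:]
    addr, wild = toks[0], toks[1]
    # A wildcard mask is the bitwise inverse of a subnet mask (0 bits must match, 1 bits are don't-care).
    mask = (~int(ipaddress.IPv4Address(wild))) & 0xFFFFFFFF
    net = ipaddress.ip_network(f"{addr}/{ipaddress.IPv4Address(mask)}", strict=False)
    return net, toks[2:]


def parse_ace(line: str) -> Ace:
    """Parse 'access-list N permit|deny PROTO SRC DST [eq PORT]' (the forms used in the thread)."""
    toks = line.split()
    if toks[0] != "access-list":
        raise ValueError(f"not an ACL line: {line!r}")
    action, proto = toks[2], toks[3]
    src, rest = _take_spec(toks[4:])
    dst, rest = _take_spec(rest)
    dport = None
    if rest[:1] == ["eq"]:
        dport = WELL_KNOWN.get(rest[1]) or int(rest[1])
    return Ace(action, proto, src, dst, dport, line)


def evaluate(acl: List[Ace], src: str, dst: str, proto: str = "tcp", dport: int = 23):
    """Return (action, index of the matching ACE); index None means the implicit deny fired."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for i, ace in enumerate(acl):
        if ace.proto != "ip" and ace.proto != proto:   # 'ip' matches every protocol
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        if s in ace.src and d in ace.dst:
            return ace.action, i
    return "deny", None


def unreachable_inbound(acl: List[Ace], iface_subnet: ipaddress.IPv4Network) -> List[str]:
    """ACEs that can never match on an inbound ACL, because a packet arriving on the interface
    always carries a source inside the interface's subnet (Jon's redundancy point above)."""
    return [ace.text for ace in acl if not ace.src.overlaps(iface_subnet)]


ORIGINAL_2011 = [
    "access-list 2011 deny ip any host 204.77.1.10",
    "access-list 2011 deny ip host 204.77.1.10 any",
]
PERMITS = [
    "access-list 2011 permit ip 10.10.10.0 0.0.0.255 host 204.77.1.10",
    "access-list 2011 permit ip host 204.77.1.10 10.10.10.0 0.0.0.255",
]


def build(lines: List[str]) -> List[Ace]:
    return [parse_ace(line) for line in lines]


def compare_orderings() -> dict:
    """Show that the exception only works when the permits sit above the deny entries."""
    wrong = build(ORIGINAL_2011 + PERMITS)   # permits appended below the denies
    right = build(PERMITS + ORIGINAL_2011)   # permits placed at the top
    return {
        "below_denies": evaluate(wrong, REMOTE_HOST, DEVICE_A)[0],          # "deny"
        "above_denies": evaluate(right, REMOTE_HOST, DEVICE_A)[0],          # "permit"
        "other_host_still_blocked": evaluate(right, "10.20.30.40", DEVICE_A)[0],  # "deny"
        "never_match_inbound": unreachable_inbound(right, LAN_SUBNET),      # the 10.10.10.0/24-source permit
    }


if __name__ == "__main__":
    for key, value in compare_orderings().items():
        print(f"{key}: {value}")
```

Running it shows the same permit line yielding `deny` when appended and `permit` when placed first, an unrelated host still hitting the deny, and the 10.10.10.0/24-source permit reported as unmatchable on an inbound ACL for the 204.77.0.0/16 interface. The `eq telnet` handling shows why ACL 2021 only bites on TCP/23: the same packet on another port or protocol falls through to the implicit deny rather than to that ACE.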