Hello.
I have some simple rules on 2 extended lists:
ip access-list extended FWIN
 permit tcp any host 192.36.86.231 eq ftp-data ftp 22 www 443 516 666 671 672 2222
 permit tcp any host 192.36.86.231 eq 4500 8008 8443
 permit tcp any host 192.36.86.231 range 5900 5950
 permit tcp any host 192.36.86.231 range 33434 33550
 permit tcp any host 192.36.86.241 eq ftp-data ftp 22 www 1935 2195 3306 8888
 permit tcp any host 192.36.86.241 range 8080 8090
 permit tcp any host 192.36.86.241 range 33434 33550
ip access-list extended FWOUT
 permit tcp host 192.36.86.231 any eq ftp-data ftp 22 www 443 516 666 671 672 2222
 permit tcp host 192.36.86.231 any eq 4500 8008 8443
 permit tcp host 192.36.86.231 any range 5900 5950
 permit tcp host 192.36.86.231 any range 33434 33550
 permit tcp host 192.36.86.241 any eq ftp-data ftp 22 www 1935 2195 3306 8888
 permit tcp host 192.36.86.241 any range 8080 8090
 permit tcp host 192.36.86.241 any range 33434 33550
On the external interface, I have:
ip access-group FWIN in
ip access-group FWOUT out
The issue is that 192.36.86.231 can access the internet, and 192.36.86.241 cannot.
Is there a way to troubleshoot 192.36.86.241's connection/packets flow?
Thank you.
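
One offline way to see which entry a given packet would hit in the lists as posted, as an added example that is not part of the original post: a minimal first-match evaluator in Python. It models only the `permit tcp ... eq/range` syntax used above, treats the ports after the destination as destination ports, and ends with the implicit deny; the function names and the 203.0.113.10 peer address are constructed for illustration.

```python
# ACL entries copied from the post; 203.0.113.10 below is a constructed sample peer.
FWIN = """\
permit tcp any host 192.36.86.231 eq ftp-data ftp 22 www 443 516 666 671 672 2222
permit tcp any host 192.36.86.231 eq 4500 8008 8443
permit tcp any host 192.36.86.231 range 5900 5950
permit tcp any host 192.36.86.231 range 33434 33550
permit tcp any host 192.36.86.241 eq ftp-data ftp 22 www 1935 2195 3306 8888
permit tcp any host 192.36.86.241 range 8080 8090
permit tcp any host 192.36.86.241 range 33434 33550
"""
FWOUT = """\
permit tcp host 192.36.86.231 any eq ftp-data ftp 22 www 443 516 666 671 672 2222
permit tcp host 192.36.86.231 any eq 4500 8008 8443
permit tcp host 192.36.86.231 any range 5900 5950
permit tcp host 192.36.86.231 any range 33434 33550
permit tcp host 192.36.86.241 any eq ftp-data ftp 22 www 1935 2195 3306 8888
permit tcp host 192.36.86.241 any range 8080 8090
permit tcp host 192.36.86.241 any range 33434 33550
"""
PORT_NAMES = {"ftp-data": 20, "ftp": 21, "www": 80}  # IOS keywords used in the post

def parse_addr(t):
    """Consume 'any' (returns None) or 'host A.B.C.D' (returns the address)."""
    return None if t.pop(0) == "any" else t.pop(0)

def parse_acl(text):
    """Parse each entry into (line, action, proto, src, dst, destination ports)."""
    entries = []
    for line in text.strip().splitlines():
        t = line.split()
        action, proto = t.pop(0), t.pop(0)
        src, dst = parse_addr(t), parse_addr(t)
        op = t.pop(0)  # 'eq' lists individual ports, 'range' gives low and high
        nums = [PORT_NAMES[p] if p in PORT_NAMES else int(p) for p in t]
        ports = range(nums[0], nums[1] + 1) if op == "range" else set(nums)
        entries.append((line, action, proto, src, dst, ports))
    return entries

def evaluate(acl_text, proto, src, dst, dport):
    """Top-down first match; a packet matching no entry hits the implicit deny."""
    for line, action, p, s, d, ports in parse_acl(acl_text):
        if p == proto and s in (None, src) and d in (None, dst) and dport in ports:
            return action, line
    return "deny", "(implicit deny)"

if __name__ == "__main__":
    for host in ("192.36.86.231", "192.36.86.241"):
        print(host, evaluate(FWOUT, "tcp", host, "203.0.113.10", 443))
```

With the lists as posted, an outbound TCP packet from 192.36.86.241 to destination port 443 falls through to the implicit deny, while the same packet from 192.36.86.231 matches its first FWOUT entry.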