Funky ACL issue.

Emperor2000
Level 1

Hello, I am moving from a PIX 515E to a 2951 router with the firewall feature set.

I've begun to move the ACLs that were in the PIX. However, some of the rules are allowed to be typed in, but when I look at the ACL afterwards they are not what I typed in.

For instance I can type in:

access-list 115 permit tcp any 192.x.85.168 255.255.255.248 eq www  log
access-list 115 permit tcp any 192.x.85.168 255.255.255.248 eq domain  log

access-list 115 permit udp any 192.x.85.168 255.255.255.248 eq domain log

But when I look at the rule I see that it states the following:

access-list 115 permit tcp any 0.0.0.0 255.255.255.248 eq www log

access-list 115 permit tcp any 0.0.0.0 255.255.255.248 eq domain log

access-list 115 permit udp any 0.0.0.0 255.255.255.248 eq domain log

The ACL is on the "external" interface of the router, but the actual subnet lies on another interface (DMZ).

The external interface has NAT outside on it, since there are private subnets on other interfaces.

The DMZ network, though, is on public IPs, so there is no mention of NAT on that interface.

Could anyone please advise on what I'm doing wrong? I am pondering whether it has anything to do with NAT, or whether it has anything to do with the subnet configuration in the ACL.

Message was edited by: Gustav Uhlander

2 Replies

ajay chauhan
Level 7

You should use a wildcard mask while configuring ACLs on routers/switches.

Your statement:

access-list 115 permit tcp any 192.x.85.168 255.255.255.248 eq www  log

should be:

access-list 115 permit tcp any 192.168.85.168 0.0.0.7 eq www  log

Thanks

Ajay

mvsheik123
Level 7

Hello,

Router ACLs use a wildcard mask instead of a subnet mask. Try replacing 255.255.255.248 with 0.0.0.7 on the router.

hth

MS
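Both replies give the fix (use the inverted wildcard mask). The following Python script is an added example, not code from the thread or from Cisco: it reproduces why the router rewrote the address to 0.0.0.0 and shows how much wider the mistyped entry matches than the intended /29. It takes the sample prefix 192.168.85.168/29 from ajay chauhan's reply (the original post masks that octet as "x"), and the candidate addresses such as 10.0.0.8 are constructed for illustration. The IOS behaviour it models is the one visible in the thread: a 1 bit in the wildcard means "don't care", and the router clears those bits in the stored address.

```python
"""Wildcard-mask arithmetic for IOS-style ACL entries.

Added example, not from the thread or from Cisco. Sample prefix
192.168.85.168/29 is taken from ajay chauhan's reply; candidate
addresses below are constructed for illustration.
"""
import ipaddress

ALL_ONES = 0xFFFFFFFF


def to_int(dotted: str) -> int:
    """Dotted IPv4 string -> 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))


def to_dotted(value: int) -> str:
    """32-bit integer -> dotted IPv4 string."""
    return str(ipaddress.IPv4Address(value & ALL_ONES))


def mask_to_wildcard(subnet_mask: str) -> str:
    """Invert a subnet mask into the wildcard form IOS ACLs expect.
    255.255.255.248 -> 0.0.0.7"""
    return to_dotted(to_int(subnet_mask) ^ ALL_ONES)


def ios_normalize(address: str, wildcard: str) -> str:
    """What the router stores for an ACE (as seen in the thread): a 1 bit in
    the wildcard field is 'don't care', so those bits are cleared in the
    address. Typing a subnet mask in the wildcard field marks the high 29
    bits as don't-care, which is why 192.x.85.168 came back as 0.0.0.0."""
    care_bits = to_int(wildcard) ^ ALL_ONES
    return to_dotted(to_int(address) & care_bits)


def ace_matches(address: str, wildcard: str, candidate: str) -> bool:
    """Does an ACE with this address/wildcard pair match the candidate IP?"""
    care_bits = to_int(wildcard) ^ ALL_ONES
    return (to_int(address) & care_bits) == (to_int(candidate) & care_bits)


def addresses_covered(wildcard: str) -> int:
    """Number of IPv4 addresses a single ACE matches: 2 ** (don't-care bits)."""
    return 1 << bin(to_int(wildcard)).count("1")


def compare_entries(address: str, subnet_mask: str) -> dict:
    """Side-by-side view of the mistyped ACE (subnet mask typed where the
    wildcard belongs) and the intended ACE (proper wildcard)."""
    wildcard = mask_to_wildcard(subnet_mask)
    return {
        "typed_as": (address, subnet_mask),
        "stored_as": (ios_normalize(address, subnet_mask), subnet_mask),
        "intended": (address, wildcard),
        "hosts_mistyped": addresses_covered(subnet_mask),
        "hosts_intended": addresses_covered(wildcard),
    }


if __name__ == "__main__":
    result = compare_entries("192.168.85.168", "255.255.255.248")
    for key, value in result.items():
        print(f"{key:>15}: {value}")
    # The mistyped ACE matches every address whose low three bits are zero,
    # e.g. the constructed 10.0.0.8, regardless of the intended DMZ prefix.
    print(ace_matches("0.0.0.0", "255.255.255.248", "10.0.0.8"))  # True
    print(ace_matches("192.168.85.168", "0.0.0.7", "10.0.0.8"))   # False
```

The numbers are the point for a firewall migration review: the entry as stored (0.0.0.0 with a 255.255.255.248 wildcard) permits TCP 80 and 53 inbound to 2^29 destinations, one eighth of the IPv4 space, while the intended entry covers 8 addresses. Because the permit carries `log`, the unexpected hit counters are a quick way to spot such an entry after the fact; checking `show access-lists` against the original PIX rules before applying the ACL to the interface is the cheaper check.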
