Re: access-list checker

Sectech1 · ‎04-13-2023

This is the current ACL that is blocking this range.

410 deny ip any 10.250.0.0 0.0.255.255

I want to allow just 1 host from the above range to go through

Sectech1 · ‎04-13-2023

Hi Guys

I have access list that deny a range of IPs to the internet.

I want to allow individual host to internet to talk to a server in the internet. can you please help?

STD_NetWorld · ‎04-17-2023

@Sectech1 you can add allowed host entry on high priority on existing ACL, like

409 permit ip any <IP_you_Want_to_Allow> 0.0.0.0

if still you facing issue, i would request please share output of below commands

sh ip access-list
sh run | Sec access-list

Rich R · ‎04-13-2023

You should probably read and understand these pages to get a basic understanding of how ACLs work:
https://www.cisco.com/c/en/us/support/docs/ip/access-lists/26448-ACLsamples.html
https://www.cisco.com/c/en/us/support/docs/security/ios-firewall/23602-confaccesslists.html
And if you search you'll find hundreds of examples and videos.

In this case you just need to insert a line before 410 with:
"permit ip host <ip address> any" or maybe "permit ip any host <ip address>" depending on where your ACL is configured and which direction you're filtering the traffic.

------------------------------
Please click Helpful if this post helped you and Select as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's and TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's, Best Practices for 9800 WLC's and Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.196.0, latest 9800 releases, 8.5.182.12 (8.5.182.13 for 3504) and 8.5.182.109 (IRCM, 8.5.182.111 for 3504)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs
Default AP console baud rate from 17.12.x is 115200 - introduced by CSCwe88390

paul driver · ‎04-13-2023

Hello
So then you would need to amend that access-list to permit that single host and to do that an additional access-list control entry (ace) needs to be added and serviced before that 410 deny ace

example:
ip access-list extended xxx
409 permit ip any host 10.250.x.x

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Joseph W. Doherty · ‎04-13-2023

Paul's provided the direct answer.

To be clear, the x.x in 10.250.x.x would be any specific/one address, from 10.250.0.0 to 10.250.255.255. I.e. although for a /16, the useable range is 10.250.0.1 to 10.250.255.254, the new ACE matches one address within the /8 address block range.

Paul also shows the new ACE with a sequence number of 209.

First, it's possible 209 is being used. Second, what's important is the new permit ACE is before the current deny ACE. Third, having the two ACEs, back to back, is helpful from a maintenance standpoint.

MHM Cisco World · ‎04-13-2023

what direction of this ACL ?