
Why is the following ACL not getting any hits?

Why is the IN3 ACL getting no hits? Even the "deny ip any any" statement is getting no matches.

 

ip access-list extended IN3
permit icmp any host 199.9.9.9 echo
permit tcp 207.190.2.96 0.0.0.15 any eq www
deny tcp 207.190.2.96 0.0.0.15 host 195.5.5.254 eq telnet
permit tcp 207.190.2.96 0.0.0.15 195.5.5.0 0.0.0.255 eq telnet
permit udp 207.190.1.0 0.0.0.3 host 199.9.9.9 eq syslog
permit tcp 207.190.1.0 0.0.0.3 207.190.2.96 0.0.0.15 eq 22
deny ip any any

 

 

 

interface Multilink1
ip address 207.190.1.1 255.255.255.252
ppp authentication chap callin
ppp multilink
ppp multilink group 1

 

interface Serial0/0/0
ip address 208.190.2.1 255.255.255.252
ip access-group 102 out
clock rate 128000
!
interface Serial0/0/1
ip address 207.190.2.1 255.255.255.252
ip access-group 101 out

 

 

 


Re: Why is the following ACL not getting any hits?

Hi, 

 

Just a guess, and I'm not sure of the platform/software you are using, but you may need to put the "log" command at the end of each of the entries to see matches:

 

https://www.cisco.com/c/en/us/about/security-center/access-control-list-logging.html

 

https://learningnetwork.cisco.com/thread/6505

 

Is traffic getting through for, say, the "deny tcp 207.190.2.96 0.0.0.15 host 195.5.5.254 eq telnet" entry?

 

If not, then the ACL is working; you just need to add log at the end of the statements.
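
An added example, not part of the thread: in the configuration as posted, the only ip access-group lines reference 101 and 102, and none references IN3. The Python sketch below audits a configuration for ACLs that are defined but not bound to an interface; the function name and the abridged sample are assumptions, and it checks ip access-group bindings only (not access-class, route-maps or other features that can reference an ACL).

```python
import re

# Constructed sample input: abridged copy of the configuration posted in the question.
POSTED_CONFIG = """\
ip access-list extended IN3
permit icmp any host 199.9.9.9 echo
permit tcp 207.190.2.96 0.0.0.15 any eq www
deny ip any any
interface Multilink1
ip address 207.190.1.1 255.255.255.252
interface Serial0/0/0
ip address 208.190.2.1 255.255.255.252
ip access-group 102 out
interface Serial0/0/1
ip address 207.190.2.1 255.255.255.252
ip access-group 101 out
"""

NAMED_DEF = re.compile(r"^ip access-list (?:standard|extended) (\S+)")
NUMBERED_DEF = re.compile(r"^access-list (\d+) ")
INTERFACE = re.compile(r"^interface (\S+)")
BINDING = re.compile(r"^ip access-group (\S+) (in|out)")

def audit_acl_bindings(config):
    """Hypothetical helper: compare defined ACLs with interface bindings."""
    defined, bindings, current_if = set(), [], None
    for raw in config.splitlines():
        line = raw.strip()
        acl = NAMED_DEF.match(line) or NUMBERED_DEF.match(line)
        if acl:
            defined.add(acl.group(1))
            current_if = None          # left interface context
            continue
        intf = INTERFACE.match(line)
        if intf:
            current_if = intf.group(1)
            continue
        bind = BINDING.match(line)
        if bind and current_if:
            bindings.append((current_if, bind.group(1), bind.group(2)))
    applied = {name for _, name, _ in bindings}
    return {
        "unapplied": sorted(defined - applied),   # defined, never bound: no hits possible
        "undefined": sorted(applied - defined),   # bound, but not defined in this text
        "bindings": bindings,
    }

if __name__ == "__main__":
    print(audit_acl_bindings(POSTED_CONFIG))
```

On the device itself, `show ip interface <name>` reports the inbound and outbound access list set on that interface.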

 
