access list does not work

network770 · ‎10-18-2011

I have a vlan that I only want to permit Internet access, and block all traffic to all other vlans, this is what i have:

interface Vlan10

description guest

ip address 10.60.6.1 255.255.255.0

ip access-group OUT in

end

ip access-list extended OUT

deny ip 10.60.6.0 0.0.0.255 172.18.65.0 0.0.0.255

permit ip any any

I want 10.60.6.0 not to have access to 172.18.65.0 and only have access to the Internet. but with the setup above when i ping

172.18.65.0 from 10.60.6.1 being the source the pings go through and the permit ip any any counter increments. Why?

Richard Burts · ‎10-18-2011

You are encountering a behavior that has been in place for a very long time but is not so clearly documented. An access list assigned to filter traffic outbound on an interface will not filter traffic that was generated by the router itself. If the interface address is the source address of the packet then an outbound access list will not filter it. If you test from a device connected in that vlan then you should find that the access list does exactly what you expect it to do.

HTH

Rick

HTH

Rick

smitesh kharecha · ‎10-18-2011

Hi,

Use extended access-list.

example for testing first will be

access-list 101 deny icmp 10.60.6.0 0.0.0.255 172.18.65.0 0.0.0.255 echo

access-list 101 deny icmp 10.60.6.0 0.0.0.255 172.18.65.0 0.0.0.255 echo-reply

and then check if your ping with source address.

If, it works then, remove the test access-list and add the following

access-list 101 deny tcp http

access-list 101 deny tcp ftp

etc..

don't forget to add permit all in the end.

Regards,

Smitesh

Latchum Naidu · ‎10-18-2011

Hi,

If you are trying to ping 172.18.65.0 from source interface 10.60.6.1 ping will be success as the router L3 interface can be able to ping any other L3 interface.

Try to ping from any host in 10.60.6.0 to 172.18.65.0 it wont ping as per your access-list defined.

Please rate the helpful posts.
Regards,
Naidu.