cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
Join Customer Connection to register!
248
Views
0
Helpful
2
Replies
terrencepayet
Beginner

Access-list Help

Hi guys,

Just a quick question.

I have the below scenario:

int gi0/0.1 = 10.10.10.0/24

int gi0/0.2 = 10.10.11.0/24

int gi0/0.3 = 10.10.12.0/24

I have three vlan's configured as above. We've just created our site to site VPN with our remote office, and now we want to allow them access to only one server on network 10.10.10.0/24, let say the server is 10.10.10.10, how can i create an access list from source ip let say 172.16.45.0(remote office network) to our server 10.10.10.10.

Ive created an access-list and i've applied it to my server vlan interface as below, but i cannot access anything on server vlan after i've applied.

access-list 101 permit ip 172.16.45.0 0.0.0.255 host 10.10.10.10

int gi0/0.1 = ip access-group in

Can you guys shed some light.

Thanks,

TP

1 ACCEPTED SOLUTION

Accepted Solutions
zac.quinn
Beginner

There is an implicit 'deny any any' at the end of an ACL so your ACL is in effect only allowing the remote office to access your server.  All other traffic to that interface will be denied.

As ACLs are processed in order top to bottom so you could add a deny remote office to any as the next ACL entry to block access by them to the remaining servers followed by a permit any any to restore access to everything else.

On the other hand you could permit all your other subnets to access the server subnet but this would require maintaining everytime you add a new subnet to the system.

http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00800a5b9a.shtml#ts is a handy guide to acls

hth

Zac

View solution in original post

2 REPLIES 2
zac.quinn
Beginner

There is an implicit 'deny any any' at the end of an ACL so your ACL is in effect only allowing the remote office to access your server.  All other traffic to that interface will be denied.

As ACLs are processed in order top to bottom so you could add a deny remote office to any as the next ACL entry to block access by them to the remaining servers followed by a permit any any to restore access to everything else.

On the other hand you could permit all your other subnets to access the server subnet but this would require maintaining everytime you add a new subnet to the system.

http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00800a5b9a.shtml#ts is a handy guide to acls

hth

Zac

View solution in original post

Hi Zac,

Thanks for the info.

Forgot about the implicit deny after each ACL

Regards,

Terence