03-08-2012 08:41 PM - edited 03-07-2019 05:27 AM
Hi guys,
Just a quick question.
I have the below scenario:
int gi0/0.1 = 10.10.10.0/24
int gi0/0.2 = 10.10.11.0/24
int gi0/0.3 = 10.10.12.0/24
I have three VLANs configured as above. We've just created our site-to-site VPN with our remote office, and now we want to allow them access to only one server on network 10.10.10.0/24. Let's say the server is 10.10.10.10; how can I create an access list from source IP, let's say 172.16.45.0 (remote office network), to our server 10.10.10.10?
I've created an access-list and I've applied it to my server VLAN interface as below, but I cannot access anything on the server VLAN after I've applied it.
access-list 101 permit ip 172.16.45.0 0.0.0.255 host 10.10.10.10
int gi0/0.1
 ip access-group 101 in
Can you guys shed some light?
Thanks,
TP
03-09-2012 01:28 AM
There is an implicit 'deny any any' at the end of an ACL, so your ACL is in effect only allowing the remote office to access your server. All other traffic to that interface will be denied.
As ACLs are processed in order from top to bottom, you could add a 'deny remote office to any' as the next ACL entry to block their access to the remaining servers, followed by a 'permit any any' to restore access to everything else.
On the other hand, you could permit all your other subnets to access the server subnet, but this would require maintenance every time you add a new subnet to the system.
http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00800a5b9a.shtml#ts is a handy guide to ACLs.
hth
Zac
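The two rules Zac relies on (first match wins, top to bottom, with an implicit deny at the end) are easy to check on paper with a small evaluator. The following is an added example, not code from the thread or from Cisco: it parses IOS-style numbered extended ACL lines (including wildcard masks, `host` and `any`) and runs a few constructed packets through the original one-line ACL, through the three-line ACL Zac suggests, and through a deliberately mis-ordered version that puts `permit ip any any` first. The packet addresses (172.16.45.20, 10.10.10.50, 10.10.11.5) are invented for the example.

```python
"""Model of Cisco IOS numbered extended ACL matching (added example, not IOS code).

Semantics modelled: entries are checked top to bottom, the first match decides,
and a packet matching no entry hits the implicit 'deny any any'.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class AclEntry:
    action: str      # "permit" or "deny"
    proto: str       # "ip" matches every protocol in this model
    src_net: int
    src_wild: int    # wildcard mask: a 1 bit means "don't care"
    dst_net: int
    dst_wild: int


def _ip(text):
    return int(ipaddress.IPv4Address(text))


def _parse_addr(tokens, i):
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD' starting at tokens[i]."""
    if tokens[i] == "any":
        return 0, 0xFFFFFFFF, i + 1
    if tokens[i] == "host":
        return _ip(tokens[i + 1]), 0, i + 2
    return _ip(tokens[i]), _ip(tokens[i + 1]), i + 2


def parse_acl(text):
    """Parse lines of the form: access-list <num> <permit|deny> <proto> <src> <dst>."""
    entries = []
    for line in text.strip().splitlines():
        t = line.split()
        if not t or t[0] != "access-list":
            continue
        action, proto = t[2], t[3]
        src, src_wild, i = _parse_addr(t, 4)
        dst, dst_wild, _ = _parse_addr(t, i)
        entries.append(AclEntry(action, proto, src, src_wild, dst, dst_wild))
    return entries


def _matches(addr, net, wild):
    # Compare only the bits the wildcard mask marks as significant (0 bits).
    care = ~wild & 0xFFFFFFFF
    return (addr & care) == (net & care)


def evaluate(acl, src, dst, proto="ip"):
    """Return (action, entry_index); index None means the implicit deny fired."""
    s, d = _ip(src), _ip(dst)
    for n, e in enumerate(acl):
        if e.proto not in ("ip", proto):
            continue
        if _matches(s, e.src_net, e.src_wild) and _matches(d, e.dst_net, e.dst_wild):
            return e.action, n
    return "deny", None


def decisions(acl_text, packets):
    acl = parse_acl(acl_text)
    return [evaluate(acl, src, dst)[0] for src, dst in packets]


# The poster's single-line ACL (from the thread).
ORIGINAL_ACL = """
access-list 101 permit ip 172.16.45.0 0.0.0.255 host 10.10.10.10
"""

# Zac's suggestion: permit the one host, deny the rest of the remote office, permit everything else.
FIXED_ACL = """
access-list 101 permit ip 172.16.45.0 0.0.0.255 host 10.10.10.10
access-list 101 deny ip 172.16.45.0 0.0.0.255 any
access-list 101 permit ip any any
"""

# Same entries in the wrong order: the broad permit shadows the deny below it.
MISORDERED_ACL = """
access-list 101 permit ip any any
access-list 101 permit ip 172.16.45.0 0.0.0.255 host 10.10.10.10
access-list 101 deny ip 172.16.45.0 0.0.0.255 any
"""

# Constructed sample packets (source, destination); hosts are invented for the example.
PACKETS = [
    ("172.16.45.20", "10.10.10.10"),  # remote office -> the allowed server
    ("172.16.45.20", "10.10.10.50"),  # remote office -> another server on the VLAN
    ("10.10.10.10", "10.10.11.5"),    # server VLAN -> VLAN 2 (what an inbound ACL on gi0/0.1 sees)
    ("10.10.11.5", "10.10.10.10"),    # VLAN 2 -> the server
]

if __name__ == "__main__":
    for name, acl in (("original", ORIGINAL_ACL), ("fixed", FIXED_ACL), ("misordered", MISORDERED_ACL)):
        print(name, decisions(acl, PACKETS))
```

The original ACL permits only the first packet and drops the other three on the implicit deny; the fixed ACL permits the first, denies the second on the explicit deny, and permits the last two on `permit ip any any`; the mis-ordered ACL permits all four, because the first entry already matched before the deny was ever consulted. One caveat on direction that the evaluator makes visible: `ip access-group 101 in` on gi0/0.1 is applied to packets arriving from the server VLAN, so the traffic it actually judged was sourced from 10.10.10.0/24 (the third sample packet), which the one-line ACL could never match. To filter the remote office toward the server, apply the list outbound on gi0/0.1 or inbound on the VPN-facing interface.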
03-09-2012 02:15 AM
Hi Zac,
Thanks for the info.
Forgot about the implicit deny after each ACL.
Regards,
Terence