cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
362
Views
0
Helpful
2
Replies

Access-list Help

terrencepayet
Beginner
Beginner

Hi guys,

Just a quick question.

I have the below scenario:

int gi0/0.1 = 10.10.10.0/24

int gi0/0.2 = 10.10.11.0/24

int gi0/0.3 = 10.10.12.0/24

I have three vlan's configured as above. We've just created our site to site VPN with our remote office, and now we want to allow them access to only one server on network 10.10.10.0/24, let say the server is 10.10.10.10, how can i create an access list from source ip let say 172.16.45.0(remote office network) to our server 10.10.10.10.

Ive created an access-list and i've applied it to my server vlan interface as below, but i cannot access anything on server vlan after i've applied.

access-list 101 permit ip 172.16.45.0 0.0.0.255 host 10.10.10.10

int gi0/0.1 = ip access-group in

Can you guys shed some light.

Thanks,

TP

1 Accepted Solution

Accepted Solutions

zac.quinn
Beginner
Beginner

There is an implicit 'deny any any' at the end of an ACL so your ACL is in effect only allowing the remote office to access your server.  All other traffic to that interface will be denied.

As ACLs are processed in order top to bottom so you could add a deny remote office to any as the next ACL entry to block access by them to the remaining servers followed by a permit any any to restore access to everything else.

On the other hand you could permit all your other subnets to access the server subnet but this would require maintaining everytime you add a new subnet to the system.

http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00800a5b9a.shtml#ts is a handy guide to acls

hth

Zac

View solution in original post

2 Replies 2

zac.quinn
Beginner
Beginner

There is an implicit 'deny any any' at the end of an ACL so your ACL is in effect only allowing the remote office to access your server.  All other traffic to that interface will be denied.

As ACLs are processed in order top to bottom so you could add a deny remote office to any as the next ACL entry to block access by them to the remaining servers followed by a permit any any to restore access to everything else.

On the other hand you could permit all your other subnets to access the server subnet but this would require maintaining everytime you add a new subnet to the system.

http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00800a5b9a.shtml#ts is a handy guide to acls

hth

Zac

Hi Zac,

Thanks for the info.

Forgot about the implicit deny after each ACL

Regards,

Terence

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers