Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
647
Views
0
Helpful
2
Replies

Access-list trouble

Go to solution
benjamin_a
Level 1
Level 1

‎02-12-2013 06:37 AM - edited ‎03-07-2019 11:39 AM

Hi

I have 2 network X1 and X2, I have been trying to make a access-list that deny all trafic fra the X2 network to the X1 network, but the X2 network have to have connection to the internet.

My access list is working, but just to well because the host on the X2 network cant get any ip address from the X2 dhcp pool, and I cant see why, if I remove my access lists then the pool is working, but the the X2 network can access the X1 network and that is not great.

Here is some of my running config:

Building configuration...

Current configuration : 6025 bytes

!

dot11 syslog

ip source-route

!

!

no ip dhcp use vrf connected

ip dhcp excluded-address 10.0.0.1

ip dhcp excluded-address 10.0.0.2

ip dhcp excluded-address 10.0.0.3

ip dhcp excluded-address 10.0.0.4

ip dhcp excluded-address 10.0.0.5

!

ip dhcp pool x1

   network 10.0.0.0 255.255.0.0

   dns-server 8.8.8.8 8.8.4.4

   default-router 10.0.0.1

!

ip dhcp pool x2

   network 172.168.1.0 255.255.255.0

   default-router 172.168.1.1

   dns-server 8.8.8.8 8.8.4.4

!

!

multilink bundle-name authenticated

!

interface FastEthernet0/0

description Link_To_Outside(xxxxx)

ip address dhcp

ip nat outside

ip virtual-reassembly

duplex auto

speed auto

!

interface FastEthernet0/1

no ip address

ip virtual-reassembly

duplex auto

speed auto

!

interface FastEthernet0/1.10

description x1

encapsulation dot1Q 10

ip address 10.0.0.1 255.255.0.0

ip nat inside

ip virtual-reassembly

!

interface FastEthernet0/1.20

description x2

encapsulation dot1Q 20

ip address 172.168.1.1 255.255.255.0

ip access-group 101 in

ip nat inside

ip virtual-reassembly

!

ip dns server

ip nat inside source list 1 interface FastEthernet0/0 overload

ip nat inside source list 101 interface FastEthernet0/0 overload

!

access-list 1 permit 10.0.0.0 0.0.255.255

access-list 101 deny   ip 172.168.1.0 0.0.0.255 10.0.0.0 0.0.255.255

access-list 101 permit ip 172.168.1.0 0.0.0.255 any

!

Hope anyone can help

/Benjamin

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Ryan Newell
Cisco Employee
Cisco Employee

‎02-12-2013 06:50 AM

Hello Benjamin,

  You ACL is blocking the DCHP requests inbound. Please add statement in ACL 101 permitting UDP port 67. Something like below.

permit udp any any eq bootps

Regards,

Ryan

View solution in original post

0 Helpful
2 Replies 2

Go to solution
Ryan Newell
Cisco Employee
Cisco Employee

‎02-12-2013 06:50 AM

Hello Benjamin,

  You ACL is blocking the DCHP requests inbound. Please add statement in ACL 101 permitting UDP port 67. Something like below.

permit udp any any eq bootps

Regards,

Ryan

0 Helpful

Go to solution
benjamin_a
Level 1
Level 1
In response to Ryan Newell

‎02-12-2013 11:34 AM

Hi Ryan

Thanks for your support, now i got it working

To others that have some similar problem, here is what my access lists ended up looking like:

access-list 1 permit 10.0.0.0 0.0.255.255

access-list 101 permit udp any any eq bootps

access-list 101 deny   ip 172.168.1.0 0.0.0.255 10.0.0.0 0.0.255.255

access-list 101 permit ip 172.168.1.0 0.0.0.255 any

/Benjamin

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card