12-25-2014 03:06 AM - edited 03-07-2019 10:00 PM
I configured the ACL below, which only permits 192.168.0.0, 172.168.20.42 and 172.16.20.97.
access-list 100 permit icmp 192.168.10.0 0.0.0.255 any
access-list 100 permit tcp 192.168.10.0 0.0.0.255 any
access-list 100 permit udp 192.168.10.0 0.0.0.255 any
access-list 100 permit ip 192.168.10.0 0.0.0.255 any
access-list 100 permit icmp host 172.16.20.42 any
access-list 100 permit tcp host 172.16.20.42 any
access-list 100 permit udp host 172.16.20.42 any
access-list 100 permit ip host 172.16.20.42 any
access-list 100 permit icmp host 172.16.20.97 any time-range Test
access-list 100 permit tcp host 172.16.20.97 any time-range Test
access-list 100 permit udp host 172.16.20.97 any time-range Test
access-list 100 permit ip host 172.16.20.97 any time-range Test
!
time-range Test
periodic weekdays 8:30 to 18:00
periodic Saturday 8:30 to 15:00
!
interface Vlan11
description DB SERVERS
ip address 192.168.11.254 255.255.255.0
ip access-group 100 out
!
Requirement:
Now I want to permit all hosts to reach a specific machine, such as 192.168.11.18, that exists in VLAN 11.
12-25-2014 07:30 AM
It's simple:
access-list 100 permit ip any host 192.168.11.18
12-25-2014 09:45 PM
I configured it, but it's not working. Please check this.
access-list 100 permit icmp host 172.16.10.166 any
access-list 100 permit tcp host 172.16.10.166 any
access-list 100 permit udp host 172.16.10.166 any
access-list 100 permit ip host 172.16.10.166 any
access-list 100 permit icmp 192.168.10.0 0.0.0.255 any
access-list 100 permit tcp 192.168.10.0 0.0.0.255 any
access-list 100 permit udp 192.168.10.0 0.0.0.255 any
access-list 100 permit ip 192.168.10.0 0.0.0.255 any
access-list 100 permit icmp host 172.16.31.24 any
access-list 100 permit tcp host 172.16.31.24 any
access-list 100 permit udp host 172.16.31.24 any
access-list 100 permit ip host 172.16.31.24 any
access-list 100 permit icmp host 172.16.31.26 any
access-list 100 permit tcp host 172.16.31.26 any
access-list 100 permit udp host 172.16.31.26 any
access-list 100 permit ip host 172.16.31.26 any
access-list 100 permit icmp host 172.16.31.31 any
access-list 100 permit tcp host 172.16.31.31 any
access-list 100 permit udp host 172.16.31.31 any
access-list 100 permit ip host 172.16.31.31 any
access-list 100 permit icmp host 172.16.71.37 any
access-list 100 permit tcp host 172.16.71.37 any
access-list 100 permit udp host 172.16.71.37 any
access-list 100 permit ip host 172.16.71.37 any
access-list 100 permit icmp host 172.16.31.25 any
access-list 100 permit tcp host 172.16.31.25 any
access-list 100 permit udp host 172.16.31.25 any
access-list 100 permit ip host 172.16.31.25 any
access-list 100 permit icmp host 172.16.31.45 any
access-list 100 permit tcp host 172.16.31.45 any
access-list 100 permit udp host 172.16.31.45 any
access-list 100 permit ip host 172.16.31.45 any
access-list 100 permit icmp host 172.16.71.32 any
access-list 100 permit tcp host 172.16.71.32 any
access-list 100 permit udp host 172.16.71.32 any
access-list 100 permit ip host 172.16.71.32 any
access-list 100 permit icmp host 172.16.71.33 any
access-list 100 permit tcp host 172.16.71.33 any
access-list 100 permit udp host 172.16.71.33 any
access-list 100 permit ip host 172.16.71.33 any
access-list 100 permit icmp host 172.16.83.5 any
access-list 100 permit tcp host 172.16.83.5 any
access-list 100 permit udp host 172.16.83.5 any
access-list 100 permit ip host 172.16.83.5 any
access-list 100 permit icmp host 172.16.83.1 any
access-list 100 permit tcp host 172.16.83.1 any
access-list 100 permit udp host 172.16.83.1 any
access-list 100 permit ip host 172.16.83.1 any
access-list 100 permit ip any host 192.168.11.18
12-25-2014 11:49 PM
#show ip access-lists 100
You should see matches in specific ACEs.
12-26-2014 05:46 AM
This is the output:
DHA-Core-SW#sh ip access-lists 100
Extended IP access list 100
10 permit icmp host 172.16.10.166 any
20 permit tcp host 172.16.10.166 any
30 permit udp host 172.16.10.166 any
40 permit ip host 172.16.10.166 any
50 permit icmp 192.168.10.0 0.0.0.255 any (2380 matches)
60 permit tcp 192.168.10.0 0.0.0.255 any (83159 matches)
70 permit udp 192.168.10.0 0.0.0.255 any (4424 matches)
80 permit ip 192.168.10.0 0.0.0.255 any
90 permit icmp host 172.16.31.24 any
100 permit tcp host 172.16.31.24 any (36 matches)
110 permit udp host 172.16.31.24 any
120 permit ip host 172.16.31.24 any
130 permit icmp host 172.16.31.26 any
140 permit tcp host 172.16.31.26 any
150 permit udp host 172.16.31.26 any
160 permit ip host 172.16.31.26 any
170 permit icmp host 172.16.31.31 any
180 permit tcp host 172.16.31.31 any (321 matches)
190 permit udp host 172.16.31.31 any
200 permit ip host 172.16.31.31 any
210 permit icmp host 172.16.71.37 any
220 permit tcp host 172.16.71.37 any
230 permit udp host 172.16.71.37 any
240 permit ip host 172.16.71.37 any
250 permit icmp host 172.16.31.25 any
260 permit tcp host 172.16.31.25 any (229 matches)
270 permit udp host 172.16.31.25 any
280 permit ip host 172.16.31.25 any
290 permit icmp host 172.16.31.45 any
300 permit tcp host 172.16.31.45 any (34 matches)
310 permit udp host 172.16.31.45 any
320 permit ip host 172.16.31.45 any
330 permit icmp host 172.16.71.32 any
340 permit tcp host 172.16.71.32 any (50 matches)
350 permit udp host 172.16.71.32 any
360 permit ip host 172.16.71.32 any
370 permit icmp host 172.16.71.33 any
380 permit tcp host 172.16.71.33 any
390 permit udp host 172.16.71.33 any
400 permit ip host 172.16.71.33 any
410 permit icmp host 172.16.83.5 any
420 permit tcp host 172.16.83.5 any (295 matches)
430 permit udp host 172.16.83.5 any
440 permit ip host 172.16.83.5 any
450 permit icmp host 172.16.83.1 any (27 matches)
460 permit tcp host 172.16.83.1 any (216 matches)
470 permit udp host 172.16.83.1 any (2 matches)
480 permit ip host 172.16.83.1 any
490 permit ip any host 192.168.11.18 (31 matches)
12-26-2014 05:48 AM
So as you can see, rule 490 has matches and it works fine.
Post your full config and scheme if you have any more issues.
12-26-2014 06:16 AM
interface Vlan39
description DB-SERVERS
ip address 192.168.11.254 255.255.255.0
ip access-group 100 out
!
interface Vlan40
ip address 172.16.10.254 255.255.255.0 secondary
ip address 192.168.10.254 255.255.255.0
no ip redirects
ip policy route-map bypassproxy
ip route 10.1.1.0 255.255.255.0 192.168.13.249
access-list 1 permit 172.16.31.18
access-list 1 permit 172.16.130.0 0.0.0.255
access-list 1 permit 172.16.131.0 0.0.0.255
access-list 1 permit 172.16.132.0 0.0.0.255
access-list 1 permit 172.16.71.0 0.0.0.255
access-list 1 permit 172.16.100.0 0.0.0.255
access-list 1 permit 172.16.133.0 0.0.0.255
access-list 2 permit 172.16.131.0 0.0.0.255
access-list 2 permit 172.16.140.0 0.0.0.255
access-list 2 permit 172.16.150.0 0.0.0.255
access-list 2 permit 172.16.120.0 0.0.0.255
access-list 2 permit 172.16.100.0 0.0.0.255
access-list 100 permit icmp host 172.16.10.166 any
access-list 100 permit tcp host 172.16.10.166 any
access-list 100 permit udp host 172.16.10.166 any
access-list 100 permit ip host 172.16.10.166 any
access-list 100 permit icmp 192.168.10.0 0.0.0.255 any
access-list 100 permit tcp 192.168.10.0 0.0.0.255 any
access-list 100 permit udp 192.168.10.0 0.0.0.255 any
access-list 100 permit ip 192.168.10.0 0.0.0.255 any
access-list 100 permit icmp host 172.16.31.24 any
access-list 100 permit tcp host 172.16.31.24 any
access-list 100 permit udp host 172.16.31.24 any
access-list 100 permit ip host 172.16.31.24 any
access-list 100 permit icmp host 172.16.31.26 any
access-list 100 permit tcp host 172.16.31.26 any
access-list 100 permit udp host 172.16.31.26 any
access-list 100 permit ip host 172.16.31.26 any
access-list 100 permit icmp host 172.16.31.31 any
access-list 100 permit tcp host 172.16.31.31 any
access-list 100 permit udp host 172.16.31.31 any
access-list 100 permit ip host 172.16.31.31 any
access-list 100 permit icmp host 172.16.71.37 any
access-list 100 permit tcp host 172.16.71.37 any
access-list 100 permit udp host 172.16.71.37 any
access-list 100 permit ip host 172.16.71.37 any
access-list 100 permit icmp host 172.16.31.25 any
access-list 100 permit tcp host 172.16.31.25 any
access-list 100 permit udp host 172.16.31.25 any
access-list 100 permit ip host 172.16.31.25 any
access-list 100 permit icmp host 172.16.31.45 any
access-list 100 permit tcp host 172.16.31.45 any
access-list 100 permit udp host 172.16.31.45 any
access-list 100 permit ip host 172.16.31.45 any
access-list 100 permit icmp host 172.16.71.32 any
access-list 100 permit tcp host 172.16.71.32 any
access-list 100 permit udp host 172.16.71.32 any
access-list 100 permit ip host 172.16.71.32 any
access-list 100 permit icmp host 172.16.71.33 any
access-list 100 permit tcp host 172.16.71.33 any
access-list 100 permit udp host 172.16.71.33 any
access-list 100 permit ip host 172.16.71.33 any
access-list 100 permit icmp host 172.16.83.5 any
access-list 100 permit tcp host 172.16.83.5 any
access-list 100 permit udp host 172.16.83.5 any
access-list 100 permit ip host 172.16.83.5 any
access-list 100 permit icmp host 172.16.83.1 any
access-list 100 permit tcp host 172.16.83.1 any
access-list 100 permit udp host 172.16.83.1 any
access-list 100 permit ip host 172.16.83.1 any
access-list 100 permit ip any host 192.168.11.18
access-list 180 permit tcp host 172.16.199.11 any eq www
access-list 180 permit tcp host 172.16.199.10 any eq www
access-list 180 permit tcp host 172.16.71.10 any eq www
access-list 180 permit tcp host 172.16.71.0 any eq www
access-list 180 permit tcp host 172.16.72.0 any eq www
access-list 180 permit tcp host 172.16.73.0 any eq www
access-list 180 permit tcp host 172.16.81.0 any eq www
access-list 180 permit tcp host 172.16.82.0 any eq www
access-list 180 permit tcp host 172.16.83.0 any eq www
access-list 180 permit tcp host 172.16.84.0 any eq www
access-list 180 permit tcp host 172.16.11.0 any eq www
access-list 180 permit tcp host 172.16.12.0 any eq www
access-list 180 permit tcp host 172.16.13.0 any eq www
access-list 180 permit tcp host 172.16.14.0 any eq www
access-list 180 permit tcp host 172.16.21.0 any eq www
access-list 180 permit tcp host 172.16.22.0 any eq www
access-list 180 permit tcp host 172.16.23.0 any eq www
access-list 180 permit tcp host 172.16.24.0 any eq www
access-list 180 permit tcp host 172.16.31.0 any eq www
access-list 180 permit tcp host 172.16.32.0 any eq www
access-list 180 permit tcp host 172.16.33.0 any eq www
access-list 180 permit tcp host 172.16.34.0 any eq www
access-list 180 permit tcp host 172.16.100.0 any eq www
access-list 180 permit tcp host 172.16.130.0 any eq www
access-list 180 permit tcp host 172.16.131.0 any eq www
access-list 180 permit tcp host 172.16.132.0 any eq www
access-list 180 permit tcp host 172.16.31.59 any eq ftp
access-list 180 permit tcp host 172.16.41.0 any eq www
access-list 181 permit ip any host 174.142.165.146
access-list 181 permit ip any host 202.142.160.2
access-list 181 permit ip any host 202.141.224.34
access-list 181 permit ip any host 8.8.8.8
access-list 181 permit tcp host 172.16.31.59 any eq ftp
access-list 181 permit tcp host 172.16.71.40 any eq ftp
access-list 199 permit ip host 172.16.199.80 any
access-list 199 permit ip host 172.16.199.40 any
access-list 199 permit ip host 172.16.199.39 any
access-list 199 permit tcp host 172.16.199.10 any eq www
!
route-map ptcl permit 10
match ip address 2 22 1
set ip default next-hop 172.16.120.241
!
route-map bypassproxy permit 180
match ip address 180
set ip next-hop 10.1.1.103
!
route-map bypassproxy permit 181
match ip address 181
set ip next-hop 192.168.13.249
!
route-map bypassproxy permit 199
match ip address 199
set ip next-hop 192.168.13.249
!
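The ACL behaviour the replies rely on can be checked without a switch. The following is an added example, not code from the thread or from Cisco: a small first-match simulator for IOS numbered extended ACLs, fed with ACEs copied (abridged) from the config above. It shows where a packet lands in the ordered list (first match wins, then the implicit deny at the end), why ACL 100 applied `out` on the DB-server SVI sees the client as source and the DB server as destination, so `permit ip any host 192.168.11.18` admits every client to that one server and nothing else, and why `host 172.16.71.0` in ACL 180 equals `172.16.71.0 0.0.0.0` and matches exactly one address rather than the /24. It also flags ACEs that can never be hit because an earlier ACE already covers them. Assumptions: IPv4 only, `time-range` treated as always active, no `established`/`log` options, and `ACL_180_FIXED` is my guess at the intended /24, not something the thread states.

```python
"""Added example (not from the thread): first-match simulator for Cisco IOS
numbered extended ACLs. Assumes IPv4, ignores time-range/established/log."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

PORT_NAMES = {"www": 80, "ftp": 21}      # named ports that appear in the thread
Spec = Tuple[int, int]                   # (address, wildcard) as 32-bit ints

@dataclass
class ACE:
    action: str            # permit | deny
    proto: str             # ip | tcp | udp | icmp
    src: Spec
    dst: Spec
    dport: Optional[int]   # from `eq <port>`, None when absent
    text: str

def _ip(s: str) -> int:
    return int(ipaddress.IPv4Address(s))

def _addr_spec(tok: List[str], i: int) -> Tuple[Spec, int]:
    """Parse `any` | `host A.B.C.D` | `A.B.C.D W.W.W.W` starting at tok[i]."""
    if tok[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tok[i] == "host":                 # host X == X 0.0.0.0: exactly one address
        return (_ip(tok[i + 1]), 0), i + 2
    return (_ip(tok[i]), _ip(tok[i + 1])), i + 2

def parse_acl(config: str) -> List[ACE]:
    """Return the ACEs of a numbered extended ACL in configuration order."""
    aces = []
    for line in config.strip().splitlines():
        tok = line.split()
        if len(tok) < 6 or tok[0] != "access-list":
            continue                     # interface lines, comments, etc.
        src, i = _addr_spec(tok, 4)
        dst, i = _addr_spec(tok, i)
        dport = None
        if i < len(tok) and tok[i] == "eq":
            dport = PORT_NAMES.get(tok[i + 1]) or int(tok[i + 1])
        aces.append(ACE(tok[2], tok[3], src, dst, dport, line.strip()))
    return aces

def _matches(addr: int, spec: Spec) -> bool:
    net, wild = spec                     # wildcard bit set == "don't care"
    return ((addr ^ net) & ~wild & 0xFFFFFFFF) == 0

def evaluate(aces: List[ACE], proto: str, src: str, dst: str,
             dport: Optional[int] = None) -> Tuple[str, Optional[int]]:
    """First match wins: (action, index of matching ACE); (deny, None) = implicit deny."""
    s, d = _ip(src), _ip(dst)
    for n, ace in enumerate(aces):
        if ace.proto not in ("ip", proto):
            continue
        if not (_matches(s, ace.src) and _matches(d, ace.dst)):
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action, n
    return "deny", None

def _covers(a: Spec, b: Spec) -> bool:
    """True if every address matched by spec b is also matched by spec a."""
    (na, wa), (nb, wb) = a, b
    return (wb & ~wa) == 0 and ((na ^ nb) & ~wa & 0xFFFFFFFF) == 0

def shadowed(aces: List[ACE]) -> List[Tuple[int, int]]:
    """(index, earlier index) pairs where the later ACE can never be hit."""
    out = []
    for j, b in enumerate(aces):
        for i in range(j):
            a = aces[i]
            if (a.proto in ("ip", b.proto) and _covers(a.src, b.src)
                    and _covers(a.dst, b.dst) and a.dport in (None, b.dport)):
                out.append((j, i))
                break
    return out

# Constructed from ACEs posted in the thread (abridged). ACL 100 is applied `out`
# on the DB-server SVI, so src is the client and dst is the DB server.
ACL_100 = """
access-list 100 permit icmp host 172.16.10.166 any
access-list 100 permit tcp host 172.16.10.166 any
access-list 100 permit ip host 172.16.10.166 any
access-list 100 permit ip 192.168.10.0 0.0.0.255 any
access-list 100 permit ip host 172.16.31.24 any
access-list 100 permit ip any host 192.168.11.18
"""
ACL_180 = """
access-list 180 permit tcp host 172.16.71.10 any eq www
access-list 180 permit tcp host 172.16.71.0 any eq www
"""
# Assumed intent for the second ACE of ACL 180 (the whole /24, not one address).
ACL_180_FIXED = "access-list 180 permit tcp 172.16.71.0 0.0.0.255 any eq www"

if __name__ == "__main__":
    a100, a180 = parse_acl(ACL_100), parse_acl(ACL_180)
    print(evaluate(a100, "tcp", "10.20.30.40", "192.168.11.18", 1433))  # ('permit', 5)
    print(evaluate(a100, "tcp", "10.20.30.40", "192.168.11.20", 1433))  # ('deny', None)
    print(evaluate(a180, "tcp", "172.16.71.55", "203.0.113.9", 80))     # ('deny', None)
    print(evaluate(parse_acl(ACL_180_FIXED), "tcp", "172.16.71.55", "203.0.113.9", 80))  # ('permit', 0)
```

`evaluate` returns the index of the ACE that fired, which is the static counterpart of the per-ACE hit counters that `show ip access-lists 100` prints; a packet that returns `('deny', None)` is the one you would never see counted on the switch. `shadowed` catches the opposite problem, an ACE that can never count because an earlier, broader one always wins.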
12-26-2014 06:16 AM
Please remove your confidential information from the config here (community, passwords, etc.).
12-26-2014 10:20 PM
Please do the needful solution. It's not working.