AccessList

Navaz Wattoo · ‎12-25-2014

I configured the below acl and only permit 192.168.0.0 and 172.168.20.42 and 172.16.20.97.

access-list 100 permit icmp 192.168.10.0 0.0.0.255 any

access-list 100 permit tcp 192.168.10.0 0.0.0.255 any
access-list 100 permit udp 192.168.10.0 0.0.0.255 any
access-list 100 permit ip 192.168.10.0 0.0.0.255 any

access-list 100 permit icmp host 172.16.20.42 any
access-list 100 permit tcp host 172.16.20.42 any
access-list 100 permit udp host 172.16.20.42 any
access-list 100 permit ip host 172.16.20.42 any

access-list 100 permit icmp host 172.16.20.97 any time-range Test
access-list 100 permit tcp host 172.16.20.97 any time-range Test
access-list 100 permit udp host 172.16.20.97 any time-range Test
access-list 100 permit ip host 172.16.20.97 any time-range Test
!
time-range Test
periodic weekdays 8:30 to 18:00
periodic Saturday 8:30 to 15:00
!
interface Vlan11
description DB SERVERS
ip address 192.168.11.254 255.255.255.0
ip access-group 100 out
!

Requirement:-
Now i want to permit all host for a specific machine like 192.168.11.18 that are exist in vlan11.

Navaz

Eugene Khabarov · ‎12-25-2014

It's simple:

access-list 100 permit ip any host 192.168.11.18

Navaz Wattoo · ‎12-25-2014

I configured but its not working. please check this.

access-list 100 permit icmp host 172.16.10.166 any
access-list 100 permit tcp host 172.16.10.166 any
access-list 100 permit udp host 172.16.10.166 any
access-list 100 permit ip host 172.16.10.166 any
access-list 100 permit icmp 192.168.10.0 0.0.0.255 any
access-list 100 permit tcp 192.168.10.0 0.0.0.255 any
access-list 100 permit udp 192.168.10.0 0.0.0.255 any
access-list 100 permit ip 192.168.10.0 0.0.0.255 any
access-list 100 permit icmp host 172.16.31.24 any
access-list 100 permit tcp host 172.16.31.24 any
access-list 100 permit udp host 172.16.31.24 any
access-list 100 permit ip host 172.16.31.24 any
access-list 100 permit icmp host 172.16.31.26 any
access-list 100 permit tcp host 172.16.31.26 any
access-list 100 permit udp host 172.16.31.26 any
access-list 100 permit ip host 172.16.31.26 any
access-list 100 permit icmp host 172.16.31.31 any
access-list 100 permit tcp host 172.16.31.31 any
access-list 100 permit udp host 172.16.31.31 any
access-list 100 permit ip host 172.16.31.31 any
access-list 100 permit icmp host 172.16.71.37 any
access-list 100 permit tcp host 172.16.71.37 any
access-list 100 permit udp host 172.16.71.37 any
access-list 100 permit ip host 172.16.71.37 any
access-list 100 permit icmp host 172.16.31.25 any
access-list 100 permit tcp host 172.16.31.25 any
access-list 100 permit udp host 172.16.31.25 any
access-list 100 permit ip host 172.16.31.25 any
access-list 100 permit icmp host 172.16.31.45 any
access-list 100 permit tcp host 172.16.31.45 any
access-list 100 permit udp host 172.16.31.45 any
access-list 100 permit ip host 172.16.31.45 any
access-list 100 permit icmp host 172.16.71.32 any
access-list 100 permit tcp host 172.16.71.32 any
access-list 100 permit udp host 172.16.71.32 any
access-list 100 permit ip host 172.16.71.32 any
access-list 100 permit icmp host 172.16.71.33 any
access-list 100 permit tcp host 172.16.71.33 any
access-list 100 permit udp host 172.16.71.33 any
access-list 100 permit ip host 172.16.71.33 any
access-list 100 permit icmp host 172.16.83.5 any
access-list 100 permit tcp host 172.16.83.5 any
access-list 100 permit udp host 172.16.83.5 any
access-list 100 permit ip host 172.16.83.5 any
access-list 100 permit icmp host 172.16.83.1 any
access-list 100 permit tcp host 172.16.83.1 any
access-list 100 permit udp host 172.16.83.1 any
access-list 100 permit ip host 172.16.83.1 any
access-list 100 permit ip any host 192.168.11.18

Navaz

Eugene Khabarov · ‎12-25-2014

#show ip access-lists 100

You should see matches in specific ACEs.

Navaz Wattoo · ‎12-26-2014

These are the output

DHA-Core-SW#sh ip access-lists 100
Extended IP access list 100
10 permit icmp host 172.16.10.166 any
20 permit tcp host 172.16.10.166 any
30 permit udp host 172.16.10.166 any
40 permit ip host 172.16.10.166 any
50 permit icmp 192.168.10.0 0.0.0.255 any (2380 matches)
60 permit tcp 192.168.10.0 0.0.0.255 any (83159 matches)
70 permit udp 192.168.10.0 0.0.0.255 any (4424 matches)
80 permit ip 192.168.10.0 0.0.0.255 any
90 permit icmp host 172.16.31.24 any
100 permit tcp host 172.16.31.24 any (36 matches)
110 permit udp host 172.16.31.24 any
120 permit ip host 172.16.31.24 any
130 permit icmp host 172.16.31.26 any
140 permit tcp host 172.16.31.26 any
150 permit udp host 172.16.31.26 any
160 permit ip host 172.16.31.26 any
170 permit icmp host 172.16.31.31 any
180 permit tcp host 172.16.31.31 any (321 matches)
190 permit udp host 172.16.31.31 any
200 permit ip host 172.16.31.31 any
210 permit icmp host 172.16.71.37 any
220 permit tcp host 172.16.71.37 any
230 permit udp host 172.16.71.37 any
240 permit ip host 172.16.71.37 any
250 permit icmp host 172.16.31.25 any
260 permit tcp host 172.16.31.25 any (229 matches)
270 permit udp host 172.16.31.25 any
280 permit ip host 172.16.31.25 any
290 permit icmp host 172.16.31.45 any
300 permit tcp host 172.16.31.45 any (34 matches)
310 permit udp host 172.16.31.45 any
320 permit ip host 172.16.31.45 any
330 permit icmp host 172.16.71.32 any
340 permit tcp host 172.16.71.32 any (50 matches)
350 permit udp host 172.16.71.32 any
360 permit ip host 172.16.71.32 any
370 permit icmp host 172.16.71.33 any
380 permit tcp host 172.16.71.33 any
390 permit udp host 172.16.71.33 any
400 permit ip host 172.16.71.33 any
410 permit icmp host 172.16.83.5 any
420 permit tcp host 172.16.83.5 any (295 matches)
430 permit udp host 172.16.83.5 any
440 permit ip host 172.16.83.5 any
450 permit icmp host 172.16.83.1 any (27 matches)
460 permit tcp host 172.16.83.1 any (216 matches)
470 permit udp host 172.16.83.1 any (2 matches)
480 permit ip host 172.16.83.1 any
490 permit ip any host 192.168.11.18 (31 matches)

Navaz

Eugene Khabarov · ‎12-26-2014

So as you can see rule 490 - there is match and it works fine.

Post your full config and scheme if you have any more issues

Navaz Wattoo · ‎12-26-2014

interface Vlan39

description DB-SERVERS

ip address 192.168.11.254 255.255.255.0

ip access-group 100 out

!

interface Vlan40

ip address 172.16.10.254 255.255.255.0 secondary

ip address 192.168.10.254 255.255.255.0

no ip redirects

ip policy route-map bypassproxy

ip route 10.1.1.0 255.255.255.0 192.168.13.249

access-list 1 permit 172.16.31.18

access-list 1 permit 172.16.130.0 0.0.0.255

access-list 1 permit 172.16.131.0 0.0.0.255

access-list 1 permit 172.16.132.0 0.0.0.255

access-list 1 permit 172.16.71.0 0.0.0.255

access-list 1 permit 172.16.100.0 0.0.0.255

access-list 1 permit 172.16.133.0 0.0.0.255

access-list 2 permit 172.16.131.0 0.0.0.255

access-list 2 permit 172.16.140.0 0.0.0.255

access-list 2 permit 172.16.150.0 0.0.0.255

access-list 2 permit 172.16.120.0 0.0.0.255

access-list 2 permit 172.16.100.0 0.0.0.255

access-list 100 permit icmp host 172.16.10.166 any

access-list 100 permit tcp host 172.16.10.166 any

access-list 100 permit udp host 172.16.10.166 any

access-list 100 permit ip host 172.16.10.166 any

access-list 100 permit icmp 192.168.10.0 0.0.0.255 any

access-list 100 permit tcp 192.168.10.0 0.0.0.255 any

access-list 100 permit udp 192.168.10.0 0.0.0.255 any

access-list 100 permit ip 192.168.10.0 0.0.0.255 any

access-list 100 permit icmp host 172.16.31.24 any

access-list 100 permit tcp host 172.16.31.24 any

access-list 100 permit udp host 172.16.31.24 any

access-list 100 permit ip host 172.16.31.24 any

access-list 100 permit icmp host 172.16.31.26 any

access-list 100 permit tcp host 172.16.31.26 any

access-list 100 permit udp host 172.16.31.26 any

access-list 100 permit ip host 172.16.31.26 any

access-list 100 permit icmp host 172.16.31.31 any

access-list 100 permit tcp host 172.16.31.31 any

access-list 100 permit udp host 172.16.31.31 any

access-list 100 permit ip host 172.16.31.31 any

access-list 100 permit icmp host 172.16.71.37 any

access-list 100 permit tcp host 172.16.71.37 any

access-list 100 permit udp host 172.16.71.37 any

access-list 100 permit ip host 172.16.71.37 any

access-list 100 permit icmp host 172.16.31.25 any

access-list 100 permit tcp host 172.16.31.25 any

access-list 100 permit udp host 172.16.31.25 any

access-list 100 permit ip host 172.16.31.25 any

access-list 100 permit icmp host 172.16.31.45 any

access-list 100 permit tcp host 172.16.31.45 any

access-list 100 permit udp host 172.16.31.45 any

access-list 100 permit ip host 172.16.31.45 any

access-list 100 permit icmp host 172.16.71.32 any

access-list 100 permit tcp host 172.16.71.32 any

access-list 100 permit udp host 172.16.71.32 any

access-list 100 permit ip host 172.16.71.32 any

access-list 100 permit icmp host 172.16.71.33 any

access-list 100 permit tcp host 172.16.71.33 any

access-list 100 permit udp host 172.16.71.33 any

access-list 100 permit ip host 172.16.71.33 any

access-list 100 permit icmp host 172.16.83.5 any

access-list 100 permit tcp host 172.16.83.5 any

access-list 100 permit udp host 172.16.83.5 any

access-list 100 permit ip host 172.16.83.5 any

access-list 100 permit icmp host 172.16.83.1 any

access-list 100 permit tcp host 172.16.83.1 any

access-list 100 permit udp host 172.16.83.1 any

access-list 100 permit ip host 172.16.83.1 any

access-list 100 permit ip any host 192.168.11.18

access-list 180 permit tcp host 172.16.199.11 any eq www

access-list 180 permit tcp host 172.16.199.10 any eq www

access-list 180 permit tcp host 172.16.71.10 any eq www

access-list 180 permit tcp host 172.16.71.0 any eq www

access-list 180 permit tcp host 172.16.72.0 any eq www

access-list 180 permit tcp host 172.16.73.0 any eq www

access-list 180 permit tcp host 172.16.81.0 any eq www

access-list 180 permit tcp host 172.16.82.0 any eq www

access-list 180 permit tcp host 172.16.83.0 any eq www

access-list 180 permit tcp host 172.16.84.0 any eq www

access-list 180 permit tcp host 172.16.11.0 any eq www

access-list 180 permit tcp host 172.16.12.0 any eq www

access-list 180 permit tcp host 172.16.13.0 any eq www

access-list 180 permit tcp host 172.16.14.0 any eq www

access-list 180 permit tcp host 172.16.21.0 any eq www

access-list 180 permit tcp host 172.16.22.0 any eq www

access-list 180 permit tcp host 172.16.23.0 any eq www

access-list 180 permit tcp host 172.16.24.0 any eq www

access-list 180 permit tcp host 172.16.31.0 any eq www

access-list 180 permit tcp host 172.16.32.0 any eq www

access-list 180 permit tcp host 172.16.33.0 any eq www

access-list 180 permit tcp host 172.16.34.0 any eq www

access-list 180 permit tcp host 172.16.100.0 any eq www

access-list 180 permit tcp host 172.16.130.0 any eq www

access-list 180 permit tcp host 172.16.131.0 any eq www

access-list 180 permit tcp host 172.16.132.0 any eq www

access-list 180 permit tcp host 172.16.31.59 any eq ftp

access-list 180 permit tcp host 172.16.41.0 any eq www

access-list 181 permit ip any host 174.142.165.146

access-list 181 permit ip any host 202.142.160.2

access-list 181 permit ip any host 202.141.224.34

access-list 181 permit ip any host 8.8.8.8

access-list 181 permit tcp host 172.16.31.59 any eq ftp

access-list 181 permit tcp host 172.16.71.40 any eq ftp

access-list 199 permit ip host 172.16.199.80 any

access-list 199 permit ip host 172.16.199.40 any

access-list 199 permit ip host 172.16.199.39 any

access-list 199 permit tcp host 172.16.199.10 any eq www

!

route-map ptcl permit 10

match ip address 2 22 1

set ip default next-hop 172.16.120.241

!

route-map bypassproxy permit 180

match ip address 180

set ip next-hop 10.1.1.103

!

route-map bypassproxy permit 181

match ip address 181

set ip next-hop 192.168.13.249

!

route-map bypassproxy permit 199

match ip address 199

set ip next-hop 192.168.13.249

!

Navaz

Eugene Khabarov · ‎12-26-2014

please remove your confidential information from config here (community, passwords etc.)

Navaz Wattoo · ‎12-26-2014

Please do theneedful solution. its not working

Navaz