ACL command to enable just a subnetwork to access all hosts on others

OmoOba1
Level 1

I designed a network which allows only http traffic from all subnetworks and their hosts to the web server and deny access to anywhere else.

I then allow access from IT support network to everywhere (all subnetworks and web server).

Now I’m only able to reach the routers’ interfaces on the subnetworks, I am unable to reach their respective hosts.

Please help with how I can reach all the hosts in all subnetworks from the IT network and not just the router interfaces.

2 Replies

Hello,

Can you please provide configuration and/or a diagram to better illustrate your point?

Assuming you have used an ACL, did you apply it in the correct direction and are the statements accurate to include networks and wildcard masks?

-David

Jens Albrecht
Level 4

If you have configured the access-list according to your description it might look like this:

  • allow only http traffic from all subnetworks and their hosts to the web server
  • deny access to anywhere else
  • allow access from IT support network to everywhere (all subnetworks and web server)

In this case the order of your statements needs to be changed.

The statements in any access-list are evaluated in sequential order, top-down, and as soon as the traffic matches a statement the deny/permit is executed and any further statements are NOT evaluated.

This means that the IT support traffic (3rd condition) also meets the 2nd condition "access to anywhere else" and therefore gets denied. Permit statements after a general deny-anything will never be evaluated by the device.

These are just assumptions based on the wording of your question.
For a more detailed check please do a "show access-list" and post the output so that we can have a closer look.

HTH!
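To make the first-match behaviour described in this answer concrete, here is a small added simulator (not code from the thread or from Cisco) that parses a subset of IOS numbered extended ACL syntax and evaluates sample packets against the ACL in the order the question describes and in the corrected order. All addresses are constructed for illustration: 10.0.50.0/24 stands for the IT support network, 10.0.100.10 for the web server, and 10.0.20.0/24 and 10.0.30.0/24 for two user subnets.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed ACL as the question describes it: the IT permit sits behind a
# general deny, so it can never match.
WRONG_ORDER = [
    "access-list 101 permit tcp any host 10.0.100.10 eq 80",
    "access-list 101 deny ip any any",
    "access-list 101 permit ip 10.0.50.0 0.0.0.255 any",
]

# Same statements with the IT permit moved above the deny.
FIXED_ORDER = [
    "access-list 101 permit ip 10.0.50.0 0.0.0.255 any",
    "access-list 101 permit tcp any host 10.0.100.10 eq 80",
    "access-list 101 deny ip any any",
]


@dataclass(frozen=True)
class Packet:
    proto: str            # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    action: str           # "permit" or "deny"
    proto: str            # "ip" matches every protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]  # only set when the statement carries "eq PORT"


def _parse_addr(tokens: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Consume one address spec: any | host A.B.C.D | A.B.C.D WILDCARD."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # A wildcard mask is the inverse of a subnet mask: 0 bits must match,
    # 1 bits are "don't care". Only contiguous wildcards are handled here.
    wildcard = int(ipaddress.IPv4Address(tokens[i + 1]))
    if wildcard & (wildcard + 1):
        raise ValueError("non-contiguous wildcard masks are not supported")
    prefix = 32 - wildcard.bit_length()
    return ipaddress.ip_network(f"{tokens[i]}/{prefix}", strict=False), i + 2


def parse_acl(lines: List[str]) -> List[Rule]:
    """Parse 'access-list N permit|deny PROTO SRC DST [eq PORT]' lines."""
    rules = []
    for line in lines:
        t = line.split()
        if not t or t[0] != "access-list":
            continue
        action, proto = t[2], t[3]
        src, i = _parse_addr(t, 4)
        dst, i = _parse_addr(t, i)
        dport = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None
        rules.append(Rule(action, proto, src, dst, dport))
    return rules


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Return (action, statement number) of the first matching statement.

    Statements are checked top-down and the first match ends evaluation;
    a packet that matches nothing hits the implicit deny at the end.
    """
    src, dst = ipaddress.IPv4Address(pkt.src), ipaddress.IPv4Address(pkt.dst)
    for n, r in enumerate(rules, 1):
        if r.proto not in ("ip", pkt.proto):
            continue
        if src not in r.src or dst not in r.dst:
            continue
        if r.dport is not None and r.dport != pkt.dport:
            continue
        return r.action, n
    return "deny", None


if __name__ == "__main__":
    samples = [
        ("IT host -> user host, ssh", Packet("tcp", "10.0.50.20", "10.0.20.7", 22)),
        ("user host -> web server, http", Packet("tcp", "10.0.20.7", "10.0.100.10", 80)),
        ("user host -> other subnet, ssh", Packet("tcp", "10.0.20.7", "10.0.30.5", 22)),
    ]
    for name, acl in (("wrong order", WRONG_ORDER), ("fixed order", FIXED_ORDER)):
        rules = parse_acl(acl)
        for label, pkt in samples:
            print(f"{name:12} {label:32} -> {evaluate(rules, pkt)}")
```

With the statements in the order the question describes, the IT host is denied by statement 2 before its own permit on statement 3 is ever reached; after moving that permit to the top it matches on statement 1, while user traffic to the web server still matches the http permit and everything else still falls through to the deny. On a real device `show access-list` shows per-statement match counters, which is the quickest way to see that a statement below a general deny never accumulates hits.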