06-22-2017 10:53 AM - edited 03-08-2019 11:04 AM
Hello
Access-lists have been configured as per the matrix table and show command below, but a PC in D01 cannot reach a PC in the DMZ, though it can reach the DMZ gateway.
Source \ Destination | D01 | D02 | D03 | DMZ
D01                  |  √  |  x  |  x  |  √
D02                  |  x  |  √  |  x  |  √
D03                  |  x  |  x  |  √  |  √
DMZ                  |  x  |  x  |  x  |  √
CS-SW#show access-lists
Extended IP access list 100
10 permit ip 192.168.1.0 0.0.0.255 192.168.1.0 0.0.0.255
20 permit ip 192.168.1.0 0.0.0.255 192.168.20.0 0.0.0.255 (28 match(es))
Extended IP access list 101
10 permit ip 192.168.10.0 0.0.0.255 192.168.10.0 0.0.0.255
20 permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
Extended IP access list 102
10 permit ip 192.168.20.0 0.0.0.255 192.168.20.0 0.0.0.255
Extended IP access list 103
20 permit ip 192.168.20.0 0.0.0.255 192.168.20.0 0.0.0.255
Note: All access lists have been applied in the inbound direction
interface Vlan1 //D01
ip address 192.168.1.1 255.255.255.0
ip access-group 100 in
!
interface Vlan10 //D02
ip address 192.168.10.1 255.255.255.0
ip access-group 101 in
!
interface Vlan20 //DMZ
ip address 192.168.20.2 255.255.255.0
ip access-group 102 in
Kindly advise
06-22-2017 10:56 AM
"access-list 102 permit ip 192.168.20.0 0.0.0.255 192.168.1.0 0.0.0.255"
Jon
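To show why this line matters, here is an added Python model (not part of the thread or the switch) of the stateless inbound ACLs in the posted config: the echo request is checked by the ingress ACL of the sender's VLAN and the echo reply, a separate packet with source and destination swapped, by the ingress ACL of the responder's VLAN. It also checks the other matrix rows; the function and constant names are assumptions.

```python
import ipaddress

# ACLs as shown in the thread's first "show access-lists" (number -> entries)
ACLS_BEFORE = {
    100: ["permit ip 192.168.1.0 0.0.0.255 192.168.1.0 0.0.0.255",
          "permit ip 192.168.1.0 0.0.0.255 192.168.20.0 0.0.0.255"],
    101: ["permit ip 192.168.10.0 0.0.0.255 192.168.10.0 0.0.0.255",
          "permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255"],
    102: ["permit ip 192.168.20.0 0.0.0.255 192.168.20.0 0.0.0.255"],
}
# Same ACLs with the line suggested above appended to 102
ACLS_AFTER = {n: list(e) for n, e in ACLS_BEFORE.items()}
ACLS_AFTER[102].append("permit ip 192.168.20.0 0.0.0.255 192.168.1.0 0.0.0.255")

# Inbound ACL per SVI and the SVI addresses, taken from the posted interface config
SVI_ACL = {"192.168.1.0/24": 100, "192.168.10.0/24": 101, "192.168.20.0/24": 102}
SVI_ADDRS = {"192.168.1.1", "192.168.10.1", "192.168.20.2"}


def _wild_to_net(addr, wildcard):
    """An IOS wildcard mask is the bitwise inverse of a subnet mask."""
    mask = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return ipaddress.IPv4Network(f"{addr}/{ipaddress.IPv4Address(mask)}", strict=False)


def acl_permits(entries, src, dst):
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for entry in entries:
        action, _proto, s, sw, d, dw = entry.split()
        if (ipaddress.IPv4Address(src) in _wild_to_net(s, sw)
                and ipaddress.IPv4Address(dst) in _wild_to_net(d, dw)):
            return action == "permit"
    return False


def ingress_acl(acls, src):
    """The inbound ACL a packet meets is the one on the SVI of the VLAN it arrives from."""
    for net, number in SVI_ACL.items():
        if ipaddress.IPv4Address(src) in ipaddress.IPv4Network(net):
            return acls[number]
    return []


def ping_round_trip(acls, src, dst):
    """Return (request_allowed, reply_allowed) for an ICMP echo from src to dst.
    A reply from the switch's own SVI address is locally generated and never
    enters an interface, so no inbound ACL sees it (hence the gateway ping works)."""
    request = acl_permits(ingress_acl(acls, src), src, dst)
    if not request:
        return False, False
    if dst in SVI_ADDRS:
        return True, True
    return True, acl_permits(ingress_acl(acls, dst), dst, src)
```

With the extra line in place, D01 to DMZ round-trips, but D02 to DMZ still loses its reply because ACL 102 has no entry back to 192.168.10.0/24, although the matrix marks that path as allowed.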
06-22-2017 11:11 AM
Hi Jon
I have added the suggested line but the challenge persists as per the attached screenshot
Note: Access list 100 has a match hit as per the output below and I can ping the DMZ gateway
Extended IP access list 100
10 permit ip 192.168.1.0 0.0.0.255 192.168.1.0 0.0.0.255
20 permit ip 192.168.1.0 0.0.0.255 192.168.20.0 0.0.0.255 (32 match(es))
Extended IP access list 101
10 permit ip 192.168.10.0 0.0.0.255 192.168.10.0 0.0.0.255
20 permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
Extended IP access list 102
10 permit ip 192.168.20.0 0.0.0.255 192.168.20.0 0.0.0.255
20 permit ip 192.168.20.0 0.0.0.255 192.168.1.0 0.0.0.255
06-22-2017 11:57 AM
That should have done it.
When you ping from 192.168.20.20 do you see any hits in acl 102 ?
Can you post configuration of the L3 device ?
Jon
06-22-2017 12:08 PM
There is no hit in acl 102
The hit is in ACL 100
CS-SW#
CS-SW con0 is now available
Press RETURN to get started.
CS-SW>en
CS-SW#xh
CS-SW#sh
CS-SW#show ruN
CS-SW#show ruNning-config
Building configuration...
Current configuration : 1885 bytes
!
version 12.2
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname CS-SW
!
!
!
!
!
!
!
ip routing
!
!
!
!
!
!
!
!
!
!
!
!
!
!
spanning-tree mode pvst
!
!
!
!
!
!
interface FastEthernet0/1
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface FastEthernet0/2
!
interface FastEthernet0/3
!
interface FastEthernet0/4
!
interface FastEthernet0/5
!
interface FastEthernet0/6
!
interface FastEthernet0/7
!
interface FastEthernet0/8
!
interface FastEthernet0/9
!
interface FastEthernet0/10
!
interface FastEthernet0/11
!
interface FastEthernet0/12
!
interface FastEthernet0/13
!
interface FastEthernet0/14
!
interface FastEthernet0/15
!
interface FastEthernet0/16
!
interface FastEthernet0/17
!
interface FastEthernet0/18
!
interface FastEthernet0/19
!
interface FastEthernet0/20
!
interface FastEthernet0/21
!
interface FastEthernet0/22
!
interface FastEthernet0/23
!
interface FastEthernet0/24
!
interface GigabitEthernet0/1
!
interface GigabitEthernet0/2
!
interface Vlan1
ip address 192.168.1.1 255.255.255.0
ip access-group 100 in
!
interface Vlan10
ip address 192.168.10.1 255.255.255.0
ip access-group 101 in
!
interface Vlan20
ip address 192.168.20.2 255.255.255.0
ip access-group 102 in
!
interface Vlan50
ip address 192.168.50.1 255.255.255.0
!
ip classless
!
ip flow-export version 9
!
!
access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list 101 permit ip 192.168.10.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 101 permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list 102 permit ip 192.168.20.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list 102 permit ip 192.168.20.0 0.0.0.255 192.168.1.0 0.0.0.255
!
!
!
!
!
line con 0
!
line aux 0
!
line vty 0 4
login
!
!
!
end
06-22-2017 12:10 PM
Are the PCs connected to this switch ?
From 192.168.20.20 can you ping its gateway ?
Jon
06-22-2017 12:49 PM
Yes the PC can ping its gateway
06-22-2017 01:02 PM
Can 192.168.20.20 ping 192.168.1.1 ?
If it can do you see a hit in acl 102 ?
If you do then double check firewall settings.
Jon
06-22-2017 11:59 AM
Can you also make sure you have disabled any firewall on the PCs.
Jon
06-22-2017 12:07 PM
Firewall is off