ACL in an SVI challenge

chandogetrude
Level 1

Hello

Access lists have been configured as per the matrix table and show command below. But a PC in D01 cannot reach a PC in the DMZ, though it can reach the DMZ gateway.

DESTINATION: D01 | D02 | D03 | DMZ
SOURCE
D01: x x
D02: x x
D03: x x
DMZ: x x x

CS-SW#show access-lists
Extended IP access list 100
10 permit ip 192.168.1.0 0.0.0.255 192.168.1.0 0.0.0.255
20 permit ip 192.168.1.0 0.0.0.255 192.168.20.0 0.0.0.255 (28 match(es))
Extended IP access list 101
10 permit ip 192.168.10.0 0.0.0.255 192.168.10.0 0.0.0.255
20 permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
Extended IP access list 102
10 permit ip 192.168.20.0 0.0.0.255 192.168.20.0 0.0.0.255
Extended IP access list 103
20 permit ip 192.168.20.0 0.0.0.255 192.168.20.0 0.0.0.255

 

Note: All access lists have been applied in the inbound direction.

interface Vlan1    //D01
ip address 192.168.1.1 255.255.255.0
ip access-group 100 in
!
interface Vlan10  //D02
ip address 192.168.10.1 255.255.255.0
ip access-group 101 in
!
interface Vlan20  //DMZ
ip address 192.168.20.2 255.255.255.0
ip access-group 102 in

Kindly advise

9 Replies

Jon Marshall
Hall of Fame

"access-list 102 permit ip 192.168.20.0 0.0.0.255 192.168.1.0 0.0.0.255"

Jon
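Jon's one-line fix, worked through in a small added model (example code, not from this thread or the poster's switch) that evaluates each direction of a ping against the inbound ACL on the SVI the packet enters; the SVI table, the host address 192.168.1.10 and the rule that switch-originated replies bypass inbound ACLs are the model's assumptions.

```python
import ipaddress

# Constructed model of the switch described in the thread (added example, not the poster's config):
# each SVI's subnet, its own address, and the ACL number bound inbound on it.
SVI = {  # name: (subnet, SVI address, inbound ACL number)
    "Vlan1":  ("192.168.1.0/24",  "192.168.1.1",  100),  # D01
    "Vlan10": ("192.168.10.0/24", "192.168.10.1", 101),  # D02
    "Vlan20": ("192.168.20.0/24", "192.168.20.2", 102),  # DMZ
}

def parse_acl(lines):
    """Turn 'access-list N permit ip SRC WC DST WC' lines into {N: [(action, src_net, dst_net)]}."""
    acls = {}
    for line in lines:
        _, num, action, _proto, src, swc, dst, dwc = line.split()
        # ipaddress accepts an IOS wildcard (hostmask) in the mask position
        acls.setdefault(int(num), []).append(
            (action, ipaddress.ip_network(f"{src}/{swc}"), ipaddress.ip_network(f"{dst}/{dwc}")))
    return acls

def permitted(acls, src, dst):
    """Evaluate the inbound ACL on the SVI through which a packet from src enters the switch."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for subnet, svi_addr, acl_num in SVI.values():
        if src == ipaddress.ip_address(svi_addr):
            return True  # assumption: switch-originated traffic (the gateway's echo reply) skips inbound ACLs
        if src in ipaddress.ip_network(subnet):
            for action, snet, dnet in acls.get(acl_num, []):
                if src in snet and dst in dnet:
                    return action == "permit"  # first matching ACE wins
            return False  # implicit deny at the end of every IOS ACL
    return False  # unknown source subnet

def ping_works(acls, a, b):
    """A ping needs the echo request a->b and the reply b->a to each pass their own inbound ACL."""
    return permitted(acls, a, b) and permitted(acls, b, a)

ORIGINAL = [  # the access-list lines from the first post
    "access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.1.0 0.0.0.255",
    "access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.20.0 0.0.0.255",
    "access-list 101 permit ip 192.168.10.0 0.0.0.255 192.168.10.0 0.0.0.255",
    "access-list 101 permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255",
    "access-list 102 permit ip 192.168.20.0 0.0.0.255 192.168.20.0 0.0.0.255",
]
FIXED = ORIGINAL + ["access-list 102 permit ip 192.168.20.0 0.0.0.255 192.168.1.0 0.0.0.255"]

if __name__ == "__main__":
    for label, lines in (("original", ORIGINAL), ("with Jon's line", FIXED)):
        acls = parse_acl(lines)
        print(label, "| D01 PC -> DMZ gateway:", ping_works(acls, "192.168.1.10", "192.168.20.2"),
              "| D01 PC -> DMZ PC:", ping_works(acls, "192.168.1.10", "192.168.20.20"))
```

With the original ACLs the gateway answers but the DMZ host's reply is dropped by the implicit deny of ACL 102 on Vlan20, which is exactly the symptom in the first post; once the reply is permitted, a DMZ-to-D01 ping that still shows no hits in ACL 102 means the reply never reached the switch at all.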

Hi Jon

I have added the suggested line but the challenge persists as per the attached screenshot.

Note: Access list 100 has a match hit as per the output below, and I can ping the DMZ gateway.

Extended IP access list 100
10 permit ip 192.168.1.0 0.0.0.255 192.168.1.0 0.0.0.255
20 permit ip 192.168.1.0 0.0.0.255 192.168.20.0 0.0.0.255 (32 match(es))
Extended IP access list 101
10 permit ip 192.168.10.0 0.0.0.255 192.168.10.0 0.0.0.255
20 permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
Extended IP access list 102
10 permit ip 192.168.20.0 0.0.0.255 192.168.20.0 0.0.0.255
20 permit ip 192.168.20.0 0.0.0.255 192.168.1.0 0.0.0.255

That should have done it.

When you ping from 192.168.20.20 do you see any hits in acl 102?

Can you post the configuration of the L3 device?

Jon

There is no hit in acl 102.

The hit is in ACL 100.

CS-SW#

CS-SW con0 is now available

Press RETURN to get started.

CS-SW>en

CS-SW#xh

CS-SW#sh

CS-SW#show ruN

CS-SW#show ruNning-config

Building configuration...

Current configuration : 1885 bytes

!

version 12.2

no service timestamps log datetime msec

no service timestamps debug datetime msec

no service password-encryption

!

hostname CS-SW

!

!

!

!

!

!

!

ip routing

!

!

!

!

!

!

!

!

!

!

!

!

!

!

spanning-tree mode pvst

!

!

!

!

!

!

interface FastEthernet0/1

switchport trunk encapsulation dot1q

switchport mode trunk

!

interface FastEthernet0/2

!

interface FastEthernet0/3

!

interface FastEthernet0/4

!

interface FastEthernet0/5

!

interface FastEthernet0/6

!

interface FastEthernet0/7

!

interface FastEthernet0/8

!

interface FastEthernet0/9

!

interface FastEthernet0/10

!

interface FastEthernet0/11

!

interface FastEthernet0/12

!

interface FastEthernet0/13

!

interface FastEthernet0/14

!

interface FastEthernet0/15

!

interface FastEthernet0/16

!

interface FastEthernet0/17

!

interface FastEthernet0/18

!

interface FastEthernet0/19

!

interface FastEthernet0/20

!

interface FastEthernet0/21

!

interface FastEthernet0/22

!

interface FastEthernet0/23

!

interface FastEthernet0/24

!

interface GigabitEthernet0/1

!

interface GigabitEthernet0/2

!

interface Vlan1

ip address 192.168.1.1 255.255.255.0

ip access-group 100 in

!

interface Vlan10

ip address 192.168.10.1 255.255.255.0

ip access-group 101 in

!

interface Vlan20

ip address 192.168.20.2 255.255.255.0

ip access-group 102 in

!

interface Vlan50

ip address 192.168.50.1 255.255.255.0

!

ip classless

!

ip flow-export version 9

!

!

access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.1.0 0.0.0.255

access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.20.0 0.0.0.255

access-list 101 permit ip 192.168.10.0 0.0.0.255 192.168.10.0 0.0.0.255

access-list 101 permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255

access-list 102 permit ip 192.168.20.0 0.0.0.255 192.168.20.0 0.0.0.255

access-list 102 permit ip 192.168.20.0 0.0.0.255 192.168.1.0 0.0.0.255

!

!

!

!

!

line con 0

!

line aux 0

!

line vty 0 4

login

!

!

!

end

Are the PCs connected to this switch?

From 192.168.20.20 can you ping its gateway?

Jon

Yes, the PC can ping its gateway.

Can 192.168.20.20 ping 192.168.1.1?

If it can, do you see a hit in acl 102?

If you do then double check firewall settings.

Jon

Can you also make sure you have disabled any firewall on the PCs.

Jon

Firewall is off