ACL issues

porressCisco
Level 1

Hi,

I have the access list on my main switch as below, and I cannot figure out why I cannot telnet on any port from IP address 10.2.0.51 to IP address 10.2.26.63.

Could you help?

Thanks,

ip access-list extended "100"
10 remark "ACL-CURRICULUM"
10 permit icmp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 8
20 permit icmp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 0
30 permit igmp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
40 permit udp 0.0.0.0 255.255.255.255 eq 68 0.0.0.0 255.255.255.255 eq 67
50 permit udp 10.2.0.0 0.0.7.255 0.0.0.0 255.255.255.255 eq 53
60 permit ip 10.2.0.0 0.0.7.255 10.2.41.0 0.0.0.255
70 permit ip 10.2.0.0 0.0.7.255 10.2.24.0 0.0.0.255
80 permit ip 10.2.0.0 0.0.7.255 10.2.48.0 0.0.0.255
85 permit ip 10.2.0.0 0.0.7.255 10.2.47.0 0.0.0.255
90 permit ip 10.2.0.0 0.0.7.255 10.2.16.0 0.0.3.255
100 permit ip 10.2.0.0 0.0.7.255 10.2.32.0 0.0.1.255
120 permit ip 10.2.0.0 0.0.7.255 10.2.54.0 0.0.0.255
140 permit ip 10.2.0.192 0.0.0.63 10.2.44.0 0.0.0.255
150 permit ip 10.2.0.192 0.0.0.63 10.2.40.0 0.0.0.255
190 permit ip 10.2.0.0 0.0.0.63 0.0.0.0 255.255.255.255
exit

4 Replies

Mark Malone
VIP Alumni

Hi

I don't see telnet allowed, and ACLs have an implicit deny at the bottom which is unseen, so you need to allow a rule for port 23 between the 2 subnets.

Hi,

Thank you for your response.

I thought that because I have this:

190 permit ip 10.2.0.0 0.0.0.63 0.0.0.0 255.255.255.255

That would permit any protocol through. In this case I have tried TCP ports 25565, 443 and 80.

None of them work to IP 10.2.26.63.

Example: telnet 10.2.26.63 25565

ip access-list extended "26"
10 remark "vlan26"
10 permit icmp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 8
20 permit icmp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 0
30 permit udp 0.0.0.0 255.255.255.255 eq 68 0.0.0.0 255.255.255.255 eq 67
40 permit udp 10.2.26.0 0.0.0.255 10.2.0.8 0.0.0.1 eq 53
50 permit igmp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
60 permit tcp 10.2.26.0 0.0.0.255 10.2.0.8 0.0.0.0 eq 80
70 permit tcp 10.2.26.0 0.0.0.255 10.2.0.16 0.0.0.0 eq 8080
80 permit tcp 10.2.26.0 0.0.0.255 0.0.0.0 255.255.255.255 eq 80
90 permit tcp 10.2.26.0 0.0.0.255 0.0.0.0 255.255.255.255 eq 443
exit

Hi

This is the vty access-list, yes? Is that where it's applied? Specify TCP instead of IP and specify the port number.

Here's an example with SSH off one of my boxes that's applied to vty; I have altered IPs for security. We use SSH only, as telnet is a security issue: clear-text passwords are visible in SPANs.

line vty 0 4
 access-class 186 in vrf-also

Extended IP access list 186
    10 permit tcp host 172.x.x.x any eq 22 (5964 matches)
    20 permit tcp host 172.x.x.x any eq 22 (1070 matches)
    30 permit tcp host 172.x.x.x any eq 22 (50 matches)
    40 permit tcp host 172.x.x.x any eq 22

Thank you for your help, I managed to figure it out. I just added a permit tcp any any on the port I needed on the destination VLAN ACL.
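As an added illustration (example code, not from the thread or from Cisco), a small Python evaluator for the wildcard-mask ACEs posted above: it walks an ACL first-match-first with the implicit deny at the end, and checks both the client's SYN from 10.2.0.51 and the server's reply against the two ACLs. The excerpted ACL lines come from the posts; the ephemeral source port 49152 and the exact form of the fix (a permit on the reply's source port in the VLAN 26 ACL) are assumptions.

```python
import ipaddress
import re

# Simplified evaluator for Cisco-style extended ACEs (wildcard masks, optional
# "eq <port>" after source and destination, first match wins, implicit deny).
# Constructed example; not a full IOS parser (no host/any/range/established).
ACE = re.compile(r"^\d+ (permit|deny) (\S+) (\S+) (\S+)(?: eq (\d+))? (\S+) (\S+)(?: eq (\d+))?")

def _in_range(ip, base, wildcard):
    # A wildcard bit of 1 means "don't care", so the real mask is its inverse.
    mask = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (int(ipaddress.IPv4Address(ip)) & mask) == (int(ipaddress.IPv4Address(base)) & mask)

def evaluate(acl_lines, proto, src, sport, dst, dport):
    """Return (action, ace) for the first matching entry, else the implicit deny."""
    for raw in acl_lines:
        m = ACE.match(raw.strip())
        if not m:  # header, remark, exit or blank line
            continue
        action, p, sip, swc, seq, dip, dwc, deq = m.groups()
        if p not in ("ip", proto):
            continue
        if not (_in_range(src, sip, swc) and _in_range(dst, dip, dwc)):
            continue
        if (seq and int(seq) != sport) or (deq and int(deq) != dport):
            continue
        return action, raw.strip()
    return "deny", "implicit deny"

# Excerpts of the two ACLs from the thread, reduced to the entries that matter here.
ACL_100 = ["190 permit ip 10.2.0.0 0.0.0.63 0.0.0.0 255.255.255.255"]
ACL_26 = [
    "80 permit tcp 10.2.26.0 0.0.0.255 0.0.0.0 255.255.255.255 eq 80",
    "90 permit tcp 10.2.26.0 0.0.0.255 0.0.0.0 255.255.255.255 eq 443",
]
# Assumed form of the fix: the VLAN 26 ACL sees the reply sourced from port 25565.
ACL_26_FIXED = ACL_26 + ["100 permit tcp 0.0.0.0 255.255.255.255 eq 25565 0.0.0.0 255.255.255.255"]

def check_session(acl_out, acl_back, src, dst, dport, sport=49152):
    """Evaluate the client's SYN against its VLAN ACL and the reply against the other."""
    fwd = evaluate(acl_out, "tcp", src, sport, dst, dport)
    rev = evaluate(acl_back, "tcp", dst, dport, src, sport)
    return fwd[0], rev[0]

if __name__ == "__main__":
    print(check_session(ACL_100, ACL_26, "10.2.0.51", "10.2.26.63", 25565))        # ('permit', 'deny')
    print(check_session(ACL_100, ACL_26_FIXED, "10.2.0.51", "10.2.26.63", 25565))  # ('permit', 'permit')
```

The forward SYN is permitted by line 190 of ACL 100, but the reply falls through to the implicit deny of ACL 26 until a matching permit is added, which is why the session never completes even though the source side looks open.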
