12-05-2016 07:08 AM - edited 03-08-2019 08:26 AM
hello,
I'm implementing ACLs on my company's , but I came across a problem.
I want to filter the protocols that go to the network of printers, allowing only PING, 9100, 161 (snmp) and web access only to a specific network.
Everything works except web access.
CONFIG:
access-list 109 remark +++ VLAN9 restrict traffic Printers Network IN +++
access-list 109 permit icmp any any echo
access-list 109 permit icmp any any echo-reply
access-list 109 permit tcp any eq 9100 any established
access-list 109 permit tcp 172.20.30.0 0.0.0.255 any eq www established
access-list 109 permit tcp 172.20.30.0 0.0.0.255 any eq 443 established
access-list 109 deny ip any any
interface Vlan9
description --- Estadio Impressoras ---
ip address 172.20.9.253 255.255.255.0
ip access-group 109 in
standby 9 ip 172.20.9.254
standby 9 priority 150
standby 9 preempt
end
I have tested the ACL with "access-list 109 permit ip 172.20.30.0 0.0.0.255 any",
but the machines on network 172.20.30.0/24 do not have web access!!
best regards
12-05-2016 10:11 AM
Hi,
Have you attempted to change the direction of the ACL on VLAN9;
"ip access-group 109 out"
An access-list applied outbound to a VLAN interface filters traffic going TO devices on that VLAN.
An access-list applied inbound to a VLAN filters traffic coming FROM devices on that VLAN.
12-05-2016 11:46 AM
I've changed the direction of the ACL but it is not working...
Is it possible to have one ACL in and another out!?
access-list 109 remark +++ VLAN9 restrict traffic Printers Network IN +++
access-list 109 permit icmp any any echo
access-list 109 permit icmp any any echo-reply
access-list 109 permit tcp any eq 9100 any established
access-list 109 deny ip any any
access-list 209 remark +++ VLAN9 restrict traffic Printers Network out +++
access-list 209 permit icmp any any echo
access-list 209 permit icmp any any echo-reply
access-list 209 permit tcp any eq 80 172.20.30.0 0.0.0.255
access-list 209 permit tcp any eq 443 172.20.30.0 0.0.0.255
access-list 209 deny ip any any
What config do you recommend?!
12-05-2016 12:12 PM
Hi,
It's possible to have an ACL for IN and OUT.
Firstly, I would suggest that you remove the "established" off the end of the ACL lines, and then try again in an "OUT" direction only.
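To make the two points in this thread concrete (the direction rule in the earlier reply, and the advice here to drop "established"), here is a small Python evaluator I added; it is not Cisco code and was not posted by anyone in the thread. It parses the ACLs posted above and models two IOS rules: an ACL applied "in" on an SVI sees traffic coming from the VLAN's hosts while "out" sees traffic going to them, and "established" matches only TCP segments with the ACK or RST bit set. The client and printer addresses, the ports, the packet flags and the "candidate" outbound entry are my own assumptions, not values from the thread.

```python
"""Toy evaluator for the subset of Cisco IOS extended-ACL syntax used in this thread (added
illustration, not Cisco code). Hosts, ports and flags below are constructed sample values."""
import ipaddress
from collections import namedtuple

PORT_NAMES = {"www": 80, "https": 443}            # IOS accepts names or numbers after "eq"
ANY = ipaddress.IPv4Network("0.0.0.0/0")
# proto is "tcp"/"icmp"; ack and rst are the TCP flags that 'established' looks at
Packet = namedtuple("Packet", "proto src dst sport dport ack rst", defaults=(0, 0, False, False))
# sport/dport are "eq" ports or None (any); src/dst are IPv4Network objects
Entry = namedtuple("Entry", "action proto src sport dst dport established")

def wildcard_to_net(addr, wildcard):
    """IOS wildcard masks are inverted subnet masks (0.0.0.255 -> /24)."""
    mask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard)))
    return ipaddress.IPv4Network((addr, str(mask)), strict=False)

def parse_acl(text):
    """Parse 'access-list N permit|deny PROTO SRC [eq P] DST [eq P] [established]' lines."""
    entries = []
    for line in text.strip().splitlines():
        tok = line.split()
        if tok[2] == "remark":
            continue
        def addr(i):                               # "any" or "ADDRESS WILDCARD"
            return (ANY, i + 1) if tok[i] == "any" else (wildcard_to_net(tok[i], tok[i + 1]), i + 2)
        def port(i):                               # optional "eq NAME|NUMBER"
            if i < len(tok) and tok[i] == "eq":
                return PORT_NAMES.get(tok[i + 1]) or int(tok[i + 1]), i + 2
            return None, i
        src, i = addr(4)
        sport, i = port(i)
        dst, i = addr(i)
        dport, i = port(i)
        entries.append(Entry(tok[2], tok[3], src, sport, dst, dport, "established" in tok[i:]))
    return entries

def matches(e, p):
    if e.proto != "ip" and e.proto != p.proto:
        return False
    if ipaddress.IPv4Address(p.src) not in e.src or ipaddress.IPv4Address(p.dst) not in e.dst:
        return False
    if e.proto == "tcp":
        if (e.sport is not None and p.sport != e.sport) or (e.dport is not None and p.dport != e.dport):
            return False
        if e.established and not (p.ack or p.rst):   # 'established' never matches a bare SYN
            return False
    return True

def evaluate(acl, p):
    """First matching entry wins; falling off the end is the implicit deny (index None)."""
    for idx, e in enumerate(acl):
        if matches(e, p):
            return e.action, idx
    return "deny", None

def svi_direction(p, vlan):
    """On an SVI, 'in' filters traffic FROM hosts on the VLAN and 'out' traffic TO them."""
    return "in" if ipaddress.IPv4Address(p.src) in vlan else "out"

# ACL 109 (first post, applied "in" on Vlan9) and ACL 209 (second post, intended for "out")
ACL_109_IN = parse_acl("""
access-list 109 permit icmp any any echo
access-list 109 permit icmp any any echo-reply
access-list 109 permit tcp any eq 9100 any established
access-list 109 permit tcp 172.20.30.0 0.0.0.255 any eq www established
access-list 109 permit tcp 172.20.30.0 0.0.0.255 any eq 443 established
access-list 109 deny ip any any""")
ACL_209_OUT = parse_acl("""
access-list 209 permit icmp any any echo
access-list 209 permit icmp any any echo-reply
access-list 209 permit tcp any eq 80 172.20.30.0 0.0.0.255
access-list 209 deny ip any any""")
# Candidate outbound entry in the spirit of the accepted answer (my assumption, not from the
# thread): match the client's request by its destination port, without 'established'.
ACL_CANDIDATE_OUT = parse_acl("""
access-list 209 permit tcp 172.20.30.0 0.0.0.255 any eq www
access-list 209 deny ip any any""")

VLAN9 = ipaddress.IPv4Network("172.20.9.0/24")
# Constructed HTTP exchange between a client on 172.20.30.0/24 and a printer on VLAN 9
HTTP_SYN = Packet("tcp", "172.20.30.10", "172.20.9.20", sport=51515, dport=80)
HTTP_SYNACK = Packet("tcp", "172.20.9.20", "172.20.30.10", sport=80, dport=51515, ack=True)
RAW_9100_REPLY = Packet("tcp", "172.20.9.20", "172.20.30.10", sport=9100, dport=51516, ack=True)

def demo():
    """Which entry each constructed packet hits in the ACL that would see it."""
    return {
        "109 in, printer's SYN/ACK to the web client": evaluate(ACL_109_IN, HTTP_SYNACK),
        "109 in, printer's reply from port 9100": evaluate(ACL_109_IN, RAW_9100_REPLY),
        "209 out, client's SYN to port 80": evaluate(ACL_209_OUT, HTTP_SYN),
        "candidate out, client's SYN to port 80": evaluate(ACL_CANDIDATE_OUT, HTTP_SYN),
    }

if __name__ == "__main__":
    print("SYN direction on Vlan9:", svi_direction(HTTP_SYN, VLAN9), "| SYN/ACK:", svi_direction(HTTP_SYNACK, VLAN9))
    for name, (action, idx) in demo().items():
        print(f"{name}: {action} (entry {idx})")
```

Running it shows why both posted ACLs block web access: the printer's port-80 SYN/ACK arrives inbound from VLAN 9 with the printer as its source, so the two www/443 lines in ACL 109 (which name 172.20.30.0/24 as the source) never match and the packet falls through to the final deny, while the port 9100 reply does hit its "established" entry. ACL 209 as posted also denies the client's SYN, because "eq 80" there sits on the source port and the client's source port is ephemeral. Checking candidate entries this way before pushing them to the switch is cheaper than debugging with "show access-list" counters afterwards.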
12-05-2016 12:15 PM
Just to add, you are completing your ACLs with a "deny any". To my knowledge, ACLs already end with a hidden implicit deny.
12-06-2016 01:25 AM
I know that, but it is a best practice...
"Although all access lists end with an implicit deny statement, we recommend use of an explicit deny statement (for example, deny ip any any). On most platforms, you can display the count of packets denied by issuing the show access-list command, thus finding out more information about who your access list is disallowing. Only packets denied by explicit deny statements are counted, which is why the explicit deny statement will yield more complete data for you."
12-06-2016 02:30 AM
You are most welcome.
Please mark the question as answered/resolved.
12-06-2016 01:24 AM
Works.
Thank you :)
You saved my day ehehe