
ACL problem to a specific network

hello,

I'm implementing ACLs on my company's , but I came across a problem.

I want to filter the protocols that go to the printer network, allowing only PING, 9100, 161 (SNMP), and web access only to a specific network.

Everything works except web access.

CONFIG:

access-list 109 remark +++ VLAN9 restrict traffic Printers Network IN +++
access-list 109 permit icmp any any echo
access-list 109 permit icmp any any echo-reply
access-list 109 permit tcp any eq 9100 any established
access-list 109 permit tcp 172.20.30.0 0.0.0.255 any eq www established
access-list 109 permit tcp 172.20.30.0 0.0.0.255 any eq 443 established
access-list 109 deny ip any any

interface Vlan9
description --- Estadio Impressoras ---
ip address 172.20.9.253 255.255.255.0
ip access-group 109 in
standby 9 ip 172.20.9.254
standby 9 priority 150
standby 9 preempt
end

I have tested the ACL with "access-list 109 permit ip 172.20.30.0 0.0.0.255 any"

but the machines on network 172.20.30.0/24 do not have web access!!

best regards



Hi,

Have you attempted to change the direction of the ACL on VLAN9:

"ip access-group 109 out"

An access-list applied outbound to a VLAN interface filters traffic going TO devices on that VLAN.

An access-list applied inbound to a VLAN filters traffic coming FROM devices on that VLAN.


I've changed the direction of the ACL but it's not working... 

Is it possible to have one ACL in and another out!? 

access-list 109 remark +++ VLAN9 restrict traffic Printers Network IN +++
access-list 109 permit icmp any any echo
access-list 109 permit icmp any any echo-reply
access-list 109 permit tcp any eq 9100 any established
access-list 109 deny ip any any

access-list 209 remark +++ VLAN9 restrict traffic Printers Network out +++
access-list 209 permit icmp any any echo
access-list 209 permit icmp any any echo-reply
access-list 209 permit tcp any eq 80 172.20.30.0 0.0.0.255
access-list 209 permit tcp any eq 443 172.20.30.0 0.0.0.255
access-list 209 deny ip any any

What config do you recommend?! 

Accepted Solution

Hi,

It's possible to have an ACL for IN and OUT.

Firstly, I would suggest that you remove the "established" off the end of the ACL lines, and then try again in an "OUT" direction only.

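To make the direction explanation above and the accepted answer concrete, here is an added Python model of how an extended ACL evaluates packets. It is not code from the thread or from Cisco; the packets, the printer address 172.20.9.20, the admin PC 172.20.30.10 and the corrected outbound ACL are constructed assumptions. It shows why ACL 109 applied "in" never permits the printer's HTTP reply (the reply's source is the printer, not 172.20.30.0/24), why "established" on an outbound ACL drops the very first SYN of a connection, and that an outbound ACL without "established" permits the web session while still denying everything not listed.

```python
"""Toy model of a Cisco extended ACL (added example, not from the thread)."""
import ipaddress
from dataclasses import dataclass, replace
from typing import Optional


@dataclass
class Packet:
    proto: str                 # 'tcp', 'udp' or 'icmp'
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    ack: bool = False          # TCP ACK flag
    rst: bool = False          # TCP RST flag
    icmp_type: str = ""        # 'echo' or 'echo-reply' for ICMP


@dataclass
class Ace:
    """One 'access-list <n> permit|deny ...' line."""
    action: str
    proto: str                         # 'ip', 'tcp', 'udp' or 'icmp'
    src: str                           # 'any' or 'network wildcard'
    dst: str
    sport: Optional[int] = None        # 'eq' on the source port
    dport: Optional[int] = None        # 'eq' on the destination port
    established: bool = False
    icmp_type: str = ""


def in_scope(spec: str, addr: str) -> bool:
    """Match an address against 'any' or a Cisco 'network wildcard' pair."""
    if spec == "any":
        return True
    net, wildcard = spec.split()
    # ipaddress accepts a hostmask (Cisco wildcard) after the slash
    return ipaddress.ip_address(addr) in ipaddress.ip_network(f"{net}/{wildcard}")


def ace_matches(ace: Ace, pkt: Packet) -> bool:
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if not (in_scope(ace.src, pkt.src) and in_scope(ace.dst, pkt.dst)):
        return False
    if ace.sport is not None and pkt.sport != ace.sport:
        return False
    if ace.dport is not None and pkt.dport != ace.dport:
        return False
    if ace.icmp_type and pkt.icmp_type != ace.icmp_type:
        return False
    # 'established' matches only TCP segments with ACK or RST set, so the
    # first SYN of a new connection can never match such a line.
    if ace.established and not (pkt.ack or pkt.rst):
        return False
    return True


def evaluate(acl, pkt: Packet) -> str:
    """First matching entry decides; unmatched traffic hits the implicit deny."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace.action
    return "deny"


ADMINS = "172.20.30.0 0.0.0.255"
PRINTERS = "172.20.9.0 0.0.0.255"   # assumed printer subnet, from 'interface Vlan9'

# ACL 109 as posted, applied 'in' on Vlan9 (it sees traffic FROM the printers).
ACL_109_IN = [
    Ace("permit", "icmp", "any", "any", icmp_type="echo"),
    Ace("permit", "icmp", "any", "any", icmp_type="echo-reply"),
    Ace("permit", "tcp", "any", "any", sport=9100, established=True),
    Ace("permit", "tcp", ADMINS, "any", dport=80, established=True),
    Ace("permit", "tcp", ADMINS, "any", dport=443, established=True),
    Ace("deny", "ip", "any", "any"),
]

# Assumed corrected ACL per the accepted answer: 'out' on Vlan9 (traffic TO the
# printers), no 'established'. Constructed here, not taken from the thread.
ACL_OUT = [
    Ace("permit", "icmp", "any", PRINTERS, icmp_type="echo"),
    Ace("permit", "tcp", "any", PRINTERS, dport=9100),
    Ace("permit", "udp", "any", PRINTERS, dport=161),
    Ace("permit", "tcp", ADMINS, PRINTERS, dport=80),
    Ace("permit", "tcp", ADMINS, PRINTERS, dport=443),
    Ace("deny", "ip", "any", "any"),
]

# Constructed packets for one HTTP connection from an admin PC to a printer.
HTTP_SYN = Packet("tcp", "172.20.30.10", "172.20.9.20", sport=51000, dport=80)
HTTP_SYNACK = Packet("tcp", "172.20.9.20", "172.20.30.10", sport=80, dport=51000, ack=True)


def original_inbound_verdict() -> str:
    """ACL 109 'in' only sees the printer's reply, whose source is the printer."""
    return evaluate(ACL_109_IN, HTTP_SYNACK)


def op_test_line_verdict() -> str:
    """The poster's test 'permit ip 172.20.30.0 0.0.0.255 any' fails inbound for the same reason."""
    return evaluate([Ace("permit", "ip", ADMINS, "any"), Ace("deny", "ip", "any", "any")], HTTP_SYNACK)


def outbound_with_established_verdict() -> str:
    """Keeping 'established' on the outbound TCP lines drops the client's SYN."""
    acl = [replace(a, established=True) if a.proto == "tcp" else a for a in ACL_OUT]
    return evaluate(acl, HTTP_SYN)


def outbound_verdict(pkt: Packet) -> str:
    return evaluate(ACL_OUT, pkt)


if __name__ == "__main__":
    print("ACL 109 in, printer reply :", original_inbound_verdict())          # deny
    print("permit ip test, in        :", op_test_line_verdict())              # deny
    print("out + established, SYN    :", outbound_with_established_verdict())  # deny
    print("out, no established, SYN  :", outbound_verdict(HTTP_SYN))          # permit
    print("out, telnet from admins   :", outbound_verdict(
        Packet("tcp", "172.20.30.10", "172.20.9.20", sport=51001, dport=23)))  # deny
```

The model keeps the return path unfiltered, which is exactly what a single outbound ACL does: replies from the printers enter the SVI where no ACL is applied. If an inbound ACL on Vlan9 is wanted as well, it has to permit the printers' reply traffic (source in the printer subnet), which is where "established" is actually useful.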


Just to add, you are completing your ACLs with a "deny any". To my knowledge, ACLs already end with a hidden implicit deny.


I know that, but it is a best practice...

"Although all access lists end with an implicit deny statement, we recommend use of an explicit deny statement (for example, deny ip any any). On most platforms, you can display the count of packets denied by issuing the show access-list command, thus finding out more information about who your access list is disallowing. Only packets denied by explicit deny statements are counted, which is why the explicit deny statement will yield more complete data for you."


You are most welcome.

Please mark the question as answered/resolved.


It works.

Thank you :)

You saved my day ehehe
