ACL problem to a specific network

Tiago Marques
Level 1

hello,

I'm implementing ACLs on my company's , but I came across a problem.

I want to filter the protocols that go to the network of printers, allowing only PING, 9100, 161 (snmp) and web access only to a specific network.

Everything works except web access.

CONFIG:

access-list 109 remark +++ VLAN9 restrict traffic Printers Network IN +++
access-list 109 permit icmp any any echo
access-list 109 permit icmp any any echo-reply
access-list 109 permit tcp any eq 9100 any established
access-list 109 permit tcp 172.20.30.0 0.0.0.255 any eq www established
access-list 109 permit tcp 172.20.30.0 0.0.0.255 any eq 443 established
access-list 109 deny ip any any

interface Vlan9
description --- Estadio Impressoras ---
ip address 172.20.9.253 255.255.255.0
ip access-group 109 in
standby 9 ip 172.20.9.254
standby 9 priority 150
standby 9 preempt
end

I have tested the ACL with "access-list 109 permit ip 172.20.30.0 0.0.0.255 any"

but the machines on network 172.20.30.0/24 do not have web access!!

best regards


mattjones03
Level 1

Hi,

Have you attempted to change the direction of the ACL on VLAN9;

"ip access-group 109 out"

An access-list applied outbound to a VLAN interface filters traffic going TO devices on that VLAN.

An access-list applied inbound to a VLAN filters traffic coming FROM devices on that VLAN.

I've changed the direction of the ACL but it's not working...

Is it possible to have one ACL in and another out!?

access-list 109 remark +++ VLAN9 restrict traffic Printers Network IN +++
access-list 109 permit icmp any any echo
access-list 109 permit icmp any any echo-reply
access-list 109 permit tcp any eq 9100 any established
access-list 109 deny ip any any

access-list 209 remark +++ VLAN9 restrict traffic Printers Network out +++
access-list 209 permit icmp any any echo
access-list 209 permit icmp any any echo-reply
access-list 209 permit tcp any eq 80 172.20.30.0 0.0.0.255
access-list 209 permit tcp any eq 443 172.20.30.0 0.0.0.255
access-list 209 deny ip any any

What config do you recommend?!

Hi,

It's possible to have an ACL for IN and OUT.

Firstly, I would suggest that you remove the "established" off the end of the ACL lines, and then try again in an "OUT" direction only.
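To make the direction semantics above concrete, here is an added example (my code, not from this thread, Cisco, or either poster): a matcher for the subset of IOS extended-ACL syntax posted in the question, plus a model of the Vlan9 SVI in which an "in" ACL filters packets coming FROM the printers and an "out" ACL filters packets going TO them. It evaluates the thread's own ACL 109 against the two halves of a TCP handshake (the client's SYN toward the printer, the printer's SYN-ACK back) and reports which line each packet hits. The hosts 172.20.30.5 and 172.20.9.10 are constructed sample addresses, and ACL_OUT_SUGGESTED is my reading of the accepted answer (the same web lines with established removed, applied out only), not a configuration from the page.

```python
# Added example (not from the thread): matcher for the subset of Cisco IOS
# extended-ACL syntax posted above, plus a model of the Vlan9 SVI ("in" filters
# packets FROM the printers, "out" filters packets TO them). Assumption:
# 'established' matches TCP packets with the ACK flag set, as on IOS.
import ipaddress
PORT_NAMES = {"www": 80}  # IOS port keyword -> number (subset)

# The thread's ACL 109 exactly as posted, applied "in" on interface Vlan9.
ACL_109_ORIGINAL = """
access-list 109 remark +++ VLAN9 restrict traffic Printers Network IN +++
access-list 109 permit icmp any any echo
access-list 109 permit icmp any any echo-reply
access-list 109 permit tcp any eq 9100 any established
access-list 109 permit tcp 172.20.30.0 0.0.0.255 any eq www established
access-list 109 permit tcp 172.20.30.0 0.0.0.255 any eq 443 established
access-list 109 deny ip any any
"""
# My reading of the accepted answer (an assumption): the same web lines without
# 'established', applied "out" on Vlan9, with no "in" ACL.
ACL_OUT_SUGGESTED = """
access-list 209 permit icmp any any echo
access-list 209 permit icmp any any echo-reply
access-list 209 permit tcp 172.20.30.0 0.0.0.255 any eq www
access-list 209 permit tcp 172.20.30.0 0.0.0.255 any eq 443
access-list 209 deny ip any any
"""

def _parse_addr(tokens, i):
    """Consume 'any' or 'ADDR WILDCARD'; return ((net, wildcard), next index)."""
    if tokens[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    net = int(ipaddress.IPv4Address(tokens[i]))
    wild = int(ipaddress.IPv4Address(tokens[i + 1]))
    return (net, wild), i + 2

def _parse_port(tokens, i):
    """Consume an optional 'eq PORT'; return (port or None, next index)."""
    if i < len(tokens) and tokens[i] == "eq":
        p = tokens[i + 1]
        return (int(p) if p.isdigit() else PORT_NAMES[p]), i + 2
    return None, i

def parse_acl(text):
    """Parse 'access-list N permit|deny ...' lines into rule dicts; remarks skipped."""
    rules = []
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 4 or t[0] != "access-list" or t[2] == "remark":
            continue
        r = {"line": line.strip(), "action": t[2], "proto": t[3]}
        r["src"], i = _parse_addr(t, 4)
        r["sport"], i = _parse_port(t, i)
        r["dst"], i = _parse_addr(t, i)
        r["dport"], i = _parse_port(t, i)
        rest = t[i:]
        r["established"] = "established" in rest
        r["icmp_type"] = next((x for x in rest if x in ("echo", "echo-reply")), None)
        rules.append(r)
    return rules

def _addr_match(spec, addr):
    net, wild = spec  # wildcard bits set to 1 are "don't care"
    return (int(ipaddress.IPv4Address(addr)) | wild) == (net | wild)

def evaluate(rules, pkt):
    """First match wins. Returns (action, line); the implicit deny is reported
    as 'implicit deny' to distinguish it from an explicit, counted deny line."""
    for r in rules:
        if r["proto"] not in ("ip", pkt["proto"]):
            continue
        if not (_addr_match(r["src"], pkt["src"]) and _addr_match(r["dst"], pkt["dst"])):
            continue
        if r["sport"] is not None and pkt.get("sport") != r["sport"]:
            continue
        if r["dport"] is not None and pkt.get("dport") != r["dport"]:
            continue
        if r["established"] and not pkt.get("ack", False):
            continue
        if r["icmp_type"] and pkt.get("icmp_type") != r["icmp_type"]:
            continue
        return r["action"], r["line"]
    return "deny", "implicit deny"

def tcp_session_allowed(in_rules, out_rules, client, server, dport):
    """Client outside Vlan9 connects to a printer: the SYN passes the "out" ACL,
    the printer's SYN-ACK passes the "in" ACL. None = no ACL in that direction."""
    syn = {"proto": "tcp", "src": client, "dst": server,
           "sport": 50000, "dport": dport, "ack": False}
    synack = {"proto": "tcp", "src": server, "dst": client,
              "sport": dport, "dport": 50000, "ack": True}
    out_ok = out_rules is None or evaluate(out_rules, syn)[0] == "permit"
    in_ok = in_rules is None or evaluate(in_rules, synack)[0] == "permit"
    return out_ok and in_ok

if __name__ == "__main__":
    orig, out = parse_acl(ACL_109_ORIGINAL), parse_acl(ACL_OUT_SUGGESTED)
    pc, printer = "172.20.30.5", "172.20.9.10"  # constructed sample hosts
    print("ACL 109 in, port 9100:", tcp_session_allowed(orig, None, pc, printer, 9100))
    print("ACL 109 in, port 80  :", tcp_session_allowed(orig, None, pc, printer, 80))
    print("out-only ACL, port 80:", tcp_session_allowed(None, out, pc, printer, 80))
```

Running it shows the 9100 session succeeding and the port-80 session failing under the posted ACL 109, with the printer's SYN-ACK landing on the explicit "deny ip any any" line (the line whose hit counter the quoted Cisco guidance says you can read with show access-list). Under the out-only variant the PC's SYN is permitted and a client from a different subnet is still denied; note that with no "in" ACL at all, traffic originated by the printers themselves is no longer filtered, which is the trade-off of that approach.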

Just to add, you are completing your ACLs with a "deny any". To my knowledge, ACLs already end with a hidden implicit deny.

I know that, but it is a best practice...

"Although all access lists end with an implicit deny statement, we recommend use of an explicit deny statement (for example, deny ip any any). On most platforms, you can display the count of packets denied by issuing the show access-list command, thus finding out more information about who your access list is disallowing. Only packets denied by explicit deny statements are counted, which is why the explicit deny statement will yield more complete data for you."

You are most welcome.

Please mark the question as answered/resolved.

Works.

Thank you :)

You saved my day ehehe
