Beginner

ACL works only for one rule.

When I configure one rule it works fine; when I add another rule, neither rule works at all.

Both work perfectly when I use them as the first rule only. (Everything is connected; both servers are configured as web servers.)

First rule: 

access-list 102 permit tcp host 192.168.1.1 host 192.168.2.2 eq www

Second rule:

access-list 101 permit icmp host 192.168.2.1 host 192.168.1.2 echo-reply

#access-list 101 permit icmp host 192.168.2.1 host 192.168.1.2 echo

[Attached screenshot: tempsnip.png]

Accepted Solutions
Advocate

Re: ACL works only for one rule.

Hi @GuyIttach133 ,

 

Try this:

access-list 102 permit tcp host 192.168.1.1 host 192.168.2.2 eq www
access-list 102 deny ip host 192.168.1.1 host 192.168.2.2
access-list 102 permit ip any any

interface g1/1
ip access-group 102 in

access-list 101 permit icmp host 192.168.2.1 host 192.168.1.2 echo-reply
access-list 101 permit icmp host 192.168.2.1 host 192.168.1.2 echo
access-list 101 deny ip host 192.168.2.1 host 192.168.1.2
access-list 101 permit ip any any

interface g1/0
ip access-group 101 in

Regards
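As an added example (my code, not Cisco's and not from the thread): a small first-match evaluator for the ACL syntax used above. It runs the poster's original single-line ACL 102 and the accepted solution's ACL 102 against constructed sample packets, showing that with only one permit line the implicit deny at the end drops every other flow, and that the trailing permit ip any any is what lets the remaining traffic through. The parser and the packet dicts are simplified assumptions, not the IOS parser.

```python
# Added example, not Cisco code or the thread's own: a first-match evaluator for
# the extended-ACL syntax used above (host/any, eq www, ICMP echo/echo-reply).
PORTS = {"www": 80}
def parse_rule(line):
    tok = line.split()
    assert tok[0] == "access-list" and tok[2] in ("permit", "deny"), line
    action, proto, i = tok[2], tok[3], 4
    def addr():                    # "host A" -> "A", "any" -> None (wildcard)
        nonlocal i
        if tok[i] == "any":
            i += 1
            return None
        assert tok[i] == "host", line
        i += 2
        return tok[i - 1]

    src, dst = addr(), addr()
    port = icmp = None
    if i < len(tok):
        if tok[i] == "eq":         # destination port keyword or number
            port = PORTS.get(tok[i + 1]) or int(tok[i + 1])
        else:                      # ICMP type keyword, e.g. echo-reply
            icmp = tok[i]
    return dict(action=action, proto=proto, src=src, dst=dst, port=port, icmp=icmp)

def matches(r, p):
    return (r["proto"] in ("ip", p["proto"])
            and r["src"] in (None, p["src"]) and r["dst"] in (None, p["dst"])
            and (r["port"] is None or r["port"] == p.get("dport"))
            and (r["icmp"] is None or r["icmp"] == p.get("icmp_type")))

def evaluate(acl_lines, pkt):
    """Return 'permit' or 'deny' for pkt; the first matching line wins."""
    for line in acl_lines:
        if line.startswith("#"):   # commented-out line, as in the original post
            continue
        rule = parse_rule(line)
        if matches(rule, pkt):
            return rule["action"]
    return "deny"                  # implicit deny at the end of every Cisco ACL

# The poster's original ACL 102 (one permit line) and the accepted solution's.
ORIGINAL_102 = ["access-list 102 permit tcp host 192.168.1.1 host 192.168.2.2 eq www"]
SOLUTION_102 = ORIGINAL_102 + ["access-list 102 deny ip host 192.168.1.1 host 192.168.2.2",
                               "access-list 102 permit ip any any"]
# Constructed sample packets (dicts, not real captures).
HTTP = dict(proto="tcp", src="192.168.1.1", dst="192.168.2.2", dport=80)
PING = dict(proto="icmp", src="192.168.1.1", dst="192.168.2.2", icmp_type="echo")
OTHER = dict(proto="tcp", src="192.168.1.3", dst="192.168.2.2", dport=443)
```

Running evaluate(ORIGINAL_102, OTHER) returns "deny" while evaluate(SOLUTION_102, OTHER) returns "permit", which is the difference the poster was hitting.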

VIP Advisor

Re: ACL works only for one rule.

You cannot apply 2 rules on the interface for the same direction.

Change it like below and you should be OK (test and advise).
First rule: 

access-list 102 permit tcp host 192.168.1.1 host 192.168.2.2 eq www

Second rule:

access-list 102 permit icmp host 192.168.2.1 host 192.168.1.2 echo-reply

#access-list 102 permit icmp host 192.168.2.1 host 192.168.1.2 echo


BB
*** Rate All Helpful Responses ***
Beginner

Re: ACL works only for one rule.

Still doesn't work for me.

What do I have to do so that 192.168.1.1 can only browse 192.168.2.2 over HTTP
and 192.168.2.1 can only ping 192.168.1.2?
I did what you said, then configured both on interface Gig0/0 out and Gig0/1 in.
VIP Advisor

Re: ACL works only for one rule.

Can you post the full configuration and explain the direction of the interface you would like to apply this ACL to,

so we can advise you better.

show access-list (post the output also).

BB
*** Rate All Helpful Responses ***
Beginner

Re: ACL works only for one rule.

Added the topology.

ACL:

Extended:

1. Permit PC 192.168.1.1 to browse 192.168.2.2 over HTTP and deny pinging it.

2. Permit PC 192.168.2.1 to ping 192.168.1.2 and deny browsing its HTTP.

Standard:

1. Deny PC 192.168.2.3 from communicating with any PC outside its LAN.

[Attached screenshot: tempsnip.png]

Enthusiast

Re: ACL works only for one rule.


1 ACL per Interface per Direction per Protocol
see https://learningnetwork.cisco.com/message/706374#706374

Beginner

Re: ACL works only for one rule.

God bless you man, thanks.
I probably missed the last rules you added.
