Cisco Community
English
Register
Register
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

Community Helping Community

463
Views
5
Helpful
7
Replies
GuyIttach133
GuyIttach133 Beginner
Beginner
‎08-10-2019 12:20 PM
‎08-10-2019 12:20 PM

ACL works only for one rule.

When I configure one rule it works fine, when I add another rule then both rules doesn't work at all.

Both works perfect when I use them as first rule only.(everything is connected, both servers are configured as web servers.)

First rule: 

access-list 102 permit tcp host 192.168.1.1 host 192.168.2.2 eq www

Second rule:

access-list 101 permit icmp host 192.168.2.1 host 192.168.1.2 echo-reply

#access-list 101 permit icmp host 192.168.2.1 host 192.168.1.2 echo

 

tempsnip.png

 

Labels:
Everyone's tags (1)
0 Helpful
Reply
1 ACCEPTED SOLUTION

Accepted Solutions
luis_cordova
luis_cordova Advocate
Advocate
‎08-10-2019 02:23 PM
‎08-10-2019 02:23 PM

Re: ACL works only for one rule.

Hi @GuyIttach133 ,

 

Try this:

access-list 102 permit tcp host 192.168.1.1 host 192.168.2.2 eq www

access-list 102 deny ip host 192.168.1.1 host 192.168.2.2

access-list 102 permit ip any any 

 

interface g1/1

ip access-group 102 in 

 

access-list 101 permit icmp host 192.168.2.1 host 192.168.1.2 echo-reply

access-list 101 permit icmp host 192.168.2.1 host 192.168.1.2 echo

access-list 101 deny ip host 192.168.2.1 host 192.168.1.2

accessc-list 101 permit ip any any 

 

interface g1/0

ip access-group 101 in 

 

Regards

 

View solution in original post

Reply
7 REPLIES 7
balaji.bandi
VIP Advisor balaji.bandi VIP Advisor
VIP Advisor
‎08-10-2019 12:33 PM
‎08-10-2019 12:33 PM

Re: ACL works only for one rule.

You can not apply 2 rules on the interface for same direction.

 

change like below you should be ok. ( test and advise.

 

 

First rule: 

access-list 102 permit tcp host 192.168.1.1 host 192.168.2.2 eq www

Second rule:

access-list 102 permit icmp host 192.168.2.1 host 192.168.1.2 echo-reply

#access-list 102 permit icmp host 192.168.2.1 host 192.168.1.2 echo

 

BB
*** Rate All Helpful Responses ***
0 Helpful
Reply
GuyIttach133
GuyIttach133 Beginner
Beginner
‎08-10-2019 01:05 PM
‎08-10-2019 01:05 PM

Re: ACL works only for one rule.

Still doesn't work for me.

what do I have to do so 192.168.1.1 can only browse in 192.168.2.2 http
and 192.168.2.1 can only do pings to 192.168.1.2?
i did what you've said, then configured both on interface Gig0/0 out and Gig0/1 in
0 Helpful
Reply
balaji.bandi
VIP Advisor balaji.bandi VIP Advisor
VIP Advisor
‎08-10-2019 01:51 PM
‎08-10-2019 01:51 PM

Re: ACL works only for one rule.

Can you post the full configuration and expllain the direction of the interface you like to apply this ACL.

 

so we can suggest you better

 

show access-list (post the output also).

BB
*** Rate All Helpful Responses ***
0 Helpful
Reply
GuyIttach133
GuyIttach133 Beginner
Beginner
‎08-11-2019 10:17 AM
‎08-11-2019 10:17 AM

Re: ACL works only for one rule.

Added the typology.

 

ACL:

Extended:

1. Permit PC 192.168.1.1 to browse in 192.168.2.2 http and deny pinging him.

2. Permit PC 192.168.2.1 to ping 192.168.1.2 and deny browsing his http.

Standart:

1. Deny for PC 192.168.2.3 to communicate with any PC out of his LAN.

 

tempsnip.png

0 Helpful
Reply
Highlighted
MartinLo
MartinLo Enthusiast
Enthusiast
‎08-10-2019 01:01 PM
‎08-10-2019 01:01 PM

Re: ACL works only for one rule.


1 ACL per Interface per Direction per Protocol
see https://learningnetwork.cisco.com/message/706374#706374
0 Helpful
Reply
luis_cordova
luis_cordova Advocate
Advocate
‎08-10-2019 02:23 PM
‎08-10-2019 02:23 PM

Re: ACL works only for one rule.

Hi @GuyIttach133 ,

 

Try this:

access-list 102 permit tcp host 192.168.1.1 host 192.168.2.2 eq www

access-list 102 deny ip host 192.168.1.1 host 192.168.2.2

access-list 102 permit ip any any 

 

interface g1/1

ip access-group 102 in 

 

access-list 101 permit icmp host 192.168.2.1 host 192.168.1.2 echo-reply

access-list 101 permit icmp host 192.168.2.1 host 192.168.1.2 echo

access-list 101 deny ip host 192.168.2.1 host 192.168.1.2

accessc-list 101 permit ip any any 

 

interface g1/0

ip access-group 101 in 

 

Regards

 

View solution in original post

Reply
GuyIttach133
GuyIttach133 Beginner
Beginner
‎08-10-2019 03:08 PM
‎08-10-2019 03:08 PM

Re: ACL works only for one rule.

God bless you man, thanks.
I probably missed the last rules u added.

0 Helpful
Reply
Latest Contents
Recent changes in SRIOV VF mapping in NFVIS GUI
Created by gosekar on 12-05-2019 06:59 PM
0
0
0
0
Starting from NFVIS 3.12 versions, the deploy option does not depict all the SR-IOV VFs(Virtual Functions) available in a physical interface. This change is introduced as (i) the number of VFs of ENCS platform on LANs side is increased to 24 and (ii) the... view more
Community Live- Getting to know Cisco SD-WAN
Created by ciscomoderator on 12-05-2019 12:41 PM
0
0
0
0
Community Live- Getting to know Cisco SD-WAN (Live event - formerly known as Webcast-  Wednesday December 11, 2019 at 10 am Pacific/ 1 pm Eastern / 7 pm Paris) This event will have place on Wednesday 11th, December 2019 at 10hrs PDT  Register to... view more
Fixed IP for each location
Created by MuhammadAfnan32526 on 12-05-2019 11:22 AM
1
0
1
0
Hi alli have 40 spots (40 Ethernet cables for computers coming out from switch) and i want each of these spots to have fix IP which means if i swap the computer the IP of certain spot remain the same.example : at spot 30 i have IP address of 192.168.22.40... view more
Cisco DNA Center appliance connected to Cisco Nexus 5K/7K/9K...
Created by Karthik Kumar Thatikonda on 12-04-2019 01:01 PM
0
5
0
5
Symptoms Cisco DNA Center nodes lost network connectivity. Cannot SSH to nodes. Cluster and Enterprise port connected to Cisco Nexus Switches. Diagnosis Cisco DNA Center kernel logs showing hung queue error messages. "sudo cat /var/log/kern.log" Work... view more
Cisco Digital Network Architecture Center Modules (Design M...
Created by Mohamed Alhenawy on 11-28-2019 09:51 AM
0
0
0
0
Cisco Digital Network Architecture Center Modules(Design Module)Wireless Part.In this article, we are going to talk about Cisco Digital Network Architecture Center design Module, Wireless Part.Cisco DNA Center gives us the flexibility and scalability to c... view more
CreatePlease to create content
Discussion
Blog
Document
Video
Content for Community-Ad