01-11-2022 09:04 AM - edited 01-11-2022 12:47 PM
Hi Guys,
I need some help to allow traffic from one host into another host (different subnets) through an ACL on the switch interface. For some reason all traffic gets blocked, even the traffic I permit.
Here is my configuration.
interface GigabitEthernet0/39
description msw01
switchport access vlan 40
switchport mode access
ip access-group dev01-access in
My access list
ip access-list extended dev01-access
permit tcp host 10.224.61.186 host 10.224.62.19 eq 22
permit tcp host 10.224.61.186 host 10.224.62.19 eq 2401
interface GigabitEthernet0/39
ip access-group dev01-access in
01-11-2022 02:27 PM
Thanks for the additional information. If 10.224.62.19 is the server and is connected on G0/39 then I see what is the problem with your acl.
permit tcp host 10.224.61.186 host 10.224.62.19 eq 22
permit tcp host 10.224.61.186 host 10.224.62.19 eq 2401
This configuration identifies 10.224.62.19 as the destination but it should identify it as the source of the traffic. Reverse the order of the addresses and let us know if the behavior changes.
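As an added example (not from this thread, and written in Python rather than IOS so it can be run offline): a small evaluator for the ACL lines quoted above that shows the direction problem the accepted answer describes, and that the `eq` port operator has to move along with the server address when the two addresses are swapped. The packets and the client's ephemeral port 51234 are constructed; it assumes, as the thread states, that 10.224.62.19 is the SSH server attached to G0/39.

```python
# Added example (not from the thread): a tiny evaluator for the subset of
# Cisco IOS extended-ACL syntax used above, showing why an ACL applied "in"
# on the server's port must name the server as the SOURCE.
ORIGINAL_ACL = [
    "permit tcp host 10.224.61.186 host 10.224.62.19 eq 22",
    "permit tcp host 10.224.61.186 host 10.224.62.19 eq 2401",
]
# Reversed as the accepted answer suggests; "eq" qualifies the address it
# follows, so the port operator moves with the (now source) server address.
REVERSED_ACL = [
    "permit tcp host 10.224.62.19 eq 22 host 10.224.61.186",
    "permit tcp host 10.224.62.19 eq 2401 host 10.224.61.186",
]
SERVER, CLIENT = "10.224.62.19", "10.224.61.186"  # server sits on G0/39

def parse_ace(line):
    """Parse 'permit|deny tcp host A [eq P] host B [eq P]' (subset only)."""
    tok = line.split()
    action, proto, rest = tok[0], tok[1], tok[2:]
    def endpoint(t):
        if t[0] != "host":
            raise ValueError("only 'host' endpoints are supported here")
        addr, t, port = t[1], t[2:], None
        if t and t[0] == "eq":
            port, t = int(t[1]), t[2:]
        return addr, port, t
    src, sport, rest = endpoint(rest)
    dst, dport, rest = endpoint(rest)
    return action, proto, src, sport, dst, dport

def evaluate(acl, pkt):
    """First matching ACE wins; every IOS ACL ends with an implicit deny."""
    for action, proto, src, sport, dst, dport in map(parse_ace, acl):
        if (proto, src, dst) != (pkt["proto"], pkt["src"], pkt["dst"]):
            continue
        if sport is not None and sport != pkt["sport"]:
            continue
        if dport is not None and dport != pkt["dport"]:
            continue
        return action
    return "deny"

def seen_inbound_on_port(pkt, attached_host):
    """An 'in' ACL on an access port only sees frames SENT by the attached host."""
    return pkt["src"] == attached_host

# Constructed packets: the server's SSH reply and the client's initial SYN.
SSH_REPLY = dict(proto="tcp", src=SERVER, sport=22, dst=CLIENT, dport=51234)
SSH_SYN = dict(proto="tcp", src=CLIENT, sport=51234, dst=SERVER, dport=22)
```

On the server's port the original list only ever matches the client's SYN, which never enters the switch on G0/39, so the server's replies hit the implicit deny; the reversed list permits them.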
01-11-2022 09:17 AM
Hi
But, without the ACL, are you able to ping from one host to another?
01-11-2022 09:29 AM
Hi Flavio, yes, ping is good.
01-11-2022 10:21 AM
And the SSH session closes with no problem?
I'm just trying to make sure that the problem is not something else.
01-11-2022 09:41 AM
You applied it in the "in" direction, but you have not mentioned what the source and destination IPs are, so that needs to be clarified here to get to the bottom of the issue.
Examples can be found here:
https://www.cisco.com/c/en/us/support/docs/ip/access-lists/26448-ACLsamples.html
01-11-2022 09:45 AM
Hi, thanks BB.
The source and destination:
source 10.224.61.186 destination 10.224.32.19 eq 22
01-11-2022 09:50 AM
Where is the source located? Based on that, the ACL should be IN or OUT.
01-11-2022 10:04 AM
The direction is IN.
The source tries to connect through SSH to the destination.
01-11-2022 10:22 AM
I notice that G0/39 is an access port in vlan 40. Could you post the configuration of interface vlan 40? This would help us understand the issue better.
I am surprised that the access-group is applied on G0/39. I would have expected it to be applied on the vlan 40 interface. What happens if you assign the acl to the vlan interface rather than the access port?
01-11-2022 10:28 AM
Thanks Richard,
let me get it...
01-11-2022 10:34 AM
Hi Richard, here is the vlan configuration:
interface Vlan40
no ip address
no ip route-cache
no ip mroute-cache
If I apply the ACL on the VLAN interface, how is the traffic impacted?
01-11-2022 10:35 AM
Need some clarification:
So the IP 10.224.61.186 belongs to VLAN 40?
Is this device connected to interface GigabitEthernet0/39 and initiating an SSH connection to 10.224.32.19 eq 22?
Without the ACL (ip access-group dev01-access in), does SSH work?
01-11-2022 10:41 AM
BB,
answering your questions:
No, 10.224.61.186 does not belong to VLAN 40.
Without the ACL, SSH works. The goal is that we just want to limit host-to-host traffic to SSH only; the rest of the traffic is dropped or denied.
01-11-2022 10:49 AM
If the IP does not belong to VLAN 40, and you do not have any config on the VLAN 40 interface?
10.224.61.186 - where is this host connected, on what port? What VLAN does it belong to?
10.224.32.19 - where is this device connected? What VLAN does it belong to?
Can you post the complete show run or a network diagram for us to understand your network? The information you have provided is not helping us determine the problem.
01-11-2022 11:06 AM
BB,
Unfortunately I cannot post the configuration here; both servers are in the same subnet range and VLAN 40.