
App not working after apply ACL

faamin011
Beginner

Switch Config: (3750x IP Services)

interface Vlan515

ip address 10.15.15.1 255.255.255.248

ip access-group vlan515 in

ip access-list extended vlan515

permit ip 10.15.15.0 0.0.0.7 10.10.10.0 0.0.0.255

permit ip 10.15.15.0 0.0.0.7 host 10.15.15.1

ip route 0.0.0.0 0.0.0.0 10.10.10.61 (To Internet Server)

After applying the above ACL on the SVI, MSN Messenger and TeamViewer are unable to connect. Both connect once the ACL is removed from the SVI. Snapshots are quoted for reference purposes.

Without ACL, msn messenger is working well. Tracert in absence of ACL is mentioned below

C:\>tracert www.msn.com

Tracing route to us.co1.cb3.glbdns.microsoft.com [131.253.13.140]

over a maximum of 30 hops:

  1     1 ms     1 ms     1 ms  10.15.15.1
  2     *        *        *     Request timed out.

  3     *        *        *     Request timed out.

With ACL, MSN Live Messenger is not working. Tracert is shown below

C:\>tracert www.msn.com

Tracing route to us.co1.cb3.glbdns.microsoft.com [131.253.13.140]

over a maximum of 30 hops:

  1  10.15.15.1  reports: Destination net unreachable.

Trace complete.

Advice pls

10 REPLIES

Jonn cos
Enthusiast

You have an implicit deny at the end of the ACL. It's not just MSN; if you try browsing, I think your internet won't be working.

Browsing is OK, as it is going via proxy. Only MSN is not operational.

For MSN to work you need to open the corresponding ports. To my knowledge the base functionality will work with tcp/443 and tcp/1863:

permit tcp 10.15.15.0 0.0.0.7 any eq 443

permit tcp 10.15.15.0 0.0.0.7 any eq 1863

A more detailed list is available at Microsoft

http://support.microsoft.com/kb/927847/en-us

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
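
Added example, not part of the original thread: a small Python model of first-match evaluation with Cisco wildcard masks and the implicit deny, run over the vlan515 ACL from the question and over the same ACL with the two ACEs suggested in the reply above. The client address 10.15.15.2 is a constructed value; the parser only handles the ACE forms that appear in this thread.

```python
import ipaddress

def wc_match(addr, base, wildcard):
    """Cisco wildcard match: bits set in the wildcard are 'don't care'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)

def parse_ace(line):
    """Parse 'permit|deny ip|tcp <src> <dst> [eq <port>]' (subset used in the thread)."""
    tok = line.split()
    action, proto, rest = tok[0], tok[1], tok[2:]
    def take():
        head = rest.pop(0)
        if head == "any":
            return "0.0.0.0", "255.255.255.255"
        if head == "host":
            return rest.pop(0), "0.0.0.0"
        return head, rest.pop(0)
    src, dst = take(), take()
    port = int(rest[1]) if rest[:1] == ["eq"] else None
    return action, proto, src, dst, port

def evaluate(acl, proto, src, dst, dport=None):
    """First matching ACE wins; no match falls through to the implicit deny."""
    for line in acl:
        action, p, s, d, port = parse_ace(line)
        if p not in ("ip", proto):          # 'ip' covers every protocol
            continue
        if port is not None and port != dport:
            continue
        if wc_match(src, *s) and wc_match(dst, *d):
            return action, line
    return "deny", "implicit deny"

# ACL exactly as posted in the question
ACL = [
    "permit ip 10.15.15.0 0.0.0.7 10.10.10.0 0.0.0.255",
    "permit ip 10.15.15.0 0.0.0.7 host 10.15.15.1",
]
# Same ACL plus the two ACEs suggested in the reply
ACL_FIXED = ACL + [
    "permit tcp 10.15.15.0 0.0.0.7 any eq 443",
    "permit tcp 10.15.15.0 0.0.0.7 any eq 1863",
]

if __name__ == "__main__":
    HOST = "10.15.15.2"  # constructed client address inside 10.15.15.0/29
    for acl in (ACL, ACL_FIXED):
        print(evaluate(acl, "tcp", HOST, "131.253.13.140", 1863))
```

In this model the ICMP probes of a tracert to 131.253.13.140 still hit the implicit deny after the two TCP ACEs are added, so a blocked trace alone does not show that the application ports are closed.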

0.0.0.0 0.0.0.0 10.10.10.61 and internet server (10.10.10.61) is allowed in ACL then why do we need to
allow other ports in ACL...all related connections should be handled by 10.10.10.61.

The reason behind we have no issue in browsing with same ports

0.0.0.0 0.0.0.0 10.10.10.61 and internet server (10.10.10.61) is allowed in ACL

Not in the ACL you were showing in your post. Please show your actual ACL config.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

ip access-list extended vlan515

permit ip 10.15.15.0 0.0.0.7 10.10.10.0 0.0.0.255 (10.10.10.61 comes under this ACE)

permit ip 10.15.15.0 0.0.0.7 host 10.15.15.1

Sorry, you are right. After reading it the fifth time I saw that it's really 10.10.10.0 ...

Is your MSN really using that proxy?

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

I tried with and without proxy (10.10.10.61) as well but status is same, msn not connected

Anything in the Proxy-Log?

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

No error found in the proxy log.
