02-13-2013 10:54 PM - edited 03-07-2019 11:42 AM
Switch Config: (3750x IP Services)
interface Vlan515
ip address 10.15.15.1 255.255.255.248
ip access-group vlan515 in
ip access-list extended vlan515
permit ip 10.15.15.0 0.0.0.7 10.10.10.0 0.0.0.255
permit ip 10.15.15.0 0.0.0.7 host 10.15.15.1
ip route 0.0.0.0 0.0.0.0 10.10.10.61 (To Internet Server)
After applying the above ACL on the SVI, MSN Messenger and TeamViewer are unable to connect. Both connect once the ACL is removed from the SVI. Snapshots are quoted for reference.
Without the ACL, MSN Messenger works well. The tracert without the ACL is shown below:
C:\>tracert www.msn.com
Tracing route to us.co1.cb3.glbdns.microsoft.com [131.253.13.140]
over a maximum of 30 hops:
1 1 ms 1 ms 1 ms 10.15.15.1
2 * * * Request timed out.
3 * * * Request timed out.
With the ACL, MSN Live Messenger does not work. The tracert is shown below:
C:\>tracert www.msn.com
Tracing route to us.co1.cb3.glbdns.microsoft.com [131.253.13.140]
over a maximum of 30 hops:
1 10.15.15.1 reports: Destination net unreachable.
Trace complete.
Please advise.
02-13-2013 11:29 PM
You have an implicit deny at the end of the ACL. It's not just MSN; if you try browsing, I think your internet won't be working.
02-14-2013 12:04 AM
Browsing is OK, as it is going via the proxy. Only MSN is not operational.
02-14-2013 12:30 AM
For MSN to work you need to open the corresponding ports. To my knowledge the base functionality will work with tcp/443 and tcp/1863:
permit tcp 10.15.15.0 0.0.0.7 any eq 443
permit tcp 10.15.15.0 0.0.0.7 any eq 1863
A more detailed list is available at Microsoft
http://support.microsoft.com/kb/927847/en-us
--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
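Added example, not written by any poster in this thread: a small Python model of first-match evaluation with the implicit deny, run over the ACL from the question and over the same ACL with the two suggested entries. An inbound ACL matches the destination address in the packet's IP header rather than the route's next hop; the parser covers only the entry syntax used on this page, and the client address 10.15.15.2 is constructed.

```python
import ipaddress

def ip2int(text):
    return int(ipaddress.IPv4Address(text))

def take_addr(tok, i):
    """Read 'any', 'host A' or 'A WILDCARD'; return ((base, wildcard), next index)."""
    if tok[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tok[i] == "host":
        return (ip2int(tok[i + 1]), 0), i + 2
    return (ip2int(tok[i]), ip2int(tok[i + 1])), i + 2

def parse_ace(line):
    """Parse 'permit|deny PROTO SRC DST [eq PORT]' (only the syntax used in this thread)."""
    tok = line.split()
    src, i = take_addr(tok, 2)
    dst, i = take_addr(tok, i)
    port = int(tok[i + 1]) if i < len(tok) and tok[i] == "eq" else None
    return tok[0], tok[1], src, dst, port

def addr_match(ip, spec):
    base, wildcard = spec
    care = ~wildcard & 0xFFFFFFFF  # wildcard bits set to 1 are "don't care"
    return (ip2int(ip) & care) == (base & care)

def evaluate(acl, proto, src, dst, dport=None):
    """First matching entry wins; no match means the implicit deny applies."""
    for n, line in enumerate(acl, 1):
        action, a_proto, a_src, a_dst, a_port = parse_ace(line)
        if a_proto not in ("ip", proto):
            continue
        if not (addr_match(src, a_src) and addr_match(dst, a_dst)):
            continue
        if a_port is not None and a_port != dport:
            continue
        return action, n
    return "deny", None  # implicit deny at the end of every ACL

ORIGINAL = [
    "permit ip 10.15.15.0 0.0.0.7 10.10.10.0 0.0.0.255",
    "permit ip 10.15.15.0 0.0.0.7 host 10.15.15.1",
]
SUGGESTED = ORIGINAL + [
    "permit tcp 10.15.15.0 0.0.0.7 any eq 443",
    "permit tcp 10.15.15.0 0.0.0.7 any eq 1863",
]
CLIENT, MSN = "10.15.15.2", "131.253.13.140"  # CLIENT is constructed; MSN is the traced address
```

evaluate(ORIGINAL, "tcp", CLIENT, MSN, 1863) returns ("deny", None), while the same call with SUGGESTED returns ("permit", 4).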
02-14-2013 01:55 AM
0.0.0.0 0.0.0.0 10.10.10.61 and internet server (10.10.10.61) is allowed in ACL, so why do we need to allow other ports in the ACL? All related connections should be handled by 10.10.10.61.
That is the reason we have no issue in browsing with the same ports.
02-14-2013 02:25 AM
0.0.0.0 0.0.0.0 10.10.10.61 and internet server (10.10.10.61) is allowed in ACL
Not in the ACL you were showing in your post. Please show your actual ACL config.
02-14-2013 03:16 AM
ip access-list extended vlan515
permit ip 10.15.15.0 0.0.0.7 10.10.10.0 0.0.0.255 (10.10.10.61 comes under this ACE)
permit ip 10.15.15.0 0.0.0.7 host 10.15.15.1
02-14-2013 03:24 AM
Sorry, you are right. After reading it the fifth time I saw that it's really 10.10.10.0 ...
Is your MSN really using that proxy?
02-14-2013 04:20 AM
I tried with and without the proxy (10.10.10.61) as well, but the status is the same: MSN is not connected.
02-14-2013 04:41 AM
Anything in the Proxy-Log?
02-14-2013 06:08 AM
No error found in the proxy log.