02-18-2013 01:13 PM - edited 03-07-2019 11:46 AM
Hey All,
I am trying to set up access lists on my switch and I keep making mistakes, and I am even more confused now than ever. Here is what I have and what I am trying to protect.
Internal Network - 10.0.0.0/18 (10.0.0.0 - 10.0.63.255)
DHCP from Cisco 3550 DHCP pool addresses - 172.0.0.0/23
My Cisco ASA will sit on the network at 10.0.13.2 (VLAN13)
I want to deny traffic from 172.0.0.0/23 to everything on the internal network except the 10.0.13.2 address
I want to also deny all traffic from the internal network out to the 172.x.x.x network.
Here is what I currently have
access-list 198 deny ip any 172.0.0.0 0.0.7.255
access-list 198 permit ip any any
access-list 199 deny ip any 10.0.12.0 0.0.0.255
access-list 199 deny ip 10.0.14.0 0.0.0.255 10.0.63.0 0.0.0.255
access-list 199 permit ip any any
Then on my vlans I have
Inside access VLAN 4
ip helper address 10.x.x.x
access-group 198 in
Outside Access VLAN 6
access-group 199 in
From the 10.x.x.x address space I cannot ping the 172.x.x.x address space, however I can ping from the 172.x.x.x into the 10.x.x.x address space.
Any help would be much appreciated. Thanks!
Message was edited by: Chris Whiteley
02-21-2013 03:26 PM
So just so I am clear...on the actual trunk port itself, use the access list?
02-21-2013 09:59 PM
Yes... You are correct....
By
Karthik
02-24-2013 08:52 PM
Your SVI shouldn't ping from any of the internal VLANs.
As any packet coming from the 172.x network will go from VLAN480, where the access-list will drop the packet before routing.
You can do one thing: with the 'show ip access-list 198' command, we can check which statement the ping is matching, or whether it is not matching, by seeing the number of times each statement has been matched.
Based on that evaluation, we can conclude something.
02-25-2013 10:42 AM
It returned about 24,000 results on the access list 198
02-25-2013 09:55 PM
For each statement in your access-list 198, it will show a match count. For example,
1. ip access-list 198 permit ip 172.0.0.0 0.0.1.255 host 10.0.13.2 (match 150)
2. ip access-list 198 deny ip 172.0.0.0 0.0.1.255 10.0.0.0 0.0.63.255 (match 200)
3. ip access-list 198 permit ip any any (match 500)
So, for the above we can see that 150 packets were forwarded matching statement 1, 200 dropped matching statement 2 and 500 packets forwarded matching statement 3.
Noting down these initial counts, again ping from the 172.x network to any 10.x network. After that, again see the match counts: if none of the counts is increasing, it means the packet is not coming to this interface and is being forwarded from somewhere else; also, if some counter has increased, you can see by which statement it is being forwarded, or why it is not matching our statement number 2.
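As an added illustration of the counter-reading method described in this reply (not code from the thread or from Cisco), the following models how a numbered IOS ACL is evaluated: statements are tried in order, the first match wins, wildcard masks are inverse masks, and each hit bumps the per-statement counter that 'show ip access-list' displays. It evaluates the same sample packets against the poster's ACL 198 and against the three statements from this reply, rewritten here in access-list syntax (an assumption), so you can see which statement each ping would hit.

```python
import ipaddress

# Constructed sample ACLs: the ACL 198 from the original post, and the three
# statements from the reply above written in numbered-ACL syntax (assumed).
POSTED_198 = [
    "access-list 198 deny ip any 172.0.0.0 0.0.7.255",
    "access-list 198 permit ip any any",
]
REPLY_198 = [
    "access-list 198 permit ip 172.0.0.0 0.0.1.255 host 10.0.13.2",
    "access-list 198 deny ip 172.0.0.0 0.0.1.255 10.0.0.0 0.0.63.255",
    "access-list 198 permit ip any any",
]

def _target(tokens):
    """Consume one address spec: 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'."""
    tok = tokens.pop(0)
    if tok == "any":
        return 0, 0xFFFFFFFF
    if tok == "host":
        return int(ipaddress.IPv4Address(tokens.pop(0))), 0
    return int(ipaddress.IPv4Address(tok)), int(ipaddress.IPv4Address(tokens.pop(0)))

def parse_acl(lines):
    """Parse 'access-list N permit|deny ip SRC DST' lines into ordered entries."""
    acl = []
    for line in lines:
        t = line.split()
        if len(t) < 6 or t[0] != "access-list" or t[3] != "ip":
            continue                      # only plain 'ip' statements are modelled
        rest = t[4:]
        src, src_wc = _target(rest)
        dst, dst_wc = _target(rest)
        acl.append({"action": t[2], "src": src, "src_wc": src_wc,
                    "dst": dst, "dst_wc": dst_wc, "matches": 0})
    return acl

def _in_range(addr, base, wildcard):
    # Wildcard masks are inverse masks: only bits that are 0 in the mask must match.
    care = ~wildcard & 0xFFFFFFFF
    return addr & care == base & care

def evaluate(acl, src, dst):
    """First match wins; returns (action, 1-based statement number).
    Falling off the end hits the implicit 'deny any', reported as statement None."""
    s, d = int(ipaddress.IPv4Address(src)), int(ipaddress.IPv4Address(dst))
    for n, ace in enumerate(acl, start=1):
        if _in_range(s, ace["src"], ace["src_wc"]) and _in_range(d, ace["dst"], ace["dst_wc"]):
            ace["matches"] += 1           # the counter 'show ip access-list' shows
            return ace["action"], n
    return "deny", None
```

Run a few 172.x to 10.x packets through both lists and compare the `matches` counters before and after, exactly as the reply suggests doing on the switch.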