02-18-2013 01:13 PM - edited 03-07-2019 11:46 AM
Hey All,
I am trying to set up access lists on my switch and I keep making mistakes, and now I am more confused than ever. Here is what I have and what I am trying to protect.
Internal Network - 10.0.0.0/18 (10.0.0.0 - 10.0.63.255)
DHCP from Cisco 3550 DHCP pool addresses - 172.0.0.0/23
My Cisco asa will sit on the network at 10.0.13.2 (VLAN13)
I want to deny traffic from 172.0.0.0/23 to everything on the internal network except the 10.0.13.2 address
I want to also deny all traffic from the internal network out to the 172.x.x.x network.
Here is what I currently have:
access-list 198 deny ip any 172.0.0.0 0.0.7.255
access-list 198 permit ip any any
access-list 199 deny ip any 10.0.12.0 0.0.0.255
access-list 199 deny ip 10.0.14.0 0.0.0.255 10.0.63.0 0.0.0.255
access-list 199 permit ip any any
Then on my VLANs I have:
Inside (interface Vlan4):
 ip helper-address 10.x.x.x
 ip access-group 198 in
Outside (interface Vlan6):
 ip access-group 199 in
From the 10.x.x.x address space I cannot ping the 172.x.x.x address space, however I can ping from the 172.x.x.x into the 10.x.x.x address space.
Any help would be much appreciated. Thanks!
Message was edited by: Chris Whiteley
on 02-21-2013 03:26 PM
So, just so I am clear: on the actual trunk port itself, use the access list?
on 02-21-2013 09:59 PM
Yes... You are correct....
By
Karthik
on 02-24-2013 08:52 PM
Your SVI shouldn't ping from any of the internal VLANs.
Any packet coming from the 172.x network will come in on VLAN480, where the access list will drop the packet before routing.
You can do one thing: with the 'show ip access-list 198' command we can check which statement the ping is matching, or whether it is not matching, by looking at the number of times each statement has been matched.
Based on that evaluation, we can conclude something.
on 02-25-2013 10:42 AM
It returned about 24,000 matches on access list 198.
on 02-25-2013 09:55 PM
For each statement in your access-list 198, it will show a match count. For example:
1. ip access-list 198 permit ip 172.0.0.0 0.0.1.255 host 10.0.13.2 (match 150)
2. ip access-list 198 deny ip 172.0.0.0 0.0.1.255 10.0.0.0 0.0.63.255 (match 200)
3. ip access-list 198 permit ip any any (match 500)
So, for the above we can see that 150 packets were forwarded matching statement 1, 200 were dropped matching statement 2, and 500 packets were forwarded matching statement 3.
Note down these initial counts, then ping again from the 172.x network to any 10.x network. After that, look at the match counts again: if none of the counts is increasing, it means the packet is not coming to this interface and is being forwarded from somewhere else; if some counter has increased, you can see by which statement it is being forwarded, or why it is not matching our statement number 2.
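Added example (not from the thread or from Cisco): a small Python model of first-match ACL evaluation with per-entry hit counters, the way `show ip access-list` reports matches. It applies the wildcard-mask matching to the poster's ACL 199 as posted and to the corrected ACL 198 sketched in the previous reply, and implements the counter-snapshot comparison described above. The test traffic (a host 172.0.0.5 pinging 10.0.20.1 and the ASA at 10.0.13.2) is constructed for illustration. Note that a /23 corresponds to wildcard 0.0.1.255; the poster's 0.0.7.255 is a /21.

```python
"""First-match ACL evaluation with wildcard masks and hit counters (added example)."""
import ipaddress
from dataclasses import dataclass

ANY = ("0.0.0.0", "255.255.255.255")   # Cisco "any": every bit is a don't-care bit


def host(ip: str) -> tuple:
    """Cisco "host x.x.x.x" is address x.x.x.x with wildcard 0.0.0.0."""
    return (ip, "0.0.0.0")


def wildcard_to_prefixlen(wildcard: str) -> int:
    """Wildcard masks are inverted netmasks: 0.0.1.255 -> /23, 0.0.63.255 -> /18."""
    inverted = int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF
    netmask = str(ipaddress.IPv4Address(inverted))
    # IPv4Network raises ValueError if the resulting netmask is not contiguous.
    return ipaddress.IPv4Network(("0.0.0.0", netmask)).prefixlen


def _wc_match(base: str, wildcard: str, addr: str) -> bool:
    """A set bit in the wildcard means 'don't care'; compare only the other bits."""
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(base)) & care)


@dataclass
class Entry:
    action: str          # "permit" or "deny"
    src: str
    src_wc: str
    dst: str
    dst_wc: str
    hits: int = 0

    def matches(self, src_ip: str, dst_ip: str) -> bool:
        return _wc_match(self.src, self.src_wc, src_ip) and _wc_match(self.dst, self.dst_wc, dst_ip)


class Acl:
    def __init__(self, number: int, entries):
        self.number = number
        self.entries = list(entries)
        self.implicit_deny_hits = 0

    def evaluate(self, src_ip: str, dst_ip: str):
        """Return (action, 1-based entry number); the first matching entry wins.
        No match falls through to the implicit deny, reported with entry None."""
        for idx, entry in enumerate(self.entries, 1):
            if entry.matches(src_ip, dst_ip):
                entry.hits += 1
                return entry.action, idx
        self.implicit_deny_hits += 1
        return "deny", None

    def show(self) -> str:
        """Render the ACL roughly like `show ip access-list`, with match counts."""
        lines = [f"Extended IP access list {self.number}"]
        for seq, e in enumerate(self.entries, 1):
            lines.append(f"    {seq * 10} {e.action} ip {e.src} {e.src_wc} {e.dst} {e.dst_wc} ({e.hits} matches)")
        return "\n".join(lines)


def acl_199_as_posted() -> Acl:
    """ACL 199 exactly as the poster applied it inbound on the 172.x-facing VLAN."""
    return Acl(199, [
        Entry("deny", *ANY, "10.0.12.0", "0.0.0.255"),
        Entry("deny", "10.0.14.0", "0.0.0.255", "10.0.63.0", "0.0.0.255"),
        Entry("permit", *ANY, *ANY),
    ])


def acl_198_intended() -> Acl:
    """The policy the poster described: 172.0.0.0/23 may reach only the ASA at 10.0.13.2
    inside 10.0.0.0/18; everything else is permitted (as in the reply's sketch)."""
    return Acl(198, [
        Entry("permit", "172.0.0.0", "0.0.1.255", *host("10.0.13.2")),
        Entry("deny", "172.0.0.0", "0.0.1.255", "10.0.0.0", "0.0.63.255"),
        Entry("permit", *ANY, *ANY),
    ])


def hits_snapshot(acl: Acl) -> list:
    return [e.hits for e in acl.entries]


def changed_entries(before: list, after: list) -> list:
    """1-based entry numbers whose counter rose between two snapshots of the same ACL."""
    return [i + 1 for i, (b, a) in enumerate(zip(before, after)) if a > b]


if __name__ == "__main__":
    acl = acl_198_intended()
    before = hits_snapshot(acl)
    for _ in range(5):                         # constructed: a five-packet ping burst
        acl.evaluate("172.0.0.5", "10.0.20.1")
    print(acl.show())
    print("entries that counted the ping:", changed_entries(before, hits_snapshot(acl)))
```

Running the script shows the ping burst landing on entry 2 of the corrected ACL, which is exactly the counter movement the reply suggests watching for. Evaluating the same packet against ACL 199 as posted returns a permit from the final `permit ip any any`, since neither deny covers a 172.x source to a 10.0.20.x destination.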