3572 Views, 0 Helpful, 19 Replies

Cisco Access List Help

Chris Whiteley
Level 1

Hey All,

I am trying to set up access lists on my switch and I keep making mistakes, and now I am even more confused than ever. Here is what I have and what I am trying to protect.

Internal Network - 10.0.0.0/18 (10.0.0.0 - 10.0.63.255)

DHCP from Cisco 3550 DHCP pool addresses - 172.0.0.0/23

My Cisco asa will sit on the network at 10.0.13.2 (VLAN13)

I want to deny traffic from 172.0.0.0/23 to everything on the internal network except the 10.0.13.2 address

I want to also deny all traffic from the internal network out to the 172.x.x.x network.

Here is what I currently have

access-list 198 deny ip any 172.0.0.0 0.0.7.255

access-list 198 permit ip any any

access-list 199 deny ip any 10.0.12.0 0.0.0.255

access-list 199 deny ip 10.0.14.0 0.0.0.255 10.0.63.0 0.0.0.255

access-list 199 permit ip any any

Then on my vlans I have

Inside access VLAN 4

ip helper address 10.x.x.x

access-group 198 in

Outside Access VLAN 6

access-group 199 in

From the 10.x.x.x address space I cannot ping the 172.x.x.x address space, however I can ping from the 172.x.x.x into the 10.x.x.x address space.

Any help would be much appreciated. Thanks!

Message was edited by: Chris Whiteley

19 Replies

So just so I am clear...on the actual trunk port itself, use the access list?

Yes... You are correct....

By Karthik

Your SVI shouldn't ping from any of the internal VLANs.

As any packet coming from 172.x network will go from VLAN480 where access-list will drop the packet before routing.

You can do one thing: with the 'show ip access-list 198' command, we can check which statement the ping is matching, or that it is not matching, by looking at the number of times each statement has been matched.

Based on that evaluation, we can conclude something.

It returned about 24,000 results on the access list 198

For each statement in your access-list 198, it will show a match count. For example,

1. access-list 198 permit ip 172.0.0.0 0.0.1.255 host 10.0.13.2 (150 matches)

2. access-list 198 deny ip 172.0.0.0 0.0.1.255 10.0.0.0 0.0.63.255 (200 matches)

3. access-list 198 permit ip any any (500 matches)

So, from the above we can see that 150 packets were forwarded matching statement 1, 200 were dropped matching statement 2, and 500 packets were forwarded matching statement 3.

Note down these initial counts, then ping again from the 172.x network to any 10.x network. After that, look at the match counts again: if none of the counts is increasing, the packet is not arriving at this interface and is being forwarded from somewhere else; if some counter has increased, you can see by which statement it is being forwarded, or why it is not matching our statement number 2.
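Because the 3550 cannot run the ACL for us here, the following is an added example (written for this thread, not posted by Chris or Karthik) that parses numbered extended ACL lines of the form used above, evaluates a source/destination pair against them with proper wildcard-mask semantics, and keeps per-statement match counters like 'show ip access-list'. The two ACLs in it are constructed from the original post's stated goals, not copied from the switch: one for inbound on the SVI of the 172.0.0.0/23 DHCP VLAN (permit only the ASA at 10.0.13.2, deny the rest of 10.0.0.0/18), one for inbound on the internal VLAN SVIs. Since these ACLs are stateless, the internal-side list adds a permit for host 10.0.13.2 back to 172.0.0.0/23 ahead of the deny; without it the ASA's replies would be dropped. The flows and their addresses are made up for the demonstration.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class AclEntry:
    action: str        # "permit" or "deny"
    src: tuple         # (network as int, wildcard as int)
    dst: tuple
    text: str          # original line, kept for the counter display
    matches: int = 0


def _parse_addr(tokens, i):
    """Consume one address spec at tokens[i]: 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W'."""
    tok = tokens[i]
    if tok == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tok == "host":
        return (int(ipaddress.IPv4Address(tokens[i + 1])), 0), i + 2
    net = int(ipaddress.IPv4Address(tok))
    wildcard = int(ipaddress.IPv4Address(tokens[i + 1]))
    return (net, wildcard), i + 2


def parse_acl(lines):
    """Parse 'access-list N permit|deny ip SRC DST' lines into an ordered entry list."""
    entries = []
    for line in lines:
        t = line.split()
        if len(t) < 5 or t[0] != "access-list" or t[3] != "ip":
            raise ValueError(f"unsupported line: {line}")
        src, i = _parse_addr(t, 4)
        dst, _ = _parse_addr(t, i)
        entries.append(AclEntry(t[2], src, dst, line))
    return entries


def _in_range(addr, spec):
    """Wildcard bits set to 1 are 'don't care'; bits set to 0 must equal the network."""
    net, wildcard = spec
    return (addr & ~wildcard & 0xFFFFFFFF) == (net & ~wildcard & 0xFFFFFFFF)


def evaluate(entries, src, dst):
    """First-match evaluation; returns (action, index). Index None = implicit deny."""
    s = int(ipaddress.IPv4Address(src))
    d = int(ipaddress.IPv4Address(dst))
    for idx, e in enumerate(entries):
        if _in_range(s, e.src) and _in_range(d, e.dst):
            e.matches += 1
            return e.action, idx
    return "deny", None  # every IOS ACL ends with an implicit deny


def show_counters(entries):
    """Render entries the way 'show ip access-list' annotates them."""
    return [f"{e.text} ({e.matches} matches)" for e in entries]


def simulate(acl_lines, flows):
    """Parse a fresh copy of the ACL, run each (src, dst) flow, return decisions and counters."""
    entries = parse_acl(acl_lines)
    decisions = [evaluate(entries, s, d) for s, d in flows]
    return decisions, show_counters(entries)


# Constructed: inbound on the 172.0.0.0/23 DHCP VLAN SVI (note the /23 wildcard is 0.0.1.255).
DHCP_VLAN_IN_ACL = [
    "access-list 198 permit ip 172.0.0.0 0.0.1.255 host 10.0.13.2",
    "access-list 198 deny ip 172.0.0.0 0.0.1.255 10.0.0.0 0.0.63.255",
    "access-list 198 permit ip any any",
]

# Constructed: inbound on the internal VLAN SVIs; the host permit is the stateless-ACL
# caveat so the ASA at 10.0.13.2 can answer the DHCP clients it is allowed to receive from.
INTERNAL_VLAN_IN_ACL = [
    "access-list 199 permit ip host 10.0.13.2 172.0.0.0 0.0.1.255",
    "access-list 199 deny ip 10.0.0.0 0.0.63.255 172.0.0.0 0.0.1.255",
    "access-list 199 permit ip any any",
]

# Constructed sample flows (source, destination).
DHCP_FLOWS = [("172.0.1.10", "10.0.13.2"), ("172.0.1.10", "10.0.20.5"),
              ("172.0.1.10", "8.8.8.8"), ("172.0.2.1", "10.0.20.5")]
INTERNAL_FLOWS = [("10.0.13.2", "172.0.1.10"), ("10.0.20.5", "172.0.1.10"),
                  ("10.0.20.5", "10.0.30.1")]

if __name__ == "__main__":
    for name, acl, flows in (("198", DHCP_VLAN_IN_ACL, DHCP_FLOWS),
                             ("199", INTERNAL_VLAN_IN_ACL, INTERNAL_FLOWS)):
        decisions, counters = simulate(acl, flows)
        for (s, d), (action, idx) in zip(flows, decisions):
            print(f"ACL {name}: {s} -> {d}: {action} (statement {idx})")
        print("\n".join(counters))
```

The last DHCP flow shows why the wildcard matters: 172.0.2.1 lies outside 172.0.0.0/23, so it falls through to the final permit rather than the deny, exactly the kind of thing the counters reveal when a ping unexpectedly gets through.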
