09-22-2009 05:58 AM - edited 03-06-2019 07:50 AM
Greetings:
Confused. When I created the following ACL:
access-list 150 permit ip 10.233.0.0 0.0.0.255 host 172.16.5.30
access-list 150 permit ip 10.233.0.0 0.0.0.255 host 10.1.7.136
access-list 150 permit ip 10.233.0.0 0.0.0.255 host 10.1.7.137
access-list 150 permit ip 10.233.0.0 0.0.0.255 host 10.1.7.139
access-list 150 permit ip 10.233.0.0 0.0.0.255 host 10.1.4.43
access-list 150 permit ip 10.233.0.0 0.0.0.255 host 172.28.0.7
access-list 150 permit ip 10.233.0.0 0.0.0.255 host 172.28.0.75
access-list 150 permit ip 10.233.0.0 0.0.0.255 host 172.28.0.110
access-list 150 permit ip 10.233.0.0 0.0.0.255 host 172.28.0.111
access-list 150 permit ip 10.233.0.0 0.0.0.255 host 172.16.5.143
access-list 150 permit ip 10.233.0.0 0.0.0.255 host 172.16.5.142
access-list 150 permit ip 10.233.0.0 0.0.0.255 host 172.16.5.147
access-list 150 deny ip any any
and apply it to the WAN interface as:
ip access-group 150 in
I cannot ping the 10.233.x.x network and they can't ping the router's WAN ip (10.223.0.7)
As soon as I remove the ACL - normal connectivity resumes - but no protection using acl-150.
What am I missing? Thanks
09-22-2009 06:29 AM
Hi, iholdings
>>I cannot ping the 10.233.x.x network
>>access-list 150 deny ip any any
You deny ip any any, so the packets whose source address is not in the host list (172.x-10.x) will be dropped.
When you ping 10.233.0.x from another peer, the ICMP return from 10.233.0.x will be dropped; a packet analyzer will capture the ICMP type 3 code 13 packets.
09-22-2009 06:36 AM
So I have the access-group applied correctly on the right interface and the right direction - but need to adjust the acl 150 - how?
I simply need to allow 10.223.x.x access to the listed hosts under acl 150 - but disallow all other access to networks behind the LAN interface. Thanks.
09-22-2009 08:29 AM
Before the line deny ip any any, add a line for permit icmp any any:
access-list 150 permit ip 10.233.0.0 0.0.0.255 host 172.16.5.147
access-list 150 permit icmp any any
access-list 150 deny ip any any
09-22-2009 09:13 AM
That did the trick!! Thanks
09-22-2009 09:18 AM
Great, this post can be marked resolved then.
09-22-2009 07:25 AM
>>I cannot ping the 10.233.x.x network --- 10.233.x.x or 10.233.0.x? x.x will widen the range.
If you put the access-list under the router's interface 10.223.0.x 255.255.255.0 inbound, then when you ping from a device whose IP address is not in the listed hosts, it will be denied; if you ping from a device whose IP address is in the listed hosts, it will be allowed.
09-22-2009 07:29 AM
>>they can't ping the router's WAN ip (10.223.0.7)
add one entry
access-list 150 permit ip 10.233.0.0 0.0.0.255 host 10.223.0.7
Hope it works.
Yang
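To see why the original ACL drops the ping replies and how each of the two fixes in this thread (the permit icmp any any line and the extra host 10.223.0.7 entry) changes the outcome, here is an added example that is not from the original thread or from Cisco: a small first-match ACL evaluator in Python that understands the host / any / wildcard-mask syntax used in the posts above. The ACL text is a shortened copy of the one posted; the packet addresses (10.233.0.5, 10.233.1.5, 192.0.2.9, 10.1.4.44) are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class AclEntry:
    action: str   # "permit" or "deny"
    proto: str    # "ip" matches every protocol; "icmp" only ICMP
    src_net: int  # source address as an int
    src_wild: int # source wildcard mask (1 bits = don't care)
    dst_net: int
    dst_wild: int


def _parse_addr(tokens):
    """Consume one address spec: 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W'.
    Returns (network, wildcard, remaining tokens)."""
    if tokens[0] == "any":
        return 0, 0xFFFFFFFF, tokens[1:]
    if tokens[0] == "host":
        return int(ipaddress.IPv4Address(tokens[1])), 0, tokens[2:]
    net = int(ipaddress.IPv4Address(tokens[0]))
    wild = int(ipaddress.IPv4Address(tokens[1]))
    return net, wild, tokens[2:]


def parse_acl(lines):
    """Parse numbered 'access-list N permit|deny proto SRC DST' lines, in order."""
    entries = []
    for line in lines:
        t = line.split()
        if not t or t[0] != "access-list":
            continue
        action, proto = t[2], t[3]          # t[1] is the list number (150)
        src_net, src_wild, rest = _parse_addr(t[4:])
        dst_net, dst_wild, _ = _parse_addr(rest)
        entries.append(AclEntry(action, proto, src_net, src_wild, dst_net, dst_wild))
    return entries


def _matches(net, wild, addr):
    # Wildcard-mask semantics: only the bits that are 0 in the mask are compared.
    care = ~wild & 0xFFFFFFFF
    return (net & care) == (addr & care)


def evaluate(entries, proto, src, dst):
    """First matching entry wins; an unmatched packet hits the implicit deny."""
    s = int(ipaddress.IPv4Address(src))
    d = int(ipaddress.IPv4Address(dst))
    for e in entries:
        if e.proto != "ip" and e.proto != proto:
            continue
        if _matches(e.src_net, e.src_wild, s) and _matches(e.dst_net, e.dst_wild, d):
            return e.action
    return "deny"


# Shortened copy of the ACL from the thread (constructed subset of the 12 hosts).
ORIGINAL_ACL = [
    "access-list 150 permit ip 10.233.0.0 0.0.0.255 host 172.16.5.30",
    "access-list 150 permit ip 10.233.0.0 0.0.0.255 host 10.1.4.43",
    "access-list 150 permit ip 10.233.0.0 0.0.0.255 host 172.16.5.147",
    "access-list 150 deny ip any any",
]
# Fix 1 from the thread: permit icmp any any inserted before the final deny.
WITH_ICMP_ANY = ORIGINAL_ACL[:-1] + ["access-list 150 permit icmp any any"] + ORIGINAL_ACL[-1:]
# Fix 2 from the thread: a host entry for the router's WAN address 10.223.0.7.
WITH_WAN_HOST = ORIGINAL_ACL[:-1] + [
    "access-list 150 permit ip 10.233.0.0 0.0.0.255 host 10.223.0.7"] + ORIGINAL_ACL[-1:]


def check(acl_lines, proto, src, dst):
    """Evaluate one inbound packet (seen on the WAN interface) against an ACL."""
    return evaluate(parse_acl(acl_lines), proto, src, dst)


if __name__ == "__main__":
    # Echo reply coming back to the router's own WAN address: denied by the original ACL.
    print(check(ORIGINAL_ACL, "icmp", "10.233.0.5", "10.223.0.7"))   # deny
    print(check(WITH_WAN_HOST, "icmp", "10.233.0.5", "10.223.0.7"))  # permit
    print(check(WITH_ICMP_ANY, "icmp", "10.233.0.5", "10.223.0.7"))  # permit
    # 0.0.0.255 covers 10.233.0.x only, as noted in the thread; 10.233.1.x is not matched.
    print(check(ORIGINAL_ACL, "icmp", "10.233.1.5", "172.16.5.30"))  # deny
```

The evaluator reproduces the symptom: the echo request from 10.233.0.5 to a listed host is permitted, but the reply addressed to the router's WAN IP 10.223.0.7 matches no permit line and falls to deny ip any any. The two fixes differ in scope, which is worth checking before choosing one: the host entry permits only 10.233.0.x to 10.223.0.7, whereas permit icmp any any lets ICMP from any source reach any destination behind the LAN interface, including hosts that are not in the list.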
09-22-2009 09:15 AM
Yang,
That worked. Thanks for your help.