is this a valid access-list?

CCDECCDE9
Level 1
Level 1

ip access-list extended new
 5 permit 10.32.52.6 0.0.0.0 172.27.200.100 0.0.0.0
 6 deny 10.32.52.0 0.0.0.255 172.27.200.100 0.0.0.0
 7 permit 10.32.52.0 0.0.0.255 172.27.200.100 0.0.0.0

route-map newnew permit 5
 match ip address new
 set ip next-hop 10.32.254.5

interface fa3/1
 ip address 100.100.100.1 255.255.255.252
 ip policy route-map newnew

ip route 172.27.200.0 255.255.255.0 144.1.4.85

With the above config, the source 10.32.52.6 is able to ping 172.27.200.100, but 172.27.200.100 is not able to ping 10.32.52.6. If I use the command "ip route 172.27.200.0 255.255.255.0 10.32.254.5", ping works both ways. I am trying to get this two-way ping working using the route map matching the above access-list and have had no success. This config is being used on a Cisco 4006 switch. Any ideas?

4 Replies

mcarnahan
Level 1
Level 1

It's hard to say without seeing the rest of the config. You don't show any info pertaining to the 10.32.54.0 network other than in the access list. Do you have a route for that network, or is it on one of your interfaces? And where is 144.1.4.85? Is that an interface IP?

Also, line 7 of your access-list is never going to be applied, as that traffic is denied by line 6, and I think you meant to specify the return traffic like this:

ip access-list extended new
 5 permit 10.32.52.6 0.0.0.0 172.27.200.100 0.0.0.0
 6 deny 10.32.52.0 0.0.0.255 172.27.200.100 0.0.0.0
 7 permit 172.27.200.100 0.0.0.0 10.32.52.0 0.0.0.255

That's the best I can do without seeing the rest of your config.

10.32.254.5 and 144.1.4.85 are VPN routers that are part of VLAN interfaces on this 4006 switch.

172.27.200.0 is terminating on these two VPN routers for 2 different tunnels. 10.32.0.0/16 is behind 10.32.254.5 and 144.1.0.0/16 is behind 144.1.4.85.

Rick Morris
Level 6
Level 6

A couple of things I see:

ip access-list extended new
 5 permit 10.32.52.6 0.0.0.0 172.27.200.100 0.0.0.0
 6 deny 10.32.52.0 0.0.0.255 172.27.200.100 0.0.0.0
 7 permit 10.32.52.0 0.0.0.255 172.27.200.100 0.0.0.0

You are denying the traffic and then permitting it. You will never get to the permit, because the ACL is read top-down and it will stop at the deny. So traffic from 10.32.52.0/24 to 172.27.200.100 is being denied.

You are only showing lines 5-7. What are lines 1-4, and are there any other lines after 7?
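As an added illustration (not code from the thread), a small Python model of IOS first-match ACL evaluation with wildcard masks and of the route-map's permit/deny behaviour, using the ACL entries and next hop posted above; the pairwise shadow check and the test addresses are constructed here and are not part of the original posts.

```python
import ipaddress

# Constructed from the ACL posted in this thread:
# (seq, action, src, src-wildcard, dst, dst-wildcard)
ACL_NEW = [
    (5, "permit", "10.32.52.6", "0.0.0.0",   "172.27.200.100", "0.0.0.0"),
    (6, "deny",   "10.32.52.0", "0.0.0.255", "172.27.200.100", "0.0.0.0"),
    (7, "permit", "10.32.52.0", "0.0.0.255", "172.27.200.100", "0.0.0.0"),
]
PBR_NEXT_HOP = "10.32.254.5"  # 'set ip next-hop' in route-map newnew

def _ip(s):
    return int(ipaddress.IPv4Address(s))

def wildcard_match(addr, base, wildcard):
    """IOS wildcard mask: a 1 bit means 'don't care', a 0 bit must match."""
    fixed = ~_ip(wildcard) & 0xFFFFFFFF
    return (_ip(addr) & fixed) == (_ip(base) & fixed)

def covers(base_a, wc_a, base_b, wc_b):
    """True if every address matched by (base_b, wc_b) is also matched by (base_a, wc_a)."""
    fixed_a = ~_ip(wc_a) & 0xFFFFFFFF
    # b may only vary where a varies, and b's fixed bits must agree with a's.
    return (_ip(wc_b) & fixed_a) == 0 and (_ip(base_b) & fixed_a) == (_ip(base_a) & fixed_a)

def evaluate(acl, src, dst):
    """Top-down, first match wins; the implicit deny at the end is reported as (None, 'deny')."""
    for seq, action, s, sw, d, dw in acl:
        if wildcard_match(src, s, sw) and wildcard_match(dst, d, dw):
            return seq, action
    return None, "deny"

def shadowed_entries(acl):
    """Sequence numbers that can never be hit because a single earlier entry
    already covers all of their traffic (pairwise check, a simplification)."""
    shadowed = []
    for i, (seq_j, _, sj, swj, dj, dwj) in enumerate(acl):
        for (_, _, si, swi, di, dwi) in acl[:i]:
            if covers(si, swi, sj, swj) and covers(di, dwi, dj, dwj):
                shadowed.append(seq_j)
                break
    return shadowed

def pbr_next_hop(src, dst):
    """Route-map 'newnew permit 5': an ACL permit applies the set clause; an ACL deny
    (explicit or implicit) falls through to normal destination routing (None)."""
    _, action = evaluate(ACL_NEW, src, dst)
    return PBR_NEXT_HOP if action == "permit" else None

if __name__ == "__main__":
    print("shadowed entries:", shadowed_entries(ACL_NEW))
    print("10.32.52.6 -> 172.27.200.100:", pbr_next_hop("10.32.52.6", "172.27.200.100"))
    print("10.32.52.9 -> 172.27.200.100:", pbr_next_hop("10.32.52.9", "172.27.200.100"))
    print("172.27.200.100 -> 10.32.52.6:", pbr_next_hop("172.27.200.100", "10.32.52.6"))
```

Entry 7 is reported as shadowed by entry 6, and the return traffic from 172.27.200.100 never matches the ACL at all, so the route map cannot steer it regardless of which interface it is applied to.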

mcarnahan
Level 1
Level 1

If you want this route map to apply in both directions, then you have to apply the 'ip policy route-map newnew' to the interface that is receiving the traffic from 172.27.200.100. Try that and see.
