Buy or Renew
Buy or Renew
NOTICE: The community will be in READ-ONLY Sept. 6 – 9 to add Umbrella release notes and announcements. Learn more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
367
Views
5
Helpful
3
Replies

Why does this ACL command work but this other one not work?

Go to solution
John Robinson IV
Level 1
Level 1

‎09-15-2022 07:51 AM

Scenario: Interface Vlan 200 has an An ACL on it with this command (these names are made up so bear with me).

 

 

 

ip access-group ACL-Block-Stuff-IN in

 

 

 

We want data to travel to remote server at 2.2.2.2 to an endpoint at 192.168.1.237 as well as from that endpoint back to the server over port 9000.

Here's part of the ACL

 

 

Extended IP access list ACL-Block-Stuff-IN
10 permit icmp any any echo
20 permit icmp any any echo-reply
30 deny ip any 10.0.0.0 0.0.0.255 
40 deny ip any 172.16.0.0 0.15.255.255
50 deny ip any 172.38.0.0 0.0.255.255
60 permit ip 192.168.1.0 0.0.0.255 any

 

 

 With this ACL ping works, and data over port 9000 can go into the vlan interface subnet, but there is no reply from the device, even though "Any" should be allowed

Now this is the altered ACL which explicitly allows that traffic over that port. 

 

 

Extended IP access list ACL-Block-Stuff-IN
10 permit icmp any any echo
20 permit icmp any any echo-reply
25 permit tcp host 192.168.1.237 eq 9000 host 2.2.2.2
30 deny ip any 10.0.0.0 0.0.0.255 
40 deny ip any 172.16.0.0 0.15.255.255
50 deny ip any 172.38.0.0 0.0.255.255
60 permit ip 192.168.1.0 0.0.0.255 any

 

 

This of course, works. I've dumbed down the ACLs quite a bit and provided fake IPs but this is generally what they look like. I know why the second works. There is an explicit allowance for that IP to reach that host over that port (9000 in this case). 

My confusion and question is why the first doesn't allow for replies even though "192.168.1.0/24" is allowed to reach "ANY" IP under on line 60. Shouldn't data flow to and from it freely (sans the previous deny statements) with that command? I'm confused why it does not, but when I explicitly allow it, it works. 

I know this seems like a basic ACL question but its one of those things that some clarity would help a great deal on. Thank you. 

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
John Robinson IV
Level 1
Level 1
In response to MHM Cisco World

‎09-15-2022 11:48 AM

No, it works when like this. However, I found the issue. It actually turned out to be something so silly. 

there is a deny for the private addresses in the 172.16.x.x range

the original IPs actually has a 170.30.x.x. IP (not the made up 2.2.2.2 I used for this example). I overlooked that the 170.30.x.x falls in the private IP range that is denied, which is why the second one worked (notice that the statement is above the denies)

For shame. 

View solution in original post

3 Replies 3

Go to solution
MHM Cisco World
VIP
VIP

‎09-15-2022 07:58 AM 

25 permit tcp host 192.168.1.237 eq 9000 host 2.2.2.2

I think the server is use 9000 not the client and the client use unknown port, 
so you need to change the port form be source to be destination

0 Helpful

Go to solution
John Robinson IV
Level 1
Level 1
In response to MHM Cisco World

‎09-15-2022 11:48 AM

No, it works when like this. However, I found the issue. It actually turned out to be something so silly. 

there is a deny for the private addresses in the 172.16.x.x range

the original IPs actually has a 170.30.x.x. IP (not the made up 2.2.2.2 I used for this example). I overlooked that the 170.30.x.x falls in the private IP range that is denied, which is why the second one worked (notice that the statement is above the denies)

For shame. 

Go to solution
MHM Cisco World
VIP
VIP
In response to John Robinson IV

‎09-15-2022 11:57 AM

Glad your issue solve.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card