Sanity check

Unanswered Question
Jun 15th, 2007

Sorry for a silly question, I just want to make sure this is in order: for me to open up everything on a subnet, all I need to do on my access-list is change from:

permit tcp host host

to:

permit ip host host

and this will not block anything, no ports or anything, wide open?

Richard Burts Fri, 06/15/2007 - 07:52


Yes, the first version of the access list would permit TCP traffic (but not UDP, ICMP, etc) and the second version of the access list will permit any IP traffic between those hosts - no port restrictions or anything - wide open for those hosts.



wgranada1 Fri, 06/15/2007 - 07:55

Thank you Rick for answering my question. I am having an rsync issue between those two devices where rsync just hangs, but I can telnet, ping and ssh to it. Anyway, thank you!!!

r.repas Fri, 06/15/2007 - 08:41


I see one of the hosts is using private addressing and the other public. Is NAT involved? If so, perhaps an rsync initiated by the outside host can't get through the NAT. You should be able to overcome this with a static NAT translation.

Also, are you using encryption for rsync? Perhaps it's using ESP or AHP (à la IPsec). You may need to explicitly permit those protocols in your ACL as well.

BTW, some older versions of IOS even required ICMP to be explicitly permitted. Newer versions permit ICMP when you permit the IP suite as a whole.

Thanks, Robin.
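To make Rick's point (tcp-only vs. ip) and Robin's (ESP/AHP must be permitted separately) concrete, here is a small first-match evaluator for extended ACL entries. It is an added example, not code from this thread or from Cisco; the hosts 10.0.0.5 and 198.51.100.7 are constructed placeholders, and it models the newer-IOS behaviour where "ip" covers ICMP too.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:
    proto: str                   # "tcp", "udp", "icmp", "esp", "ahp"
    src: str
    dst: str
    dport: Optional[int] = None  # destination port, tcp/udp only

def parse_ace(line: str) -> dict:
    """Parse 'permit|deny <proto> host S host D [eq PORT]' into fields."""
    t = line.split()
    ace = {"action": t[0], "proto": t[1], "src": t[3], "dst": t[5], "dport": None}
    if len(t) >= 8 and t[6] == "eq":
        ace["dport"] = int(t[7])
    return ace

def ace_matches(ace: dict, pkt: Packet) -> bool:
    # "ip" matches every IP protocol; any other keyword must equal the
    # packet's protocol exactly, so ICMP, UDP, ESP and AH miss a tcp entry.
    if ace["proto"] != "ip" and ace["proto"] != pkt.proto:
        return False
    if (ace["src"], ace["dst"]) != (pkt.src, pkt.dst):
        return False
    return ace["dport"] is None or ace["dport"] == pkt.dport

def evaluate(acl: list, pkt: Packet) -> str:
    """First matching entry wins; an IOS ACL ends in an implicit deny."""
    for line in acl:
        if ace_matches(parse_ace(line), pkt):
            return line.split()[0]
    return "deny"

A, B = "10.0.0.5", "198.51.100.7"  # constructed placeholder hosts
ACL_TCP_ONLY = [f"permit tcp host {A} host {B}"]
ACL_ANY_IP = [f"permit ip host {A} host {B}"]
# Least-privilege alternative: just rsync over SSH, rsyncd, and IPsec.
ACL_TIGHT = [f"permit tcp host {A} host {B} eq 22",
             f"permit tcp host {A} host {B} eq 873",
             f"permit esp host {A} host {B}",
             f"permit ahp host {A} host {B}"]

SAMPLE = {  # constructed traffic from A to B
    "rsyncd": Packet("tcp", A, B, 873), "ssh": Packet("tcp", A, B, 22),
    "ping": Packet("icmp", A, B), "esp": Packet("esp", A, B),
    "dns": Packet("udp", A, B, 53),
}

def results(acl: list) -> dict:
    """Verdict per sample flow, e.g. results(ACL_TCP_ONLY)['ping'] == 'deny'."""
    return {name: evaluate(acl, p) for name, p in SAMPLE.items()}
```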

wgranada1 Fri, 06/15/2007 - 08:52

Hi Robin;

I believe this is a static NAT, but let me double check to be sure. Maybe you've seen this before; here is the error message I get:

ieschi1: Connection timed out

rsync: connection unexpectedly closed (0 bytes read so far)

rsync error: error in rsync protocol data stream (code 12) at io.c(342)

Thank you in advance for your help!!!
