ACL

Unanswered Question
Aug 10th, 2007
Can anyone help me write an acl to allow tftp access between these subnets:

10.1.21.0
10.1.33.0
10.1.31.0
10.1.45.0
10.1.34.0
10.1.41.0
10.1.42.0
10.1.44.0

and this box - 10.1.255.250


Thanks so much!!

Becky

Jon Marshall Fri, 08/10/2007 - 11:49
User Badges:
  • Super Blue, 32500 points or more
  • Hall of Fame, Founding Member
  • Cisco Designated VIP, 2017 LAN, WAN

Hi Becky


A little more information would help, but assuming that all the above networks have a Class C subnet mask:


access-list 101 permit udp 10.1.21.0 255.255.255.0 host 10.1.255.250 eq tftp

access-list 101 permit udp 10.1.31.0 255.255.255.0 host 10.1.255.250 eq tftp

etc...



Then you need to apply it to the interface that is connected to the 10.1.255.250 subnet eg


int fa0/1

ip access-group 101 out


You apply it in an outbound direction.


One thing to be aware of is that there is an implicit deny at the end of any access-list so if you apply this access-list the ONLY traffic allowed onto that subnet (10.1.255.0/24) is tftp traffic from those subnets to that specific host which is maybe not what you want.


This has given you an idea of how to do access-lists etc., but before you try and implement anything could you come back with the full set of requirements, i.e.


1) subnets masks

2) what other traffic you would like to allow/deny onto the 10.1.255.0/24 subnet.


Jon

mccullrrcisco Fri, 08/10/2007 - 14:15
Hi Jon,


The reason I am asking is because I have a Wireless LAN Solution Engine (10.1.255.250) and am trying to back up the config of my Access Points, and when trying to run the Archive Job it fails, stating that I should make sure TFTP traffic is allowed between the WLSE and the APs.


Becky

sundar.palaniappan Fri, 08/10/2007 - 14:24
User Badges:
  • Green, 3000 points or more

Becky,


I believe Jon accidentally put the subnet mask instead of the wildcard mask in the ACL, and I don't know if that's the configuration you used, which would have resulted in communication failure with the TFTP server. Reconfigure like this:


access-list 101 permit udp 10.1.21.0 0.0.0.255 host 10.1.255.250 eq tftp

access-list 101 permit udp 10.1.31.0 0.0.0.255 host 10.1.255.250 eq tftp


HTH


Sundar
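To make the two points in this thread concrete (Jon's note that an applied access-list ends in an implicit deny, and Sundar's correction that IOS extended ACLs take a wildcard mask, not a subnet mask), here is a small added Python model of IOS ACL matching. It is example code written for this page, not anything from Cisco or from the posters. It assumes, as Jon did, that every subnet is a /24, and it uses a constructed access point address 10.1.21.5 and a constructed ephemeral port 51234; the WLSE address and subnet list are the ones Becky gave.

```python
# Added example: a minimal model of Cisco IOS extended-ACL matching, built to show
# why the subnet-mask/wildcard-mask mix-up in the thread breaks TFTP to the WLSE.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Subnets and the WLSE host from the thread; the /24 mask is Jon's assumption.
SUBNETS = ["10.1.21.0", "10.1.33.0", "10.1.31.0", "10.1.45.0",
           "10.1.34.0", "10.1.41.0", "10.1.42.0", "10.1.44.0"]
WLSE = "10.1.255.250"
PORT_NAMES = {"tftp": 69}   # only the port name the thread uses


def subnet_to_wildcard(mask: str) -> str:
    """Invert a dotted subnet mask into the wildcard mask IOS ACLs expect."""
    return ".".join(str(255 - int(octet)) for octet in mask.split("."))


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS semantics: a 1 bit in the wildcard means 'don't care', a 0 bit must match."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = 0xFFFFFFFF ^ w
    return (a & care) == (b & care)


@dataclass
class Ace:
    action: str              # "permit" or "deny"
    proto: str               # "udp", "tcp", "icmp" or "ip" (any)
    src: str
    src_wc: str
    dst: str
    dst_wc: str
    dst_port: Optional[int]  # None means any destination port


def _parse_addr(tokens, i):
    """Consume 'any' | 'host A' | 'A WILDCARD' starting at tokens[i]."""
    if tokens[i] == "any":
        return "0.0.0.0", "255.255.255.255", i + 1
    if tokens[i] == "host":
        return tokens[i + 1], "0.0.0.0", i + 2
    return tokens[i], tokens[i + 1], i + 2


def parse_ace(line: str) -> Ace:
    """Parse one 'access-list N permit|deny PROTO SRC DST [eq PORT]' line."""
    t = line.split()
    if t[0] != "access-list":
        raise ValueError(f"not an access-list line: {line!r}")
    action, proto = t[2], t[3]
    src, src_wc, i = _parse_addr(t, 4)
    dst, dst_wc, i = _parse_addr(t, i)
    dst_port = None
    if i < len(t) and t[i] == "eq":
        name = t[i + 1]
        dst_port = PORT_NAMES[name] if name in PORT_NAMES else int(name)
    return Ace(action, proto, src, src_wc, dst, dst_wc, dst_port)


def evaluate(acl: List[Ace], proto: str, src: str, dst: str,
             dst_port: Optional[int] = None) -> str:
    """First matching entry wins; no match falls through to the implicit deny."""
    for ace in acl:
        if ace.proto not in ("ip", proto):
            continue
        if not wildcard_match(src, ace.src, ace.src_wc):
            continue
        if not wildcard_match(dst, ace.dst, ace.dst_wc):
            continue
        if ace.dst_port is not None and ace.dst_port != dst_port:
            continue
        return ace.action
    return "deny"


def build_acl(source_wildcard: str) -> List[Ace]:
    """Build access-list 101 for every subnet in the thread with the given source wildcard."""
    lines = [f"access-list 101 permit udp {net} {source_wildcard} host {WLSE} eq tftp"
             for net in SUBNETS]
    return [parse_ace(line) for line in lines]


CORRECT_ACL = build_acl(subnet_to_wildcard("255.255.255.0"))   # wildcard 0.0.0.255 (Sundar's version)
MISTAKEN_ACL = build_acl("255.255.255.0")                        # subnet mask used as wildcard (Jon's first post)

if __name__ == "__main__":
    ap = "10.1.21.5"   # constructed access point address inside the first subnet
    print(evaluate(CORRECT_ACL, "udp", ap, WLSE, 69))      # permit
    print(evaluate(MISTAKEN_ACL, "udp", ap, WLSE, 69))     # deny: wildcard 255.255.255.0 only matches x.x.x.0
    print(evaluate(CORRECT_ACL, "icmp", ap, WLSE))         # deny: the implicit deny Jon warned about
    print(evaluate(CORRECT_ACL, "udp", ap, WLSE, 51234))   # deny: not port 69
```

The second case is the failure Becky hit: with 255.255.255.0 as a wildcard, IOS ignores the first three octets and requires the last octet to equal 0, so an AP at 10.1.21.5 never matches. The third case is Jon's implicit-deny warning in action. The fourth case is a caveat worth checking before relying on `eq tftp` alone: a TFTP transfer only starts on port 69, after which the server answers from a fresh ephemeral port and the client's remaining packets are addressed to that port, so an outbound entry limited to destination port 69 passes the first packet of a transfer and nothing after it. Whether that bites depends on which side initiates the transfer and on what else the access-list permits, which is why Jon asks for the full set of requirements before anything is applied.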

Jon Marshall Fri, 08/10/2007 - 15:02
User Badges:
  • Super Blue, 32500 points or more
  • Hall of Fame, Founding Member
  • Cisco Designated VIP, 2017 LAN, WAN

Hi Sundar


Yep, my mistake. I just finished posting a message on the firewalling forum; wish they would standardise PIX and IOS access-lists :).


Apologies Becky, rather basic error to make.


Jon
