ACL

Aug 10th, 2007

Can anyone help me write an acl to allow tftp access between these subnets:

10.1.21.0

10.1.33.0

10.1.31.0

10.1.45.0

10.1.34.0

10.1.41.0

10.1.42.0

10.1.44.0

and this box - 10.1.255.250

Thanks so much!!

Becky

Jon Marshall Fri, 08/10/2007 - 11:49

Hi Becky

A little more information would help, but assuming that all the above networks have a Class C subnet mask:

access-list 101 permit udp 10.1.21.0 255.255.255.0 host 10.1.255.250 eq tftp

access-list 101 permit udp 10.1.31.0 255.255.255.0 host 10.1.255.250 eq tftp

etc...

Then you need to apply it to the interface that is connected to the 10.1.255.250 subnet eg

int fa0/1

ip access-group 101 out

You apply it in an outbound direction.

One thing to be aware of is that there is an implicit deny at the end of any access-list so if you apply this access-list the ONLY traffic allowed onto that subnet (10.1.255.0/24) is tftp traffic from those subnets to that specific host which is maybe not what you want.

This has given you an idea of how to do access-lists etc., but before you try and implement anything, could you come back with the full set of requirements, i.e.

1) subnets masks

2) what other traffic you would like to allow/deny onto the 10.1.255.0/24 subnet.

Jon

mccullrrcisco Fri, 08/10/2007 - 14:15

Hi Jon,

The reason I am asking is because I have a Wireless LAN Solution Engine (10.1.255.250) and am trying to back up the config of my Access Points, and when trying to run the Archive Job, it fails stating that I should make sure tftp traffic is allowed between the WLSE and the APs.

Becky

sundar.palaniappan Fri, 08/10/2007 - 14:24

Becky,

I believe Jon accidentally put the subnet mask instead of the wildcard mask in the ACL and I don't know if that's the configuration you used which would have resulted in communication failure with the TFTP server. Reconfigure like this.

access-list 101 permit udp 10.1.21.0 0.0.0.255 host 10.1.255.250 eq tftp

access-list 101 permit udp 10.1.31.0 0.0.0.255 host 10.1.255.250 eq tftp

HTH

Sundar
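
As an added example (not from any of the posters), a small Python script that builds the corrected ACL from Becky's subnets, converts a subnet mask into the wildcard mask Sundar points out, and evaluates a source/destination pair against the list, including the implicit deny Jon describes. The subnet list, ACL number 101, the WLSE address and the /24 assumption are taken from the thread; the evaluator only understands the single-line `permit udp SRC WILDCARD host DST eq PORT` form used here.

```python
import ipaddress

# Constructed from the thread: the AP subnets Becky listed and the WLSE host.
AP_SUBNETS = ["10.1.21.0", "10.1.33.0", "10.1.31.0", "10.1.45.0",
              "10.1.34.0", "10.1.41.0", "10.1.42.0", "10.1.44.0"]
TFTP_SERVER = "10.1.255.250"
PORT_NAMES = {"tftp": 69}  # IOS accepts the keyword; the wire port is UDP/69


def wildcard_mask(netmask: str) -> str:
    """IOS ACLs take a wildcard (inverse) mask: 255.255.255.0 -> 0.0.0.255."""
    inverted = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(netmask))
    return str(ipaddress.IPv4Address(inverted))


def build_tftp_acl(subnets, server, netmask="255.255.255.0", acl=101):
    """One permit line per subnet, in the corrected wildcard form."""
    wc = wildcard_mask(netmask)
    return [f"access-list {acl} permit udp {net} {wc} host {server} eq tftp"
            for net in subnets]


def _wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """A wildcard bit of 1 means 'don't care'; 0 bits must equal the base."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a ^ b) & (0xFFFFFFFF ^ w) == 0


def acl_permits(acl_lines, src, dst, proto="udp", dport=69) -> bool:
    """Evaluate a numbered ACL top-down; no match means the implicit deny."""
    for line in acl_lines:
        f = line.split()
        # access-list N permit udp SRC WILDCARD host DST eq PORT
        action, l_proto, l_src, l_wc, _, l_dst, _, l_port = f[2:10]
        if (l_proto == proto
                and _wildcard_match(src, l_src, l_wc)
                and dst == l_dst
                and int(PORT_NAMES.get(l_port, l_port)) == dport):
            return action == "permit"
    return False  # implicit deny at the end of every IOS access-list


if __name__ == "__main__":
    for line in build_tftp_acl(AP_SUBNETS, TFTP_SERVER):
        print(line)
```

Swapping the wildcard for the subnet mask, as in the first reply, makes every AP address fail to match, which is the communication failure Sundar describes.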

Jon Marshall Fri, 08/10/2007 - 15:02

Hi Sundar

Yep, my mistake. I just finished posting a message on the firewalling forum, wish they would standardise pix and IOS access-lists :).

Apologies Becky, rather basic error to make.

Jon
