ACL

mccullrrcisco
Level 1

Can anyone help me write an acl to allow tftp access between these subnets:

10.1.21.0

10.1.33.0

10.1.31.0

10.1.45.0

10.1.34.0

10.1.41.0

10.1.42.0

10.1.44.0

and this box - 10.1.255.250

Thanks so much!!

Becky

4 Replies

Jon Marshall
Hall of Fame

Hi Becky

A little more information would help, but assuming that all the above networks have a Class C subnet mask:

access-list 101 permit udp 10.1.21.0 255.255.255.0 host 10.1.255.250 eq tftp

access-list 101 permit udp 10.1.31.0 255.255.255.0 host 10.1.255.250 eq tftp

etc...

Then you need to apply it to the interface that is connected to the 10.1.255.250 subnet eg

int fa0/1

ip access-group 101 out

You apply it in an outbound direction.

One thing to be aware of is that there is an implicit deny at the end of any access-list so if you apply this access-list the ONLY traffic allowed onto that subnet (10.1.255.0/24) is tftp traffic from those subnets to that specific host which is maybe not what you want.

This has given you an idea of how to do access-lists etc., but before you try and implement anything could you come back with the full set of requirements, i.e.

1) subnets masks

2) what other traffic you would like to allow/deny onto the 10.1.255.0/24 subnet.

Jon

Hi Jon,

The reason I am asking is because I have a Wireless Lan Solution Engine (10.1.255.250) and am trying to back up the config of my Access Points, and when trying to run the Archive Job it fails, stating that I should make sure tftp traffic is allowed between the WLSE and the APs.

Becky

Becky,

I believe Jon accidentally put the subnet mask instead of the wildcard mask in the ACL and I don't know if that's the configuration you used which would have resulted in communication failure with the TFTP server. Reconfigure like this.

access-list 101 permit udp 10.1.21.0 0.0.0.255 host 10.1.255.250 eq tftp

access-list 101 permit udp 10.1.31.0 0.0.0.255 host 10.1.255.250 eq tftp

HTH

Sundar
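Added worked example (editor's code, not from any poster in this thread): it generates the permit lines Sundar describes for the eight subnets and the WLSE, and simulates IOS wildcard matching to show why Jon's original lines, with a subnet mask in the wildcard position, would not have matched a real access point. The access-point address 10.1.21.17 and the Class C mask are assumptions.

```python
# Added example: IOS wildcard-mask semantics for the TFTP ACL in this thread.
# A 0 bit in the wildcard means "must match", a 1 bit means "don't care".
import ipaddress

# Subnets and TFTP server taken from the question; Class C mask assumed as Jon did.
SUBNETS = ["10.1.21.0", "10.1.33.0", "10.1.31.0", "10.1.45.0",
           "10.1.34.0", "10.1.41.0", "10.1.42.0", "10.1.44.0"]
TFTP_SERVER = "10.1.255.250"
CLASS_C_MASK = "255.255.255.0"


def wildcard_from_mask(mask: str) -> str:
    """Invert a dotted subnet mask into the IOS wildcard form."""
    return str(ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(mask))))


def acl_entry_matches(network: str, wildcard: str, address: str) -> bool:
    """Apply IOS matching: compare only the bits the wildcard marks as significant."""
    net, wc, addr = (int(ipaddress.IPv4Address(x)) for x in (network, wildcard, address))
    significant = ~wc & 0xFFFFFFFF
    return (net & significant) == (addr & significant)


def tftp_acl(subnets, server, mask, acl_number=101):
    """Generate one permit line per source subnet, as in Sundar's correction."""
    wc = wildcard_from_mask(mask)
    return [f"access-list {acl_number} permit udp {s} {wc} host {server} eq tftp"
            for s in subnets]


def source_permitted(subnets, mask, source, use_subnet_mask_by_mistake=False):
    """True if any entry permits this source; optionally simulate Jon's original mistake."""
    wc = mask if use_subnet_mask_by_mistake else wildcard_from_mask(mask)
    return any(acl_entry_matches(s, wc, source) for s in subnets)


if __name__ == "__main__":
    for line in tftp_acl(SUBNETS, TFTP_SERVER, CLASS_C_MASK):
        print(line)
    ap = "10.1.21.17"  # constructed access-point address inside the first subnet
    print(ap, "correct wildcard:", source_permitted(SUBNETS, CLASS_C_MASK, ap))
    print(ap, "subnet mask by mistake:", source_permitted(SUBNETS, CLASS_C_MASK, ap, True))
```

With the subnet mask used as a wildcard, only addresses ending in .0 match, regardless of their first three octets, so the APs are denied while unrelated hosts such as 10.9.9.0 would be permitted; the simulation makes both effects visible.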

Hi Sundar

Yep, my mistake. I just finished posting a message on the firewalling forum, wish they would standardise pix and IOS access-lists :).

Apologies Becky, rather basic error to make.

Jon
