Access-List

Unanswered Question
Oct 18th, 2007
I'm not sure if I'm in the right place, but I have a problem with an ACL. I have a user who is using VMware, and I gave him the network 10.17.0.0/16. I can get to anything on the 10.17.0.x network but nothing else. Here is my ACL:

interface Vlan17
 description "SBU_LABMGR_VM_VLAN"
 ip address 10.17.0.1 255.255.0.0
 ip access-group SBU_LABMGR_VM_VLAN-IN in

ip access-list extended SBU_LABMGR_VM_VLAN-IN
 permit ip 10.17.0.0 0.0.255.255 10.0.7.0 0.0.0.255
 permit ip 10.17.0.0 0.0.255.255 10.1.7.0 0.0.0.255
 permit ip 10.17.0.0 0.0.255.255 10.1.8.0 0.0.0.255
 permit ip 10.17.0.0 0.0.255.255 10.4.7.0 0.0.0.255
 permit ip 10.17.1.0 0.0.0.255 10.1.7.0 0.0.0.255
 permit ip 10.17.0.0 0.0.255.255 host 10.1.15.75
 permit ip 10.17.0.0 0.0.255.255 host 10.1.20.25
 deny ip 10.17.0.0 0.0.255.255 10.0.0.0 0.255.255.255
 deny ip 10.17.0.0 0.0.255.255 172.16.0.0 0.15.255.255
 deny ip 10.17.0.0 0.0.255.255 192.168.0.0 0.0.0.255
 permit ip any any

Is there anything wrong with this access-list?


gojericho0 Thu, 10/18/2007 - 09:21

"deny ip 10.17.0.0 0.0.255.255 10.0.0.0 0.255.255.255"

Do you want them denied to everything on the 10 network?

Can you ping the next hop after the gateway?

Is there any other access list on the default gateway, or a firewall, that could be blocking traffic?

Is VLAN17 entered in all the correct VLAN databases and allowed to traverse all trunk links, if it is not terminated at the gateway?

Is NAT, PAT or a proxy set up to access the internet?



damrut5763 Thu, 10/18/2007 - 09:32
1) Yes, I want them denied to everything on the 10 network except 10.1.7.x, 10.0.7.x and everything else I have in the permit ACL.

2) There is no firewall blocking traffic.

3) VLAN 17 is entered correctly in the database. I can ping the 10.17.0.x network but can't get to 10.17.1.x/0.0.255.255 or above.

gojericho0 Thu, 10/18/2007 - 10:17

"VLAN 17 is entered correctly in the database. I can ping the 10.17.0.x network but can't get to 10.17.1.x/0.0.255.255 or above."

So you can't ping anything in 10.17.1.x and above?

Since the VLAN17 interface is 10.17.0.1 255.255.0.0, can I assume 10.17.1.x is part of the same network segment and VLAN membership?

Can you ping 10.17.1.x from the VLAN17 interface?

damrut5763 Thu, 10/18/2007 - 10:20
Thank you for your assistance. The problem was with the virtual server gateway. Everything is working!
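The thread ends with the VM's gateway being the culprit, which fits the symptom: an inbound ACL on the VLAN17 SVI is only consulted for traffic that is routed through that interface, and hosts in the same 10.17.0.0/16 reach each other at layer 2 without touching it. The original question, whether anything is wrong with the ACL itself, is still worth answering with a quick check. The script below is an added example, not code from the original post or from Cisco. It evaluates the posted ACL the way IOS does (first match from the top, with an implicit deny at the end), so you can ask what a given source/destination pair would hit, and it flags entries that can never match because an earlier entry already covers them. Two things it surfaces on this ACL: the fifth entry (10.17.1.0/24 to 10.1.7.0/24) is fully shadowed by the second, and the 192.168.0.0 0.0.0.255 deny only covers 192.168.0.0/24, so any other 192.168.x.x destination falls through to the final permit ip any any. Whether that last point is intended is not stated in the thread. The sequence numbers 10, 20, ... are assumed to be the IOS defaults; only "ip" entries with no ports are modelled, since that is all the post uses.

```python
"""Added worked example (not from the original thread): evaluate the posted
Cisco IOS extended ACL the way IOS does (first match wins, top to bottom,
implicit deny at the end) and report entries that can never be hit.
Assumptions: sequence numbers are the IOS defaults (10, 20, ...); only
'permit|deny ip SRC DST' entries are modelled, as in the post."""
import ipaddress

# The access list exactly as posted in the thread.
ACL_TEXT = """\
permit ip 10.17.0.0 0.0.255.255 10.0.7.0 0.0.0.255
permit ip 10.17.0.0 0.0.255.255 10.1.7.0 0.0.0.255
permit ip 10.17.0.0 0.0.255.255 10.1.8.0 0.0.0.255
permit ip 10.17.0.0 0.0.255.255 10.4.7.0 0.0.0.255
permit ip 10.17.1.0 0.0.0.255 10.1.7.0 0.0.0.255
permit ip 10.17.0.0 0.0.255.255 host 10.1.15.75
permit ip 10.17.0.0 0.0.255.255 host 10.1.20.25
deny ip 10.17.0.0 0.0.255.255 10.0.0.0 0.255.255.255
deny ip 10.17.0.0 0.0.255.255 172.16.0.0 0.15.255.255
deny ip 10.17.0.0 0.0.255.255 192.168.0.0 0.0.0.255
permit ip any any
"""

ALL_ONES = 0xFFFFFFFF


def _parse_addr(tokens):
    """Consume one IOS address spec: 'any', 'host A', or 'A WILDCARD'.
    Returns (network, care_mask, tokens_consumed). care_mask has a 1 bit
    wherever the packet must match, i.e. it is the inverse of the wildcard."""
    if tokens[0] == "any":
        return 0, 0, 1
    if tokens[0] == "host":
        return int(ipaddress.IPv4Address(tokens[1])), ALL_ONES, 2
    addr = int(ipaddress.IPv4Address(tokens[0]))
    care = int(ipaddress.IPv4Address(tokens[1])) ^ ALL_ONES
    return addr & care, care, 2


def parse_acl(text):
    """Parse the ACL into tuples (seq, action, src, src_care, dst, dst_care, line)."""
    entries = []
    for n, line in enumerate(text.strip().splitlines(), 1):
        tok = line.split()
        action, proto = tok[0], tok[1]
        if proto != "ip":  # ports/protocols beyond plain 'ip' are out of scope here
            raise ValueError("unsupported entry: " + line)
        src, src_care, used = _parse_addr(tok[2:])
        dst, dst_care, _ = _parse_addr(tok[2 + used:])
        entries.append((n * 10, action, src, src_care, dst, dst_care, line))
    return entries


def lookup(entries, src_ip, dst_ip):
    """Return (action, sequence, entry_text) of the first matching entry,
    or the implicit deny when nothing matches."""
    s = int(ipaddress.IPv4Address(src_ip))
    d = int(ipaddress.IPv4Address(dst_ip))
    for seq, action, src, src_care, dst, dst_care, line in entries:
        if (s & src_care) == src and (d & dst_care) == dst:
            return action, seq, line
    return "deny", None, "implicit deny"


def _covers(outer, inner):
    """True when every packet that matches `inner` also matches `outer`:
    outer's care bits are a subset of inner's, and they agree on those bits."""
    _, _, osrc, ocs, odst, ocd, _ = outer
    _, _, isrc, ics, idst, icd, _ = inner
    src_ok = (ocs & (ics ^ ALL_ONES)) == 0 and (isrc & ocs) == osrc
    dst_ok = (ocd & (icd ^ ALL_ONES)) == 0 and (idst & ocd) == odst
    return src_ok and dst_ok


def shadowed(entries):
    """Sequence numbers of entries that can never be hit because an earlier
    entry already matches everything they would."""
    return [e[0] for i, e in enumerate(entries)
            if any(_covers(earlier, e) for earlier in entries[:i])]


if __name__ == "__main__":
    acl = parse_acl(ACL_TEXT)
    # Constructed sample flows from a VM in 10.17.0.0/16.
    for src, dst in [("10.17.5.5", "10.1.7.10"), ("10.17.5.5", "10.2.0.1"),
                     ("10.17.5.5", "192.168.0.9"), ("10.17.5.5", "192.168.5.1")]:
        print(src, "->", dst, lookup(acl, src, dst))
    print("shadowed entries:", shadowed(acl))
```

Running it shows 10.17.5.5 to 10.1.7.10 permitted by sequence 20, 10.17.5.5 to 10.2.0.1 denied by sequence 80, 192.168.0.9 denied by sequence 100 but 192.168.5.1 permitted by the final permit ip any any, and sequence 50 reported as shadowed. Note that the shadow check is exact only for the address part; on a real IOS box `show ip access-list` hit counters give you the same signal in production.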
