ACLs being altered by router upon entering them

Feb 12th, 2008

Hi All,


I'm setting up a number of VPN/IPsec tunnels on a Cisco 876.

When I enter the necessary ACLs, I get no error, but when I check my running config, the router seems to have altered the ACL.


Here's what happens:

Router(config)#access-list 111 remark *** Tunnel naar Takman Ommen ***

Router(config)#access-list 111 permit ip 192.168.26.0 255.255.255.0 192.168.28.0 255.255.255.0

Router(config)#end

Router#sh access-l

Extended IP access list 111

10 permit ip 0.0.0.0 255.255.255.0 0.0.0.0 255.255.255.0


Running version 12.4(15)T1.


Config attached.



Correct Answer
Mohamed Sobair Tue, 02/12/2008 - 04:45

Hi,


Simply put, you are not matching any specific criteria here; looking at your config:


permit ip 192.168.26.0 255.255.255.0 192.168.28.0 255.255.255.0


you are saying "I don't care about 192.168.26" in your ACL; it's not a subnet mask equation, but rather a wildcard bits match.


The correct one is as below:


access-list 111 permit ip 192.168.26.0 0.0.0.255 192.168.28.0 0.0.0.255


HTH

Mohamed
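An added example, not from the thread, that reproduces what the router did to the entry above: IOS clears every address bit that the wildcard marks as "don't care", which is why 192.168.26.0 255.255.255.0 was stored as 0.0.0.0 255.255.255.0, an entry that matches any address ending in .0 and not the 192.168.26.0/24 hosts at all. The fix_ace and looks_like_subnet_mask helpers are my own names; fix_ace only handles the plain numbered "permit ip src wc dst wc" form used in the question.

```python
import ipaddress

MASK32 = 0xFFFFFFFF


def to_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def to_dotted(value: int) -> str:
    return str(ipaddress.IPv4Address(value & MASK32))


def normalize_ace(addr: str, wildcard: str) -> str:
    """Return the address as IOS stores it: every bit set to 1 in the
    wildcard is 'don't care', so it is cleared in the stored address."""
    return to_dotted(to_int(addr) & ~to_int(wildcard))


def subnet_to_wildcard(mask: str) -> str:
    """255.255.255.0 -> 0.0.0.255 (bitwise complement)."""
    return to_dotted(~to_int(mask))


def matches(addr: str, wildcard: str, host: str) -> bool:
    """True if host is covered by the addr/wildcard pair."""
    care = ~to_int(wildcard) & MASK32
    return (to_int(addr) & care) == (to_int(host) & care)


def looks_like_subnet_mask(wildcard: str) -> bool:
    """Heuristic: a wildcard that is a contiguous run of 1s from the top
    (e.g. 255.255.255.0) was almost certainly typed as a subnet mask.
    0.0.0.0 (host) and 255.255.255.255 (any) are legitimate wildcards."""
    w = to_int(wildcard)
    if w in (0, MASK32):
        return False
    low_zeros = ~w & MASK32          # bits below the run of 1s
    return low_zeros & (low_zeros + 1) == 0


def fix_ace(line: str) -> str:
    """Rewrite 'access-list N permit ip SRC WC DST WC' when a wildcard
    looks like a subnet mask; any other line is returned unchanged."""
    tok = line.split()
    if len(tok) != 8 or tok[0] != "access-list" or tok[3] != "ip":
        return line
    for i in (5, 7):                  # the two wildcard positions
        if looks_like_subnet_mask(tok[i]):
            tok[i] = subnet_to_wildcard(tok[i])
    return " ".join(tok)
```

Running normalize_ace("192.168.26.0", "255.255.255.0") gives the "0.0.0.0" the router printed, and fix_ace turns the mistyped line into the corrected one above.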

Correct Answer
royalblues Tue, 02/12/2008 - 05:24

I have seen this behavior, and as said above it is due to the use of subnet masks instead of inverse wildcard masks while defining the access-list.


These are common errors, particularly if you are used to working on PIX/ASA, where we do not use inverse masks.


HTH

Narayan

beheer@support.net Tue, 02/12/2008 - 05:27

Brilliant, on the money. I spend way too much time on ASAs.


Thanks a million for putting me in my place :-)
