ACLs being altered by router upon entering them

beheer
Level 1

Hi All,

I'm setting up a number of VPN/IPsec tunnels on a Cisco 876.

When I enter the necessary ACLs, I get no error, but when I check my running config, the router seems to have altered the ACL.

Here's what happens:

Router(config)#access-list 111 remark *** Tunnel naar Takman Ommen ***
Router(config)#access-list 111 permit ip 192.168.26.0 255.255.255.0 192.168.28.0 255.255.255.0
Router(config)#end
Router#sh access-l
Extended IP access list 111
10 permit ip 0.0.0.0 255.255.255.0 0.0.0.0 255.255.255.0

Running the Version 12.4(15)T1.

Config attached.

3 Replies

Mohamed Sobair
Level 7

Hi,

Simply, you are not matching any specific criteria here. Looking at your config:

permit ip 192.168.26.0 255.255.255.0 192.168.28.0 255.255.255.0

you are saying "I don't care about 192.168.26" in your ACL; it's not a subnet mask equation, but rather it's a wildcard bits match.

The correct one is as below:

access-list 111 permit ip 192.168.26.0 0.0.0.255 192.168.28.0 0.0.0.255

HTH

Mohamed
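To make the wildcard semantics Mohamed describes concrete, here is an added Python model of how IOS evaluates an extended ACE (this is illustrative code, not from the original post or from Cisco). A wildcard bit of 1 means "don't care", so IOS stores the address with those bits cleared, which is exactly why 192.168.26.0 entered with 255.255.255.0 is shown back as 0.0.0.0; the sample packet addresses are constructed for the demonstration.

```python
import ipaddress

ALL_ONES = 0xFFFFFFFF


def to_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def to_dotted(value: int) -> str:
    return str(ipaddress.IPv4Address(value & ALL_ONES))


def normalize_ace(address: str, wildcard: str) -> str:
    """Address as IOS stores and displays it: bits the wildcard marks as
    'don't care' (1) are cleared, leaving only the bits that are compared."""
    return to_dotted(to_int(address) & ~to_int(wildcard))


def mask_to_wildcard(subnet_mask: str) -> str:
    """Inverse (wildcard) mask for a normal subnet mask, e.g. 255.255.255.0 -> 0.0.0.255."""
    return to_dotted(~to_int(subnet_mask))


def ace_matches(address: str, wildcard: str, packet_ip: str) -> bool:
    """IOS compares (packet & ~wildcard) against (address & ~wildcard)."""
    care = ~to_int(wildcard) & ALL_ONES
    return (to_int(packet_ip) & care) == (to_int(address) & care)


def permit_ip_matches(src, src_wc, dst, dst_wc, pkt_src, pkt_dst) -> bool:
    """Both the source and the destination part of a 'permit ip' ACE must match."""
    return ace_matches(src, src_wc, pkt_src) and ace_matches(dst, dst_wc, pkt_dst)


if __name__ == "__main__":
    # The ACE as entered in the post: subnet masks used where wildcards belong.
    entered = ("192.168.26.0", "255.255.255.0", "192.168.28.0", "255.255.255.0")
    print("stored as:", normalize_ace(entered[0], entered[1]))  # 0.0.0.0
    # Intended LAN-to-LAN traffic (constructed hosts) is NOT matched ...
    print(permit_ip_matches(*entered, "192.168.26.10", "192.168.28.20"))  # False
    # ... while unrelated addresses ending in .0 ARE matched.
    print(permit_ip_matches(*entered, "10.9.9.0", "172.16.0.0"))  # True
    # The corrected ACE from the accepted answer behaves as intended.
    fixed = ("192.168.26.0", mask_to_wildcard("255.255.255.0"),
             "192.168.28.0", mask_to_wildcard("255.255.255.0"))
    print(permit_ip_matches(*fixed, "192.168.26.10", "192.168.28.20"))  # True
    print(permit_ip_matches(*fixed, "10.9.9.0", "172.16.0.0"))  # False
```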

I have seen this behavior, and as said above it is due to the use of subnet masks instead of inverse wildcard masks while defining the access-list.

These are common errors, particularly if you are used to working on PIX/ASA, where we do not use inverse masks.

HTH

Narayan

Brilliant, on the money. I spend way too much time on ASAs.

Thanks a million for putting me in my place :-)
