access-list question

Answered Question
Mar 26th, 2008

I want to configure router map that will forward all 172.23.0.0 traffic out to particular interface. Which acl will cover all of the 172.23.0.0 traffic?

access-list 122 permit tcp 172.23.0.0 0.0.255.255 10.0.0.0 eq any

access-list 122 permit ip 172.23.0.0 0.0.255.255 10.0.0.0

thanks for the help.

I have this problem too.
0 votes
Correct Answer by Jon Marshall about 8 years 8 months ago

No it won't because you also have UDP ports, ICMP traffic etc. that are not covered by TCP. So if you want all traffic use "permit ip"

Also i meant to ask last time, do you want to do PBR for

all traffic from 172.23.0.0 0.0.255.255 to 10.0.0.0

or

all traffic from 172.23.0.0 0.0.255 255 to any IP address. If this one you need to modify your access-list

access-list 122 permit ip 172.23.0.0 0.0.255.255 any

HTH

Jon

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
Loading.
Jon Marshall Wed, 03/26/2008 - 15:26

Hi

If you want all traffic from 172.23.0.0/16 to 10.0.0.0 then your second line but you need a subnet mask for 10.0.0.0 ie.

access-list 122 permit ip 172.23.0.0 0.0.255.255 10.0.0.0

or do you just want all TCP ports ?

HTH

Jon

bsudol79p Wed, 03/26/2008 - 15:35

I want to the acl to cover all traffic from 172.23.0.0, so I am kind of confused what the difference is between using the ip and tcp in this case. If I choose the access-list 122 permit tcp 172.23.0.0 0.0.255.255 10.0.0.0 0.0.0.255 eq any won't that be the same as

access-list 122 permit ip 172.23.0.0 0.0.255.255 10.0.0.0 0.0.0.255

Correct Answer
Jon Marshall Wed, 03/26/2008 - 15:42

No it won't because you also have UDP ports, ICMP traffic etc. that are not covered by TCP. So if you want all traffic use "permit ip"

Also i meant to ask last time, do you want to do PBR for

all traffic from 172.23.0.0 0.0.255.255 to 10.0.0.0

or

all traffic from 172.23.0.0 0.0.255 255 to any IP address. If this one you need to modify your access-list

access-list 122 permit ip 172.23.0.0 0.0.255.255 any

HTH

Jon

bsudol79p Wed, 03/26/2008 - 15:44

I just wanted to cover the 172.23.0.0 255.255.0 0 to 10.0.0.0 and not to any. Thanks for your help!!!!

Actions

This Discussion