Access-list will not engage properly in 3750

hobbe
Level 7

I have a 3750 with IOS version 12.2.35.se5 where the access-list will not engage properly.

I found something in the bug fixes for the IOS version, but the access-list is only 41 rows, so it should not apply, and there is nothing on the type of hardware.

Here is the access-list:

IA = IP Address

NA = Network Address

WCM = Wildcard mask

Port = a tcp/udp port or range

Extended IP access list 120
10 permit tcp host IA gt PORT host IA eq PORT
20 permit tcp host IA gt PORT host IA eq PORT
30 permit tcp host IA gt PORT host IA eq PORT
40 permit tcp host IA gt PORT host IA eq PORT
50 permit tcp host IA gt PORT host IA eq PORT
60 permit tcp host IA gt PORT host IA eq PORT
70 permit tcp host IA gt PORT host IA eq PORT
80 permit tcp host IA gt PORT host IA eq PORT
90 permit tcp host IA gt PORT host IA eq PORT
100 permit tcp host IA gt PORT host IA eq PORT
110 permit tcp host IA gt PORT host IA eq PORT
120 permit tcp host IA gt PORT host IA eq PORT
130 permit tcp host IA gt PORT host IA eq PORT
140 permit tcp host IA gt PORT host IA eq PORT
150 permit tcp host IA gt PORT host IA eq PORT
160 permit tcp host IA gt PORT host IA eq PORT
170 permit tcp host IA gt PORT host IA eq PORT
180 permit tcp host IA gt PORT host IA eq PORT
190 permit tcp host IA host IA eq PORT
200 permit tcp host IA host IA eq PORT
210 permit ip host IA NA WCM
220 permit ip host IA NA WCM
230 permit tcp NA WCM NA WCM eq PORT
240 permit tcp NA WCM NA WCM eq PORT
250 permit tcp NA WCM NA WCM eq PORT
260 permit tcp NA WCM NA WCM eq PORT
270 permit tcp NA WCM NA WCM eq PORT
280 permit tcp NA WCM NA WCM eq PORT
290 permit tcp NA WCM NA WCM eq PORT
300 permit tcp NA WCM NA WCM eq PORT
310 permit tcp NA WCM NA WCM eq PORT
320 permit tcp NA WCM NA WCM eq PORT
330 permit tcp NA WCM NA WCM eq PORT
340 permit tcp NA WCM eq PORT NA WCM gt PORT
350 permit tcp NA WCM eq PORT NA WCM gt PORT
360 permit tcp NA WCM eq PORT NA WCM gt PORT
370 permit tcp NA WCM eq PORT NA WCM gt PORT
380 permit tcp NA WCM eq PORT NA WCM gt PORT
390 deny ip IP NA WCM any

Is it me?

Am I missing something, or is it a bug in the system?

There is no error message when I enter the access-list on the switch.

It just doesn't take.

4 Replies

cisco_lad2004
Level 5

Are you using the Enhanced Image?

Please post sh ver.

Sam

TORBJORN

You have hidden so much detail that it is hard to know what the problem is. But I do have some observations and some suggestions:

- I am not clear in your description whether the problem is that the access list is not working at all, or whether things that work without the access list do not work when you apply the access list. Perhaps you can clarify what the problem really is?

- you show us the access list but provide no information about how the access list is applied. Can you give us specifics about how the access list is applied? Until the access list is applied it will have no effect.

- I notice that almost all the permit statements are to permit various TCP traffic. There are only 2 statements that permit ip and they permit traffic from specific host(s) to certain limited destinations. This will not allow things like ping to work - at least for most of your network. And it is likely that it will not permit DNS to work - at least for most of your network. So perhaps the problem is overly restrictive logic in the access list.

HTH

Rick

Hi rburts

The access-list is applied on an interface with the command "ip access-group 120 in"

on a Layer 3 routed interface with an IP. This applies the access-list to inbound traffic on that interface.

If we take away the access-list with the command "no access-list 120" the communication works.

When we add it, only some hosts can use it even though the lines are the same, e.g.

IP A wants to reach IP Z - it works

The exact same line (except for IP B's address) for IP B to reach IP Z does not work.

Example:

permit tcp host 192.168.1.1 gt 1234 host 192.168.2.1 eq 1234 "works"

permit tcp host 192.158.1.2 gt 1234 host 192.168.2.1 eq 1234 "does not work"

ICMP is not required nor desired, neither is DNS for other than the two hosts with ip permitted.

IP addresses used in examples are fictive.

Hope this clarifies things.
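To check what each flow should hit in the access-list on paper (first match wins, wildcard masks, gt/eq port operators, implicit deny at the end), here is a small evaluator. It is an added example, not from this thread or from Cisco; it models only the documented ACL semantics and not how the 3750 programs them into hardware, and the addresses are the post's fictitious ones plus two constructed entries in the shape of lines 210 and 390.

```python
# Simplified Cisco extended-ACL evaluator (assumption: plain first-match semantics).
import ipaddress
from collections import deque

PORT_OPS = {"eq": lambda p, r: p == r, "gt": lambda p, r: p > r,
            "lt": lambda p, r: p < r, "neq": lambda p, r: p != r}

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard mask: a 1 bit means 'don't care'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)

def parse_ace(line):
    """Parse 'seq action proto src [op port] dst [op port]' into a dict."""
    t = deque(line.split())
    seq, action, proto = int(t.popleft()), t.popleft(), t.popleft()
    def addr():  # host X -> wildcard 0.0.0.0, any -> wildcard 255.255.255.255
        kw = t.popleft()
        if kw == "host": return (kw and t.popleft(), "0.0.0.0")
        if kw == "any": return ("0.0.0.0", "255.255.255.255")
        return (kw, t.popleft())
    def port():  # optional 'op number' after an address
        return (t.popleft(), int(t.popleft())) if t and t[0] in PORT_OPS else None
    return dict(seq=seq, action=action, proto=proto,
                src=addr(), sport=port(), dst=addr(), dport=port())

def evaluate(acl, proto, src, sport, dst, dport):
    """Return (action, seq) of the first matching ACE, or ('deny', None)."""
    for ace in map(parse_ace, acl):
        if ace["proto"] not in ("ip", proto):
            continue
        if not (wildcard_match(src, *ace["src"]) and wildcard_match(dst, *ace["dst"])):
            continue
        if ace["sport"] and not PORT_OPS[ace["sport"][0]](sport, ace["sport"][1]):
            continue
        if ace["dport"] and not PORT_OPS[ace["dport"][0]](dport, ace["dport"][1]):
            continue
        return ace["action"], ace["seq"]
    return "deny", None  # implicit deny at the end of every Cisco ACL

# Constructed ACL: the post's two example lines plus entries shaped like 210 and 390.
ACL_120 = [
    "10 permit tcp host 192.168.1.1 gt 1234 host 192.168.2.1 eq 1234",
    "20 permit tcp host 192.158.1.2 gt 1234 host 192.168.2.1 eq 1234",
    "210 permit ip host 192.168.1.1 192.168.3.0 0.0.0.255",
    "390 deny ip 192.168.0.0 0.0.255.255 any",
]
```

If a flow is permitted here but dropped on the switch, the software semantics are not the problem and the platform (image feature set, hardware ACL programming) is where to look.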

No, it's the preloaded IP-BASE:

Cisco IOS Software, C3750 Software (C3750-IPBASE-M), Version 12.2(35)SE5, RELEASE SOFTWARE (fc1)
