Access-list problem

Unanswered Question
Dec 31st, 2008
hi friends ,

I wrote an access-list that permits only 2 hosts from the specified network, and applied this list to the interface inbound. The first host is accessible but the second is not.

Who can help me ?


The list definition:

ip access-list extended site2internal
 permit tcp 172.25.0.0 0.0.255.255 host 172.20.1.2 eq www
 permit ip 172.25.0.0 0.0.255.255 host 172.20.0.20
 deny ip any 172.20.0.0 0.0.255.255
 permit ip any any

172.20.1.2 accessible
172.20.0.20 not-accessible

Giuseppe Larosa Wed, 12/31/2008 - 02:03

Hello Reza,

are the two hosts

172.20.1.2 accessible
172.20.0.20 not-accessible

in the same ip subnet?

You also need to verify routing in the return path.

Hope to help

Giuseppe


Reza Rezazadeh Wed, 12/31/2008 - 02:43
Hi Giuseppe ,

Yes, the two hosts are in the same subnet, 255.255.0.0.

The routing is correct:

ip route 172.20.0.0 255.255.0.0 GigabitEthernet0/1.1

These hosts are accessible from other subnets, to which no access-list is applied.


Best Regards

Reza Rezazadeh Fri, 01/02/2009 - 23:08
Hi everyone,

My problem still exists. I tried to develop the access-list further, but only one host is accessible:

ip access-list extended site2internal
 permit tcp 172.25.0.0 0.0.255.255 host 172.20.1.2 eq www
 permit ip 172.25.0.0 0.0.255.255 host 172.20.0.20
 permit tcp 172.25.0.0 0.0.255.255 host 172.20.0.23 eq ftp
 permit tcp 172.25.0.0 0.0.255.255 host 172.20.0.6 eq domain
 deny ip any 172.20.0.0 0.0.255.255
 permit ip any any

With this configuration I intend that from subnet 172.25.0.0 to 172.20.0.0 only the hosts 172.20.0.20, 172.20.0.23, 172.20.0.20, 172.20.0.6, 172.20.1.2 with the appropriate port number are accessible.

But only host 172.20.1.2 is accessible and the others are not.

Who can help me to solve this?

Best Regards

Reza Rezazadeh Sat, 01/03/2009 - 00:05
I thought that the problem is with the 172.20.0.x hosts, the hosts whose third octet is "zero". How can I correct this?

glen.grant Sat, 01/03/2009 - 03:31
Shouldn't matter if it's a zero subnet. I would verify the layer 3 subnet definition is 255.255.0.0. If yes, also verify on the clients that the mask is the same 255.255.0.0. If the acl is in the exact order you posted, I don't see anything to keep it from working.
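As an added illustration (not code from any poster in this thread), here is a small first-match evaluator with Cisco wildcard-mask semantics, run against the access-list Reza posted on Jan 2. It shows what glen.grant reads from the list: a packet from 172.25.0.0/16 to 172.20.0.20 hits entry 2 before the deny, so the list itself is not what blocks that host; the sample packets are constructed.

```python
import ipaddress

# Constructed from the thread's access-list, one tuple per entry:
# (action, protocol, src_net, src_wildcard, dst_net, dst_wildcard, dst_port)
# "any" is 0.0.0.0 with wildcard 255.255.255.255; None means no port match.
# IOS keywords www/ftp/domain are TCP ports 80/21/53.
SITE2INTERNAL = [
    ("permit", "tcp", "172.25.0.0", "0.0.255.255", "172.20.1.2",  "0.0.0.0", 80),
    ("permit", "ip",  "172.25.0.0", "0.0.255.255", "172.20.0.20", "0.0.0.0", None),
    ("permit", "tcp", "172.25.0.0", "0.0.255.255", "172.20.0.23", "0.0.0.0", 21),
    ("permit", "tcp", "172.25.0.0", "0.0.255.255", "172.20.0.6",  "0.0.0.0", 53),
    ("deny",   "ip",  "0.0.0.0", "255.255.255.255", "172.20.0.0", "0.0.255.255", None),
    ("permit", "ip",  "0.0.0.0", "255.255.255.255", "0.0.0.0", "255.255.255.255", None),
]


def wildcard_match(addr, net, wildcard):
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(net))
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (a & care) == (n & care)


def evaluate(acl, src, dst, proto, dport=None):
    """First-match evaluation. Returns (action, 1-based entry index);
    index 0 stands for the implicit 'deny ip any any' at the end of every IOS ACL."""
    for i, (action, p, snet, swc, dnet, dwc, port) in enumerate(acl, 1):
        if p != "ip" and p != proto:          # 'ip' matches every protocol
            continue
        if not wildcard_match(src, snet, swc) or not wildcard_match(dst, dnet, dwc):
            continue
        if port is not None and port != dport:
            continue
        return action, i
    return "deny", 0


if __name__ == "__main__":
    # Constructed sample packets from a 172.25.0.0/16 client.
    for pkt in [("172.25.3.4", "172.20.0.20", "tcp", 3389),
                ("172.25.3.4", "172.20.1.2", "tcp", 443),
                ("172.25.3.4", "172.20.0.6", "udp", 53)]:
        print(pkt, "->", evaluate(SITE2INTERNAL, *pkt))
```

One thing the evaluator also makes visible: entry 4 is `permit tcp ... eq domain`, so DNS over UDP/53 to 172.20.0.6 falls through to the deny on entry 5.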
