06-29-2009 10:44 AM - edited 03-06-2019 06:30 AM
I have a router R0 , RO's f0/0 connects to a server 10.1.1.2 and R0 also use the F0/0 as a gre tunnel's source interface . this tunnel's destination is the R3's f0/0 . and 1 smtp server 192.168.1.3 connects to router R3. the server 10.1.1.2 need to connect to the server 192.168.1.3's TCP port 25. and i put a acl on R0's f0/0
int f0/0
ip access-group snmp in
ip access-list extended snmp
permit tcp host 10.1.1.2 host 192.168.1.3 eq 25
there is no other ACL between this 2 servers.
but the server 10.1.1.2 still can not access server 192.168.1.3 by using tcp port 25.
since the tunnel 0 also use f0/0 as source interface , i guess maybe i need to add one more line for ACL snmp
permit tcp host 192.168.1.3 eq 25 host 10.1.1.2.
Please help me for this issue. if my guess is wrong , what is the right sloution .
06-29-2009 11:22 AM
Hello Yang,
you are right
the ACL should be written has:
permit tcp host 192.168.1.3 eq 25 host 10.1.1.2
I would test this with the following:
just remove the ACL you have applied on the tunnel interface.
Test it without any ACL.
In these conditions can server 10.1.1.2 connect to 192.168.1.3?
Try with the modified ACL and see the behaviour.
your original ACL should match with traffic sent out the tunnel if R0 sees tunnel0 as the outgoing interface to reach 192.168.1.3
Hope to help
Giuseppe
06-30-2009 05:24 AM
I can not test it since i need to submit change request before i change ACL.
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: