ACL issue on Cisco 860

Jul 23rd, 2009

Greetings:


I'm attempting to add the following access-list to the router and apply the access-group to the WAN facing interface:


access-list 150 permit ip 10.233.0.0 255.255.255.0 172.16.0.73 255.255.255.255
access-list 150 permit ip 10.233.0.0 255.255.255.0 172.16.5.30 255.255.255.255
access-list 150 permit ip 10.233.0.0 255.255.255.0 10.1.7.136 255.255.255.255
access-list 150 permit ip 10.233.0.0 255.255.255.0 10.1.7.137 255.255.255.255
access-list 150 permit ip 10.233.0.0 255.255.255.0 10.1.7.139 255.255.255.255
access-list 150 permit ip 10.233.0.0 255.255.255.0 10.1.4.43 255.255.255.255
access-list 150 permit ip 10.233.0.0 255.255.255.0 172.28.0.7 255.255.255.255
access-list 150 permit ip 10.233.0.0 255.255.255.0 172.28.0.75 255.255.255.255
access-list 150 permit ip 10.233.0.0 255.255.255.0 172.28.0.110 255.255.255.255
access-list 150 permit ip 10.233.0.0 255.255.255.0 172.28.0.111 255.255.255.255
access-list 150 permit ip 10.233.0.0 255.255.255.0 172.16.5.143 255.255.255.255
access-list 150 permit ip 10.233.0.0 255.255.255.0 172.16.5.142 255.255.255.255
access-list 150 permit ip 10.233.0.0 255.255.255.0 172.16.5.147 255.255.255.255


When I add access-list 150 to the configuration, save it, and check the running-config - this is all that shows:


access-list 150 permit ip 0.0.0.0 255.255.255.0 any


I've deleted access-list 150 and re-attempted to add it back with the same results.


Any ideas?

Jerry Ye (Cisco Employee) Thu, 07/23/2009 - 05:14

Hi,


Your ACL's network mask is configured wrong; the mask should be an inverse mask. Assuming your network 10.233.0.0 is /24, the configuration should be something like this:


access-list 150 permit ip 10.233.0.0 0.0.0.255 host 172.16.0.73


access-list 150 permit ip 10.233.0.0 0.0.0.255 host 172.16.5.147


That is to say, a host address can be in the format of host x.x.x.x or x.x.x.x 0.0.0.0.


Also, what do you want to accomplish with the last one, apart from the mask being wrong?


HTH,

jerry
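
Why the pasted list showed up as a single entry, as an added example that is not part of the original thread and is not Cisco code: the router reads each mask as a wildcard (inverse) mask, clears the don't-care bits from the stored address, and displays an all-ones wildcard as any. The function names are hypothetical, and dropping identical entries is an assumption consistent with the single line seen in the running-config.

```python
import ipaddress

ALL_ONES = 0xFFFFFFFF

def _ip(text):
    return int(ipaddress.IPv4Address(text))

def _fmt(value):
    return str(ipaddress.IPv4Address(value))

def normalize(addr, wildcard):
    """Model the stored form of an address/wildcard pair.
    Bits set in the wildcard are "don't care" and are cleared from the address."""
    a, w = _ip(addr), _ip(wildcard)
    if w == ALL_ONES:
        return "any"                      # every bit ignored
    if w == 0:
        return "host " + _fmt(a)          # every bit must match
    return f"{_fmt(a & ~w & ALL_ONES)} {_fmt(w)}"

def as_stored(line):
    """'access-list N permit ip SRC MASK DST MASK' with both masks
    interpreted as wildcard masks, which is what the router does."""
    t = line.split()
    return " ".join(t[:4] + [normalize(t[4], t[5]), normalize(t[6], t[7])])

def to_wildcard(line):
    """The same line rewritten on the assumption that subnet masks were meant."""
    t = line.split()
    inv = lambda mask: _fmt(~_ip(mask) & ALL_ONES)
    return " ".join(t[:4] + [normalize(t[4], inv(t[5])), normalize(t[6], inv(t[7]))])

def running_config(lines):
    """Stored entries in order, identical entries kept once (assumption, see lead-in)."""
    return list(dict.fromkeys(as_stored(l) for l in lines))

# Three of the entries exactly as pasted in the question above.
ACL_AS_PASTED = [
    "access-list 150 permit ip 10.233.0.0 255.255.255.0 172.16.0.73 255.255.255.255",
    "access-list 150 permit ip 10.233.0.0 255.255.255.0 172.16.5.30 255.255.255.255",
    "access-list 150 permit ip 10.233.0.0 255.255.255.0 172.16.5.147 255.255.255.255",
]

if __name__ == "__main__":
    print("stored as pasted:", running_config(ACL_AS_PASTED))
    for entry in ACL_AS_PASTED:
        print("intended:", to_wildcard(entry))
```

The stored entry matches any source whose last octet is 0 and any destination, so the pasted list would not have restricted traffic to the 13 intended hosts.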

iholdings Thu, 07/23/2009 - 05:42

Thanks for the prompt reply!!


That did the trick. This is actually a vendor's switch - so I was working off of their recommended ACL list.


Not sure about your last comment regarding what we want to accomplish with the last one ??

Jerry Ye (Cisco Employee) Thu, 07/23/2009 - 05:56

Hi,


I am referring to this ACL


access-list 150 permit ip 0.0.0.0 255.255.255.0 any


especially 0.0.0.0 255.255.255.0, what are you trying to accomplish here?


Regards,

jerry

iholdings Thu, 07/23/2009 - 06:01

Ah - when I pasted the (wrongly configured) list to the router - and saved the configuration - when I did a 'show running-config' that was the only entry for access-list 150 listed.


Now the correct list is there and applied to the WAN interface!


Thanks Jerry for all of your help!!

Correct Answer
Jerry Ye (Cisco Employee) Thu, 07/23/2009 - 06:05

Oh, okay, not a problem. And glad that I can help here.


Regards,

jerry
