Access List Question

Answered Question
Sep 1st, 2009

Hi folks -


I have a vendor machine in our network that we assigned a static IP address to. This machine just needs access to the Internet and nothing on our network.


So I created the following access list and applied it to the port that this machine is connected to. The machine is connected to a Cisco 3560 switch. It's using 4.2.2.2 for DNS.


Extended IP access list 111
10 permit tcp host 172.16.34.78 any eq www
14 permit tcp host 172.16.34.78 any eq domain
15 permit icmp host 172.16.34.78 any
20 deny ip host 172.16.34.78 any


This machine is unable to connect to the Internet. I can ping 4.2.2.2 from the machine but 4.2.2.2 is not resolving any of the domain names on the Internet.


When I remove the access-list applied to the port, the machine can get to the Internet just fine.


This is how the access-list was applied to the port:

ip access-group 111 in


So I am not sure where I am going wrong.


Can anyone help??


Thanks!

Edison Ortiz Tue, 09/01/2009 - 07:52
User Badges: Super Bronze (10000 points or more), Hall of Fame, Founding Member

The Internet is composed of thousands of TCP/UDP ports, not just www and domain. What happens if this host goes to an https site? What happens if they need to ftp a file?


What you need to do is block all local subnets in your network and have a permit ip host any at the end, similar to:


access-list 111 deny ip host 172.16.34.78 [local subnets...]
access-list 111 permit ip host 172.16.34.78 any


__


Edison.
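As an added illustration (not code from this thread or from Cisco), here is a small first-match evaluator for the two ACL shapes discussed above, written in Python with a handful of constructed packets. It shows why the poster's list breaks name resolution: DNS queries are sent over UDP port 53, while the list only permits TCP port 53, so the query falls through to the "deny ip" entry. It also shows the effect of the answer's "deny local subnets, then permit any" design. The two local subnets and the sample Internet destination address are placeholders I chose; port names are the standard IANA values; the parser accepts both the numbered "show" output and "access-list 111 ..." configuration lines.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network, IPv4Network
from typing import Optional

# Port names used in IOS extended ACL syntax (subset; standard IANA values).
PORT_NAMES = {"www": 80, "domain": 53, "ftp": 21, "https": 443}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                  # "tcp", "udp" or "icmp"
    dport: Optional[int] = None # destination port for tcp/udp


@dataclass(frozen=True)
class Ace:
    action: str                 # "permit" or "deny"
    proto: str                  # "ip", "tcp", "udp" or "icmp"
    src: IPv4Network
    dst: IPv4Network
    dport: Optional[int]        # set only when the entry ends in "eq <port>"

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if ip_address(pkt.src) not in self.src or ip_address(pkt.dst) not in self.dst:
            return False
        return self.dport is None or self.dport == pkt.dport


def _parse_addr(tokens, i):
    """Consume one IOS address spec: 'any', 'host A.B.C.D', or 'A.B.C.D wildcard'."""
    tok = tokens[i]
    if tok == "any":
        return ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ip_network(tokens[i + 1] + "/32"), i + 2
    # ipaddress accepts an IOS wildcard (host mask) directly, e.g. 172.16.0.0/0.0.255.255
    return ip_network(f"{tok}/{tokens[i + 1]}"), i + 2


def parse_ace(line: str) -> Ace:
    """Parse one extended ACE such as 'permit tcp host 172.16.34.78 any eq www'."""
    tokens = line.split()
    # Tolerate a leading 'access-list <n>' or a sequence number from 'show' output.
    while tokens and (tokens[0] == "access-list" or tokens[0].isdigit()):
        tokens = tokens[2:] if tokens[0] == "access-list" else tokens[1:]
    action, proto = tokens[0], tokens[1]
    src, i = _parse_addr(tokens, 2)
    dst, i = _parse_addr(tokens, i)
    dport = None
    if i < len(tokens) and tokens[i] == "eq":
        name = tokens[i + 1]
        dport = PORT_NAMES[name] if name in PORT_NAMES else int(name)
    return Ace(action, proto, src, dst, dport)


def evaluate(acl, pkt: Packet) -> str:
    """First matching entry wins; every ACL ends with an implicit deny."""
    for ace in acl:
        if ace.matches(pkt):
            return ace.action
    return "deny"


# The ACL from the question, exactly as the poster showed it.
ORIGINAL_ACL = [parse_ace(l) for l in """
10 permit tcp host 172.16.34.78 any eq www
14 permit tcp host 172.16.34.78 any eq domain
15 permit icmp host 172.16.34.78 any
20 deny ip host 172.16.34.78 any
""".strip().splitlines()]

# The shape of the answer's ACL; the two local subnets are constructed placeholders.
REVISED_ACL = [parse_ace(l) for l in """
access-list 111 deny ip host 172.16.34.78 172.16.0.0 0.0.255.255
access-list 111 deny ip host 172.16.34.78 10.0.0.0 0.255.255.255
access-list 111 permit ip host 172.16.34.78 any
""".strip().splitlines()]

VENDOR = "172.16.34.78"
# Constructed sample traffic from the vendor host (4.2.2.2 is the resolver from the question;
# 198.51.100.10 is a documentation-range stand-in for an Internet web server).
SAMPLES = {
    "dns query (udp/53)": Packet(VENDOR, "4.2.2.2", "udp", 53),
    "ping 4.2.2.2":       Packet(VENDOR, "4.2.2.2", "icmp"),
    "http (tcp/80)":      Packet(VENDOR, "198.51.100.10", "tcp", 80),
    "https (tcp/443)":    Packet(VENDOR, "198.51.100.10", "tcp", 443),
    "smb to local host":  Packet(VENDOR, "172.16.1.10", "tcp", 445),
}


def verdicts(acl):
    """Map each sample flow to the ACL's verdict."""
    return {name: evaluate(acl, pkt) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for label, acl in (("original", ORIGINAL_ACL), ("revised", REVISED_ACL)):
        print(label)
        for name, verdict in verdicts(acl).items():
            print(f"  {verdict:6} {name}")
```

Running it prints the verdict table for both lists: with the original list the ping to 4.2.2.2 is permitted (matching what the poster observed) but the UDP DNS query is denied, as is HTTPS; with the revised list all Internet-bound flows are permitted and the flow to a local address is denied. The evaluator is deliberately simple (no established/ack matching, no port ranges, no logging keyword) since the point is only the first-match semantics that the thread relies on.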

ksarin123_2 Tue, 09/01/2009 - 08:06

Thanks for your prompt response. I will make that change and see if it works.


On another note, how do I see the hit count on the access list? Sometimes I see the hit count by default and sometimes I don't.


Thanks again!

Correct Answer
Edison Ortiz Tue, 09/01/2009 - 08:11
User Badges: Super Bronze (10000 points or more), Hall of Fame, Founding Member

You won't see hit counts on a switch, as the ACL is processed in hardware. Hit counts are found on software-based devices like routers.


