Access List Question

Answered Question
Sep 1st, 2009

Hi folks -

I have a vendor machine in our network that we assigned a static IP address to. This machine just needs access to the Internet and nothing on our network.

So I created the following access list and applied it to the port that this machine is connected to. The machine is connected to a Cisco 3560 switch. It's using 4.2.2.2 for DNS.

Extended IP access list 111

10 permit tcp host 172.16.34.78 any eq www

14 permit tcp host 172.16.34.78 any eq domain

15 permit icmp host 172.16.34.78 any

20 deny ip host 172.16.34.78 any

This machine is unable to connect to the Internet. I can ping 4.2.2.2 from the machine but 4.2.2.2 is not resolving any of the domain names on the Internet.

When I remove the access-l applied to the port, the machine can get to the Internet just fine.

This is how the access-l was applied to the port:

ip access-group 111 in

So I am not sure where I am going wrong.

Can anyone help??

Thanks!

Edison Ortiz Tue, 09/01/2009 - 07:52

The Internet is composed of thousands of TCP/UDP ports, not just www and domain. What happens if this host goes to an https site? What happens if they need to ftp a file?

What you need to do is block all local subnets in your network and have a permit ip host any at the end, similar to:

access-list 111 deny ip host 172.16.34.78 [local subnets...]

access-list 111 permit ip host 172.16.34.78 any

__

Edison.
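To see why the original list breaks name resolution and most web traffic, here is an added example (not from the thread or Cisco) that simulates first-match ACL evaluation and runs the same sample packets through the poster's list and through the "deny local subnets, then permit any" list suggested above. The local subnets, the 203.0.113.10 web server and the internal host are constructed values.

```python
# Added example: minimal Cisco-style extended ACL evaluator (first match wins,
# implicit deny at the end). Local subnets and non-4.2.2.2 destinations are
# constructed for illustration, not taken from the thread.
import ipaddress

HOST = "172.16.34.78"
LOCAL_SUBNETS = ["172.16.0.0/16", "10.0.0.0/8"]  # assumed local ranges

# Each ACE: (action, protocol, source host, destination network, dest port or None)
ORIGINAL_ACL = [
    ("permit", "tcp", HOST, "0.0.0.0/0", 80),    # eq www
    ("permit", "tcp", HOST, "0.0.0.0/0", 53),    # eq domain (TCP only; DNS queries use UDP)
    ("permit", "icmp", HOST, "0.0.0.0/0", None),
    ("deny", "ip", HOST, "0.0.0.0/0", None),
]

SUGGESTED_ACL = [("deny", "ip", HOST, net, None) for net in LOCAL_SUBNETS] + [
    ("permit", "ip", HOST, "0.0.0.0/0", None),
]

def evaluate(acl, proto, src, dst, dport=None):
    """Return 'permit' or 'deny' for one packet, checking ACEs in order."""
    for action, aproto, asrc, adst, aport in acl:
        if aproto != "ip" and aproto != proto:
            continue
        if src != asrc:
            continue
        if ipaddress.ip_address(dst) not in ipaddress.ip_network(adst):
            continue
        if aport is not None and aport != dport:
            continue
        return action
    return "deny"  # implicit deny at the end of every Cisco ACL

TRAFFIC = {  # constructed sample packets: (proto, src, dst, dport)
    "dns-udp": ("udp", HOST, "4.2.2.2", 53),
    "ping": ("icmp", HOST, "4.2.2.2", None),
    "http": ("tcp", HOST, "203.0.113.10", 80),
    "https": ("tcp", HOST, "203.0.113.10", 443),
    "internal-smb": ("tcp", HOST, "172.16.10.5", 445),
}

def compare():
    """Map each sample flow to (result under ORIGINAL_ACL, result under SUGGESTED_ACL)."""
    return {name: (evaluate(ORIGINAL_ACL, *pkt), evaluate(SUGGESTED_ACL, *pkt))
            for name, pkt in TRAFFIC.items()}

if __name__ == "__main__":
    for name, (orig, new) in compare().items():
        print(f"{name:13s} original={orig:7s} suggested={new}")
```

The run shows UDP DNS and HTTPS dropped by the original list while ping and plain HTTP pass, which matches the symptoms described; the suggested list permits all Internet-bound traffic and still blocks the internal host.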

ksarin123_2 Tue, 09/01/2009 - 08:06

Thanks for your prompt response. I will make that change and see if it works.

On another note, how do I see the hit count on the access list. Sometimes I see the hit count by default and sometimes I don't.

Thanks again!

Correct Answer
Edison Ortiz Tue, 09/01/2009 - 08:11

You won't see hit counts on a switch as the ACL is processed in hardware. Hit counts are found on software-based devices like routers.
