09-01-2009 07:46 AM - edited 03-04-2019 05:54 AM
Hi folks -
I have a vendor machine in our network that we assigned a static IP address to. This machine just needs access to the Internet and nothing on our network.
So I created the following access list and applied it to the port that this machine is connected to. The machine is connected to a Cisco 3560 switch. It's using 4.2.2.2 for DNS.
Extended IP access list 111
10 permit tcp host 172.16.34.78 any eq www
14 permit tcp host 172.16.34.78 any eq domain
15 permit icmp host 172.16.34.78 any
20 deny ip host 172.16.34.78 any
This machine is unable to connect to the Internet. I can ping 4.2.2.2 from the machine but 4.2.2.2 is not resolving any of the domain names on the Internet.
When I remove the access-l applied to the port, the machine can get to the Internet just fine.
This is how the access-l was applied to the port:
ip access-group 111 in
So I am not sure where I am going wrong.
Can anyone help?
Thanks!
09-01-2009 07:52 AM
The Internet is composed of thousands of TCP/UDP ports, not just www and domain. What happens if this host goes to an https site? What happens if they need to ftp a file?
What you need to do is block all local subnets in your network and have a permit ip host any at the end, similar to:
access-list 111 deny ip host 172.16.34.78 [local subnets...]
access-list 111 permit ip host 172.16.34.78 any
__
Edison.
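The point in Edison's answer, and the reason the original list 111 fails, as an added example that is not part of the thread: a small first-match ACL evaluator in Python that applies both access lists to constructed sample packets from 172.16.34.78. DNS lookups are normally sent over UDP port 53, and `permit tcp ... eq domain` only matches TCP, so queries to 4.2.2.2 hit the deny entry; ICMP was permitted, which is why ping worked. The local range 172.16.0.0/16, the sample destination addresses and the sample traffic are assumptions made for illustration, not data from the thread.

```python
"""
Added example (not from the original thread): a minimal first-match ACL
evaluator with IOS-style implicit deny, used to compare the ACL posted in
the question with the deny-local-then-permit-any shape from the answer.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                   # "tcp", "udp" or "icmp"
    dport: Optional[int] = None  # destination port for tcp/udp


@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches every protocol
    src: str                     # "any" or a host/network in CIDR form
    dst: str                     # "any" or a host/network in CIDR form
    dport: Optional[int] = None  # None means "no port qualifier" (like no "eq")

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if self.src != "any" and ip_address(pkt.src) not in ip_network(self.src):
            return False
        if self.dst != "any" and ip_address(pkt.dst) not in ip_network(self.dst):
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        return True


def evaluate(acl, pkt: Packet) -> str:
    """First matching entry wins; an IOS ACL ends with an implicit deny."""
    for rule in acl:
        if rule.matches(pkt):
            return rule.action
    return "deny"


HOST = "172.16.34.78/32"

# The list exactly as posted in the question (www=80, domain=53).
ORIGINAL_111 = [
    Rule("permit", "tcp", HOST, "any", 80),
    Rule("permit", "tcp", HOST, "any", 53),
    Rule("permit", "icmp", HOST, "any"),
    Rule("deny", "ip", HOST, "any"),
]

# The shape from the answer: deny the local subnets first, then permit
# everything else. 172.16.0.0/16 is an assumed local range.
LOCAL_SUBNETS = ["172.16.0.0/16"]
REVISED_111 = [Rule("deny", "ip", HOST, net) for net in LOCAL_SUBNETS] + [
    Rule("permit", "ip", HOST, "any"),
]

# Constructed sample traffic from the vendor host (documentation addresses).
SAMPLES = {
    "dns udp": Packet("172.16.34.78", "4.2.2.2", "udp", 53),
    "dns tcp": Packet("172.16.34.78", "4.2.2.2", "tcp", 53),
    "ping": Packet("172.16.34.78", "4.2.2.2", "icmp"),
    "https": Packet("172.16.34.78", "198.51.100.10", "tcp", 443),
    "ftp": Packet("172.16.34.78", "198.51.100.10", "tcp", 21),
    "internal smb": Packet("172.16.34.78", "172.16.10.5", "tcp", 445),
}


def verdicts(acl) -> dict:
    """Map each sample packet name to the ACL's permit/deny decision."""
    return {name: evaluate(acl, pkt) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for label, acl in (("original 111", ORIGINAL_111), ("revised 111", REVISED_111)):
        print(label, verdicts(acl))
```

With the original list, "dns udp", "https" and "ftp" are denied while "dns tcp" and "ping" are permitted, which matches the symptoms in the question (ping works, names do not resolve). With the revised list every Internet sample is permitted and only the internal destination is denied. Because evaluation is first-match, the deny entries for the local subnets must come before the `permit ip host ... any`; the trailing explicit `deny ip host ... any` in the original list is redundant with the implicit deny.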
09-01-2009 08:06 AM
Thanks for your prompt response. I will make that change and see if it works.
On another note, how do I see the hit count on the access list? Sometimes I see the hit count by default and sometimes I don't.
Thanks again!
09-01-2009 08:11 AM
You won't see hit counts on a switch as the ACL is processed in hardware. Hit counts are found on software-based devices like routers.