Correctly applying ACLs

Unanswered Question
Sep 22nd, 2009

Greetings:

Confused. When I created the following ACL:

access-list 150 permit ip 10.233.0.0 0.0.0.255 host 172.16.5.30
access-list 150 permit ip 10.233.0.0 0.0.0.255 host 10.1.7.136
access-list 150 permit ip 10.233.0.0 0.0.0.255 host 10.1.7.137
access-list 150 permit ip 10.233.0.0 0.0.0.255 host 10.1.7.139
access-list 150 permit ip 10.233.0.0 0.0.0.255 host 10.1.4.43
access-list 150 permit ip 10.233.0.0 0.0.0.255 host 172.28.0.7
access-list 150 permit ip 10.233.0.0 0.0.0.255 host 172.28.0.75
access-list 150 permit ip 10.233.0.0 0.0.0.255 host 172.28.0.110
access-list 150 permit ip 10.233.0.0 0.0.0.255 host 172.28.0.111
access-list 150 permit ip 10.233.0.0 0.0.0.255 host 172.16.5.143
access-list 150 permit ip 10.233.0.0 0.0.0.255 host 172.16.5.142
access-list 150 permit ip 10.233.0.0 0.0.0.255 host 172.16.5.147
access-list 150 deny ip any any

and apply it to the WAN interface as:

ip access-group 150 in

I cannot ping the 10.233.x.x network and they can't ping the router's WAN IP (10.223.0.7).

As soon as I remove the ACL, normal connectivity resumes, but with no protection from acl-150.

What am I missing? Thanks

YANGCCIE4 Tue, 09/22/2009 - 06:29

Hi, iholdings

>>I cannot ping the 10.233.x.x network

>>access-list 150 deny ip any any

You deny ip any any, so the packets whose source address is not in the host list (172.x-10.x) will be dropped.

When you ping 10.233.0.x from another peer, the ICMP return from 10.233.0.x will be dropped; a packet analyzer will capture the ICMP type 3 code 13 packets.

iholdings Tue, 09/22/2009 - 06:36

So I have the access-group applied correctly on the right interface and in the right direction, but need to adjust acl 150. How?

I simply need to allow 10.223.x.x access to the listed hosts under acl 150, but disallow all other access to the networks behind the LAN interface. Thanks.

Lucien Avramov Tue, 09/22/2009 - 08:29

Before the line deny ip any any, add a line for permit icmp any any:

access-list 150 permit ip 10.233.0.0 0.0.0.255 host 172.16.5.147
access-list 150 permit icmp any any
access-list 150 deny ip any any

YANGCCIE4 Tue, 09/22/2009 - 07:25

>>I cannot ping the 10.233.x.x network --- 10.233.x.x or 10.233.0.x? x.x will widen the range.

If you put the access-list on the router's interface 10.223.0.x 255.255.255.0 inbound, then when you ping from a device whose IP address is not in the listed hosts, it will be denied; if you ping from a device whose IP address is in the listed hosts, it will be allowed.

YANGCCIE4 Tue, 09/22/2009 - 07:29

>>they can't ping the router's WAN ip (10.223.0.7)

Add one entry:

access-list 150 permit ip 10.233.0.0 0.0.0.255 host 10.223.0.7

Hope it works.

Yang
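To make the two answers above concrete, here is an added example (not code from the original post or from either reply) that models how IOS evaluates an extended ACL: top down, first match wins, implicit deny at the end, with a 1 bit in the wildcard mask meaning "don't care". It walks the ACL exactly as posted, then Yang's extra host entry, then Lucien's permit icmp any any, and finally a narrower alternative of my own (permit icmp 10.233.0.0 0.0.0.255 any echo-reply) that is not from the thread. One point the thread only hints at: ip access-group 150 in on the WAN interface only ever sees packets arriving from the WAN. A ping sent from the router or a LAN host leaves unfiltered, and it is the echo-reply coming back inbound that hits the deny. The packets and the unlisted addresses 10.1.4.200 and 192.0.2.9 are constructed for the trace.

```python
"""Model of Cisco IOS extended-ACL matching (top down, first match wins,
implicit deny) used to trace ACL 150 from this thread. Added example, not
code from the original post; packets are constructed. Only traffic arriving
inbound on the WAN interface is modelled, since that is all the ACL sees."""
from __future__ import annotations
import ipaddress
from typing import NamedTuple


class Packet(NamedTuple):
    proto: str           # "icmp", "tcp", "udp", ...
    src: str
    dst: str
    icmp_type: str = ""  # "echo", "echo-reply", ...; empty when not ICMP


def _addr_spec(tok: list[str], i: int) -> tuple[int, int, int]:
    """Consume one IOS address spec at tok[i]: 'any', 'host A.B.C.D' or
    'A.B.C.D W.X.Y.Z'. Returns (network, wildcard, next index)."""
    if tok[i] == "any":
        return 0, 0xFFFFFFFF, i + 1
    if tok[i] == "host":
        return int(ipaddress.IPv4Address(tok[i + 1])), 0, i + 2
    return (int(ipaddress.IPv4Address(tok[i])),
            int(ipaddress.IPv4Address(tok[i + 1])), i + 2)


def _matches(addr: str, net: int, wild: int) -> bool:
    care = ~wild & 0xFFFFFFFF          # wildcard 1 bits are ignored
    return (int(ipaddress.IPv4Address(addr)) ^ net) & care == 0


def evaluate(acl: str, pkt: Packet) -> tuple[str, str]:
    """Return (action, matching ACE); the implicit deny is reported explicitly."""
    for line in acl.strip().splitlines():
        tok = line.split()
        if tok[:1] != ["access-list"]:
            continue
        action, proto = tok[2], tok[3]
        snet, swild, i = _addr_spec(tok, 4)
        dnet, dwild, i = _addr_spec(tok, i)
        icmp_type = tok[i] if proto == "icmp" and i < len(tok) else ""
        if proto not in ("ip", pkt.proto):
            continue
        if icmp_type and icmp_type != pkt.icmp_type:
            continue
        if _matches(pkt.src, snet, swild) and _matches(pkt.dst, dnet, dwild):
            return action, line
    return "deny", "(implicit deny at end of list)"


# ACL 150 exactly as posted.
ACL_POSTED = """
access-list 150 permit ip 10.233.0.0 0.0.0.255 host 172.16.5.30
access-list 150 permit ip 10.233.0.0 0.0.0.255 host 10.1.7.136
access-list 150 permit ip 10.233.0.0 0.0.0.255 host 10.1.7.137
access-list 150 permit ip 10.233.0.0 0.0.0.255 host 10.1.7.139
access-list 150 permit ip 10.233.0.0 0.0.0.255 host 10.1.4.43
access-list 150 permit ip 10.233.0.0 0.0.0.255 host 172.28.0.7
access-list 150 permit ip 10.233.0.0 0.0.0.255 host 172.28.0.75
access-list 150 permit ip 10.233.0.0 0.0.0.255 host 172.28.0.110
access-list 150 permit ip 10.233.0.0 0.0.0.255 host 172.28.0.111
access-list 150 permit ip 10.233.0.0 0.0.0.255 host 172.16.5.143
access-list 150 permit ip 10.233.0.0 0.0.0.255 host 172.16.5.142
access-list 150 permit ip 10.233.0.0 0.0.0.255 host 172.16.5.147
access-list 150 deny ip any any
"""
DENY_ALL = "access-list 150 deny ip any any"

# Yang's fix: one more host entry, for the router's WAN address.
ACL_YANG = ACL_POSTED.replace(
    DENY_ALL, "access-list 150 permit ip 10.233.0.0 0.0.0.255 host 10.223.0.7\n" + DENY_ALL)

# Lucien's fix: permit all ICMP ahead of the final deny.
ACL_LUCIEN = ACL_POSTED.replace(DENY_ALL, "access-list 150 permit icmp any any\n" + DENY_ALL)

# Narrower alternative (my suggestion, not from the thread): Yang's entry plus
# only echo-replies from 10.233.0.0/24 answering pings sent from behind the router.
ACL_NARROW = ACL_YANG.replace(
    DENY_ALL, "access-list 150 permit icmp 10.233.0.0 0.0.0.255 any echo-reply\n" + DENY_ALL)

# Constructed packets, all arriving inbound on the WAN interface.
CASES = {
    "remote_to_listed": Packet("icmp", "10.233.0.5", "172.16.5.30", "echo"),
    "remote_to_router": Packet("icmp", "10.233.0.5", "10.223.0.7", "echo"),
    "reply_to_router":  Packet("icmp", "10.233.0.5", "10.223.0.7", "echo-reply"),
    "reply_to_lan":     Packet("icmp", "10.233.0.5", "10.1.4.200", "echo-reply"),
    "stranger_to_lan":  Packet("icmp", "192.0.2.9", "10.1.7.136", "echo"),
}


def trace(acl: str) -> dict[str, str]:
    """Action ACL 150 takes on each constructed packet."""
    return {name: evaluate(acl, pkt)[0] for name, pkt in CASES.items()}
```

Running trace() over the four lists shows the thread's symptoms and the trade-off between the two fixes: as posted, only remote_to_listed is permitted, which is why both directions of ping fail. Yang's entry restores pings to and from the router's own address but still drops echo-replies headed for an unlisted LAN host. Lucien's permit icmp any any cures every ping case, but also lets ICMP from any WAN source (here 192.0.2.9) reach every host behind the LAN interface, which is the "all other access" the original poster wanted blocked. The narrower line permits only the replies from 10.233.0.0/24 and keeps the stranger out.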
