After access list is applied, the host can't get to the internet anymore...help!

Answered Question
Nov 30th, 2009
Hey guys!


I applied an access list to a particular vlan over the holidays. The good thing is that the access list works, but the computer cannot get to the internet now. If I remove the access group in command, it can get back to the internet with no problem...But I really need the ACL on that vlan interface...I do know there is an implicit deny any any once you apply one, but any suggestions?


interface Vlan22
description Security_System
ip address 172.22.0.1 255.255.0.0
ip access-group 122 in

access-list 122 permit tcp host 172.22.1.2 host 172.16.100.103
access-list 122 permit tcp host 172.22.1.2 host 172.16.100.100
access-list 122 permit tcp host 172.22.1.2 host 172.17.2.81



Since this access list is on the INBOUND, would I need an access list going outward on the same interface?

Jon Marshall Mon, 11/30/2009 - 08:46

cisco_himg wrote:


Hey guys!


I applied an access list to a particular vlan over the holidays. The good thing is that the access list works, but the computer cannot get to the internet now. If I remove the access group in command, it can get back to the internet with no problem...But I really need the ACL on that vlan interface...I do know there is an implicit deny any any once you apply one, but any suggestions?


interface Vlan22
description Security_System
ip address 172.22.0.1 255.255.0.0
ip access-group 122 in

access-list 122 permit tcp host 172.22.1.2 host 172.16.100.103
access-list 122 permit tcp host 172.22.1.2 host 172.16.100.100
access-list 122 permit tcp host 172.22.1.2 host 172.17.2.81



Since this access list is on the INBOUND, would I need an access list going outward on the same interface?

There is an implicit deny at the end of every acl. So your acl will need additional lines. You need to


1) allow 172.22.1.2 to the other internal destinations, which you seem to have done with your above acl

2) deny 172.22.1.2 to all other internal destinations

3) allow 172.22.1.2 to all other destinations, i.e. not internal, which means the Internet


Jon

cisco_himg Mon, 11/30/2009 - 08:49

Thanks Jon,


So since I have 1 and 2 completed, what would the access list for number 3 look like?

Correct Answer
Jon Marshall Mon, 11/30/2009 - 08:56

cisco_himg wrote:


Thanks Jon,


So since I have 1 and 2 completed, what would the access list for number 3 look like?


The point is you don't have 1 & 2 completed. You have 1 completed then you are denying all other traffic which also stops 172.22.1.2 getting to anything else.


So let's say your internal networks are 172.16.100.0/24 & 172.17.2.0/24


access-list 122 permit tcp host 172.22.1.2 host 172.16.100.103
access-list 122 permit tcp host 172.22.1.2 host 172.16.100.100
access-list 122 permit tcp host 172.22.1.2 host 172.17.2.81
access-list 122 deny ip host 172.22.1.2 172.16.100.0 0.0.0.255
access-list 122 deny ip host 172.22.1.2 172.17.2.0 0.0.0.255
access-list 122 permit ip host 172.22.1.2 any


Note that if you have more internal networks then you will need more than just lines 4 & 5 as above.


Also this acl as it stands blocks all traffic from any host on the 172.22.1.x vlan from going out other than the explicitly permitted traffic for 172.22.1.2.


Jon
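As an added illustration, not part of the thread, the following Python script implements IOS first-match ACL evaluation (including the implicit deny) for the subset of numbered-ACL syntax used above, and runs both the original three-line ACL and Jon's corrected version against sample flows. The Internet destination 198.51.100.10 is a constructed documentation address.

```python
import ipaddress

# Constructed for this example: the three lines from the original post, then
# the same three plus Jon's additional deny/permit lines.
ORIGINAL_ACL = """
access-list 122 permit tcp host 172.22.1.2 host 172.16.100.103
access-list 122 permit tcp host 172.22.1.2 host 172.16.100.100
access-list 122 permit tcp host 172.22.1.2 host 172.17.2.81
"""
CORRECTED_ACL = ORIGINAL_ACL + """
access-list 122 deny ip host 172.22.1.2 172.16.100.0 0.0.0.255
access-list 122 deny ip host 172.22.1.2 172.17.2.0 0.0.0.255
access-list 122 permit ip host 172.22.1.2 any
"""

def _parse_addr(tokens):
    """Consume one address spec ('any', 'host A.B.C.D', or 'A.B.C.D WILDCARD')
    and return (match_function, remaining_tokens)."""
    if tokens[0] == "any":
        return (lambda ip: True), tokens[1:]
    if tokens[0] == "host":
        target = ipaddress.ip_address(tokens[1])
        return (lambda ip, t=target: ip == t), tokens[2:]
    base = int(ipaddress.ip_address(tokens[0]))
    # Cisco wildcard mask: a 1 bit means "don't care"; invert to get the bits that must match.
    mask = 0xFFFFFFFF ^ int(ipaddress.ip_address(tokens[1]))
    return (lambda ip, b=base, m=mask: (int(ip) & m) == (b & m)), tokens[2:]

def parse_acl(text):
    """Parse the subset of IOS numbered-ACL syntax used in the thread (no ports)."""
    rules = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if len(tokens) < 6 or tokens[0] != "access-list":
            continue  # skip blank lines and anything that is not an ACL entry
        action, proto = tokens[2], tokens[3]
        src, rest = _parse_addr(tokens[4:])
        dst, _ = _parse_addr(rest)
        rules.append((action, proto, src, dst))
    return rules

def evaluate(rules, proto, src, dst):
    """First matching entry wins; no match falls through to the implicit deny."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, rule_proto, src_match, dst_match in rules:
        if rule_proto in ("ip", proto) and src_match(src_ip) and dst_match(dst_ip):
            return action
    return "deny"  # implicit deny any any at the end of every ACL
```

Running `evaluate(parse_acl(ORIGINAL_ACL), "tcp", "172.22.1.2", "198.51.100.10")` returns "deny" while the corrected ACL returns "permit", and any other host on the VLAN is still denied, which is the behaviour Jon describes.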
