After access list is applied, the host can't get to the internet anymore... help!

Answered Question
Nov 30th, 2009

Hey guys!

I applied an access list to a particular VLAN over the holidays. The good thing is that the access list works, but the computer cannot get to the internet now. If I remove the access-group in command, it can get back to the internet with no problem. But I really need the ACL on that VLAN interface. I do know there is an implicit deny any any once you apply one, but any suggestions?

interface Vlan22
description Security_System
ip address 172.22.0.1 255.255.0.0
ip access-group 122 in

access-list 122 permit tcp host 172.22.1.2 host 172.16.100.103
access-list 122 permit tcp host 172.22.1.2 host 172.16.100.100
access-list 122 permit tcp host 172.22.1.2 host 172.17.2.81

Since this access list is on the INBOUND, would I need an access list going outward on the same interface?

Jon Marshall Mon, 11/30/2009 - 08:46

cisco_himg wrote:

Hey guys!

I applied an access list to a particular VLAN over the holidays. The good thing is that the access list works, but the computer cannot get to the internet now. If I remove the access-group in command, it can get back to the internet with no problem. But I really need the ACL on that VLAN interface. I do know there is an implicit deny any any once you apply one, but any suggestions?

interface Vlan22
description Security_System
ip address 172.22.0.1 255.255.0.0
ip access-group 122 in

access-list 122 permit tcp host 172.22.1.2 host 172.16.100.103
access-list 122 permit tcp host 172.22.1.2 host 172.16.100.100
access-list 122 permit tcp host 172.22.1.2 host 172.17.2.81

Since this access list is on the INBOUND, would I need an access list going outward on the same interface?

There is an implicit deny at the end of every ACL. So your ACL will need additional lines. You need to

1) allow 172.22.1.2 to the other internal destinations, which you seem to have done with your above ACL

2) deny 172.22.1.2 to all other internal destinations

3) allow 172.22.1.2 to all other destinations, i.e. not internal, which means the Internet

Jon

cisco_himg Mon, 11/30/2009 - 08:49

Thanks Jon,

So since I have 1 and 2 completed, what would the access list for number 3 look like?

Correct Answer
Jon Marshall Mon, 11/30/2009 - 08:56

cisco_himg wrote:

Thanks Jon,

So since I have 1 and 2 completed, what would the access list for number 3 look like?

The point is you don't have 1 & 2 completed. You have 1 completed, then you are denying all other traffic, which also stops 172.22.1.2 getting to anything else.

So let's say your internal networks are 172.16.100.0/24 & 172.17.2.0/24

access-list 122 permit tcp host 172.22.1.2 host 172.16.100.103
access-list 122 permit tcp host 172.22.1.2 host 172.16.100.100
access-list 122 permit tcp host 172.22.1.2 host 172.17.2.81
access-list 122 deny ip host 172.22.1.2 172.16.100.0 0.0.0.255
access-list 122 deny ip host 172.22.1.2 172.17.2.0 0.0.0.255
access-list 122 permit ip host 172.22.1.2 any

Note that if you have more internal networks then you will need more than just lines 4 & 5 as above.

Also, this ACL as it stands blocks all traffic from any host on the 172.22.1.x VLAN from going out other than the explicitly permitted traffic for 172.22.1.2.

Jon
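The following is an added example, not part of the thread and not Cisco's code: a small Python evaluator that applies IOS extended-ACL semantics (top-down first match, Cisco wildcard masks where a 1 bit means don't-care, implicit deny when nothing matches) to the two ACLs above. It runs a constructed set of flows through the poster's original three-line ACL and Jon's six-line version, so you can see exactly which line each flow hits: why Internet-bound traffic from 172.22.1.2 fell through to the implicit deny originally, why it now matches line 6, that the "deny ip" lines 4 and 5 also catch non-TCP traffic (e.g. UDP) to the explicitly permitted servers because lines 1 to 3 say "permit tcp", and that any other host on Vlan22 still hits the implicit deny, as Jon notes. The address 198.51.100.10 is a constructed TEST-NET-2 address standing in for "the Internet"; the supported syntax is only the subset the thread uses (no port operators).

```python
"""Evaluate Cisco IOS numbered extended ACLs with first-match / implicit-deny semantics."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

MASK32 = 0xFFFFFFFF


def _ip(s: str) -> int:
    return int(ipaddress.IPv4Address(s))


@dataclass
class Ace:
    """One access control entry. Addresses carry a Cisco wildcard mask:
    a 0 bit must match, a 1 bit is don't-care ('host A' = wildcard 0, 'any' = all ones)."""
    action: str
    proto: str
    src: int
    src_wc: int
    dst: int
    dst_wc: int
    text: str

    def matches(self, proto: str, src: int, dst: int) -> bool:
        # 'ip' matches every protocol; tcp/udp/icmp only match themselves.
        if self.proto != "ip" and self.proto != proto:
            return False
        src_ok = ((src ^ self.src) & ~self.src_wc & MASK32) == 0
        dst_ok = ((dst ^ self.dst) & ~self.dst_wc & MASK32) == 0
        return src_ok and dst_ok


def _parse_addr(tok: List[str], i: int) -> Tuple[int, int, int]:
    """Parse 'any' | 'host A' | 'A WILDCARD' at tok[i]; return (addr, wildcard, next index)."""
    if tok[i] == "any":
        return 0, MASK32, i + 1
    if tok[i] == "host":
        return _ip(tok[i + 1]), 0, i + 2
    return _ip(tok[i]), _ip(tok[i + 1]), i + 2


def parse_acl(config: str, number: int) -> List[Ace]:
    """Collect 'access-list <number> ...' lines in configured order (order is the semantics).
    Supported subset: permit|deny ip|tcp|udp|icmp <src> <dst>, no port operators."""
    aces = []
    for raw in config.splitlines():
        tok = raw.split()
        if len(tok) < 4 or tok[0] != "access-list" or tok[1] != str(number):
            continue
        action, proto = tok[2], tok[3]
        if action not in ("permit", "deny") or proto not in ("ip", "tcp", "udp", "icmp"):
            raise ValueError(f"unsupported ACE: {raw.strip()}")
        src, src_wc, i = _parse_addr(tok, 4)
        dst, dst_wc, i = _parse_addr(tok, i)
        if i != len(tok):
            raise ValueError(f"unsupported trailing tokens: {raw.strip()}")
        aces.append(Ace(action, proto, src, src_wc, dst, dst_wc, raw.strip()))
    return aces


def evaluate(aces: List[Ace], proto: str, src: str, dst: str) -> Tuple[str, Optional[int]]:
    """First matching ACE wins (1-based line index); no match is the implicit deny (None)."""
    s, d = _ip(src), _ip(dst)
    for idx, ace in enumerate(aces, start=1):
        if ace.matches(proto, s, d):
            return ace.action, idx
    return "deny", None


# The poster's ACL as originally applied to Vlan22 inbound.
ORIGINAL = """
access-list 122 permit tcp host 172.22.1.2 host 172.16.100.103
access-list 122 permit tcp host 172.22.1.2 host 172.16.100.100
access-list 122 permit tcp host 172.22.1.2 host 172.17.2.81
"""

# Jon's corrected ACL: explicit permits, deny the rest of the internal nets, permit everything else.
CORRECTED = ORIGINAL + """
access-list 122 deny ip host 172.22.1.2 172.16.100.0 0.0.0.255
access-list 122 deny ip host 172.22.1.2 172.17.2.0 0.0.0.255
access-list 122 permit ip host 172.22.1.2 any
"""

INTERNET_HOST = "198.51.100.10"  # constructed TEST-NET-2 address standing in for the Internet


def compare() -> Dict[Tuple[str, str, str, str], Tuple[str, Optional[int]]]:
    """Run constructed flows through both ACLs; key = (acl, proto, src, dst), value = (action, line)."""
    flows = [
        ("tcp", "172.22.1.2", "172.16.100.103"),  # explicitly permitted server
        ("tcp", "172.22.1.2", INTERNET_HOST),      # Internet-bound
        ("tcp", "172.22.1.2", "172.16.100.50"),    # some other internal host
        ("udp", "172.22.1.2", "172.16.100.103"),   # non-TCP to a permitted server
        ("tcp", "172.22.1.5", INTERNET_HOST),      # a different host on Vlan22
    ]
    out = {}
    for name, cfg in (("original", ORIGINAL), ("corrected", CORRECTED)):
        aces = parse_acl(cfg, 122)
        for proto, src, dst in flows:
            out[(name, proto, src, dst)] = evaluate(aces, proto, src, dst)
    return out


if __name__ == "__main__":
    for (acl, proto, src, dst), (action, line) in compare().items():
        where = f"line {line}" if line else "implicit deny"
        print(f"{acl:9} {proto:4} {src:>12} -> {dst:<15} {action:6} ({where})")
```

Running it shows the original ACL permitting only the first flow and sending everything else, Internet included, to the implicit deny; the corrected ACL permits the Internet flow on line 6, denies the stray internal host on line 4, and still denies 172.22.1.5 outright because every permit line names 172.22.1.2 as the source.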
