11-30-2009 08:23 AM - edited 03-06-2019 08:46 AM
Hey guys!
I applied an access list to a particular VLAN over the holidays. The good thing is that the access list works, but the computer cannot get to the Internet now. If I remove the "ip access-group ... in" command, it can get back to the Internet with no problem... But I really need that ACL on that VLAN interface... I do know there is an implicit deny any any once you apply one, but any suggestions?
interface Vlan22
description Security_System
ip address 172.22.0.1 255.255.0.0
ip access-group 122 in
access-list 122 permit tcp host 172.22.1.2 host 172.16.100.103
access-list 122 permit tcp host 172.22.1.2 host 172.16.100.100
access-list 122 permit tcp host 172.22.1.2 host 172.17.2.81
Since this access list is on the INBOUND, would I need an access list going outward on the same interface?
11-30-2009 08:46 AM
cisco_himg wrote:
Hey guys!
I applied an access list to a particular VLAN over the holidays. The good thing is that the access list works, but the computer cannot get to the Internet now. If I remove the "ip access-group ... in" command, it can get back to the Internet with no problem... But I really need that ACL on that VLAN interface... I do know there is an implicit deny any any once you apply one, but any suggestions?
interface Vlan22
description Security_System
ip address 172.22.0.1 255.255.0.0
ip access-group 122 in
access-list 122 permit tcp host 172.22.1.2 host 172.16.100.103
access-list 122 permit tcp host 172.22.1.2 host 172.16.100.100
access-list 122 permit tcp host 172.22.1.2 host 172.17.2.81
Since this access list is on the INBOUND, would I need an access list going outward on the same interface?
There is an implicit deny at the end of every ACL, so your ACL will need additional lines. You need to
1) allow 172.22.1.2 to the other internal destinations which you seem to have done with your above acl
2) deny 172.22.1.2 to all other internal destinations
3) allow 172.22.1.2 to all other destinations ie. not internal which means the Internet
Jon
11-30-2009 08:49 AM
Thanks Jon,
So since I have 1 and 2 completed, what would the access list for number 3 look like?
11-30-2009 08:56 AM
cisco_himg wrote:
Thanks Jon,
So since I have 1 and 2 completed, what would the access list for number 3 look like?
The point is you don't have 1 & 2 completed. You have 1 completed; then you are denying all other traffic, which also stops 172.22.1.2 getting to anything else.
So let's say your internal networks are 172.16.100.0/24 & 172.17.2.0/24:
access-list 122 permit tcp host 172.22.1.2 host 172.16.100.103
access-list 122 permit tcp host 172.22.1.2 host 172.16.100.100
access-list 122 permit tcp host 172.22.1.2 host 172.17.2.81
access-list 122 deny ip host 172.22.1.2 172.16.100.0 0.0.0.255
access-list 122 deny ip host 172.22.1.2 172.17.2.0 0.0.0.255
access-list 122 permit ip host 172.22.1.2 any
Note that if you have more internal networks then you will need more than just lines 4 & 5 as above.
Also this acl as it stands blocks all traffic from any host on the 172.22.1.x vlan from going out other than the explicitly permitted traffic for 172.22.1.2.
Jon
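The following is an added worked example, not code from the thread or from Jon: a small Python simulator of Cisco IOS extended numbered ACL first-match semantics (with the implicit "deny ip any any" at the end), run over both the original access-list 122 and the reordered list from the answer above. It assumes, as the answer does, that the internal networks are 172.16.100.0/24 and 172.17.2.0/24, and uses 8.8.8.8 as a stand-in for "the Internet"; the sample flows are constructed for illustration. Only the ACE syntax the thread actually uses is parsed (protocol, then "host A.B.C.D", "any", or "A.B.C.D wildcard" for source and destination).

```python
"""ACL first-match simulator for the access-list 122 discussion (added example).

Parses the subset of Cisco IOS extended ACL syntax used in the thread:
    access-list <n> {permit|deny} {ip|tcp|udp|icmp} <src> <dst>
where <src>/<dst> is "host A.B.C.D", "any", or "A.B.C.D W.W.W.W"
(address plus wildcard mask). No ports, no established keyword.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Ace:
    action: str   # "permit" or "deny"
    proto: str    # "ip" matches every IP protocol; otherwise exact match
    src: tuple    # (address as int, wildcard mask as int)
    dst: tuple


def _parse_addr(tokens):
    """Consume one address spec from tokens; return ((addr, wildcard), remaining tokens)."""
    if tokens[0] == "any":
        return (0, 0xFFFFFFFF), tokens[1:]
    if tokens[0] == "host":
        return (int(ipaddress.IPv4Address(tokens[1])), 0), tokens[2:]
    addr = int(ipaddress.IPv4Address(tokens[0]))
    wild = int(ipaddress.IPv4Address(tokens[1]))
    return (addr, wild), tokens[2:]


def parse_acl(text):
    """Return the ACEs of an ACL in configured order; non-ACE lines are ignored."""
    aces = []
    for line in text.strip().splitlines():
        t = line.split()
        if not t or t[0] != "access-list":
            continue
        action, proto = t[2], t[3]          # t[1] is the list number
        src, rest = _parse_addr(t[4:])
        dst, _ = _parse_addr(rest)
        aces.append(Ace(action, proto, src, dst))
    return aces


def _matches(spec, ip):
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    addr, wild = spec
    care = ~wild & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(ip)) & care) == (addr & care)


def evaluate(aces, proto, src, dst):
    """First matching ACE wins. No match is the implicit 'deny ip any any',
    reported as ("deny", None) so callers can tell it from an explicit deny."""
    for index, ace in enumerate(aces):
        if ace.proto not in ("ip", proto):
            continue
        if _matches(ace.src, src) and _matches(ace.dst, dst):
            return ace.action, index
    return "deny", None


# The ACL as originally posted: three permits, then only the implicit deny.
ORIGINAL_ACL = """
access-list 122 permit tcp host 172.22.1.2 host 172.16.100.103
access-list 122 permit tcp host 172.22.1.2 host 172.16.100.100
access-list 122 permit tcp host 172.22.1.2 host 172.17.2.81
"""

# The reordered ACL from the answer above (internal networks are an assumption).
CORRECTED_ACL = ORIGINAL_ACL + """
access-list 122 deny ip host 172.22.1.2 172.16.100.0 0.0.0.255
access-list 122 deny ip host 172.22.1.2 172.17.2.0 0.0.0.255
access-list 122 permit ip host 172.22.1.2 any
"""

# Constructed sample flows (proto, src, dst) as seen inbound on interface Vlan22.
SAMPLE_FLOWS = [
    ("tcp", "172.22.1.2", "172.16.100.103"),  # explicitly permitted host
    ("tcp", "172.22.1.2", "8.8.8.8"),         # the Internet (assumed address)
    ("udp", "172.22.1.2", "8.8.8.8"),         # e.g. DNS to an external resolver
    ("tcp", "172.22.1.2", "172.16.100.50"),   # other internal host, same /24
    ("udp", "172.22.1.2", "172.16.100.103"),  # non-TCP to a permitted host
    ("tcp", "172.22.1.9", "8.8.8.8"),         # another host on the VLAN
]


def compare(flows=SAMPLE_FLOWS):
    """Map each flow to (decision under ORIGINAL_ACL, decision under CORRECTED_ACL)."""
    orig, fixed = parse_acl(ORIGINAL_ACL), parse_acl(CORRECTED_ACL)
    return {f: (evaluate(orig, *f)[0], evaluate(fixed, *f)[0]) for f in flows}


if __name__ == "__main__":
    for (proto, src, dst), (before, after) in compare().items():
        print(f"{proto:4} {src:>12} -> {dst:<15} original={before:6} corrected={after}")
```

Two things the run makes visible that the thread only implies. First, the ACL is applied "in" on the SVI, so it filters packets arriving from hosts on VLAN 22; there is no outbound list, so replies coming back are not subject to it and no second ACL is needed for the return direction. Second, the first three lines permit only TCP, so a non-TCP flow from 172.22.1.2 to 172.16.100.103 (ICMP, or UDP DNS if that host were the resolver) hits the "deny ip ... 172.16.100.0 0.0.0.255" line in the corrected list and is still dropped, while any host on the VLAN other than 172.22.1.2 gets nothing at all, exactly as the answer notes.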
11-30-2009 09:02 AM
that got it!.. thanks!