After access list is applied, the host can't get to the internet anymore...help!

cisco_himg
Level 1

Hey guys!

I applied an access list to a particular vlan over the holidays. The good thing is that the access list works, but the computer cannot get to the internet now. If I remove the access-group in command, it can get back to the internet with no problem...But I really need the ACL on that vlan interface...I do know there is an implicit deny any any once you apply one, but any suggestions?

interface Vlan22
description Security_System
ip address 172.22.0.1 255.255.0.0
ip access-group 122 in

access-list 122 permit tcp host 172.22.1.2 host 172.16.100.103
access-list 122 permit tcp host 172.22.1.2 host 172.16.100.100
access-list 122 permit tcp host 172.22.1.2 host 172.17.2.81

Since this access list is on the INBOUND, would I need an access list going outward on the same interface?


4 Replies

Jon Marshall
Hall of Fame

cisco_himg wrote:

Hey guys!

I applied an access list to a particular vlan over the holidays. The good thing is that the access list works, but the computer cannot get to the internet now. If I remove the access-group in command, it can get back to the internet with no problem...But I really need the ACL on that vlan interface...I do know there is an implicit deny any any once you apply one, but any suggestions?

interface Vlan22
description Security_System
ip address 172.22.0.1 255.255.0.0
ip access-group 122 in

access-list 122 permit tcp host 172.22.1.2 host 172.16.100.103
access-list 122 permit tcp host 172.22.1.2 host 172.16.100.100
access-list 122 permit tcp host 172.22.1.2 host 172.17.2.81

Since this access list is on the INBOUND, would I need an access list going outward on the same interface?

There is an implicit deny at the end of every acl. So your acl will need additional lines. You need to

1) allow 172.22.1.2 to the other internal destinations, which you seem to have done with your above acl

2) deny 172.22.1.2 to all other internal destinations

3) allow 172.22.1.2 to all other destinations, i.e. not internal, which means the Internet

Jon

Thanks Jon,

So since I have 1 and 2 completed, what would the access list for number 3 look like?

Jon Marshall
Hall of Fame

cisco_himg wrote:

Thanks Jon,

So since I have 1 and 2 completed, what would the access list for number 3 look like?

The point is you don't have 1 & 2 completed. You have 1 completed then you are denying all other traffic which also stops 172.22.1.2 getting to anything else.

So let's say your internal networks are 172.16.100.0/24 & 172.17.2.0/24

access-list 122 permit tcp host 172.22.1.2 host 172.16.100.103
access-list 122 permit tcp host 172.22.1.2 host 172.16.100.100
access-list 122 permit tcp host 172.22.1.2 host 172.17.2.81
access-list 122 deny ip host 172.22.1.2 172.16.100.0 0.0.0.255
access-list 122 deny ip host 172.22.1.2 172.17.2.0 0.0.0.255
access-list 122 permit ip host 172.22.1.2 any

Note that if you have more internal networks then you will need more than just lines 4 & 5 as above.

Also this acl as it stands blocks all traffic from any host on the 172.22.1.x vlan from going out other than the explicitly permitted traffic for 172.22.1.2.

Jon
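To make the first-match and implicit-deny behaviour Jon describes concrete, here is an added Python evaluator (not from the thread, not Cisco code) that parses the two ACLs posted above and checks sample packets against them. It covers both the three-step list in Jon's first reply and the six-line ACL in his second. Everything beyond the ACL lines is constructed for the example: 8.8.8.8 stands in for "the Internet", 172.16.100.50 is an assumed other host on the internal /24, and 172.22.1.3 is an assumed second host on the VLAN, used to show the caveat that only 172.22.1.2 is permitted out.

```python
"""Toy evaluator for Cisco IOS numbered extended ACL lines.

Models the two rules that matter in the thread: access control entries are
checked top to bottom and the first match wins, and an unmatched packet hits
the implicit 'deny ip any any' at the end. Only the syntax used on the page is
supported: permit|deny, ip|tcp|udp|icmp, and address specs of the form
'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'. Ports are ignored.
"""
import ipaddress
from dataclasses import dataclass

# The ACL as originally applied to Vlan22 (from the thread).
ORIGINAL_ACL = """
access-list 122 permit tcp host 172.22.1.2 host 172.16.100.103
access-list 122 permit tcp host 172.22.1.2 host 172.16.100.100
access-list 122 permit tcp host 172.22.1.2 host 172.17.2.81
"""

# Jon's corrected ACL: explicit permits, deny the rest of the internal
# networks, then permit everything else (i.e. the Internet).
CORRECTED_ACL = ORIGINAL_ACL + """
access-list 122 deny ip host 172.22.1.2 172.16.100.0 0.0.0.255
access-list 122 deny ip host 172.22.1.2 172.17.2.0 0.0.0.255
access-list 122 permit ip host 172.22.1.2 any
"""


@dataclass(frozen=True)
class Ace:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches every protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def _parse_addr(tokens):
    """Consume one address spec from the token list and return a network."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    # Cisco wildcard mask: 0 bits must match. Invert it into a netmask so
    # that a wildcard of 0.0.0.0 becomes /32 rather than /0.
    wildcard = int(ipaddress.IPv4Address(tokens.pop(0)))
    netmask = str(ipaddress.IPv4Address(0xFFFFFFFF ^ wildcard))
    return ipaddress.ip_network((tok, netmask), strict=False)


def parse_acl(text):
    """Parse 'access-list N permit|deny PROTO SRC DST' lines, in order."""
    aces = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if len(tokens) < 6 or tokens[0] != "access-list":
            continue
        action, proto = tokens[2], tokens[3]
        rest = tokens[4:]
        src = _parse_addr(rest)
        dst = _parse_addr(rest)
        aces.append(Ace(action, proto, src, dst))
    return aces


def evaluate(aces, proto, src_ip, dst_ip):
    """Return 'permit' or 'deny' for one packet: first match wins,
    unmatched packets fall through to the implicit deny."""
    s = ipaddress.ip_address(src_ip)
    d = ipaddress.ip_address(dst_ip)
    for ace in aces:
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if s in ace.src and d in ace.dst:
            return ace.action
    return "deny"  # implicit deny ip any any


def compare():
    """Evaluate constructed sample packets against both ACLs."""
    packets = {
        "cam to permitted server (tcp)":  ("tcp", "172.22.1.2", "172.16.100.103"),
        "cam to other internal host":      ("tcp", "172.22.1.2", "172.16.100.50"),
        "cam to Internet (8.8.8.8)":       ("tcp", "172.22.1.2", "8.8.8.8"),
        "other VLAN host to Internet":     ("tcp", "172.22.1.3", "8.8.8.8"),
    }
    original, corrected = parse_acl(ORIGINAL_ACL), parse_acl(CORRECTED_ACL)
    return {name: (evaluate(original, *pkt), evaluate(corrected, *pkt))
            for name, pkt in packets.items()}


if __name__ == "__main__":
    for name, (before, after) in compare().items():
        print(f"{name:32s} original={before:6s} corrected={after}")
```

Running it shows the failure mode in the question (Internet traffic from 172.22.1.2 falls through to the implicit deny under the original three lines) and that the corrected order fixes it without opening the rest of the internal /24s. Swapping line 6 above lines 4 and 5 would permit the internal networks too, which is why the deny lines must come first.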

That got it! Thanks!
