is this a valid access-list?

Unanswered Question
Dec 14th, 2009

ip access-list extended new
5 permit 10.32.52.6 0.0.0.0 172.27.200.100 0.0.0.0
6 deny 10.32.52.0 0.0.0.255 172.27.200.100 0.0.0.0
7 permit 10.32.52.0 0.0.0.255 172.27.200.100 0.0.0.0

route-map newnew permit 5
match ip address new
set ip next-hop 10.32.254.5

interface fa3/1
ip address 100.100.100.1 255.255.255.252
ip policy route-map newnew

ip route 172.27.200.0 255.255.255.0 144.1.4.85

With the above config, the source 10.32.52.6 is able to ping 172.27.200.100, but 172.27.200.100 is not able to ping 10.32.52.6. If I use the command "ip route 172.27.200.0 255.255.255.0 10.32.254.5", ping works both ways. I am trying to get this two-way ping working using the route map matching the above access-list and have had no success. This config is being used on a Cisco 4006 switch. Any ideas?

mcarnahan Mon, 12/14/2009 - 20:25

It's hard to say without seeing the rest of the config. You don't show any info pertaining to the 10.32.54.0 network other than in the access list. Do you have a route for that network, or is it on one of your interfaces? And where is 144.1.4.85? Is that an interface IP?

Also, line 7 of your access-list is never going to be applied, as that traffic is denied by line 6. I think you meant to specify the return traffic like this:

ip access-list extended new
5 permit 10.32.52.6 0.0.0.0 172.27.200.100 0.0.0.0
6 deny 10.32.52.0 0.0.0.255 172.27.200.100 0.0.0.0
7 permit 172.27.200.100 0.0.0.0 10.32.52.0 0.0.0.255

That's the best I can do without seeing the rest of your config.

CCDECCDE9 Mon, 12/14/2009 - 20:55

10.32.254.5 and 144.1.4.85 are VPN routers that are part of VLAN interfaces on this 4006 switch.

172.27.200.0 is terminating on these two VPN routers for 2 different tunnels. 10.32.0.0/16 is behind 10.32.254.5 and 144.1.0.0/16 is behind 144.1.4.85.

Rick Morris Tue, 12/15/2009 - 13:52

A couple of things I see:

ip access-list extended new
5 permit 10.32.52.6 0.0.0.0 172.27.200.100 0.0.0.0
6 deny 10.32.52.0 0.0.0.255 172.27.200.100 0.0.0.0
7 permit 10.32.52.0 0.0.0.255 172.27.200.100 0.0.0.0

You are denying the traffic, then permitting it. You will never get to the permit, because the ACL is read top-down and it will stop there. So traffic from 10.32.52.0/24 to 172.27.200.100 is being denied.

You are only showing lines 5-7. What are lines 1-4, and are there any other lines after 7?

mcarnahan Wed, 12/16/2009 - 14:31

If you want this route map to apply in both directions, then you have to apply 'ip policy route-map newnew' to the interface that is receiving the traffic from 172.27.200.100. Try that and see.
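The two points the replies make, first-match ACL evaluation (line 7 of the original list can never be reached) and the fact that 'ip policy route-map' only acts on packets entering the interface it is applied to, can be checked offline with a small simulator. The following is an added example, not code from the thread or from Cisco; it models Cisco wildcard masks, top-down first-match with the implicit deny, a shadow check for unreachable entries, and a PBR lookup keyed on the ingress interface. The interface names fa3/1 and vlan200, and the assumption that the forward traffic enters on fa3/1 and the return traffic from 172.27.200.100 enters on vlan200, are assumptions made for the example; the thread does not say which interface carries the return traffic.

```python
"""Simulate Cisco first-match ACL evaluation and policy-based routing (PBR).

Added example, not code from the thread. Interface names and which interface
receives the return traffic are assumptions for illustration only.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Ace:
    """One access-control entry: 'seq action src src_wild dst dst_wild'."""
    seq: int
    action: str      # "permit" or "deny"
    src: str
    src_wild: str
    dst: str
    dst_wild: str


def parse_acl(text: str) -> List[Ace]:
    """Parse the lines of an 'ip access-list extended' block (header is skipped)."""
    acl = []
    for line in text.strip().splitlines():
        parts = line.split()
        if not parts or parts[0] == "ip":
            continue
        seq, action, src, sw, dst, dw = parts
        acl.append(Ace(int(seq), action, src, sw, dst, dw))
    return acl


def _ip(a: str) -> int:
    return int(IPv4Address(a))


def _wild_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard mask: a 0 bit must match, a 1 bit is 'don't care'."""
    fixed = ~_ip(wildcard) & 0xFFFFFFFF
    return (_ip(addr) & fixed) == (_ip(base) & fixed)


def ace_matches(ace: Ace, src: str, dst: str) -> bool:
    return _wild_match(src, ace.src, ace.src_wild) and _wild_match(dst, ace.dst, ace.dst_wild)


def evaluate_acl(acl: List[Ace], src: str, dst: str) -> Tuple[str, Optional[int]]:
    """Top-down, first match wins; every ACL ends with an implicit 'deny any any'."""
    for ace in acl:
        if ace_matches(ace, src, dst):
            return ace.action, ace.seq
    return "deny", None


def _covers(base_e: str, wild_e: str, base_l: str, wild_l: str) -> bool:
    """True if every address matched by (base_l, wild_l) is also matched by (base_e, wild_e)."""
    fixed_e = ~_ip(wild_e) & 0xFFFFFFFF
    # The earlier entry may fix no bit the later one leaves free, and must agree on the bits it fixes.
    return (_ip(wild_l) & fixed_e) == 0 and (_ip(base_l) & fixed_e) == (_ip(base_e) & fixed_e)


def shadowed_entries(acl: List[Ace]) -> Dict[int, int]:
    """Map seq -> seq of the earlier entry that makes it unreachable, whatever its action."""
    shadowed: Dict[int, int] = {}
    for i, later in enumerate(acl):
        for earlier in acl[:i]:
            if (_covers(earlier.src, earlier.src_wild, later.src, later.src_wild)
                    and _covers(earlier.dst, earlier.dst_wild, later.dst, later.dst_wild)):
                shadowed[later.seq] = earlier.seq
                break
    return shadowed


def pbr_next_hop(policies: Dict[str, Tuple[str, str]], acl_by_name: Dict[str, List[Ace]],
                 ingress_if: str, src: str, dst: str) -> Optional[str]:
    """'ip policy route-map' only sees packets entering the interface it is applied to.
    Returns the route-map's next hop, or None when the packet falls back to the routing table.
    """
    policy = policies.get(ingress_if)
    if policy is None:
        return None
    acl_name, next_hop = policy
    action, _ = evaluate_acl(acl_by_name[acl_name], src, dst)
    return next_hop if action == "permit" else None


# The ACL as posted, and the corrected return-traffic version from the reply.
ORIGINAL_ACL = parse_acl("""
ip access-list extended new
5 permit 10.32.52.6 0.0.0.0 172.27.200.100 0.0.0.0
6 deny 10.32.52.0 0.0.0.255 172.27.200.100 0.0.0.0
7 permit 10.32.52.0 0.0.0.255 172.27.200.100 0.0.0.0
""")
CORRECTED_ACL = parse_acl("""
ip access-list extended new
5 permit 10.32.52.6 0.0.0.0 172.27.200.100 0.0.0.0
6 deny 10.32.52.0 0.0.0.255 172.27.200.100 0.0.0.0
7 permit 172.27.200.100 0.0.0.0 10.32.52.0 0.0.0.255
""")
HOST, SERVER, NEXT_HOP = "10.32.52.6", "172.27.200.100", "10.32.254.5"
POLICY_FA31 = {"fa3/1": ("new", NEXT_HOP)}                      # as posted
POLICY_BOTH = {"fa3/1": ("new", NEXT_HOP), "vlan200": ("new", NEXT_HOP)}  # assumed return-side interface

if __name__ == "__main__":
    print("shadowed in original:", shadowed_entries(ORIGINAL_ACL))
    print("forward on fa3/1:", pbr_next_hop(POLICY_FA31, {"new": ORIGINAL_ACL}, "fa3/1", HOST, SERVER))
    print("return on vlan200, policy on fa3/1 only:",
          pbr_next_hop(POLICY_FA31, {"new": CORRECTED_ACL}, "vlan200", SERVER, HOST))
    print("return on vlan200, policy on both:",
          pbr_next_hop(POLICY_BOTH, {"new": CORRECTED_ACL}, "vlan200", SERVER, HOST))
```

Running it shows line 7 of the posted ACL reported as shadowed by line 6, the return packet falling back to the routing table while the policy is only on fa3/1, and the return packet taking the route-map next hop once the corrected ACL is in place and the policy is also applied on the interface where that traffic arrives. The shadow check is worth keeping around generally: an entry that can never match is at best dead configuration and at worst a sign that the intended permit or deny is not in effect.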
