Problem with an access list on a Cisco 2900

Answered Question
Jan 3rd, 2017

Dear Team ,

I have an MPLS network of 59 branches; I am sitting on a 2900 core router.

I want to block a server with IP 192.168.1.85 from accessing all branches except the 10.10.9.0 network,

and the other branches' IP ranges fall within 10.10.0.0 255.255.0.0.

I have applied the access-list policy but it's not working.

I have made two different policies and applied them one by one:


1)

access-list 110 deny ip any host 192.168.1.85
access-list 110 permit ip 10.10.9.0 0.0.0.255 host 192.168.1.85
access-list 110 permit ip any any

2)

access-list 120 permit ip host 192.168.1.85 10.10.9.0 0.0.0.255
access-list 120 deny ip host 192.168.1.85 any
access-list 120 permit ip any any


Output:


10 permit ip host 192.168.1.85 10.10.9.0 0.0.0.255 (288332 matches)
20 deny ip host 192.168.1.85 any (10011 matches)
30 permit ip any any (1960357 matches)


Please check and let me know if any changes are required.




Correct Answer
Mark Malone Tue, 01/03/2017 - 05:54

Hi, access-list 120 looks right: you're allowing it to speak to 10.9 but blocking it from speaking to anyone else. That's what you want, yes? You're getting deny hits, so what exactly is not working? Is the ACL applied in and out?



shaikhaltamash291 Thu, 01/05/2017 - 03:47

Dear Sir,


I have applied the ACL in and out and it's working now. The problem is that

I have two interfaces, LAN and WAN. By default traffic goes via the WAN, so I was not getting a ping reply

to 1.85 from 10.09; if I ping 1.85 using source interface 10.10.9.1, it works.

Thank you for your valuable response.




Mark Malone Thu, 01/05/2017 - 04:32

The ACL is applied on the WAN interface, yes?

I'm not exactly sure what you're saying. The ACL works, yes, but if you ping from a source of 10.10.9.1 to 192.168.1.85 it works, yes? And you don't want this; you only want to be able to ping from 192.168.1.85 to 10.10.9.1?

If that's right then you need to add a reverse ACL in, blocking traffic coming back from the source, but that could break the flow, allowing one way but not the other, depending on what it's doing.

Example:

10 permit ip host 192.168.1.85 10.10.9.0 0.0.0.255 (288332 matches)

15 deny ip host 10.10.9.1 host 192.168.1.85
20 deny ip host 192.168.1.85 any (10011 matches)
30 permit ip any any (1960357 matches)
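An added worked example, not code from the thread or from Cisco, that models IOS first-match ACL evaluation in Python over the three ACLs quoted on this page: the poster's ACL 110 and ACL 120 from the question, and the ACL 120 with the extra line 15 suggested in the answer above. The ACL text is copied from the posts; the sample source and destination addresses (10.10.9.5, 10.10.3.5) are constructed, and the parser handles only the "permit|deny ip <src> <dst>" entry form the thread uses. It shows why ACL 110 never permits 10.10.9.0/24 (line 10, "deny ip any host 192.168.1.85", matches first, so line 20 is unreachable), why ACL 120 does what the poster asked for, and what the suggested line 15 actually denies.

```python
# Added example: a small model of Cisco IOS first-match ACL evaluation.
# Not code from the thread or from Cisco. Only the "permit|deny ip <src> <dst>"
# entry form seen in the thread is parsed; sample addresses are constructed.
import ipaddress
from dataclasses import dataclass

# The three ACLs quoted in the thread (text copied from the posts).
ACL_110 = """
access-list 110 deny ip any host 192.168.1.85
access-list 110 permit ip 10.10.9.0 0.0.0.255 host 192.168.1.85
access-list 110 permit ip any any
"""
ACL_120 = """
access-list 120 permit ip host 192.168.1.85 10.10.9.0 0.0.0.255
access-list 120 deny ip host 192.168.1.85 any
access-list 120 permit ip any any
"""
ACL_120_WITH_REVERSE = """
10 permit ip host 192.168.1.85 10.10.9.0 0.0.0.255 (288332 matches)
15 deny ip host 10.10.9.1 host 192.168.1.85
20 deny ip host 192.168.1.85 any (10011 matches)
30 permit ip any any (1960357 matches)
"""

@dataclass(frozen=True)
class Entry:
    seq: int
    action: str  # "permit" or "deny"
    src: str     # "any", "host A.B.C.D" or "A.B.C.D W.W.W.W" (network + wildcard)
    dst: str

def _ip(dotted):
    return int(ipaddress.IPv4Address(dotted))

def _take_spec(tokens):
    """Consume one address spec from the token list; return (spec, remaining)."""
    if tokens[0] == "any":
        return "any", tokens[1:]
    if tokens[0] == "host":
        return f"host {tokens[1]}", tokens[2:]
    return f"{tokens[0]} {tokens[1]}", tokens[2:]

def parse_acl(text):
    """Parse 'access-list N ...' config lines or 'show access-lists' output lines."""
    entries = []
    for line in text.strip().splitlines():
        tok = line.split()
        if tok[0] == "access-list":
            seq, tok = (len(entries) + 1) * 10, tok[2:]  # IOS numbers lines 10, 20, ...
        else:
            seq, tok = int(tok[0]), tok[1:]
        action, tok = tok[0], tok[2:]                    # skip the protocol keyword
        src, tok = _take_spec(tok)
        dst, _ = _take_spec(tok)                         # trailing "(N matches)" ignored
        entries.append(Entry(seq, action, src, dst))
    return entries

def _net_care(spec):
    """Normalise a spec to (network, care_mask); a care bit of 1 must match.
    A Cisco wildcard bit of 1 means 'don't care', so care is the inverted wildcard."""
    if spec == "any":
        return 0, 0
    first, second = spec.split()
    if first == "host":
        return _ip(second), 0xFFFFFFFF
    care = 0xFFFFFFFF ^ _ip(second)
    return _ip(first) & care, care

def _matches(spec, dotted):
    net, care = _net_care(spec)
    return (_ip(dotted) & care) == net

def _covers(outer, inner):
    """True if every address matching `inner` also matches `outer`."""
    onet, ocare = _net_care(outer)
    inet, icare = _net_care(inner)
    return (ocare & ~icare) == 0 and (inet & ocare) == onet

def evaluate(entries, src_ip, dst_ip):
    """First match wins. Return (action, seq); ("deny", None) is the implicit deny."""
    for e in entries:
        if _matches(e.src, src_ip) and _matches(e.dst, dst_ip):
            return e.action, e.seq
    return "deny", None

def shadowed(entries):
    """Return (seq, earlier_seq) pairs for entries an earlier entry makes unreachable."""
    found = []
    for i, e in enumerate(entries):
        for prev in entries[:i]:
            if _covers(prev.src, e.src) and _covers(prev.dst, e.dst):
                found.append((e.seq, prev.seq))
                break
    return found

if __name__ == "__main__":
    flows = [("10.10.9.5", "192.168.1.85"),   # allowed branch -> server
             ("10.10.3.5", "192.168.1.85"),   # other branch  -> server
             ("192.168.1.85", "10.10.9.5"),   # server -> allowed branch
             ("192.168.1.85", "10.10.3.5")]   # server -> other branch
    for name, text in [("110", ACL_110), ("120", ACL_120), ("120+15", ACL_120_WITH_REVERSE)]:
        entries = parse_acl(text)
        print(f"ACL {name}: shadowed lines {shadowed(entries)}")
        for s, d in flows:
            print(f"  {s:>13} -> {d:<13} {evaluate(entries, s, d)}")
```

Two caveats the model makes visible. First, entry order is only half the story: an ACL sees only the traffic on the interface and in the direction it is applied with ip access-group, which is what the LAN versus WAN and in versus out exchange in the thread is about. Second, the suggested line 15 denies the single host 10.10.9.1 towards the server; any other 10.10.9.0/24 host still falls through to line 30 and is permitted, so a reverse rule for the whole branch would need the 10.10.9.0 0.0.0.255 wildcard form instead of host.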


