Narayana,
show ip access-lists iptraffic
Reflexive IP access list iptraffic
permit tcp host 72.5.37.36 eq 443 host 128.59.238.108 eq 4270 (1 match) (time left 299)
thanks
Joseph
We have access lists set up for a remote site. The acls are applied to the following interface:
interface FastEthernet0/0.388
description IMC LAN
encapsulation dot1Q 388
ip address 10.59.238.1 255.255.255.0 secondary
ip address 128.59.238.1 255.255.255.0
ip access-group chrys-reflex-inbound in
ip access-group chrys-reflex-outbound out
The customer is trying to get to 72.5.37.36 - which is a citrix server. When he initiates an http session to that host, the session times out and he never gets to the login page. I've confirmed that the server is reachable from other locations. If I remove the outbound acl from the interface, he is able to reach the server.
If anyone can offer some insight as to why this is happening it would be greatly appreciated.
ip access-list extended chrys-reflex-inbound
permit ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255 reflect iptraffic
permit ip 128.59.238.0 0.0.0.255 any reflect iptraffic
permit ip host 0.0.0.0 any reflect iptraffic
deny ip 10.0.0.0 0.255.255.255 any
deny ip any any
ip access-list extended chrys-reflex-outbound
permit tcp host 160.43.251.122 any eq 6464
permit ip host 72.5.37.36 any
permit tcp host 72.21.162.32 host 128.59.238.24 eq 5745
permit tcp host 72.21.162.32 host 128.59.238.24 eq 2837
remark RFA Access
permit ip 66.151.213.0 0.0.0.255 any
permit ip 64.74.40.0 0.0.0.255 any
remark ECI Access
permit tcp any host 128.59.238.12 eq smtp
permit tcp any host 128.59.238.24 eq 443
permit tcp any host 128.59.238.12 eq 443
permit tcp any host 128.59.238.15 eq 443
permit tcp any host 128.59.238.15 eq www
permit tcp 205.228.12.128 0.0.0.127 host 128.59.238.13 eq ftp
permit tcp 205.228.12.128 0.0.0.127 host 128.59.238.13 eq 443
permit tcp 199.89.64.128 0.0.0.127 host 128.59.238.13 eq ftp
permit tcp 199.89.64.128 0.0.0.127 host 128.59.238.13 eq 443
permit tcp 208.62.27.0 0.0.0.255 any eq 11000
permit tcp 208.62.27.0 0.0.0.255 any eq 11001
permit tcp 208.62.27.0 0.0.0.255 any eq 11002
permit tcp 208.62.27.0 0.0.0.255 any eq 11020
permit tcp 63.99.207.0 0.0.0.255 any eq 11000
permit tcp 63.99.207.0 0.0.0.255 any eq 11001
permit tcp 63.99.207.0 0.0.0.255 any eq 11002
permit tcp 63.99.207.0 0.0.0.255 any eq 11020
remark CUIT Access
permit ip 128.59.59.0 0.0.0.255 any
permit ip 128.59.39.0 0.0.0.255 any
permit ip 128.59.31.0 0.0.0.255 any
permit ip 128.59.30.0 0.0.0.255 any
permit ip 128.59.192.0 0.0.1.255 any
permit ip 128.59.138.0 0.0.0.255 any
permit ip 128.59.239.0 0.0.0.255 any
permit ip 128.59.197.0 0.0.0.255 any
remark OOI Access
permit tcp any host 128.59.238.15 eq 417
permit tcp any host 128.59.238.15 eq 9003
permit tcp any host 128.59.238.25 eq 1494
permit tcp any host 128.59.238.25 eq 443
permit ip host 67.102.164.43 any
permit tcp 128.59.213.0 0.0.0.255 any
permit ip host 128.59.138.128 host 128.59.238.15
permit tcp host 72.21.162.32 host 128.59.238.15 eq 2837
permit tcp host 72.21.162.32 host 128.59.238.15 eq 5745
permit tcp host 72.21.162.34 host 128.59.238.15 eq 2837
permit tcp host 72.21.162.34 host 128.59.238.15 eq 5745
remark tradedev.ooi.columbia.edu
permit tcp any host 128.59.238.13 eq 443
remark pcanywhere-AIS
permit tcp host 128.59.240.25 eq 5631 host 128.59.238.14 eq 5631
permit udp host 128.59.240.25 eq 5632 host 128.59.238.14 eq 5632
permit ip 10.70.142.0 0.0.0.255 128.59.238.0 0.0.0.255
permit udp host 72.5.37.78 any eq non500-isakmp
permit udp host 72.5.37.78 any eq isakmp
permit esp host 72.5.37.78 any
permit ahp host 72.5.37.78 any
permit tcp any host 128.59.238.50 eq smtp
permit tcp any host 128.59.238.34 eq www
permit tcp any host 128.59.238.34 eq 443
permit ip any host 128.59.238.28
permit ip host 64.80.108.81 host 128.59.238.51
permit tcp any host 128.59.238.48 eq www
permit tcp any host 128.59.238.48 eq 443
evaluate iptraffic
deny ip any any
