02-24-2012 07:06 AM - edited 03-11-2019 03:34 PM
We have access lists set up for a remote site. The acls are applied to the following interface:
interface FastEthernet0/0.388
 description IMC LAN
 encapsulation dot1Q 388
 ip address 10.59.238.1 255.255.255.0 secondary
 ip address 128.59.238.1 255.255.255.0
 ip access-group chrys-reflex-inbound in
 ip access-group chrys-reflex-outbound out
The customer is trying to get to 72.5.37.36 - which is a citrix server. When he initiates an http session to that host, the session times out and he never gets to the login page. I've confirmed that the server is reachable from other locations. If I remove the outbound acl from the interface, he is able to reach the server.
If anyone can offer some insight as to why this is happening it would be greatly appreciated.
ip access-list extended chrys-reflex-inbound
 permit ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255 reflect iptraffic
 permit ip 128.59.238.0 0.0.0.255 any reflect iptraffic
 permit ip host 0.0.0.0 any reflect iptraffic
 deny ip 10.0.0.0 0.255.255.255 any
 deny ip any any
ip access-list extended chrys-reflex-outbound
 permit tcp host 160.43.251.122 any eq 6464
 permit ip host 72.5.37.36 any
 permit tcp host 72.21.162.32 host 128.59.238.24 eq 5745
 permit tcp host 72.21.162.32 host 128.59.238.24 eq 2837
 remark RFA Access
 permit ip 66.151.213.0 0.0.0.255 any
 permit ip 64.74.40.0 0.0.0.255 any
 remark ECI Access
 permit tcp any host 128.59.238.12 eq smtp
 permit tcp any host 128.59.238.24 eq 443
 permit tcp any host 128.59.238.12 eq 443
 permit tcp any host 128.59.238.15 eq 443
 permit tcp any host 128.59.238.15 eq www
 permit tcp 205.228.12.128 0.0.0.127 host 128.59.238.13 eq ftp
 permit tcp 205.228.12.128 0.0.0.127 host 128.59.238.13 eq 443
 permit tcp 199.89.64.128 0.0.0.127 host 128.59.238.13 eq ftp
 permit tcp 199.89.64.128 0.0.0.127 host 128.59.238.13 eq 443
 permit tcp 208.62.27.0 0.0.0.255 any eq 11000
 permit tcp 208.62.27.0 0.0.0.255 any eq 11001
 permit tcp 208.62.27.0 0.0.0.255 any eq 11002
 permit tcp 208.62.27.0 0.0.0.255 any eq 11020
 permit tcp 63.99.207.0 0.0.0.255 any eq 11000
 permit tcp 63.99.207.0 0.0.0.255 any eq 11001
 permit tcp 63.99.207.0 0.0.0.255 any eq 11002
 permit tcp 63.99.207.0 0.0.0.255 any eq 11020
 remark CUIT Access
 permit ip 128.59.59.0 0.0.0.255 any
 permit ip 128.59.39.0 0.0.0.255 any
 permit ip 128.59.31.0 0.0.0.255 any
 permit ip 128.59.30.0 0.0.0.255 any
 permit ip 128.59.192.0 0.0.1.255 any
 permit ip 128.59.138.0 0.0.0.255 any
 permit ip 128.59.239.0 0.0.0.255 any
 permit ip 128.59.197.0 0.0.0.255 any
 remark OOI Access
 permit tcp any host 128.59.238.15 eq 417
 permit tcp any host 128.59.238.15 eq 9003
 permit tcp any host 128.59.238.25 eq 1494
 permit tcp any host 128.59.238.25 eq 443
 permit ip host 67.102.164.43 any
 permit tcp 128.59.213.0 0.0.0.255 any
 permit ip host 128.59.138.128 host 128.59.238.15
 permit tcp host 72.21.162.32 host 128.59.238.15 eq 2837
 permit tcp host 72.21.162.32 host 128.59.238.15 eq 5745
 permit tcp host 72.21.162.34 host 128.59.238.15 eq 2837
 permit tcp host 72.21.162.34 host 128.59.238.15 eq 5745
 remark tradedev.ooi.columbia.edu
 permit tcp any host 128.59.238.13 eq 443
 remark pcanywhere-AIS
 permit tcp host 128.59.240.25 eq 5631 host 128.59.238.14 eq 5631
 permit udp host 128.59.240.25 eq 5632 host 128.59.238.14 eq 5632
 permit ip 10.70.142.0 0.0.0.255 128.59.238.0 0.0.0.255
 permit udp host 72.5.37.78 any eq non500-isakmp
 permit udp host 72.5.37.78 any eq isakmp
 permit esp host 72.5.37.78 any
 permit ahp host 72.5.37.78 any
 permit tcp any host 128.59.238.50 eq smtp
 permit tcp any host 128.59.238.34 eq www
 permit tcp any host 128.59.238.34 eq 443
 permit ip any host 128.59.238.28
 permit ip host 64.80.108.81 host 128.59.238.51
 permit tcp any host 128.59.238.48 eq www
 permit tcp any host 128.59.238.48 eq 443
 evaluate iptraffic
 deny ip any any
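As an added illustration (not part of the original post and not Cisco code), the following Python model reproduces the reflect/evaluate mechanics the two lists above rely on: a permit on the list applied "in" on the LAN sub-interface that carries "reflect iptraffic" mirrors the packet's 5-tuple into a temporary entry, and "evaluate iptraffic" on the list applied "out" admits only packets that match such an entry before it ages out. The ACL parser, the 300-second default reflexive timeout and the 198.51.100.7 peer are assumptions or constructed values; the session it walks through (128.59.238.108:4270 to 72.5.37.36:443) is the one the "show ip access-lists iptraffic" output later in the thread displays.

```python
import ipaddress
from collections import namedtuple

# Assumed for this model (not taken from the thread): only the ACE forms used
# below are parsed, port names are limited to this table, and the reflexive
# timeout is the IOS default of 300 seconds.
PORT_NAMES = {"www": 80, "smtp": 25}
REFLEX_TIMEOUT = 300

Packet = namedtuple("Packet", "proto src sport dst dport")  # hashable 5-tuple

def _ip(s):
    return int(ipaddress.IPv4Address(s))

def _parse_addr(tokens):
    """Consume 'any' | 'host A' | 'A WILDCARD', then an optional 'eq PORT'."""
    if tokens[0] == "any":
        addr, wild, rest = 0, 0xFFFFFFFF, tokens[1:]
    elif tokens[0] == "host":
        addr, wild, rest = _ip(tokens[1]), 0, tokens[2:]
    else:  # Cisco wildcard mask: set bits are "don't care"
        addr, wild, rest = _ip(tokens[0]), _ip(tokens[1]), tokens[2:]
    port = None
    if rest[:1] == ["eq"]:
        port, rest = PORT_NAMES.get(rest[1]) or int(rest[1]), rest[2:]
    keep = ~wild & 0xFFFFFFFF
    return (lambda ip: (_ip(ip) & keep) == (addr & keep)), port, rest

def parse_ace(line):
    """One ACE -> {'action', 'reflect', 'evaluate', 'match'}."""
    t = line.split()
    if t[0] == "evaluate":
        return {"action": "evaluate", "evaluate": t[1], "reflect": None, "match": None}
    action, proto = t[0], t[1]
    src, sport, rest = _parse_addr(t[2:])
    dst, dport, rest = _parse_addr(rest)
    def match(p):
        return (proto in ("ip", p.proto) and src(p.src) and dst(p.dst)
                and sport in (None, p.sport) and dport in (None, p.dport))
    return {"action": action, "evaluate": None, "match": match,
            "reflect": rest[1] if rest[:1] == ["reflect"] else None}

class ReflexiveRouter:
    """'inbound' is applied 'in' on the LAN sub-interface (LAN -> WAN traffic),
    'outbound' is applied 'out' on it (WAN -> LAN), exactly as in the thread."""

    def __init__(self, inbound, outbound):
        self.acl = {"lan_to_wan": [parse_ace(l) for l in inbound],
                    "wan_to_lan": [parse_ace(l) for l in outbound]}
        self.reflex = {}  # reflexive list name -> {mirrored Packet: expiry time}

    def _reflex_hit(self, name, pkt, now):
        entries = self.reflex.setdefault(name, {})
        for key in [k for k, exp in entries.items() if exp <= now]:
            del entries[key]  # expired entries age out, like the router's timer
        return pkt in entries

    def filter(self, direction, pkt, now=0):
        for ace in self.acl[direction]:
            if ace["action"] == "evaluate":
                if self._reflex_hit(ace["evaluate"], pkt, now):
                    return "permit"
                continue  # no reflexive match: keep walking the static ACEs
            if ace["match"](pkt):
                if ace["action"] == "permit" and ace["reflect"]:
                    mirror = Packet(pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
                    self.reflex.setdefault(ace["reflect"], {})[mirror] = now + REFLEX_TIMEOUT
                return ace["action"]
        return "deny"  # implicit deny at the end of every IOS ACL

INBOUND = [  # subset of chrys-reflex-inbound from the thread
    "permit ip 128.59.238.0 0.0.0.255 any reflect iptraffic",
    "deny ip any any",
]
OUTBOUND = [  # subset of chrys-reflex-outbound from the thread
    "permit ip host 72.5.37.36 any",
    "permit tcp any host 128.59.238.15 eq www",
    "evaluate iptraffic",
    "deny ip any any",
]

def demo():
    r = ReflexiveRouter(INBOUND, OUTBOUND)
    # The session from the thread: 128.59.238.108:4270 -> 72.5.37.36:443 and its reply
    req = Packet("tcp", "128.59.238.108", 4270, "72.5.37.36", 443)
    reply = Packet("tcp", "72.5.37.36", 443, "128.59.238.108", 4270)
    # Constructed peers: a server no static ACE covers, and an unsolicited outside host
    req2 = Packet("tcp", "128.59.238.108", 5000, "198.51.100.7", 80)
    reply2 = Packet("tcp", "198.51.100.7", 80, "128.59.238.108", 5000)
    unsolicited = Packet("tcp", "198.51.100.7", 40000, "128.59.238.108", 22)
    out = {"request": r.filter("lan_to_wan", req, now=0)}
    out["reflex_entry"] = reply in r.reflex["iptraffic"]  # what 'show ip access-lists iptraffic' listed
    out["reply_static"] = r.filter("wan_to_lan", reply, now=1)  # 'permit ip host 72.5.37.36 any' wins first
    out["unsolicited"] = r.filter("wan_to_lan", unsolicited, now=1)  # nothing mirrored it
    r.filter("lan_to_wan", req2, now=10)
    out["reply_reflexive"] = r.filter("wan_to_lan", reply2, now=11)  # only 'evaluate' admits this
    out["reply_after_timeout"] = r.filter("wan_to_lan", reply2, now=10 + REFLEX_TIMEOUT + 1)
    return out
```

Running demo() shows the two paths a return packet can take through chrys-reflex-outbound: the reply from 72.5.37.36 is admitted by the static "permit ip host 72.5.37.36 any" before "evaluate iptraffic" is consulted at all, while a reply from a host no static ACE covers is admitted only through its reflexive entry, and is dropped by the trailing "deny ip any any" once that entry has timed out.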
02-24-2012 09:01 AM
Hi Joseph,
Please provide the show output of access-list 'iptraffic'.
Thanks,
Narayana
02-26-2012 04:44 PM
Narayana,
show ip access-lists iptraffic
Reflexive IP access list iptraffic
permit tcp host 72.5.37.36 eq 443 host 128.59.238.108 eq 4270 (1 match) (time left 299)
thanks
Joseph
02-28-2012 06:44 AM
Hi Joseph,
Please let me know the source IP from which you are trying to access the citrix server.
Thanks,
Narayana
02-28-2012 06:51 AM
Narayana,
The source ip was 128.59.238.108. I'll be going to the site tomorrow to try some packet captures. If there is any other information you think might be useful, let me know. Thanks for your time.
Joe
02-29-2012 07:24 AM
Hi Joe,
I do not see any reason why the traffic flow should not work when you have the outbound access-list applied on the interface. If you are able to find something from the packet captures, please post it.
Thanks,
Narayana