Cisco Support Community
New Member

Access-List Issue

Dear Experts,

I have been facing a very strange issue with cisco access-lists.

Here is the scenario

I have a biomedical server in VLAN 100 (10.1.100.0/24) and domain client1 on VLAN 101 (10.1.101.0). I've created an access list to allow traffic from client1 (10.1.101.2) and the DC (10.1.102.2) to the server and deny others.

ip access-list extended Bio
 permit ip host 10.1.101.2 host 10.1.100.2
 permit ip host 10.1.102.2 host 10.1.100.2
 deny ip any any

Applying it to the interface:

int vlan 100
 ip access-group Bio out

After creating the access-list I can ping from the client and the DC to the server. I can successfully open the bio software, but I cannot view some components. Once I remove the access-list I can see them. However, if I log in to client1 with workgroup credentials it also works with no problems.

For more information, the bio server is a member of the workgroup, not the domain.

Please, any advice?
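To make the ACL's matching rules concrete, here is an added example (not code from the thread) that parses the "Bio" access list as posted and evaluates a few constructed flows against it, first match wins and an implicit deny at the end, the way IOS does. It also models that "ip access-group Bio out" on interface vlan 100 is only consulted for packets forwarded into VLAN 100, so the server's own replies are never checked by this ACL. The extra hosts 10.1.101.50 and 10.1.102.3 are hypothetical; only the "permit|deny ip <src> <dst>" ACE form is handled.

```python
import ipaddress
from dataclasses import dataclass

# Added example, not code from the thread: a minimal first-match evaluator for
# IOS-style extended ACL entries of the form "permit|deny ip <src> <dst>", where
# <src>/<dst> is "host A.B.C.D", "any", or "A.B.C.D WILDCARD".


@dataclass(frozen=True)
class Ace:
    action: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def _parse_addr(tokens):
    """Consume one address spec from the front of the token list."""
    kw = tokens.pop(0)
    if kw == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if kw == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    # "A.B.C.D WILDCARD": an IOS wildcard mask is the inverted netmask
    wildcard = int(ipaddress.ip_address(tokens.pop(0)))
    netmask = ipaddress.ip_address(wildcard ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{kw}/{netmask}", strict=False)


def parse_acl(text):
    """Return the ACEs in order; the header line and blank lines are skipped."""
    aces = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0] not in ("permit", "deny"):
            continue
        if tokens[1] != "ip":
            raise ValueError(f"only 'ip' ACEs are supported here: {line!r}")
        rest = tokens[2:]
        src = _parse_addr(rest)
        dst = _parse_addr(rest)
        aces.append(Ace(tokens[0], src, dst))
    return aces


def evaluate(aces, src_ip, dst_ip):
    """First matching ACE wins; no match hits the implicit deny IOS appends."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for ace in aces:
        if src in ace.src and dst in ace.dst:
            return ace.action
    return "deny"


VLAN100 = ipaddress.ip_network("10.1.100.0/24")


def action_on_vlan100_out(aces, src_ip, dst_ip):
    """'ip access-group Bio out' on interface vlan 100 is consulted only for
    packets routed out into VLAN 100; other packets pass this check untouched."""
    if ipaddress.ip_address(dst_ip) not in VLAN100:
        return "not checked"
    return evaluate(aces, src_ip, dst_ip)


# The ACL exactly as posted in the question.
BIO_ACL = """
ip access-list extended Bio
 permit ip host 10.1.101.2 host 10.1.100.2
 permit ip host 10.1.102.2 host 10.1.100.2
 deny ip any any
"""

# Constructed flows: the two named hosts, a second client and a second domain
# controller the ACL does not mention (hypothetical addresses), and a reply
# from the server back to client1.
FLOWS = [
    ("10.1.101.2", "10.1.100.2"),   # client1 -> server
    ("10.1.102.2", "10.1.100.2"),   # DC -> server
    ("10.1.101.50", "10.1.100.2"),  # another client -> server
    ("10.1.102.3", "10.1.100.2"),   # a second DC -> server
    ("10.1.100.2", "10.1.101.2"),   # server -> client1 (leaves VLAN 100)
]


def trace(acl_text=BIO_ACL, flows=FLOWS):
    """Map each (src, dst) flow to what the outbound ACL on vlan 100 does with it."""
    aces = parse_acl(acl_text)
    return {flow: action_on_vlan100_out(aces, *flow) for flow in flows}


if __name__ == "__main__":
    for (src, dst), action in trace().items():
        print(f"{src} -> {dst}: {action}")
```

Running it shows the point of the thread in miniature: only the two listed hosts reach 10.1.100.2, any other source (a second domain controller, another client, a broadcast or multicast destination in VLAN 100) lands on the final deny, and the server's own replies are never evaluated by an outbound ACL on its VLAN interface.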

5 REPLIES
Cisco Employee

Access-List Issue

It seems that the server is initiating additional communication which is not allowed by the ACL - it can be some multicast or some authentication via a host which is not specified in the ACL (as you said that if client1 is authenticated it works).

You can try setting up Wireshark or tcpdump on the server/clients (based on OS) and see what flows are triggered when you try to connect to it. Then add these flows to an IP ACL.

Nik

New Member

Access-List Issue

Thanks for your fast response.

What is happening is that when I log in to the client with the local administrator I do not encounter this issue. But when I log in with the domain user the problem appears. Once I remove the ACL it works with both accounts, local and domain.

Cisco Employee

Access-List Issue

Not much aware of how AD works here, but it seems that being authenticated through the domain you may bring some additional flows into account. A packet sniffer will help you clarify which additional flows exist that are blocked by your ACL.

Nik

New Member

Re: Access-List Issue

Change the interface vlan 100 as below:

int vlan 100
 ip access-group Bio in

remove "ip access-group Bio out"

and update.

Thanks.

Neeraj Jagga

Re: Access-List Issue

Hi,

I would recommend logging the denied packets in your access-list.

This can be achieved by configuring the last entry of your AL like this: deny ip any any log.

Then check the logs and the denied packets. Finally, modify your AL in order to permit the packets for your streams.

Maybe some packets which are needed for these streams are generated with different source/destination IPs which are not permitted by the existing AL.

Hope that helps!

Vasilis
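As an added illustration of the "deny ip any any log" approach (example code, not from the thread or from Cisco), the script below parses the syslog lines IOS produces for a logging ACE, totals the denied packets per flow, and prints candidate permit entries for review. The message shapes it assumes are %SEC-6-IPACCESSLOGP (tcp/udp with ports), %SEC-6-IPACCESSLOGDP (icmp with type/code) and %SEC-6-IPACCESSLOGNP (other protocols by number); the sample lines are constructed, reusing the question's subnets, with the extra hosts 10.1.102.3, 10.1.101.7 and 10.1.101.9, the ports and the packet counts made up.

```python
import re
from collections import Counter

# Added example, not from the thread: parse the syslog lines IOS emits for an ACE
# that carries the "log" keyword and turn the denied flows into candidate ACEs.
# Constructed sample: the addresses reuse the question's subnets; the extra hosts,
# ports and packet counts are made up.
SAMPLE_LOG = """\
Mar  1 10:00:01.123: %SEC-6-IPACCESSLOGP: list Bio denied tcp 10.1.102.3(50211) -> 10.1.100.2(445), 1 packet
Mar  1 10:00:05.456: %SEC-6-IPACCESSLOGP: list Bio denied udp 10.1.101.2(137) -> 10.1.100.255(137), 3 packets
Mar  1 10:00:07.789: %SEC-6-IPACCESSLOGDP: list Bio denied icmp 10.1.101.7 -> 10.1.100.2 (8/0), 1 packet
Mar  1 10:00:09.001: %SEC-6-IPACCESSLOGP: list Bio denied tcp 10.1.102.3(50212) -> 10.1.100.2(445), 4 packets
Mar  1 10:00:11.222: %SEC-6-IPACCESSLOGNP: list Bio denied 2 10.1.101.9 -> 224.0.0.22, 2 packets
"""

# Assumed message layout: "list <acl> denied <proto> <src>[(sport)] -> <dst>[(dport)]
# [(type/code)], <n> packet(s)". Unrelated log lines simply do not match.
DENY_RE = re.compile(
    r"list (?P<acl>\S+) denied (?P<proto>\S+) "
    r"(?P<src>[\d.]+)(?:\((?P<sport>\d+)\))? -> "
    r"(?P<dst>[\d.]+)(?:\((?P<dport>\d+)\))?"
    r"(?: \((?P<itype>\d+)/(?P<icode>\d+)\))?"
    r", (?P<count>\d+) packets?"
)


def parse_denies(text):
    """One dict per matching log line; lines that are not ACL denies are ignored."""
    out = []
    for line in text.splitlines():
        m = DENY_RE.search(line)
        if not m:
            continue
        d = m.groupdict()
        d["count"] = int(d["count"])
        d["dport"] = int(d["dport"]) if d["dport"] else None
        out.append(d)
    return out


def summarize(text):
    """Total denied packets per (proto, src, dst, dport) flow."""
    totals = Counter()
    for d in parse_denies(text):
        totals[(d["proto"], d["src"], d["dst"], d["dport"])] += d["count"]
    return totals


def suggest_aces(text):
    """Candidate permit entries, busiest flow first. Each one still needs a human
    decision: a denied flow is evidence of what a host tried, not proof that it
    should be allowed (the NetBIOS name broadcast to 10.1.100.255 in the sample is
    a typical one you may prefer to leave denied)."""
    suggestions = []
    for (proto, src, dst, dport), _ in sorted(
        summarize(text).items(), key=lambda kv: (-kv[1], str(kv[0]))
    ):
        ace = f"permit {proto} host {src} host {dst}"
        if dport is not None:
            ace += f" eq {dport}"
        suggestions.append(ace)
    return suggestions


if __name__ == "__main__":
    for ace in suggest_aces(SAMPLE_LOG):
        print(ace)
```

Two practical notes: IOS rate-limits and summarises logged ACL matches rather than logging every packet, so the counts are indicative rather than exact, and the suggested entries are deliberately narrow (host-to-host, single port) so that each line added to the ACL corresponds to one observed stream rather than reopening the VLAN.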
