Access-list problem

hi friends ,

I wrote an access-list that permits only 2 hosts from the specified network and applied this list to the interface inbound. The first host is accessible but the second is not.

Who can help me ?

The list definition:

ip access-list extended site2internal
permit tcp 172.25.0.0 0.0.255.255 host 172.20.1.2 eq www
permit ip 172.25.0.0 0.0.255.255 host 172.20.0.20
deny ip any 172.20.0.0 0.0.255.255
permit ip any any

172.20.1.2 accessible
172.20.0.20 not accessible

5 REPLIES
Hall of Fame Super Silver

Re: Access-list problem

Hello Reza,

Are the two hosts 172.20.1.2 (accessible) and 172.20.0.20 (not accessible) in the same IP subnet?

You also need to verify routing in the return path.

Hope to help

Giuseppe

New Member

Re: Access-list problem

Hi Giuseppe ,

Yes, the two hosts are in the same subnet, 255.255.0.0.

The routing is correct:

ip route 172.20.0.0 255.255.0.0 GigabitEthernet0/1.1

These hosts are accessible from other subnets, where no access-list is applied.

Best Regards

New Member

Re: Access-list problem

Hi everyone,

My problem still exists. I tried to develop the access-list further, but only one host is accessible:

ip access-list extended site2internal
permit tcp 172.25.0.0 0.0.255.255 host 172.20.1.2 eq www
permit ip 172.25.0.0 0.0.255.255 host 172.20.0.20
permit tcp 172.25.0.0 0.0.255.255 host 172.20.0.23 eq ftp
permit tcp 172.25.0.0 0.0.255.255 host 172.20.0.6 eq domain
deny ip any 172.20.0.0 0.0.255.255
permit ip any any

With this configuration I intend that from subnet 172.25.0.0 to 172.20.0.0 only the hosts 172.20.0.20, 172.20.0.23, 172.20.0.20, 172.20.0.6 and 172.20.1.2, with the appropriate port numbers, are accessible.

But only host 172.20.1.2 is accessible and the others are not.

Who can help me to solve this?

Best Regards

New Member

Re: Access-list problem

I think the problem is with the 172.20.0.x hosts, the hosts whose third octet is "zero". How can I correct this?

Purple

Re: Access-list problem

Shouldn't matter if it's a zero subnet. I would verify that the layer 3 subnet definition is 255.255.0.0. If yes, also verify on the clients that the mask is the same 255.255.0.0. If the ACL is in the exact order you posted, I don't see anything to keep it from working.
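
An added example, not part of the thread or of Cisco's code: a small hypothetical Python model of IOS first-match and wildcard-mask evaluation, run over the posted site2internal list, so you can confirm which entry a given flow hits before chasing routing or client masks. The ACL text is copied from the thread; the source address 172.25.3.4 used in testing is a constructed sample.

```python
import ipaddress

# Constructed copy of the thread's site2internal list; this evaluator is a
# hypothetical model of IOS ACL matching, not Cisco code.
ACL = """
permit tcp 172.25.0.0 0.0.255.255 host 172.20.1.2 eq www
permit ip 172.25.0.0 0.0.255.255 host 172.20.0.20
permit tcp 172.25.0.0 0.0.255.255 host 172.20.0.23 eq ftp
permit tcp 172.25.0.0 0.0.255.255 host 172.20.0.6 eq domain
deny ip any 172.20.0.0 0.0.255.255
permit ip any any
"""
PORTS = {"www": 80, "ftp": 21, "domain": 53}  # IOS keyword -> port number

def parse_addr(tokens):
    """Consume one IOS address spec: 'any', 'host A', or 'A WILDCARD'."""
    if tokens[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    return (tokens[0], tokens[1]), tokens[2:]

def addr_match(spec, ip):
    """Wildcard mask: a 1 bit means 'don't care', a 0 bit must match exactly."""
    base, wildcard = (int(ipaddress.IPv4Address(x)) for x in spec)
    care = 0xFFFFFFFF ^ wildcard
    return (int(ipaddress.IPv4Address(ip)) & care) == (base & care)

def parse_acl(text):
    """Turn ACL text into (action, proto, src_spec, dst_spec, dst_port) tuples."""
    entries = []
    for line in text.strip().splitlines():
        action, proto, *rest = line.split()
        src, rest = parse_addr(rest)
        dst, rest = parse_addr(rest)
        port = PORTS[rest[1]] if rest[:1] == ["eq"] else None
        entries.append((action, proto, src, dst, port))
    return entries

def evaluate(entries, proto, src_ip, dst_ip, dst_port=None):
    """First matching entry wins; implicit deny if nothing matches, as in IOS."""
    for seq, (action, aproto, src, dst, port) in enumerate(entries, 1):
        if aproto != "ip" and aproto != proto:
            continue
        if not (addr_match(src, src_ip) and addr_match(dst, dst_ip)):
            continue
        if port is not None and port != dst_port:
            continue
        return action, seq
    return "deny", None
```

Run against the posted list, the evaluator permits traffic to 172.20.0.20 at entry 2, so the ACL text itself is not what blocks that host. Note also that the domain entry is TCP only, so a UDP DNS query to 172.20.0.6 falls through to the deny at entry 5.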
