Cisco Support Community
New Member

ACL on VLAN - can't make it through to the outside network

I have 4 Vlans - VLAN 200, 250, 210 and 66

VLAN 66 is my gateway/default route. I configured an ACL on VLAN 250: VLANs like 210 are denied and VLAN 66 is allowed. It can ping VLAN 66, which is my default route, but not the outside network beyond VLAN 66.

When I checked `show ip access-list`, the traffic hit the `deny ip any any` entry. I can't understand why I can't ping the outside network when there is an existing default route and it is allowed in the first place.

Extended IP access list 101
    deny ip 192.168.250.0 0.0.0.255 192.168.210.0 0.0.0.255
    deny ip 192.168.250.0 0.0.0.255 192.168.91.0 0.0.0.255
    permit ip 192.168.250.0 0.0.0.255 192.168.66.252 0.0.0.3 (45 match(es))
    permit ip 192.168.250.0 0.0.0.255 192.168.200.0 0.0.0.255
    permit ip 192.168.250.0 0.0.0.255 192.168.250.0 0.0.0.255
    deny ip any any (55 match(es))

Please see the attached file.

1 ACCEPTED SOLUTION

Accepted Solutions
Purple

acl on vlan - cant make it through outside network

Hi,

Don't forget that routing doesn't modify the destination IP address, so when the packet is forwarded to the default gateway it still carries the remote subnet's destination IP and is matched by the implicit deny all at the end of the ACL.

Just add a `permit ip 192.168.250.0 0.0.0.255 any` at the end of the ACL and it will work, as long as the most specific matches with the denies are first in your ACL.

Regards

Alain

Don't forget to rate helpful posts.
3 REPLIES
New Member

acl on vlan - cant make it through outside network

hi alain,

192.168.250.0 0.0.0.255 is already permitted, even before I posted this problem:

access-list 101 remark VLAN_250
access-list 101 deny ip 192.168.250.0 0.0.0.255 192.168.210.0 0.0.0.255
access-list 101 deny ip 192.168.250.0 0.0.0.255 192.168.91.0 0.0.0.255
access-list 101 permit ip 192.168.250.0 0.0.0.255 192.168.66.252 0.0.0.3
access-list 101 permit ip 192.168.250.0 0.0.0.255 192.168.200.0 0.0.0.255
access-list 101 permit ip 192.168.250.0 0.0.0.255 192.168.250.0 0.0.0.255
access-list 101 deny ip any any

Silver

acl on vlan - cant make it through outside network

No, you have:

access-list 101 permit ip 192.168.250.0 0.0.0.255 192.168.250.0 0.0.0.255

whereas Alain said:

access-list 101 permit ip 192.168.250.0 0.0.0.255 any
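The point Alain and the last reply are making can be checked mechanically: an IOS ACL is evaluated top to bottom, first match wins, and the destination address in the packet is the final host's address, not the default gateway's, so a ping to anything outside 192.168.66.252/30, 192.168.200.0/24 or 192.168.250.0/24 walks past every permit and lands on `deny ip any any`. The following first-match evaluator is an added example written for this thread; it is not code from the original post or from Cisco. It parses the ACL exactly as posted, plus a "fixed" copy with Alain's `permit ip 192.168.250.0 0.0.0.255 any` inserted before the trailing explicit `deny ip any any` (appending it after that line would never match, since the explicit deny already catches everything). Only `ip` entries with contiguous wildcard masks are supported, which is all the thread needs; the outside host 203.0.113.10 and the client 192.168.250.10 are constructed test addresses, not from the page.

```python
"""First-match evaluator for Cisco-style extended IP ACLs (IPv4, protocol ip only).

Added example for the ACL-ordering discussion above; not the forum poster's or
Cisco's code. Entries are matched in order, and an ACL with no match falls through
to the implicit deny, exactly as IOS does.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = ipaddress.ip_network("0.0.0.0/0")


def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """Convert IOS 'address wildcard' notation to a prefix.

    In a wildcard mask a 1 bit means 'don't care', so the subnet mask is the
    bitwise inverse. Only contiguous masks (an inverted /n) are accepted here.
    """
    wild = int(ipaddress.IPv4Address(wildcard))
    netmask = ~wild & 0xFFFFFFFF
    prefix = bin(netmask).count("1")
    if netmask != (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous wildcard mask not supported: {wildcard}")
    base = int(ipaddress.IPv4Address(addr)) & netmask
    return ipaddress.ip_network(f"{ipaddress.IPv4Address(base)}/{prefix}")


@dataclass(frozen=True)
class Ace:
    action: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    text: str


def _take_addr(tokens: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Consume 'any', 'host A', or 'A WILDCARD' starting at tokens[i]."""
    if tokens[i] == "any":
        return ANY, i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(f"{tokens[i + 1]}/32"), i + 2
    return wildcard_to_network(tokens[i], tokens[i + 1]), i + 2


def parse_acl(config: str) -> List[Ace]:
    """Parse 'access-list N permit|deny ip SRC DST' lines; remarks are skipped."""
    aces: List[Ace] = []
    for raw in config.strip().splitlines():
        tokens = raw.split()
        if not tokens or tokens[0] != "access-list" or tokens[2] == "remark":
            continue
        action, proto = tokens[2], tokens[3]
        if action not in ("permit", "deny") or proto != "ip":
            raise ValueError(f"unsupported ACE: {raw}")
        src, i = _take_addr(tokens, 4)
        dst, _ = _take_addr(tokens, i)
        aces.append(Ace(action, src, dst, raw.strip()))
    return aces


def evaluate(aces: List[Ace], src: str, dst: str) -> Tuple[str, Optional[int]]:
    """Return (action, index of the matching entry); None index = implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for idx, ace in enumerate(aces):
        if s in ace.src and d in ace.dst:
            return ace.action, idx
    return "deny", None


# The ACL exactly as posted in the thread.
ORIGINAL_ACL = """
access-list 101 remark VLAN_250
access-list 101 deny ip 192.168.250.0 0.0.0.255 192.168.210.0 0.0.0.255
access-list 101 deny ip 192.168.250.0 0.0.0.255 192.168.91.0 0.0.0.255
access-list 101 permit ip 192.168.250.0 0.0.0.255 192.168.66.252 0.0.0.3
access-list 101 permit ip 192.168.250.0 0.0.0.255 192.168.200.0 0.0.0.255
access-list 101 permit ip 192.168.250.0 0.0.0.255 192.168.250.0 0.0.0.255
access-list 101 deny ip any any
"""

# Alain's fix: the specific denies stay first, the broad permit goes before the
# explicit deny-all (after it, the line could never be reached).
FIXED_ACL = ORIGINAL_ACL.replace(
    "access-list 101 deny ip any any",
    "access-list 101 permit ip 192.168.250.0 0.0.0.255 any\n"
    "access-list 101 deny ip any any",
)

# Constructed flows: a VLAN 250 client talking to each kind of destination.
FLOWS = [
    ("192.168.250.10", "192.168.210.5"),   # blocked VLAN, must stay denied
    ("192.168.250.10", "192.168.66.253"),  # the gateway itself
    ("192.168.250.10", "203.0.113.10"),    # 'outside' host beyond the gateway
    ("192.168.200.5", "203.0.113.10"),     # not from VLAN 250 at all
]

if __name__ == "__main__":
    for name, acl in (("original", parse_acl(ORIGINAL_ACL)), ("fixed", parse_acl(FIXED_ACL))):
        print(f"== {name} ACL ==")
        for src, dst in FLOWS:
            action, idx = evaluate(acl, src, dst)
            hit = acl[idx].text if idx is not None else "<implicit deny>"
            print(f"{src:>15} -> {dst:<15} {action:<6} via: {hit}")
```

Running it shows the original ACL denying 192.168.250.10 -> 203.0.113.10 on the `deny ip any any` line while the same packet to 192.168.66.253 is permitted, which is exactly the `show ip access-list` picture in the first post; the fixed ACL permits the outside host but still denies 192.168.210.0/24 because that deny is evaluated first.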
