08-11-2013 10:41 PM - edited 03-07-2019 02:52 PM
I have 4 VLANs - VLAN 200, 250, 210 and 66.
VLAN 66 is my gateway/default route. I configured an ACL on VLAN 250; VLANs like 210 are denied and VLAN 66 is allowed. It can ping VLAN 66, which is my default route, but not the outside network beyond VLAN 66.
When I checked the sho ip access-list output, it went to the deny ip any any entry. I can't understand why I can't ping the outside network when there is an existing default route and it is allowed in the first place.
Extended IP access list 101
deny ip 192.168.250.0 0.0.0.255 192.168.210.0 0.0.0.255
deny ip 192.168.250.0 0.0.0.255 192.168.91.0 0.0.0.255
permit ip 192.168.250.0 0.0.0.255 192.168.66.252 0.0.0.3 (45 match(es))
permit ip 192.168.250.0 0.0.0.255 192.168.200.0 0.0.0.255
permit ip 192.168.250.0 0.0.0.255 192.168.250.0 0.0.0.255
deny ip any any (55 match(es))
Please see the attached file.
08-12-2013 12:35 AM
Hi,
Don't forget that routing doesn't modify the destination IP address, so when the packet is forwarded to the default gateway it still has the remote subnet's destination IP and is matched by the implicit deny all at the end of the ACL.
Just add a permit ip 192.168.250.0 0.0.0.255 any at the end of the ACL and it will work, as long as the most specific matches with the denies are first in your ACL.
Regards
Alain
Don't forget to rate helpful posts.
08-12-2013 07:39 AM
Hi Alain,
192.168.250.0 0.0.0.255 is already permitted, even before I posted this problem:
access-list 101 remark VLAN_250
access-list 101 deny ip 192.168.250.0 0.0.0.255 192.168.210.0 0.0.0.255
access-list 101 deny ip 192.168.250.0 0.0.0.255 192.168.91.0 0.0.0.255
access-list 101 permit ip 192.168.250.0 0.0.0.255 192.168.66.252 0.0.0.3
access-list 101 permit ip 192.168.250.0 0.0.0.255 192.168.200.0 0.0.0.255
access-list 101 permit ip 192.168.250.0 0.0.0.255 192.168.250.0 0.0.0.255
access-list 101 deny ip any any
08-12-2013 07:47 AM
No, you have:
access-list 101 permit ip 192.168.250.0 0.0.0.255 192.168.250.0 0.0.0.255
Whereas Alain said:
access-list 101 permit ip 192.168.250.0 0.0.0.255 any
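To make the two points in this thread concrete (Alain's explanation that routing leaves the destination address unchanged, so a packet bound for a remote network falls through to the deny, and the last reply's distinction between a permit to 192.168.250.0/24 and a permit to any), here is an added Python simulation of Cisco first-match ACL evaluation with wildcard masks. It is example code written for this edit, not something from the thread or from Cisco IOS; the ACL entries are the ones posted above, and the sample source/destination addresses (203.0.113.5 standing in for a host beyond VLAN 66, 192.168.250.10 for a host on VLAN 250) are constructed.

```python
import ipaddress


def wildcard_match(addr: str, ace_addr: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'.
    The address matches when every 'care' bit (wildcard bit == 0) agrees."""
    a = int(ipaddress.IPv4Address(addr))
    base = int(ipaddress.IPv4Address(ace_addr))
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (a & care) == (base & care)


def parse_ace(line: str):
    """Parse one 'permit|deny ip SRC WC DST WC' entry.
    Also accepts the 'any' and 'host X' shorthands for either side."""
    tokens = line.split()
    action, proto, rest = tokens[0], tokens[1], tokens[2:]
    if proto != "ip":
        raise ValueError("only 'ip' entries are handled in this example")

    def take(rest):
        if rest[0] == "any":
            return ("0.0.0.0", "255.255.255.255"), rest[1:]
        if rest[0] == "host":
            return (rest[1], "0.0.0.0"), rest[2:]
        return (rest[0], rest[1]), rest[2:]

    src, rest = take(rest)
    dst, rest = take(rest)
    return action, src, dst


def evaluate(acl_lines, src_ip: str, dst_ip: str):
    """First-match evaluation: the first entry whose source AND destination
    match decides; nothing after it is consulted. If no entry matches, the
    implicit deny at the end of every Cisco ACL applies."""
    for line in acl_lines:
        action, (s, sw), (d, dw) = parse_ace(line)
        if wildcard_match(src_ip, s, sw) and wildcard_match(dst_ip, d, dw):
            return action, line
    return "deny", "implicit deny ip any any"


# The ACL exactly as posted in the thread (access-list 101, remark omitted).
ORIGINAL_ACL = [
    "deny ip 192.168.250.0 0.0.0.255 192.168.210.0 0.0.0.255",
    "deny ip 192.168.250.0 0.0.0.255 192.168.91.0 0.0.0.255",
    "permit ip 192.168.250.0 0.0.0.255 192.168.66.252 0.0.0.3",
    "permit ip 192.168.250.0 0.0.0.255 192.168.200.0 0.0.0.255",
    "permit ip 192.168.250.0 0.0.0.255 192.168.250.0 0.0.0.255",
    "deny ip any any",
]

# Alain's fix: a catch-all permit for VLAN 250 placed after the specific denies.
# It goes before the explicit 'deny ip any any'; an entry after that line
# would never be reached under first-match evaluation.
FIXED_ACL = ORIGINAL_ACL[:-1] + [
    "permit ip 192.168.250.0 0.0.0.255 any",
    "deny ip any any",
]

# Wrong ordering for comparison: the catch-all permit placed first shadows the
# specific denies, so VLAN 250 -> VLAN 210 would be allowed.
MISORDERED_ACL = ["permit ip 192.168.250.0 0.0.0.255 any"] + ORIGINAL_ACL


def summarize(acl_lines, flows):
    """Evaluate a list of (src, dst) pairs and return {(src, dst): action}."""
    return {(s, d): evaluate(acl_lines, s, d)[0] for s, d in flows}


if __name__ == "__main__":
    flows = [
        ("192.168.250.10", "192.168.66.253"),  # the gateway itself: pingable
        ("192.168.250.10", "203.0.113.5"),     # beyond VLAN 66 (constructed)
        ("192.168.250.10", "192.168.210.7"),   # VLAN 210: must stay denied
    ]
    for name, acl in (("original", ORIGINAL_ACL), ("fixed", FIXED_ACL),
                      ("misordered", MISORDERED_ACL)):
        for (s, d), action in summarize(acl, flows).items():
            print(f"{name:10} {s} -> {d}: {action}")
```

Running the block shows why the poster could reach 192.168.66.253 but not anything past it: the destination of a packet headed off-site is the remote host, not the gateway, so only the 192.168.66.252/30 entry ever matched gateway traffic and everything else hit deny ip any any. With the catch-all permit in place (and still below the VLAN 210 and 192.168.91.0 denies) off-site traffic is permitted while the denies keep working; the misordered variant shows what happens if the permit is placed above them.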