I can't understand why this ACL extended entry does not work?

news2010a
Level 3

From my client, IP=10.17.41.104, I do:

'telnet 10.17.206.11 80' and it works. I can ping the web server OK.

Then I do

'telnet 10.17.206.5 80' and it times out.

Both web servers 10.17.206.11 and 10.17.206.5 are connected to the same layer 2 switch, same location.

Then I did traces to '10.17.206.5' till I found the layer 3 switch 4507 which contains the access-lists below.

I added line 11 and 12 below using my IP address and I still cannot get to the webserver via http from my workstation.

Any ideas what I am missing or how can I troubleshoot this further?

Input-log shows that I have hits OK for line 11, but that is about it. Somehow it seems the traffic from the web server 10.17.206.5 still can't go back to my workstation apparently...

Extended IP access list LETMECONNECT
10 permit icmp any any (1937 matches)
11 permit ip host 10.17.41.104 any input-log
12 permit ip any host 10.17.41.104 input-log
20 deny ip host 10.17.206.5 any (25071 matches)
30 deny ip host 10.17.206.6 any (28151 matches)
40 deny ip host 10.17.206.7 any (15147 matches)
50 deny ip host 10.17.206.8 any (15725 matches)
60 deny ip host 10.17.206.9 any (20348 matches)
70 deny ip host 10.17.206.10 any (19782 matches)
80 deny ip host 10.17.206.29 any
90 deny ip any host 10.17.206.29 (14 matches)
100 permit ip any host 10.17.217.22
110 permit ip any host 10.17.217.23
120 permit ip any host 10.17.217.24
130 permit ip any host 10.17.217.25
140 permit ip host 10.17.217.22 any
150 permit ip host 10.17.217.23 any
160 permit ip host 10.17.217.24 any
170 permit ip host 10.17.217.25 any
180 deny ip any host 10.17.206.5 (59 matches)
190 deny ip any host 10.17.206.6 (34 matches)
200 deny ip any host 10.17.206.7 (28 matches)
210 deny ip any host 10.17.206.8 (6 matches)
220 deny ip any host 10.17.206.9 (11 matches)
230 deny ip any host 10.17.206.10 (6 matches)
240 permit ip any host 10.17.42.71
250 permit ip any host 10.17.42.175
260 permit ip host 10.17.42.71 any
270 permit ip host 10.17.42.175 any
280 permit ip any any (1927397 matches)

!Vlan interface where WEBSERVER-LAYER2 SWITCH IS SERVED:
Int vlan 20
(...)
ip access-group LETMECONNECT in
ip access-group LETMECONNECT out
(...)


12 Replies

Jon Marshall
Hall of Fame

Marlon

What happens if you try and ping 10.17.206.5 ?

Jon

Ping from my workstation to 10.17.206.5 works successfully.

Then your acl looks like it's working ?

Can you try connecting to 10.17.206.5 on port 80 from a device on the same subnet ?

Jon

Jon,

You're spot on with that ping - I am again looking for a complicated answer (see my previous post in this thread) where a simple answer is completely sufficient. Thank you!

Best regards,

Peter

Peter

Nope, you're right, not me :-) - see the previous post I made.

Jon

Darn. Here is the problem:

From the Layer 2 2900 where the web servers are connected, there are two connections (g0/1 and g0/2), to 4507-1 and 4507-2.

So I added the ACL allowing my workstation to the other 4507 and now it works.

HSRP highest IP is on the vlan configuration on 4507-1. So the ingress traffic flows through 4507-2, and the egress traffic via 4507-2. I am not sure if this is right...

Marlon
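To see why ping succeeded while port 80 timed out, here is an added example (my own code, not from the thread or from Cisco): a small Python first-match evaluator over the relevant LETMECONNECT lines, assuming the second 4507 carried the same ACL minus sequence lines 11 and 12, and evaluating the forward and return legs of one exchange on different switches.

```python
# Added example (not from the thread): a first-match evaluator for the parts of
# LETMECONNECT that matter here. Entries are (seq, action, proto, src, dst);
# proto "ip" matches every protocol and "any" matches every address. The
# second 4507 is assumed to carry the same ACL without lines 11 and 12.
LETMECONNECT_4507_1 = [
    (10, "permit", "icmp", "any", "any"),
    (11, "permit", "ip", "10.17.41.104", "any"),  # added for the workstation
    (12, "permit", "ip", "any", "10.17.41.104"),  # added for the return path
    (20, "deny", "ip", "10.17.206.5", "any"),
    (180, "deny", "ip", "any", "10.17.206.5"),
    (280, "permit", "ip", "any", "any"),
]
LETMECONNECT_4507_2 = [e for e in LETMECONNECT_4507_1 if e[0] not in (11, 12)]


def first_match(acl, proto, src, dst):
    """Cisco ACLs are evaluated top-down and the first matching entry decides.
    Returns (seq, action); seq is None for the implicit deny at the end."""
    for seq, action, p, s, d in sorted(acl):  # ordered by sequence number
        if p in ("ip", proto) and s in ("any", src) and d in ("any", dst):
            return seq, action
    return None, "deny"


def session(proto, client, server, forward_acl, return_acl):
    """Evaluate both legs of a client/server exchange. The forward packet is
    filtered on the switch that carries client->server traffic, the reply on
    the switch that carries server->client traffic; with HSRP active on a
    different 4507 per VLAN these can be different switches."""
    forward = first_match(forward_acl, proto, client, server)
    reply = first_match(return_acl, proto, server, client)
    return forward, reply


if __name__ == "__main__":
    client, server = "10.17.41.104", "10.17.206.5"
    # Ping: line 10 permits ICMP on both switches, so it works either way.
    print("icmp  :", session("icmp", client, server,
                             LETMECONNECT_4507_1, LETMECONNECT_4507_2))
    # HTTP with the reply routed via the 4507 that lacks lines 11/12:
    # forward leg permitted by line 11, reply dropped by line 20.
    print("tcp/80:", session("tcp", client, server,
                             LETMECONNECT_4507_1, LETMECONNECT_4507_2))
    # Same exchange once the second 4507 also carries lines 11 and 12.
    print("fixed :", session("tcp", client, server,
                             LETMECONNECT_4507_1, LETMECONNECT_4507_1))
```

The counters on the real ACL tell the same story: on the switch that lacks lines 11 and 12, line 20 is what the reply from 10.17.206.5 hits, which is why checking both 4507s' ACL match counts is the quickest confirmation.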

Yep, that would explain it. Might have helped if you had mentioned you had 2 4507 switches :-)

Jon

Well, I was not expecting that the traffic is kind of asymmetric then...

Sorry :-) Thanks all.

Marlon

No problem, I was just joking :-)

As for asymmetric traffic it all depends on which switch is HSRP active for your client vlan and which is HSRP active for the server vlan (assuming both client and server vlans are routed off the 4507s).

Jon

From the layer 2 switch the device is connected to, yes, I knew I could get there just fine via port 80. So the web server is fine, I just need to allow specific IPs to get to it via http.

Actually Peter has a good point, as I didn't notice the first line of your acl, which is to permit all icmp.

Jon

Peter Paluch
Cisco Employee

Hello,

While it should not be necessary, have you tried to remove and put back the "ip access-group" commands on the VLAN20 interface? Perhaps the switch needs to have the ACL reapplied to parse it again. Be careful when removing and reapplying the ACL to the VLAN20 so that you don't lock yourself out.

Best regards,

Peter
