09-03-2009 12:50 PM - edited 03-06-2019 07:35 AM
From my client, IP=10.17.41.104, I do:
'telnet 10.17.206.11 80' and it works. I can ping the web server OK.
Then I do
'telnet 10.17.206.5 80' and it times out.
Both web servers 10.17.206.11 and 10.17.206.5 are connected to the same layer 2 switch, same location.
Then I did traces to '10.17.206.5' till I found the layer 3 switch 4507 which contains the access-lists below.
I added line 11 and 12 below using my IP address and I still cannot get to the webserver via http from my workstation.
Any ideas what I am missing or how can I troubleshoot this further?
Input-log shows that I have hits OK for line 11, but that is about it. Somehow it seems the traffic from the webserver 10.17.206.5 still can't go back to my workstation apparently...
Extended IP access list LETMECONNECT
10 permit icmp any any (1937 matches)
11 permit ip host 10.17.41.104 any input-log
12 permit ip any host 10.17.41.104 input-log
20 deny ip host 10.17.206.5 any (25071 matches)
30 deny ip host 10.17.206.6 any (28151 matches)
40 deny ip host 10.17.206.7 any (15147 matches)
50 deny ip host 10.17.206.8 any (15725 matches)
60 deny ip host 10.17.206.9 any (20348 matches)
70 deny ip host 10.17.206.10 any (19782 matches)
80 deny ip host 10.17.206.29 any
90 deny ip any host 10.17.206.29 (14 matches)
100 permit ip any host 10.17.217.22
110 permit ip any host 10.17.217.23
120 permit ip any host 10.17.217.24
130 permit ip any host 10.17.217.25
140 permit ip host 10.17.217.22 any
150 permit ip host 10.17.217.23 any
160 permit ip host 10.17.217.24 any
170 permit ip host 10.17.217.25 any
180 deny ip any host 10.17.206.5 (59 matches)
190 deny ip any host 10.17.206.6 (34 matches)
200 deny ip any host 10.17.206.7 (28 matches)
210 deny ip any host 10.17.206.8 (6 matches)
220 deny ip any host 10.17.206.9 (11 matches)
230 deny ip any host 10.17.206.10 (6 matches)
240 permit ip any host 10.17.42.71
250 permit ip any host 10.17.42.175
260 permit ip host 10.17.42.71 any
270 permit ip host 10.17.42.175 any
280 permit ip any any (1927397 matches)
!
! Vlan interface where the web-server layer-2 switch is served:
interface Vlan20
(...)
ip access-group LETMECONNECT in
ip access-group LETMECONNECT out
(...)
09-03-2009 01:03 PM
Marlon
What happens if you try and ping 10.17.206.5 ?
Jon
09-03-2009 01:04 PM
Ping from my workstation to 10.17.206.5 works successfully.
09-03-2009 01:08 PM
Then your acl looks like it's working ?
Can you try connecting to 10.17.206.5 on port 80 from a device on the same subnet ?
Jon
09-03-2009 01:12 PM
Jon,
You're spot on with that ping - I am again looking for a complicated answer (see my previous post in this thread) where a simple answer is completely sufficient. Thank you!
Best regards,
Peter
09-03-2009 01:15 PM
Peter
Nope, you're right, not me :-) - see the previous post I made.
Jon
09-03-2009 01:24 PM
Darn. Here is the problem:
From the Layer 2 2900 that the web servers are connected to, there are two connections (g0/1 and g0/2) to 4507-1 and 4507-2.
So I added the ACL allowing my workstation to the other 4507 and now it works.
HSRP highest IP is on the vlan configuration on 4507-1. So the ingress traffic flows through 4507-2, and the egress traffic via 4507-2. I am not sure if this is right...
09-03-2009 01:28 PM
Marlon
Yep, that would explain it. Might have helped if you had mentioned you had 2 4507 switches :-)
Jon
09-03-2009 01:38 PM
Well, I was not expecting that the traffic is kind of asymmetric then...
Sorry :-) Thanks all.
09-03-2009 01:43 PM
Marlon
No problem, I was just joking :-)
As for asymmetric traffic it all depends on which switch is HSRP active for your client vlan and which is HSRP active for the server vlan (assuming both client and server vlans are routed off the 4507s).
Jon
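To make Jon's explanation concrete, here is an added example (not code from the thread or from Cisco) that replays the LETMECONNECT access list from the first post against the client and server flows discussed above. The ACL entries are copied from the post with their match counters dropped; everything else is an assumption: that the second 4507 carries the same ACL without lines 11 and 12 (the state before Marlon copied them over), that 4507-1 is HSRP active on the client VLAN and 4507-2 on the server VLAN (so the forward and return paths take different switches), and IOS first-match evaluation with an implicit deny at the end. It shows why ping succeeded everywhere (line 10) while the HTTP reply from 10.17.206.5 was dropped by line 20 on the switch that never received the permit lines.

```python
import re

# Entries copied from the post, match counters removed.
LETMECONNECT = """\
10 permit icmp any any
11 permit ip host 10.17.41.104 any input-log
12 permit ip any host 10.17.41.104 input-log
20 deny ip host 10.17.206.5 any
30 deny ip host 10.17.206.6 any
40 deny ip host 10.17.206.7 any
50 deny ip host 10.17.206.8 any
60 deny ip host 10.17.206.9 any
70 deny ip host 10.17.206.10 any
80 deny ip host 10.17.206.29 any
90 deny ip any host 10.17.206.29
100 permit ip any host 10.17.217.22
110 permit ip any host 10.17.217.23
120 permit ip any host 10.17.217.24
130 permit ip any host 10.17.217.25
140 permit ip host 10.17.217.22 any
150 permit ip host 10.17.217.23 any
160 permit ip host 10.17.217.24 any
170 permit ip host 10.17.217.25 any
180 deny ip any host 10.17.206.5
190 deny ip any host 10.17.206.6
200 deny ip any host 10.17.206.7
210 deny ip any host 10.17.206.8
220 deny ip any host 10.17.206.9
230 deny ip any host 10.17.206.10
240 permit ip any host 10.17.42.71
250 permit ip any host 10.17.42.175
260 permit ip host 10.17.42.71 any
270 permit ip host 10.17.42.175 any
280 permit ip any any
"""

# Only the ACE shape used in this ACL is supported: seq, action, protocol,
# then "any" or "host <ip>" for source and destination; trailing keywords
# such as input-log are ignored.
ACE_RE = re.compile(r"^(\d+)\s+(permit|deny)\s+(\w+)\s+(any|host \S+)\s+(any|host \S+)")


def parse_acl(text):
    """Return a list of (seq, action, proto, src, dst); src/dst are 'any' or a host IP."""
    acl = []
    for line in text.strip().splitlines():
        m = ACE_RE.match(line.strip())
        if not m:
            raise ValueError("unsupported ACE: " + line)
        seq, action, proto, src, dst = m.groups()
        acl.append((int(seq), action, proto,
                    src.replace("host ", ""), dst.replace("host ", "")))
    return acl


def match(acl, proto, src, dst):
    """First-match evaluation; the implicit deny at the end is reported as seq None."""
    for seq, action, aproto, asrc, adst in acl:
        if aproto not in ("ip", proto):          # "ip" matches every protocol
            continue
        if asrc not in ("any", src) or adst not in ("any", dst):
            continue
        return action, seq
    return "deny", None


# Assumed topology: the client VLAN and Vlan20 are both routed on the two
# 4507s.  The forward packet leaves the client VLAN via the switch that is
# HSRP active there; the reply leaves Vlan20 via the switch that is HSRP
# active on Vlan20.  Each switch applies its own Vlan20 ACL (in and out).
def trace_flow(switch_acls, hsrp_active, proto, client, server):
    fwd_sw, rev_sw = hsrp_active["client"], hsrp_active["server"]
    fwd = match(switch_acls[fwd_sw], proto, client, server)
    rev = match(switch_acls[rev_sw], proto, server, client)
    return {"forward": (fwd_sw,) + fwd, "reply": (rev_sw,) + rev}


ACL_4507_1 = parse_acl(LETMECONNECT)                              # has lines 11 and 12
ACL_4507_2 = [a for a in ACL_4507_1 if a[0] not in (11, 12)]     # assumed: fix not yet copied
SWITCHES = {"4507-1": ACL_4507_1, "4507-2": ACL_4507_2}
ASSUMED_HSRP = {"client": "4507-1", "server": "4507-2"}          # assumed HSRP roles


def diagnose(proto="tcp"):
    """Which switch and which ACE decides each leg of the client<->10.17.206.5 flow."""
    return trace_flow(SWITCHES, ASSUMED_HSRP, proto, "10.17.41.104", "10.17.206.5")


if __name__ == "__main__":
    for proto in ("tcp", "icmp"):
        print(proto, diagnose(proto))
```

Running it shows the HTTP request permitted by line 11 on 4507-1 but the reply denied by line 20 on 4507-2, while ICMP is permitted by line 10 on both, which is exactly the symptom in the thread: ping works, `telnet ... 80` times out, and the line 11 counter increments. Once lines 11 and 12 are present on both switches (set `ACL_4507_2 = ACL_4507_1`) the reply is permitted by line 12 regardless of which switch is HSRP active.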
09-03-2009 01:15 PM
From the layer 2 switch the device is connected to, yes, I knew I could get there just fine via port 80. So the web server is fine; I just need to allow specific IPs to get to it via http.
09-03-2009 01:12 PM
Actually Peter has a good point, as I didn't notice the first line of your acl, which is to permit all icmp.
Jon
09-03-2009 01:10 PM
Hello,
While it should not be necessary, have you tried to remove and put back the "ip access-group" commands on the VLAN20 interface? Perhaps the switch needs to have the ACL reapplied to parse it again. Be careful when removing and reapplying the ACL to the VLAN20 so that you don't lock yourself out.
Best regards,
Peter