Cisco Support Community

New Member

ACL Range Syntax

I'm trying to create an extended IP access-list and limit the number of necessary lines by adding the range command.

The syntax takes, but does not permit the allowed TCP Ports we need. (TAC hasn't been much help)

Router = 7206NPE-G1, IOS 12.1(19)E2

syntax

!
access-list 112 permit tcp any 172.16.12.0 0.0.0.255 range 46000 46030
!

The command above takes, but I'm logging denials for 46001, 2, 3, etc. (all within the range). I could use the GT operand, but why doesn't this work? I'm browsing documents for syntax specifics.

Thanks - Tim

4 REPLIES

Re: ACL Range Syntax

Tim,

So are you getting log messages which indicate ports within the range 46000-46030 are being denied? Can you paste those syslog messages? Can you also give some more information about the protocol you are using? How is this access-list applied to the interface? A snapshot of the ACL config would help!

Have you tested the following: add individual access-list statements permitting ports 46000, 46001...46030?

New Member

Re: ACL Range Syntax

>So are you getting log messages which indicate ports within the range 46000-46030 are being denied?

Yes

>Can you paste those syslog messages?

No - in order to do so, I'd have to deny a major component of our trading system.

>Can you also give some more information about the protocol you are using?

TCP/IP based communications, running on an HP Platform called RTR.

>How is this access-list applied to the interface?

It is applied outbound on our egress FE interfaces. See config below.

interface FastEthernet0/0
 ip access-group 112 out
interface FastEthernet0/1
 ip access-group 112 out
interface FastEthernet1/0
 ip access-group 155 in
interface FastEthernet1/1
 ip access-group 155 in
!
! // I'm not going to list all of the
! // lines for the 112 -- it's huge.
access-list 112 permit ip any 224.0.0.0 0.0.0.255
access-list 112 permit icmp any any
access-list 112 permit eigrp 10.55.10.0 0.0.0.255 10.55.10.0 0.0.0.255
access-list 112 permit eigrp 10.55.20.0 0.0.0.255 10.55.20.0 0.0.0.255
access-list 112 permit tcp any eq 20220 172.16.0.0 0.0.255.255
access-list 112 permit tcp any 172.16.11.0 0.0.0.255 eq 14711
access-list 112 permit tcp any 172.16.12.0 0.0.0.255 eq 14711
access-list 112 permit tcp any 172.16.13.0 0.0.0.255 eq 46000
access-list 112 permit tcp any 172.16.13.0 0.0.0.255 eq 46001
access-list 112 permit tcp any 172.16.13.0 0.0.0.255 eq 46002
access-list 112 permit tcp any 172.16.13.0 0.0.0.255 eq 46003
access-list 112 permit tcp any 172.16.13.0 0.0.0.255 eq 46004
access-list 112 permit tcp any 172.16.13.0 0.0.0.255 eq 46005
access-list 112 permit tcp any 172.16.13.0 0.0.0.255 eq 46006
access-list 112 permit tcp any 172.16.23.0 0.0.0.255 eq 46000
access-list 112 permit tcp any 172.16.23.0 0.0.0.255 eq 46001
access-list 112 permit tcp any 172.16.23.0 0.0.0.255 eq 46002
access-list 112 permit tcp any 172.16.23.0 0.0.0.255 eq 46003
access-list 112 permit tcp any 172.16.23.0 0.0.0.255 eq 46004
access-list 112 permit tcp any 172.16.23.0 0.0.0.255 eq 46005
access-list 112 permit tcp any 172.16.23.0 0.0.0.255 eq 46006
access-list 112 permit tcp any 172.16.21.0 0.0.0.255 eq 14711
access-list 112 permit tcp any 172.16.22.0 0.0.0.255 eq 14711
............
access-list 112 deny ip any any log
! END

ACL 155 is a simple host-permission ACL, for us to audit who is and isn't approved by SEC to connect.

ACL 112 is applied outbound, coming into our Dist/Core where the HP-RTR servers are mentioned. Spoke sites connect to these.

New Member

Re: ACL Range Syntax

FYI - we currently have no syslog server. Bad, I know, but CiscoWorks is not in my camp; wish it was.

New Member

Re: ACL Range Syntax

Is your port range from 46000 to 46030 the source port?
