Cisco Support Community
New Member

IP Access-List HELP

Please refer to the configuration below. I have no problem with access-list 110. The problem is access-list 120: when a host on the 159.254.205.0/24 segment tries to access the web server on the 159.254.207.128/27 segment, it is blocked by access-list 120. I had permitted tcp any any with the established keyword, but when I show the log, the packets are denied by access-list 120!

Why?

P.S.: but I have no problem pinging both ways!!

interface FastEthernet 0
 ip address 159.254.205.1 255.255.255.0
interface FastEthernet 1
 ip address 159.254.207.129 255.255.255.224
 ip access-group 110 in
 ip access-group 120 out
access-list 110 permit icmp any any
access-list 110 permit ip 159.254.207.128 0.0.0.31 host 159.254.205.100
access-list 110 permit ip 159.254.207.128 0.0.0.31 host 159.254.205.200
access-list 110 deny ip any any
access-list 120 permit icmp any any
access-list 120 permit tcp any any established
access-list 120 permit udp any any
access-list 120 deny ip any any log

2 REPLIES

Re: IP Access-List HELP

Hi,

When the PC tries to connect to the web server, the TCP session is not established yet, so it is blocked.

If you want to use the established keyword, you should use it in the incoming access list.

See http://www.cisco.com/warp/public/105/ACLsamples.pdf for details.

Regards,

Milan

New Member

Re: IP Access-List HELP

Thanks a lot, Milan

After I changed the access-list as below, it works now.

interface FastEthernet 0
 ip address 159.254.205.1 255.255.255.0
interface FastEthernet 1
 ip address 159.254.207.129 255.255.255.224
 ip access-group 110 in
access-list 110 permit icmp any any
access-list 110 permit tcp any any gt 1024 established
access-list 110 permit ip 159.254.207.128 0.0.0.31 host 159.254.205.100
access-list 110 permit ip 159.254.207.128 0.0.0.31 host 159.254.205.200
access-list 110 deny ip any any

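The behaviour discussed in this thread, as an added example that is not part of any post above: a small Python model of first-match ACL evaluation, run against the thread's access-list 120 and the revised access-list 110. The host addresses and ports in the sample packets are constructed, and the model assumes that `established` matches TCP segments with the ACK or RST bit set.

```python
import ipaddress

def _in(addr, spec):
    """True if addr falls inside spec ('any' or a CIDR prefix)."""
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec)

def evaluate(acl, pkt):
    """First-match evaluation; returns (action, matching line number)."""
    for line, (action, proto, src, dst, dport_gt, est) in enumerate(acl, 1):
        if proto != "ip" and proto != pkt["proto"]:
            continue
        if not (_in(pkt["src"], src) and _in(pkt["dst"], dst)):
            continue
        if dport_gt is not None and pkt.get("dport", 0) <= dport_gt:
            continue
        # 'established' matches only TCP segments with ACK or RST set,
        # so the opening SYN of a handshake never matches it.
        if est and not ({"ACK", "RST"} & pkt.get("flags", set())):
            continue
        return action, line
    return "deny", None  # implicit deny at the end of every ACL

# Entry layout: (action, protocol, source, destination, dest port gt, established)
ACL_120_OUT = [                      # original outbound list on FastEthernet 1
    ("permit", "icmp", "any", "any", None, False),
    ("permit", "tcp", "any", "any", None, True),
    ("permit", "udp", "any", "any", None, False),
    ("deny", "ip", "any", "any", None, False),
]
ACL_110_IN_FIXED = [                 # revised inbound list on FastEthernet 1
    ("permit", "icmp", "any", "any", None, False),
    ("permit", "tcp", "any", "any", 1024, True),
    ("permit", "ip", "159.254.207.128/27", "159.254.205.100/32", None, False),
    ("permit", "ip", "159.254.207.128/27", "159.254.205.200/32", None, False),
    ("deny", "ip", "any", "any", None, False),
]

CLIENT, SERVER = "159.254.205.50", "159.254.207.130"   # constructed hosts
SYN = dict(proto="tcp", src=CLIENT, dst=SERVER, dport=80, flags={"SYN"})
SYN_ACK = dict(proto="tcp", src=SERVER, dst=CLIENT, dport=40000, flags={"SYN", "ACK"})
PING = dict(proto="icmp", src=CLIENT, dst=SERVER)
SERVER_SYN = dict(proto="tcp", src=SERVER, dst=CLIENT, dport=3389, flags={"SYN"})

if __name__ == "__main__":
    print("client SYN, ACL 120 out:      ", evaluate(ACL_120_OUT, SYN))
    print("client ping, ACL 120 out:     ", evaluate(ACL_120_OUT, PING))
    print("server SYN-ACK, ACL 110 in:   ", evaluate(ACL_110_IN_FIXED, SYN_ACK))
    print("server-initiated SYN, 110 in: ", evaluate(ACL_110_IN_FIXED, SERVER_SYN))
```

The match is stateless: it inspects only the flag bits of each segment and keeps no connection table.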