Access List question


I've been fighting with a C1700 for many hours and can't seem to figure out where the problem with my access lists lies. Hopefully someone here can please help me out as I'm getting a little desperate!


C1700 with WIC 4ESW

IOS ver 12.3(3.5)T


FE1 (VLAN200)

FE4 (VLAN100)

I've got the router and VLAN configuration correct as it works fine until I apply access lists.

Desired results:

(1) All hosts on can access TCP 1494 and UDP 1604 on host

(2) Only hosts can access WWW and DNS anywhere

(3) All other outbound requests on are blocked

(4) All hosts on and 200.0 can access WWW and TCP 3389 on host

(5) All hosts on and 200.0 have unrestricted access to each other

List entries:

access-list 100 permit tcp any eq www

access-list 100 permit tcp any host eq 1494

access-list 100 permit udp any host eq 1604

access-list 100 permit tcp any eq domain

access-list 100 permit udp any eq domain

access-list 150 permit tcp any host eq www

access-list 150 permit tcp any host eq 3389


on FE0

ip access-group 100 in

works fine

ip access-group 150 out

works fine

ip access-group 100 in

ip access-group 150 out

no routing happens from network

Thanks in advance



Re: Access List question

Based on the info above, I would argue that:

"ip access-group 150 out

works fine"

does not work fine. You have to remember that there is an implicit deny at the end of every ACL. What is happening here is that you are not accounting for return traffic in your ACLs. For instance, let's say that a host on the network initiates a TCP/1494 connection to network. If both ACL 100 and 150 are in place as shown above, the reply from the host will be blocked by ACL 150 due to the implicit 'deny ip any any' at the end of the ACL. This is a common frustration with creating ACLs such as you are trying to do. To alleviate this, we created a feature known as CBAC (Context Based Access Control). This feature allows the router to "watch" traffic as it passes and dynamically create an ACL entry to allow the return traffic back in. You can get some more information on this feature here:

One other less effective way to accomplish the desired result is to use the 'established' keyword in your ACL. You can find some info on this option out on CCO as well.

Let me know if there is anything I can clarify.
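To see the reply's point concretely, here is an added Python model (not from the thread and not Cisco code) that evaluates ACL 150 the way IOS does: first matching entry wins, and anything unmatched falls through to the implicit deny. The addresses are constructed placeholders because the post's networks did not survive, and the 'established' keyword is modelled as matching TCP segments with the ACK or RST bit set.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

@dataclass
class Packet:
    proto: str          # "tcp" or "udp"
    src: str
    dst: str
    sport: int
    dport: int
    ack: bool = False   # TCP ACK or RST bit set; this is what 'established' tests

@dataclass
class Entry:
    action: str                     # "permit" or "deny"
    proto: str                      # "tcp", "udp" or "ip"
    src: str = "0.0.0.0/0"          # "any"
    dst: str = "0.0.0.0/0"          # "any"
    dport: Optional[int] = None     # "eq <port>" on the destination port
    established: bool = False       # match only TCP segments with ACK/RST set

    def matches(self, p: Packet) -> bool:
        return (self.proto in ("ip", p.proto)
                and ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and (self.dport is None or self.dport == p.dport)
                and (not self.established or (p.proto == "tcp" and p.ack)))

def evaluate(acl: List[Entry], p: Packet) -> str:
    """First matching entry wins; no match falls through to the implicit 'deny ip any any'."""
    for e in acl:
        if e.matches(p):
            return e.action
    return "deny"

# Constructed placeholders: the thread's real addresses were lost in extraction.
CLIENT = "198.51.100.25"    # host on the client side, reached through FE0
CITRIX = "192.0.2.10"       # host offering TCP 1494 / UDP 1604 / WWW / 3389

# ACL 150 as posted, applied outbound on FE0 (toward the clients).
ACL_150 = [Entry("permit", "tcp", dst=CITRIX + "/32", dport=80),
           Entry("permit", "tcp", dst=CITRIX + "/32", dport=3389)]
# The "less effective" fix from the reply: let TCP segments with ACK/RST set back out.
ACL_150_ESTABLISHED = ACL_150 + [Entry("permit", "tcp", established=True)]

# The client's SYN to 1494 enters FE0 via ACL 100; the server's SYN/ACK must leave FE0.
SYN_ACK = Packet("tcp", CITRIX, CLIENT, 1494, 51000, ack=True)
# A fresh SYN from the server side carries no ACK bit, so 'established' does not open it.
UNSOLICITED_SYN = Packet("tcp", CITRIX, CLIENT, 40000, 22)

def verdicts(acl: List[Entry]) -> dict:
    return {"syn_ack": evaluate(acl, SYN_ACK), "unsolicited_syn": evaluate(acl, UNSOLICITED_SYN)}
```

Note that 'established' only helps TCP: the UDP 1604 replies in requirement (1) still need an explicit outbound entry or CBAC, which is why the reply calls the keyword the less effective option.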