
New Member

Access-List

I'm not sure if I'm in the right place but I have a problem with ACL. I have a user who is using VMware and I gave him a network address of 10.17.0.0/16. I can get to anything on the 10.17.0.X network but nothing else. Here is my ACL:

interface Vlan17
 description "SBU_LABMGR_VM_VLAN"
 ip address 10.17.0.1 255.255.0.0
 ip access-group SBU_LABMGR_VM_VLAN-IN in

ip access-list extended SBU_LABMGR_VM_VLAN-IN
 permit ip 10.17.0.0 0.0.255.255 10.0.7.0 0.0.0.255
 permit ip 10.17.0.0 0.0.255.255 10.1.7.0 0.0.0.255
 permit ip 10.17.0.0 0.0.255.255 10.1.8.0 0.0.0.255
 permit ip 10.17.0.0 0.0.255.255 10.4.7.0 0.0.0.255
 permit ip 10.17.1.0 0.0.0.255 10.1.7.0 0.0.0.255
 permit ip 10.17.0.0 0.0.255.255 host 10.1.15.75
 permit ip 10.17.0.0 0.0.255.255 host 10.1.20.25
 deny ip 10.17.0.0 0.0.255.255 10.0.0.0 0.255.255.255
 deny ip 10.17.0.0 0.0.255.255 172.16.0.0 0.15.255.255
 deny ip 10.17.0.0 0.0.255.255 192.168.0.0 0.0.0.255
 permit ip any any

Is there anything wrong with this access-list?
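To see what the ACL in the post actually does, it helps to walk it the way IOS does: top to bottom, first match wins, and an implicit deny at the end. The script below is an added example (not from the original post or from Cisco); it parses the ACL text from the post, converts the wildcard masks to prefixes, evaluates constructed sample flows against it, and flags entries that can never match because an earlier entry already covers both endpoints. The sample addresses and the helper names are assumptions for illustration.

```python
"""First-match evaluation of a Cisco IOS extended ACL, plus a shadowed-entry check.
Added example; the ACL text is copied from the post above. Only 'ip' entries with
'any', 'host A', or 'A WILDCARD' endpoints are handled (all this ACL uses)."""
import ipaddress
from typing import List, Optional, Tuple

ACL_TEXT = """
permit ip 10.17.0.0 0.0.255.255 10.0.7.0 0.0.0.255
permit ip 10.17.0.0 0.0.255.255 10.1.7.0 0.0.0.255
permit ip 10.17.0.0 0.0.255.255 10.1.8.0 0.0.0.255
permit ip 10.17.0.0 0.0.255.255 10.4.7.0 0.0.0.255
permit ip 10.17.1.0 0.0.0.255 10.1.7.0 0.0.0.255
permit ip 10.17.0.0 0.0.255.255 host 10.1.15.75
permit ip 10.17.0.0 0.0.255.255 host 10.1.20.25
deny ip 10.17.0.0 0.0.255.255 10.0.0.0 0.255.255.255
deny ip 10.17.0.0 0.0.255.255 172.16.0.0 0.15.255.255
deny ip 10.17.0.0 0.0.255.255 192.168.0.0 0.0.0.255
permit ip any any
"""

# (action, protocol, source network, destination network)
Rule = Tuple[str, str, ipaddress.IPv4Network, ipaddress.IPv4Network]


def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """Turn IOS 'address wildcard' into a prefix. A wildcard bit of 1 means
    'don't care', so the subnet mask is its bitwise inverse. Assumes a
    contiguous wildcard, which every entry in this ACL has."""
    mask = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF
    prefixlen = bin(mask).count("1")
    base = int(ipaddress.IPv4Address(addr)) & mask
    return ipaddress.IPv4Network((base, prefixlen))


def parse_endpoint(tokens: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Parse one endpoint starting at tokens[i]; return (network, next index)."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.IPv4Network(tokens[i + 1] + "/32"), i + 2
    return wildcard_to_network(tok, tokens[i + 1]), i + 2


def parse_acl(text: str) -> List[Rule]:
    rules: List[Rule] = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if not tokens:
            continue
        action, proto = tokens[0], tokens[1]
        src, i = parse_endpoint(tokens, 2)
        dst, _ = parse_endpoint(tokens, i)
        rules.append((action, proto, src, dst))
    return rules


def evaluate(rules: List[Rule], src_ip: str, dst_ip: str) -> Tuple[str, Optional[int]]:
    """Return (action, 1-based entry number) of the first matching entry.
    No match falls through to the implicit deny, reported with entry None."""
    s, d = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for n, (action, _proto, src, dst) in enumerate(rules, start=1):
        if s in src and d in dst:
            return action, n
    return "deny", None


def shadowed_entries(rules: List[Rule]) -> List[Tuple[int, int]]:
    """Entries that can never match because an earlier entry with the same
    protocol covers both their source and destination. Returns (entry, shadowed_by)."""
    found = []
    for i, (_, proto_i, src_i, dst_i) in enumerate(rules, start=1):
        for j, (_, proto_j, src_j, dst_j) in enumerate(rules[: i - 1], start=1):
            if proto_j == proto_i and src_i.subnet_of(src_j) and dst_i.subnet_of(dst_j):
                found.append((i, j))
                break
    return found


RULES = parse_acl(ACL_TEXT)

if __name__ == "__main__":
    # Constructed sample flows from hosts on the 10.17.0.0/16 VM network.
    for src, dst in [("10.17.0.5", "10.1.7.10"), ("10.17.0.5", "10.2.3.4"),
                     ("10.17.0.5", "192.168.1.9"), ("10.17.0.5", "8.8.8.8")]:
        print(src, "->", dst, evaluate(RULES, src, dst))
    print("shadowed entries:", shadowed_entries(RULES))
```

Two things the run makes visible that are easy to miss reading the ACL by eye: entry 5 (`permit ip 10.17.1.0 0.0.0.255 10.1.7.0 0.0.0.255`) is fully covered by entry 2 and never matches, and the last deny uses wildcard `0.0.0.255`, so it covers only 192.168.0.0/24; a destination such as 192.168.1.9 falls through to `permit ip any any`. Also note that an inbound ACL on the VLAN 17 SVI is only consulted for traffic that is routed through that interface; hosts inside the same 10.17.0.0/16 subnet reach each other directly at layer 2, so a flow like 10.17.5.5 to 10.17.1.5 never hits the `deny ... 10.0.0.0 0.255.255.255` entry even though the evaluator reports it would.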

4 REPLIES
Bronze

Re: Access-List

deny ip 10.17.0.0 0.0.255.255 10.0.0.0 0.255.255.255

Do you want them denied to everything on the 10 network?

Can you ping the next hop after the gateway?

Is there any other access list on the default gateway or a firewall that could be blocking traffic?

Is VLAN17 entered in all correct VLAN databases and allowed to traverse all trunk links if it is not terminated at the gateway?

Is NAT, PAT or a proxy set up to access the internet?

New Member

Re: Access-List

1) Yes, I want them denied to everything on the 10 network except 10.1.7.X, 10.0.7.X and everything else I have in the permit ACL.

2) There is no firewall blocking traffic.

3) Vlan 17 is entered correctly in the database. I can ping the 10.17.0.X network but can't get to 10.17.1.X/0.0.255.255 or above.

Bronze

Re: Access-List

"Vlan 17 is entered correctly in the database can ping 10.17.0.X network can't get to 10.17.1.X/0.0.255.255 or above"

So you can't ping anything in the 10.17.1.x and above?

Since VLAN17 int = 10.17.0.1 255.255.0.0 can I assume 10.17.1.x are part of the same network segment and vlan membership?

Can you ping 10.17.1.x from VLAN17 interface?

New Member

Re: Access-List

Thank you for your assistance. The problem was with the virtual server gateway. Everything is working!
