Cisco Support Community

New Member

Access List Question

Hi folks -

I have a vendor machine in our network that we assigned a static IP address to. This machine just needs access to the Internet and nothing on our network.

So I created the following access list and applied it to the port that this machine is connected to. The machine is connected to a Cisco 3560 switch. It's using 4.2.2.2 for DNS.

Extended IP access list 111
10 permit tcp host 172.16.34.78 any eq www
14 permit tcp host 172.16.34.78 any eq domain
15 permit icmp host 172.16.34.78 any
20 deny ip host 172.16.34.78 any

This machine is unable to connect to the Internet. I can ping 4.2.2.2 from the machine but 4.2.2.2 is not resolving any of the domain names on the Internet.

When I remove the access-l applied to the port, the machine can get to the Internet just fine.

This is how the access-l was applied to the port:

ip access-group 111 in

So I am not sure where I am going wrong.

Can anyone help??

Thanks!


3 REPLIES
Hall of Fame Super Bronze

Re: Access List Question

The Internet is composed of thousands of TCP/UDP ports, not just www and domain. What happens if this host goes to an https site? What happens if they need to ftp a file?

What you need to do is block all local subnets in your network and have a permit ip host any at the end, similar to:

access-list 111 deny ip host 172.16.34.78 [local subnets...]
access-list 111 permit ip host 172.16.34.78 any

__

Edison.
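As an added illustration (not code from this thread), here is a small Python model of IOS first-match ACL evaluation, run against the posted ACL 111 and against the shape Edison suggests. It assumes the "eq domain" entry covers only TCP/53, while ordinary client DNS lookups go over UDP/53 and so fall through to the final deny; the 172.16.0.0/12 stand-in for "[local subnets...]" and the sample destination addresses are constructed placeholders.

```python
import ipaddress
from typing import NamedTuple, Optional

class Ace(NamedTuple):
    action: str            # "permit" or "deny"
    proto: str             # "ip" matches every protocol; else "tcp"/"udp"/"icmp"
    src: str               # host/32 or CIDR
    dst: str
    dport: Optional[int]   # None matches any destination port

class Packet(NamedTuple):
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None

def match(ace, pkt):
    """One entry matches when protocol, addresses and port all agree."""
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(ace.src):
        return False
    if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(ace.dst):
        return False
    return ace.dport is None or ace.dport == pkt.dport

def evaluate(acl, pkt):
    """IOS semantics: first matching entry wins, implicit deny at the end."""
    for ace in acl:
        if match(ace, pkt):
            return ace.action
    return "deny"

HOST, ANY = "172.16.34.78/32", "0.0.0.0/0"

# ACL 111 exactly as posted (www = TCP 80, domain = TCP 53).
ORIGINAL = [Ace("permit", "tcp", HOST, ANY, 80),
            Ace("permit", "tcp", HOST, ANY, 53),
            Ace("permit", "icmp", HOST, ANY, None),
            Ace("deny", "ip", HOST, ANY, None)]

# Edison's shape; 172.16.0.0/12 is an assumed stand-in for "[local subnets...]".
CORRECTED = [Ace("deny", "ip", HOST, "172.16.0.0/12", None),
             Ace("permit", "ip", HOST, ANY, None)]

# Constructed sample traffic from the vendor host.
DNS_QUERY = Packet("udp", "172.16.34.78", "4.2.2.2", 53)      # client DNS lookups use UDP/53
HTTPS = Packet("tcp", "172.16.34.78", "198.51.100.7", 443)    # placeholder Internet address
LAN_SMB = Packet("tcp", "172.16.34.78", "172.16.10.5", 445)   # placeholder internal host
```

Running evaluate(ORIGINAL, DNS_QUERY) returns "deny" while the ICMP ping the poster tested returns "permit", which matches the symptom in the question; the corrected list permits DNS and HTTPS but still denies the internal host.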

New Member

Re: Access List Question

Thanks for your prompt response. I will make that change and see if it works.

On another note, how do I see the hit count on the access list. Sometimes I see the hit count by default and sometimes I don't.

Thanks again!

Hall of Fame Super Bronze

Re: Access List Question

You won't see hit counts on a switch as the ACL is processed in hardware. Hit counts are found on software-based devices like routers.
