Cisco Support Community
Community Member

Access-list

Good day;

Not sure what I'm doing wrong, but when I add the following access-list to my interface fa1/8 I cannot ping anything anymore. I've been staring at this for a while, so it all looks the same to me... am I missing something? Thank you in advance for your help!!

ip access-list extended BNP-in
 permit ip 67.57.163.0 0.0.0.255 10.255.118.0 0.0.0.127
 remark : ICMP access
 permit icmp host 10.255.118.74 10.255.118.0 0.0.0.127
 permit icmp 67.57.163.0 0.0.0.255 10.255.118.0 0.0.0.127
ip access-list extended BNP-out
 permit ip 10.255.118.0 0.0.0.127 67.57.163.0 0.0.0.255
 remark : ICMP
 permit icmp 10.255.118.0 0.0.0.127 host 10.255.118.74
 permit icmp 10.255.118.0 0.0.0.127 host 10.255.118.77

8 REPLIES
Community Member

Re: Access-list

I generally specify both echo and echo-reply at the end of each access-list line to be sure, and check the matches or use debug and logging.

robert

Hall of Fame Super Gold

Re: Access-list

Warren

You have not told us what the subnet on interface fa1/8 is. And you have not been specific about which access list is applied in which direction; the naming of the access lists probably suggests which direction. I am going to make a guess that the subnet on the interface is 10.255.118.0/25. If that is the case then you are applying the access lists in the wrong direction.

If the access list is applied inbound, then the subnet of the interface is the source address and some other address is the destination. And if applied outbound, then the interface subnet is the destination and some other address is the source.

HTH

Rick

Community Member

Re: Access-list

Sorry, here is the full config that I put in:

ip route 67.57.163.0 255.255.255.0 10.255.118.73
ip nat inside source static 205.248.197.50 10.255.118.76
ip nat inside source static 205.248.197.198 10.255.118.77
ip nat inside source static 205.248.197.130 10.255.118.78
ip access-list extended BNP-in
 permit ip 67.57.163.0 0.0.0.255 10.255.118.0 0.0.0.127
 remark : ICMP access
 permit icmp host 10.255.118.74 10.255.118.0 0.0.0.127
 permit icmp 67.57.163.0 0.0.0.255 10.255.118.0 0.0.0.127
ip access-list extended BNP-nat
 permit ip any 67.57.163.0 0.0.0.255
ip access-list extended BNP-out
 permit ip 10.255.118.0 0.0.0.127 67.57.163.0 0.0.0.255
 remark : ICMP
 permit icmp 10.255.118.0 0.0.0.127 host 10.255.118.74
 permit icmp 10.255.118.0 0.0.0.127 host 10.255.118.77
interface fa1/8
 ip address 10.255.118.74 255.255.255.128
 ip access-group BNP-in in
 ip access-group BNP-out out
 ip nat outside
ip access-list standard redis-static
 210 permit 67.57.163.0 0.0.0.255

Community Member

Re: Access-list

It's been a while since I have done one of these, but I recall you used to also have to add the NAT specifics in the ACL, so you would need rules for ICMP to the 205.248.197.x addresses as well.

Worth a try.

robert

Community Member

Re: Access-list

I'm a knucklehead, OK... well, I cheated and added icmp any any, and now I'm able to ping.

thanks guys for your suggestions and help!!!!!

Hall of Fame Super Gold

Re: Access-list

Warren

Thanks for posting the additional information. It does complicate the situation quite a bit. If I understand the static route, then subnet 67.57.163.0 is reached through some device that is connected on the subnet of fa1/8. If that subnet is outbound from the router on fa1/8, then any device in that subnet can communicate with any device in the 10.255.118.0 subnet without going through the router interface. Therefore the access list on the router is ineffective in controlling any traffic between 67.57.163.0 and 10.255.118.0, and 3 of the 6 lines in the access lists are trying to do that. And the 3 other lines are attempting to control traffic between 10.255.118.74 and the rest of the subnet.

And as I guessed in my previous post, you have confused the function of access-group in and access-group out.

I think that the fundamental reason that you cannot ping anything is that the inbound access list does not permit any of the traffic that it will see. If you are pinging devices in the subnet of 10.255.118.0, then the responses coming back to the router will have 10.255.118.x as the source address. And your inbound access list does not permit that subnet as the source address.

HTH

Rick
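The direction rule Rick describes above is easy to get wrong on paper, so here is a small added example, written for this page and not taken from any of the posts, that parses the two lists exactly as they were posted and evaluates a ping in both directions using IOS-style wildcard matching. The only constructed value is the target host 10.255.118.100, standing in for any other host on the fa1/8 subnet; the router address, the list contents and the translated address 10.255.118.77 all come from the posted config.

```python
"""IOS-style extended ACL evaluator (added example, not code from the thread).
Models what an 'ip access-group <name> in' and '<name> out' list each see on
one interface. Wildcard masks match as IOS matches them:
(address XOR network) AND NOT wildcard == 0. Only the syntax used in the
thread is parsed (permit/deny, ip/icmp/tcp/udp, any / host A / A wildcard,
optional ICMP type after the destination)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:
    proto: str                       # "icmp", "tcp", "udp"
    src: str
    dst: str
    icmp_type: Optional[str] = None  # "echo", "echo-reply", ...

@dataclass(frozen=True)
class Entry:
    action: str                      # "permit" or "deny"
    proto: str                       # "ip" matches every protocol
    src: tuple                       # (network as int, wildcard as int)
    dst: tuple
    icmp_type: Optional[str] = None  # None matches any ICMP type

def _addr(tok, i):
    """Parse one address spec at tok[i]; return ((network, wildcard), next index)."""
    if tok[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tok[i] == "host":
        return (int(ipaddress.IPv4Address(tok[i + 1])), 0), i + 2
    return (int(ipaddress.IPv4Address(tok[i])),
            int(ipaddress.IPv4Address(tok[i + 1]))), i + 2

def parse_acl(text):
    """Turn an 'ip access-list extended' block into its ordered entries."""
    entries = []
    for line in text.strip().splitlines():
        tok = line.split()
        if not tok or tok[0] in ("ip", "remark"):  # header line or comment
            continue
        if tok[0].isdigit():                        # optional sequence number
            tok = tok[1:]
        action, proto = tok[0], tok[1]
        src, i = _addr(tok, 2)
        dst, i = _addr(tok, i)
        icmp_type = tok[i] if proto == "icmp" and i < len(tok) else None
        entries.append(Entry(action, proto, src, dst, icmp_type))
    return entries

def _hit(spec, addr):
    """True when addr matches (network, wildcard); wildcard bits are don't-care."""
    net, wildcard = spec
    return ((int(ipaddress.IPv4Address(addr)) ^ net) & ~wildcard & 0xFFFFFFFF) == 0

def evaluate(acl, pkt):
    """First matching entry wins; no match falls through to the implicit deny."""
    for e in acl:
        if e.proto not in ("ip", pkt.proto):
            continue
        if e.icmp_type is not None and e.icmp_type != pkt.icmp_type:
            continue
        if _hit(e.src, pkt.src) and _hit(e.dst, pkt.dst):
            return e.action
    return "deny"

def ping_verdicts(acl_in, acl_out, src, dst, router_originated=False):
    """Verdicts for an echo request leaving the interface and its reply coming back.
    The request is checked by the OUT list with the pinger as source; the reply by
    the IN list with the pinged host as source. IOS does not run an outbound list
    on packets the router itself generates, hence the flag."""
    request = Packet("icmp", src, dst, "echo")
    reply = Packet("icmp", dst, src, "echo-reply")
    out = "not filtered" if router_originated else evaluate(acl_out, request)
    return {"request": out, "reply": evaluate(acl_in, reply)}

# The two lists exactly as posted in the thread.
BNP_IN = parse_acl("""
ip access-list extended BNP-in
permit ip 67.57.163.0 0.0.0.255 10.255.118.0 0.0.0.127
remark : ICMP access
permit icmp host 10.255.118.74 10.255.118.0 0.0.0.127
permit icmp 67.57.163.0 0.0.0.255 10.255.118.0 0.0.0.127
""")
BNP_OUT = parse_acl("""
ip access-list extended BNP-out
permit ip 10.255.118.0 0.0.0.127 67.57.163.0 0.0.0.255
remark : ICMP
permit icmp 10.255.118.0 0.0.0.127 host 10.255.118.74
permit icmp 10.255.118.0 0.0.0.127 host 10.255.118.77
""")
ROUTER = "10.255.118.74"   # fa1/8 address from the posted config
TARGET = "10.255.118.100"  # constructed: some other host on the fa1/8 subnet

if __name__ == "__main__":
    # As applied in the thread: BNP-in inbound, BNP-out outbound; then exchanged.
    print("as posted:", ping_verdicts(BNP_IN, BNP_OUT, ROUTER, TARGET, True))
    print("swapped:  ", ping_verdicts(BNP_OUT, BNP_IN, ROUTER, TARGET, True))
    print("NAT flow: ", ping_verdicts(BNP_IN, BNP_OUT, "10.255.118.77", "67.57.163.9"))
```

Run as a script it prints three verdicts: the router's own ping to a host on its subnet, which the inbound BNP-in list denies because the echo-reply arrives with a 10.255.118.x source and nothing permits that (Rick's point); the same ping with the two lists exchanged, which the second line of BNP-out then permits; and a flow from the translated address 10.255.118.77 to 67.57.163.0/24, which both lists permit as posted. One caveat worth keeping in mind for the NAT discussion: on an `ip nat outside` interface IOS checks the inbound list before the outside-to-inside translation and the outbound list after the inside-to-outside translation, so both lists on fa1/8 match the inside global addresses 10.255.118.76-78, never the 205.248.197.x inside local addresses.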

Community Member

Re: Access-list

What I was trying to do is this: I have to get to an outside IP address of 67.57.163.0. I was given the NAT of 10.255.118.0/25. So what I was trying to do was to only allow devices with the NATted IP of 10.255.118.0/25 to be able to come through this connection to get to 67.57.163.0/24. I thought I had accomplished that, but I guess I haven't. Any suggestions on how I may go about doing that, then?

Community Member

Re: Access-list

Thanks everyone for your help. What you all said really helped, and I was able to get it going with your insight... thank you!!!!
