Cisco Support Community
Community Member

Sanity check

Sorry for a silly question, I just want to make sure of this: in order for me to open up everything on a subnet, all I need to do on my access-list is change from:

permit tcp host host


permit ip host host

and this will not block anything, no ports or anything, wide open?

Hall of Fame Super Gold

Re: Sanity check


Yes, the first version of the access list would permit TCP traffic (but not UDP, ICMP, etc.) and the second version of the access list will permit any IP traffic between those hosts - no port restrictions or anything - wide open for those hosts.



Community Member

Re: Sanity check

Thank you, Rick, for answering my question. I'm having an rsync issue between those two devices where rsync just hangs, but I can telnet, ping and ssh to it. Anyways, thank you!!!

Community Member

Re: Sanity check


I see one of the hosts is using private addressing and the other public. Is NAT involved? If so, perhaps an rsync initiated by the outside host can't get through the NAT. You should be able to overcome this with a static NAT translation.

Also, are you using encryption for rsync? Perhaps it's using ESP or AHP (à la IPSec). You may need to explicitly permit those protocols in your ACL as well.

BTW, some older versions of IOS even required ICMP to be explicitly permitted. Newer versions permit ICMP when you permit the IP suite as a whole.

Thanks, Robin.
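The difference Rick describes (a tcp-only entry versus an ip entry) and Robin's point that ESP/AH need their own permits, as an added example that is not part of this thread: a small Python evaluator for the `permit <proto> host A host B` entry form with the implicit deny at the end of every IOS ACL. It goes slightly beyond the thread by also handling an `eq <port>` qualifier; the addresses, ports and flows are constructed, not the poster's.

```python
# Added example (not from the thread): a tiny evaluator for the two ACE forms
# discussed above. It shows why "permit tcp host A host B" silently drops ICMP,
# UDP, ESP and AH while "permit ip host A host B" lets all of it through.
# Addresses and ports are constructed sample values, not the poster's.

IMPLICIT_DENY = "deny"  # every IOS ACL ends with an invisible "deny ip any any"

def parse_ace(line):
    """Parse 'permit|deny <proto> host <src> host <dst> [eq <port>]'."""
    tok = line.split()
    if len(tok) < 6 or tok[2] != "host" or tok[4] != "host":
        raise ValueError("only the 'host X host Y' form is supported: " + line)
    port = int(tok[7]) if len(tok) >= 8 and tok[6] == "eq" else None
    return {"action": tok[0], "proto": tok[1], "src": tok[3], "dst": tok[5], "port": port}

def ace_matches(ace, pkt):
    if (ace["src"], ace["dst"]) != (pkt["src"], pkt["dst"]):
        return False
    # 'ip' covers the whole IP suite; any other keyword must match the protocol exactly
    if ace["proto"] != "ip" and ace["proto"] != pkt["proto"]:
        return False
    # an 'eq' qualifier must match the destination port (ICMP/ESP packets have none)
    return ace["port"] is None or ace["port"] == pkt.get("dport")

def evaluate(acl_lines, pkt):
    """First matching entry wins; no match at all falls through to the implicit deny."""
    for ace in map(parse_ace, acl_lines):
        if ace_matches(ace, pkt):
            return ace["action"]
    return IMPLICIT_DENY

# Constructed flows between an inside (private) host and an outside (public) host.
SRC, DST = "10.1.1.10", "198.51.100.20"
TRAFFIC = {
    "ssh":   {"proto": "tcp",  "src": SRC, "dst": DST, "dport": 22},
    "rsync": {"proto": "tcp",  "src": SRC, "dst": DST, "dport": 873},
    "ping":  {"proto": "icmp", "src": SRC, "dst": DST},
    "esp":   {"proto": "esp",  "src": SRC, "dst": DST},
}
TCP_ONLY = ["permit tcp host 10.1.1.10 host 198.51.100.20"]
ANY_IP = ["permit ip host 10.1.1.10 host 198.51.100.20"]

def compare():
    """Verdict per flow as (tcp-only ACL, ip ACL), e.g. 'ping': ('deny', 'permit')."""
    return {n: (evaluate(TCP_ONLY, p), evaluate(ANY_IP, p)) for n, p in TRAFFIC.items()}

if __name__ == "__main__":
    for flow, verdicts in compare().items():
        print(f"{flow:6s} tcp-only={verdicts[0]:7s} ip={verdicts[1]}")
```

Run as-is it prints one verdict pair per flow; ping and esp are denied by the tcp-only entry and permitted by the ip entry, which is the behaviour the two replies above describe.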

Community Member

Re: Sanity check

Hi Robin;

I believe this is a static NAT, but let me double check to make sure. Maybe you've seen this before; here is the error message I get:

ieschi1: Connection timed out

rsync: connection unexpectedly closed (0 bytes read so far)

rsync error: error in rsync protocol data stream (code 12) at io.c(342)

Thank you in advance for your help!!!
