
New Member

Trouble with ip access-group on vlan config

Hello, I need help getting my config to work.

What I need to get done is: I added a VLAN to an already working network, but this VLAN can only access specific resources. The only resource I cannot get to work is internet browsing.

What I can do is traceroute to google.com, nslookup google.com, and ping google.com.

Here is the config I am working with 

interface Vlan888
 description VLAN 888 - PROJECT test
 ip address 10.88.70.254 255.255.255.0
 ip access-group TEstIN in
 ip access-group TEstOUT out
 ip helper-address 10.70.0.1

Extended IP access list TEstIN
    10 permit ip 10.88.70.0 0.0.0.255 10.88.70.0 0.0.0.255 log 
    15 permit ip 10.88.70.0 0.0.0.255 host 10.70.0.1 log 
    16 permit ip host 10.70.0.1 10.88.70.0 0.0.0.255 log
    20 permit ip 10.88.70.0 0.0.0.255 10.99.10.0 0.0.0.255 log 
    21 permit ip 10.88.70.0 0.0.0.255 10.99.11.0 0.0.0.255 log
    35 permit tcp any any eq www log 
    36 permit tcp any any eq 443 log 
    40 deny ip any any 

Extended IP access list TEstOUT
    10 permit ip 10.88.70.0 0.0.0.255 10.88.70.0 0.0.0.255 log
    15 permit ip host 10.70.0.1 10.88.70.0 0.0.0.255 log 
    20 permit ip 10.99.10.0 0.0.0.255 10.88.70.0 0.0.0.255 log 
    21 permit ip 10.99.11.0 0.0.0.255 10.88.70.0 0.0.0.255 log
    35 permit tcp any any eq www log
    36 permit tcp any any eq 443 log
    40 deny ip any any log 


This config is on a 6500 series.

  • WAN Routing and Switching

Accepted Solutions
Cisco Employee


Hi,


I see that you are allowing all TCP traffic destined to ports 80 and 443 in both directions, but there is no permit statement for traffic coming from ports 80 and 443. Can you please modify the ACL as below and check again?

 

    35 permit tcp any any eq www log 
    36 permit tcp any any eq 443 log 

    37 permit tcp any eq www any log 
    38 permit tcp any eq 443 any log 


--Pls don't forget to rate helpful posts--

Regards,

Akash
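To see why the original list drops web replies, note that on an SVI "in" is traffic arriving from the VLAN hosts and "out" is traffic leaving toward them, so a server's reply (source port 80, destination an ephemeral port) is checked by TEstOUT, where only lines 35/36 (destination port 80/443) and the final deny can match. The following is an added example, not code from the thread: a small model of IOS extended-ACL evaluation run over TEstOUT as posted, with Akash's lines 37/38 added, and with a tighter variant that also uses the IOS `established` keyword; the server address and ports are constructed sample values.

```python
import ipaddress
from collections import namedtuple
Packet = namedtuple("Packet", "proto src sport dst dport ack", defaults=(False,))

def addr_match(addr, spec):
    """Cisco address specs: 'any', 'host A.B.C.D', or 'NETWORK WILDCARD'."""
    if spec == "any":
        return True
    if spec.startswith("host "):
        return addr == spec.split()[1]
    net, wc = spec.split()
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, net, wc))
    return (a | w) == (n | w)  # wildcard bits are "don't care"

def evaluate(acl, pkt):
    """First matching line wins; every IOS ACL ends with an implicit deny."""
    for seq, action, proto, src, sport, dst, dport, est in acl:
        if proto != "ip" and proto != pkt.proto:
            continue
        if not (addr_match(pkt.src, src) and addr_match(pkt.dst, dst)):
            continue
        if (sport is not None and pkt.sport != sport) or (dport is not None and pkt.dport != dport):
            continue
        if est and not pkt.ack:  # 'established' matches only segments with ACK/RST set
            continue
        return action, seq
    return "deny", None

# TEstOUT from the question: (seq, action, proto, src, sport, dst, dport, established)
LAN = "10.88.70.0 0.0.0.255"
TESTOUT = [
    (10, "permit", "ip", LAN, None, LAN, None, False),
    (15, "permit", "ip", "host 10.70.0.1", None, LAN, None, False),
    (20, "permit", "ip", "10.99.10.0 0.0.0.255", None, LAN, None, False),
    (21, "permit", "ip", "10.99.11.0 0.0.0.255", None, LAN, None, False),
    (35, "permit", "tcp", "any", None, "any", 80, False),
    (36, "permit", "tcp", "any", None, "any", 443, False),
    (40, "deny", "ip", "any", None, "any", None, False),
]
# Akash's fix: lines 37/38 permit traffic sourced *from* ports 80/443.
TESTOUT_FIXED = sorted(TESTOUT + [
    (37, "permit", "tcp", "any", 80, "any", None, False),
    (38, "permit", "tcp", "any", 443, "any", None, False)], key=lambda r: r[0])
# Tighter variant (my suggestion, not from the thread): 37/38 with 'established', so only replies match.
TESTOUT_EST = [r[:7] + (r[0] in (37, 38),) for r in TESTOUT_FIXED]
# Constructed sample packets: a web server's reply, and a bare SYN that merely uses port 80 as source.
REPLY = Packet("tcp", "203.0.113.10", 80, "10.88.70.10", 51515, ack=True)
SYN_FROM_80 = Packet("tcp", "203.0.113.10", 80, "10.88.70.10", 22)
if __name__ == "__main__":
    print(evaluate(TESTOUT, REPLY))            # ('deny', 40)   -> browsing breaks
    print(evaluate(TESTOUT_FIXED, REPLY))      # ('permit', 37) -> fixed
    print(evaluate(TESTOUT_EST, SYN_FROM_80))  # ('deny', 40)   -> stricter variant
```

The `established` variant is the one to prefer on a stateless ACL: lines 37/38 as posted admit any packet whose source port happens to be 80 or 443, whereas with `established` only segments carrying ACK or RST, i.e. replies to connections the VLAN hosts opened, get through.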

2 REPLIES

New Member


Thank you very much Akash Agrawal, that was it. I love that it was something so easy.
