Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
455
Views
0
Helpful
2
Replies

Trouble with ip access-group on vlan config

Go to solution
Adam Coombs
Level 1
Level 1

‎09-05-2014 07:02 AM - edited ‎03-04-2019 11:41 PM

Hello, need help with getting my config to work.

What I need to get done is I added a vlan to a already working network, but this this vlan can only access specific resources. The only resources I can not get to work is internet browsing. 

What I can do is traceroute to google.com, nslookup google.com ping google.com 

Here is the config I am working with 

interface Vlan888
 description VLAN 888 - PROJECT test
 ip address 10.88.70.254 255.255.255.0
 ip access-group TEstIN in
 ip access-group TEstOUT out
 ip helper-address 10.70.0.1

 Extended IP access list TEstIN
    10 permit ip 10.88.70.0 0.0.0.255 10.88.70.0 0.0.0.255 log 
    15 permit ip 10.88.70.0 0.0.0.255 host 10.70.0.1 log 
    16 permit ip host 10.70.0.1 10.88.70.0 0.0.0.255 log
    20 permit ip 10.88.70.0 0.0.0.255 10.99.10.0 0.0.0.255 log 
    21 permit ip 10.88.70.0 0.0.0.255 10.99.11.0 0.0.0.255 log
    35 permit tcp any any eq www log 
    36 permit tcp any any eq 443 log 
    40 deny ip any any 

Extended IP access list TEstOUT
    10 permit ip 10.88.70.0 0.0.0.255 10.88.70.0 0.0.0.255 log
    15 permit ip host 10.70.0.1 10.88.70.0 0.0.0.255 log 
    20 permit ip 10.99.10.0 0.0.0.255 10.88.70.0 0.0.0.255 log 
    21 permit ip 10.99.11.0 0.0.0.255 10.88.70.0 0.0.0.255 log
    35 permit tcp any any eq www log
    36 permit tcp any any eq 443 log
    40 deny ip any any log 

 

This config is on a 6500 series 

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Akash Agrawal
Cisco Employee
Cisco Employee

‎09-05-2014 07:46 AM

Hi,

 

I see that you are allowing all TCP traffic destined to port 80,443 in both direction but no permit statement for traffic coming from port 80,443. Can you please modify ACL as below and check again

 

    35 permit tcp any any eq www log 
    36 permit tcp any any eq 443 log 

    37 permit tcp any eq www any log 
    38 permit tcp any eq 443 any log 

 

--Pls dont forget to rate helpful posts--

Regards,

Akash

View solution in original post

0 Helpful
2 Replies 2

Go to solution
Akash Agrawal
Cisco Employee
Cisco Employee

‎09-05-2014 07:46 AM

Hi,

 

I see that you are allowing all TCP traffic destined to port 80,443 in both direction but no permit statement for traffic coming from port 80,443. Can you please modify ACL as below and check again

 

    35 permit tcp any any eq www log 
    36 permit tcp any any eq 443 log 

    37 permit tcp any eq www any log 
    38 permit tcp any eq 443 any log 

 

--Pls dont forget to rate helpful posts--

Regards,

Akash

0 Helpful

Go to solution
Adam Coombs
Level 1
Level 1
In response to Akash Agrawal

‎09-05-2014 07:59 AM

Thank you very much Akash Agrawal that was it, I love that it was something so easy. 

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card