ACL help needed...

This should be simple, but I am doing something wrong. I need to write a PACL that will only allow established traffic to a switch port. Here is what I have so far:

access-list 101 permit tcp any 192.168.145.250 0.0.0.0 established

int g1/48
 ip access-group 101 in

What this gets me is no connectivity with the ACL in place on the interface. It has to be something that is right in my face that I am missing. Our 4500 can't do NAT, so I have to find a workaround.

Suggestions?

TIA Lovejoy


To get to an "established" state, you need to first exchange a few packets. So you need to get your ACL to permit the packet exchange that will lead to the established state after which, the first line handles the traffic.

JF Mezei
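To make the point in the reply above concrete, here is a small model of how an IOS extended ACL with the "established" keyword evaluates packets. This is an added example, not code from the thread or from Cisco: it parses the exact `access-list 101` line posted above, applies first-match evaluation with the implicit deny at the end, and runs a set of constructed sample packets through it. The packet addresses (10.1.1.5, 10.1.1.53, 203.0.113.9) and the name `ACL_101` are assumptions for illustration only. The key fact it models is that `established` is a stateless test on TCP flag bits (ACK or RST set); there is no session table, so the opening SYN of a connection toward 192.168.145.250 never matches, and UDP and ICMP never match at all.

```python
# Added example (not from the thread): minimal model of IOS extended-ACL
# evaluation with the "established" keyword. Addresses in SAMPLE are constructed.
from dataclasses import dataclass
from typing import Dict, List, Tuple

@dataclass(frozen=True)
class Packet:
    proto: str                       # "tcp", "udp" or "icmp"
    src: str
    dst: str
    flags: frozenset = frozenset()   # TCP flags present, e.g. {"SYN"}

@dataclass(frozen=True)
class Ace:
    action: str                      # "permit" or "deny"
    proto: str                       # "tcp", "udp", "icmp" or "ip"
    src: Tuple[str, str]             # (address, IOS wildcard mask)
    dst: Tuple[str, str]
    established: bool = False

def _octets(ip: str) -> List[int]:
    return [int(o) for o in ip.split(".")]

def wildcard_match(spec: Tuple[str, str], addr: str) -> bool:
    """IOS wildcard semantics: a 1 bit in the mask means 'don't care'."""
    base, wild = spec
    return all(((a ^ b) & ~w & 0xFF) == 0
               for a, b, w in zip(_octets(addr), _octets(base), _octets(wild)))

def _parse_addr(tokens: List[str], i: int):
    """Consume one address spec: 'any' | 'host A' | 'A WILDCARD'."""
    if tokens[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    if tokens[i] == "host":
        return (tokens[i + 1], "0.0.0.0"), i + 2
    return (tokens[i], tokens[i + 1]), i + 2

def parse_ace(line: str) -> Ace:
    """Parse 'access-list N permit|deny PROTO SRC DST [established]'.
    Port operators (eq/gt/range) are deliberately not modelled here."""
    t = line.split()
    if t[0] != "access-list":
        raise ValueError("not a numbered access-list line")
    action, proto = t[2], t[3]
    src, i = _parse_addr(t, 4)
    dst, i = _parse_addr(t, i)
    established = i < len(t) and t[i] == "established"
    return Ace(action, proto, src, dst, established)

def ace_matches(ace: Ace, pkt: Packet) -> bool:
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if not wildcard_match(ace.src, pkt.src) or not wildcard_match(ace.dst, pkt.dst):
        return False
    if ace.established:
        # "established" = TCP segment with ACK or RST set. It is stateless:
        # the router keeps no record of which sessions actually exist.
        return pkt.proto == "tcp" and bool(pkt.flags & {"ACK", "RST"})
    return True

def evaluate(acl: List[Ace], pkt: Packet) -> str:
    """First matching entry wins; the unwritten 'deny ip any any' comes last."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace.action
    return "deny"

# The ACL exactly as posted in the thread (name ACL_101 is our own).
ACL_101 = [parse_ace("access-list 101 permit tcp any 192.168.145.250 0.0.0.0 established")]

# Constructed sample packets arriving inbound on the port.
SAMPLE: Dict[str, Packet] = {
    "syn_to_host":          Packet("tcp", "10.1.1.5", "192.168.145.250", frozenset({"SYN"})),
    "synack_reply_to_host": Packet("tcp", "10.1.1.5", "192.168.145.250", frozenset({"SYN", "ACK"})),
    "bare_ack_to_host":     Packet("tcp", "203.0.113.9", "192.168.145.250", frozenset({"ACK"})),
    "dns_reply_to_host":    Packet("udp", "10.1.1.53", "192.168.145.250"),
    "ping_to_host":         Packet("icmp", "10.1.1.5", "192.168.145.250"),
    "ack_to_other_host":    Packet("tcp", "10.1.1.5", "192.168.145.251", frozenset({"ACK"})),
}

def classify(acl: List[Ace], packets: Dict[str, Packet] = SAMPLE) -> Dict[str, str]:
    """Return the ACL verdict for each named sample packet."""
    return {name: evaluate(acl, pkt) for name, pkt in packets.items()}

if __name__ == "__main__":
    for name, verdict in classify(ACL_101).items():
        print(f"{name:24s} {verdict}")
```

Two of the results are worth noticing. First, any packet that is not TCP (the UDP and ICMP samples) hits the implicit deny, so anything that depends on DNS replies or ping will fail even if TCP returns work. Second, the bare ACK from 203.0.113.9 is permitted although no connection was ever opened: `established` trusts the flag bits in the packet, not the state of a session, which is why it is a coarse filter rather than a stateful firewall and why an ACK scan walks straight through it.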

Thanks for the response. It was my assumption that since there was no ACL controlling any outbound traffic, ACL 101 would "see" that it was established traffic. Do I need to have an ACL like the

access-list 100 permit ip 192.168.145.250 0.0.0.0 any

and apply it in the out direction on the interface?

Thanks Lovejoy


Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.