Issue with access lists please help

Hi ALL !!

I need to connect from a host (192.168.8.139) in the LAN to host 192.168.1.15, so I put an ACL like this (I added the first line):

access-list 111 permit tcp host 192.168.8.139 any
access-list 111 permit tcp 192.168.0.0 0.0.255.255 host 192.168.8.2 eq telnet
access-list 111 permit tcp host 192.168.8.7 any
access-list 111 permit tcp 192.168.0.0 0.0.255.255 any eq www
access-list 111 permit udp 192.168.0.0 0.0.255.255 any eq domain
access-list 111 permit tcp 192.168.0.0 0.0.255.255 any eq 443
access-list 111 permit tcp 192.168.0.0 0.0.255.255 any eq 5900
access-list 111 permit ip host 192.168.8.198 any
access-list 111 permit ip host 192.168.8.199 any
access-list 111 permit icmp any any echo-reply
access-list 111 permit icmp any any echo
access-list 111 permit icmp any any source-quench
access-list 111 permit icmp any any time-exceeded
access-list 111 deny icmp any any
access-list 111 permit tcp any any established
access-list 111 deny ip any any log

Take a look also at line 3 of the ACL: this host is the internal mail server. From that mail server, when I try to connect to host 192.168.1.15 there is no problem!!! So I made a similar entry to enable connection from my host (192.168.8.139), but it doesn't work!! I know it's a problem of the ACL because when I remove this ACL (which is applied to VLAN 1, BTW) the connection works!!

Please help! Marco

meshulash

From your description the observed behaviour seems impossible. There are no weird hidden behaviours in ACLs. I guess you must be missing something out.

What do you mean by "connect"?

You need to troubleshoot the connection process step by step.

You might consider using:-

sh access-l "hit counters" on permit and deny counters
logging on ACLs and check the logs
add troubleshooting entries to ACLs to enable use of counters [1]
use deb ip packet ACL detail [2]

Arrange for packet capture on end hosts or otherwise. I now have few qualms about installing wireshark on any end host.

If logging ANYTHING, but especially "deb ip packet", use efficient logging methods:

logging buffered
no logging console

[1] e.g.

access-list 111 deny ip 192.168.8.139 0.0.0.0 192.168.1.15 0.0.0.0 log
access-list 111 deny ip any any log

[2] BEWARE: "deb ip packet" can stop your router from functioning. Unless highly experienced, do not do this in service hours. Have personnel on-site to power cycle the router if the router is remote.
bod43
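For anyone reading this thread later, here is an offline check of the ACL as marco posted it. This is an added example, not code from either post or from Cisco: a small Python evaluator that applies the IOS matching rules these entries rely on (first match wins, implicit deny at the end, wildcard masks, "eq" port keywords, ICMP type keywords and "established") to constructed packets, and keeps a per-entry match count in the spirit of the hit counters bod43 suggests reading. The addresses 192.168.8.139, 192.168.8.7 and 192.168.1.15 are the hosts from the thread; the other addresses, ports and the packet mix in the demo are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# The ACL exactly as posted in the thread, one entry per line.
ACL_TEXT = """
access-list 111 permit tcp host 192.168.8.139 any
access-list 111 permit tcp 192.168.0.0 0.0.255.255 host 192.168.8.2 eq telnet
access-list 111 permit tcp host 192.168.8.7 any
access-list 111 permit tcp 192.168.0.0 0.0.255.255 any eq www
access-list 111 permit udp 192.168.0.0 0.0.255.255 any eq domain
access-list 111 permit tcp 192.168.0.0 0.0.255.255 any eq 443
access-list 111 permit tcp 192.168.0.0 0.0.255.255 any eq 5900
access-list 111 permit ip host 192.168.8.198 any
access-list 111 permit ip host 192.168.8.199 any
access-list 111 permit icmp any any echo-reply
access-list 111 permit icmp any any echo
access-list 111 permit icmp any any source-quench
access-list 111 permit icmp any any time-exceeded
access-list 111 deny icmp any any
access-list 111 permit tcp any any established
access-list 111 deny ip any any log
"""

# Keyword values as IOS resolves them (only the keywords this ACL uses).
PORT_NAMES = {"telnet": 23, "www": 80, "domain": 53}
ICMP_TYPES = {"echo-reply": 0, "source-quench": 4, "echo": 8, "time-exceeded": 11}


@dataclass
class Packet:
    proto: str                  # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    icmp_type: Optional[int] = None
    established: bool = False   # TCP segment with ACK or RST set


@dataclass
class Entry:
    line_no: int
    action: str
    proto: str
    src: Tuple[int, int]        # (network, care-mask); care-mask is ~wildcard
    sport: Optional[int]
    dst: Tuple[int, int]
    dport: Optional[int]
    icmp_type: Optional[int]
    established: bool
    log: bool
    text: str
    hits: int = 0               # stands in for the 'sh access-l' match counter


def _parse_addr(tok: List[str], i: int) -> Tuple[Tuple[int, int], int]:
    """Consume 'any' | 'host A' | 'A WILDCARD' at tok[i]; return ((net, care), next index)."""
    if tok[i] == "any":
        return (0, 0), i + 1
    if tok[i] == "host":
        return (int(ipaddress.IPv4Address(tok[i + 1])), 0xFFFFFFFF), i + 2
    net = int(ipaddress.IPv4Address(tok[i]))
    wildcard = int(ipaddress.IPv4Address(tok[i + 1]))
    return (net, ~wildcard & 0xFFFFFFFF), i + 2


def _parse_port(tok: List[str], i: int) -> Tuple[Optional[int], int]:
    """Consume an optional 'eq PORT' at tok[i]; return (port or None, next index)."""
    if i < len(tok) and tok[i] == "eq":
        p = tok[i + 1]
        return (int(p) if p.isdigit() else PORT_NAMES[p]), i + 2
    return None, i


def parse_acl(text: str) -> List[Entry]:
    entries: List[Entry] = []
    for line in text.strip().splitlines():
        tok = line.split()
        if tok[:1] != ["access-list"]:
            continue
        src, i = _parse_addr(tok, 4)          # tok[2] = action, tok[3] = protocol
        sport, i = _parse_port(tok, i)
        dst, i = _parse_addr(tok, i)
        dport, i = _parse_port(tok, i)
        rest = tok[i:]                        # icmp type, 'established', 'log'
        icmp_type = next((ICMP_TYPES[t] for t in rest if t in ICMP_TYPES), None)
        entries.append(Entry(len(entries) + 1, tok[2], tok[3], src, sport, dst, dport,
                             icmp_type, "established" in rest, "log" in rest, line.strip()))
    return entries


def _addr_matches(spec: Tuple[int, int], addr: str) -> bool:
    net, care = spec
    return (int(ipaddress.IPv4Address(addr)) & care) == (net & care)


def _matches(e: Entry, p: Packet) -> bool:
    return (e.proto in ("ip", p.proto)
            and _addr_matches(e.src, p.src) and _addr_matches(e.dst, p.dst)
            and (e.sport is None or e.sport == p.sport)
            and (e.dport is None or e.dport == p.dport)
            and (e.icmp_type is None or e.icmp_type == p.icmp_type)
            and (not e.established or p.established))


def evaluate(entries: List[Entry], p: Packet) -> Tuple[str, Optional[Entry]]:
    """First matching entry decides; no match at all is the implicit deny (entry None)."""
    for e in entries:
        if _matches(e, p):
            e.hits += 1
            return e.action, e
    return "deny", None


def show_access_list(entries: List[Entry]) -> List[str]:
    """Render the entries with their match counts, the way the reply suggests reading them."""
    return [f"{e.line_no:2d} {e.text}  ({e.hits} matches)" for e in entries]


if __name__ == "__main__":
    acl = parse_acl(ACL_TEXT)
    me, mail, target = "192.168.8.139", "192.168.8.7", "192.168.1.15"
    for pkt in (Packet("tcp", me, target, sport=40000, dport=22),    # marco's host, entry 1
                Packet("tcp", mail, target, sport=40000, dport=22),  # mail server, entry 3
                Packet("udp", me, target, sport=40000, dport=5060),  # not covered by entry 1
                Packet("icmp", me, target, icmp_type=8),             # echo request
                Packet("icmp", me, target, icmp_type=3)):            # unreachable: icmp deny
        action, e = evaluate(acl, pkt)
        print(f"{pkt.proto:4s} {pkt.src} -> {pkt.dst}: {action} by entry {e.line_no if e else 'implicit'}")
    print("\n".join(show_access_list(acl)))
```

Run as-is, it reports that TCP from 192.168.8.139 and from the mail server 192.168.8.7 are both permitted, by entries 1 and 3 respectively, that UDP from 192.168.8.139 is not covered by entry 1 and falls through to the final logged deny, and that any ICMP other than the four permitted types hits the icmp deny. If the live device disagrees with this offline result, the ACL text alone does not explain the behaviour, which is exactly why the reply points at counters, logging and packet captures rather than at re-reading the entries.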
