Tek-Tips is the largest IT community on the Internet today!
Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!
-
Congratulations strongm on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!
Access-List
- Thread starter ASofyan
- Start date
chieftan999
MIS
Do you mean you have created an Access-list (number) but are unable to apply it to an interface?
Are you using the access-group command on the interface as follows:-
Simple extended access list
Router#conf t
Router(config)#access-list 101 permit tcp any any eq 5007
Router(config)#access-list 101 permit udp any any eq 5007
Router(config)#access-list 10 permit ip any any
Router#conf t
Router(config)#int s0/1
Router(config-if)#access-group (Access list number) (in or out)
Router(config-if)#CTRL+Z
I dont fully understand what you are asking either.
Are you using the access-group command on the interface as follows:-
Simple extended access list
Router#conf t
Router(config)#access-list 101 permit tcp any any eq 5007
Router(config)#access-list 101 permit udp any any eq 5007
Router(config)#access-list 10 permit ip any any
Router#conf t
Router(config)#int s0/1
Router(config-if)#access-group (Access list number) (in or out)
Router(config-if)#CTRL+Z
I dont fully understand what you are asking either.
- Thread starter
- #4
Thanks for appreciated, i have problem about ip access-group, why just one line number access-group that's showing
cisco#sh run
interface FastEthernet0/0
ip address x.x.x.x x.x.x.x
speed auto
half-duplex
no cdp enable
!
interface Serial0/0
ip address x.x.x.x. x.x.x.x
ip access-group 110 in Remarks " just one number access-
group, actually i apply all access-group"
no ip redirects
no ip mroute-cache
no cdp enable
!
ip classless
ip route x.x.x.x x.x.x.x
no ip http server
ip pim bidir-enable
!
!
logging history debugging
access-list 110 deny tcp any host x.x.x.x eq echo
access-list 110 deny tcp any host x.x.x.x eq discard
access-list 110 deny tcp any host x.x.x.x eq daytime
access-list 110 deny tcp any host x.x.x.x eq chargen
access-list 110 deny tcp any host x.x.x.x eq telnet
access-list 110 deny tcp any host x.x.x.x eq finger
access-list 110 permit tcp any any
access-list 110 permit ip any any
access-list 111 deny ip 127.0.0.0 0.255.255.255 any
access-list 111 deny ip 192.168.0.0 0.0.0.255 any
access-list 111 deny ip 172.16.0.0 0.0.255.255 any
access-list 111 deny ip 10.0.0.0 0.255.255.255 any
access-list 111 deny ip host 0.0.0.0 any
access-list 111 deny ip x.x.x.x x.x.x.x any
access-list 111 deny icmp any any redirect
access-list 111 permit ip any any
access-list 120 deny udp any any eq snmp
access-list 120 permit ip any any
access-list 121 deny ip host x.x.x.x any
access-list 121 permit ip any any
access-list 122 deny ip host x.x.x.x any
access-list 121 permit ip any any
no cdp run
snmp-server community public RO
Thanks Friends
i will be waiting your advise
cisco#sh run
interface FastEthernet0/0
ip address x.x.x.x x.x.x.x
speed auto
half-duplex
no cdp enable
!
interface Serial0/0
ip address x.x.x.x. x.x.x.x
ip access-group 110 in Remarks " just one number access-
group, actually i apply all access-group"
no ip redirects
no ip mroute-cache
no cdp enable
!
ip classless
ip route x.x.x.x x.x.x.x
no ip http server
ip pim bidir-enable
!
!
logging history debugging
access-list 110 deny tcp any host x.x.x.x eq echo
access-list 110 deny tcp any host x.x.x.x eq discard
access-list 110 deny tcp any host x.x.x.x eq daytime
access-list 110 deny tcp any host x.x.x.x eq chargen
access-list 110 deny tcp any host x.x.x.x eq telnet
access-list 110 deny tcp any host x.x.x.x eq finger
access-list 110 permit tcp any any
access-list 110 permit ip any any
access-list 111 deny ip 127.0.0.0 0.255.255.255 any
access-list 111 deny ip 192.168.0.0 0.0.0.255 any
access-list 111 deny ip 172.16.0.0 0.0.255.255 any
access-list 111 deny ip 10.0.0.0 0.255.255.255 any
access-list 111 deny ip host 0.0.0.0 any
access-list 111 deny ip x.x.x.x x.x.x.x any
access-list 111 deny icmp any any redirect
access-list 111 permit ip any any
access-list 120 deny udp any any eq snmp
access-list 120 permit ip any any
access-list 121 deny ip host x.x.x.x any
access-list 121 permit ip any any
access-list 122 deny ip host x.x.x.x any
access-list 121 permit ip any any
no cdp run
snmp-server community public RO
Thanks Friends
i will be waiting your advise
chieftan999
MIS
Still not quite sure what you are asking.
You can only apply one access-group per interface.
You can only apply one access-group per interface.
- Thread starter
- #6
I can apply access-list and access-group (thats no problem ), but why just "access-group 110 in" on the interface serial0/0, no others access-list group number.
if i add access group in/out others, just last access-group number is showing on interface serial0/0.
Best Regards
Achmad Sofyan S.Kom
if i add access group in/out others, just last access-group number is showing on interface serial0/0.
Best Regards
Achmad Sofyan S.Kom
Are you doing this:
R(config)#interface serial 0/0
R(config-if)#no access-group 110
R(config-if)#access-group 111
and then try a "show running-config"
and it still shows:
interface Serial0/0
ip address x.x.x.x. x.x.x.x
ip access-group 110 in
is that your problem?
R(config)#interface serial 0/0
R(config-if)#no access-group 110
R(config-if)#access-group 111
and then try a "show running-config"
and it still shows:
interface Serial0/0
ip address x.x.x.x. x.x.x.x
ip access-group 110 in
is that your problem?
- Thread starter
- #8
ASofyan -
How about we take this real slow.
First remove the access-list from the interface s0/0 and verify.
conf t
int s 0/0
no ip access-group 110
exit
sho run
Verify that no Access-list exists under s0/0
Second, now enter the access-list you want.
conf t
int s 0/0
ip access-group 120 in
exit
sho run
verify that access-list 120 in configured under interface s 0/0.
You can only apply 1 access-list as inbound and only 1 access-list as outbound.
Let me know how it goes
Now you should see accee
How about we take this real slow.
First remove the access-list from the interface s0/0 and verify.
conf t
int s 0/0
no ip access-group 110
exit
sho run
Verify that no Access-list exists under s0/0
Second, now enter the access-list you want.
conf t
int s 0/0
ip access-group 120 in
exit
sho run
verify that access-list 120 in configured under interface s 0/0.
You can only apply 1 access-list as inbound and only 1 access-list as outbound.
Let me know how it goes
Now you should see accee
- Thread starter
- #10
- Thread starter
- #11
chieftan999
MIS
Long access lists are not easy to apply because you can only have 1 in and 1 out per interface.
You will have to look at how you can incorporate them as one access list.
You will have to look at how you can incorporate them as one access list.
ASofyan -
If you want to combine all the access-lists into one access-list I would recommend that you first use an "extended" access-list list.
Second, put all the deny statements first (be careful here. The order is important). Then put all the permit statements (again, watch the order or the statements).
If you want to combine all the access-lists into one access-list I would recommend that you first use an "extended" access-list list.
Second, put all the deny statements first (be careful here. The order is important). Then put all the permit statements (again, watch the order or the statements).
- Status
Similar threads