Access - Lists

nickbungus (Programmer), Feb 3, 2005
Dear All

Can someone please help me with access lists?

You can see a diagram of the network at the URL below:


I am trying to set up an access list so that all Jamaica hosts are not allowed access outside their network except TFTP to the file server at Barbados ip 172.16.51.94.

The Barbados subnet has no restrictions whatsoever and can access all nodes on the network.

The Jamaica network ip is 172.16.50.0 (max 255 hosts - 172.16.50.1 is router fastethernet)
The Barbados network ip is 172.16.51.64 (max 32 hosts - 172.16.51.65 router fe)

I am adding the following access list to the fe at the Jamaica router:
access-list 101 permit ip any host 172.16.51.94
interface fastethernet 0/0
ip access-group 101 in

The access list works fine in that it only allows access to the Barbados server and nowhere else. The problem is, once I put the access list on I cannot get access to the Jamaica network from Barbados.

The above is the only access list on the network.

Anyone know where I am going wrong?

Help needed

Nick
 
"I cannot get access to the Jamaica network from Barbados"

What do you mean? You mean you cannot telnet to the Jamaica router? Or you mean you cannot access the Jamaica LAN segment from Barbados LAN segment?
 
Hi

Sorry, should have been clearer

I cannot access the Jamaica LAN segment from Barbados LAN segment or Barbados router
 
With your ACL only traffic from Jamaica to Barbados' server is permitted. "Accessing" a host typically involves 2-way communication, so the traffic from a Jamaica node must be able to get to the Barbados node.

If you want to ping Jamaica nodes, add "access-l xxx permit icmp any <barbados_net> <barbados_mask> echo-reply". For TCP you can use the "established" keyword to allow replies to get back to Barbados.

Remember that there's an implicit "deny ip any any" at the end of every IP access list.
 
Cheers lgarner

Thinking about it, that makes a lot of sense. I forgot about the message returning.
Tried this...

access-list 101 permit ip any host 172.16.51.94
access-list 101 permit icmp any 172.16.51.64 0.0.0.31 echo-reply
interface fastethernet 0/0
ip access-group 101 in

...worked a treat

Thanks

Nick
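As an added illustration (not part of the thread, and not IOS code), the Python below models access-list 101 as what it is: a stateless, first-match list with an implicit "deny ip any any" at the end, applied inbound on the Jamaica router's fastethernet 0/0 so that it only ever sees packets sourced by Jamaica hosts. It evaluates Nick's first and working ACLs, plus two assumed entries that the thread mentions but does not post: lgarner's "established" line and a tighter "TFTP only" line. The host addresses 172.16.50.10 and 172.16.51.70, the port numbers and the sample packets are constructed for the example.

```python
"""Stateless ACL evaluator modelling the thread's access-list 101.

Added illustration, not IOS code.  ACL 101 is applied 'in' on the Jamaica
router's fastethernet 0/0, so the only packets it evaluates are those
sourced by Jamaica hosts (172.16.50.0/24).  Host addresses, ports and
packets below are constructed for the example.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    a, b, w = (int(IPv4Address(x)) for x in (addr, base, wildcard))
    mask = ~w & 0xFFFFFFFF
    return (a & mask) == (b & mask)


@dataclass(frozen=True)
class Packet:
    proto: str              # "icmp", "tcp" or "udp"
    src: str
    dst: str
    icmp_type: str = ""     # "echo" or "echo-reply" for ICMP
    dport: int = 0          # destination port for TCP/UDP
    ack: bool = False       # TCP ACK/RST set: all that 'established' inspects


@dataclass(frozen=True)
class Entry:
    action: str             # "permit" or "deny"
    proto: str              # "ip" matches every protocol
    src: str
    src_wc: str
    dst: str
    dst_wc: str
    icmp_type: str = ""     # ICMP type qualifier, "" = any
    dport: int = 0          # 'eq <port>' qualifier, 0 = any
    established: bool = False

    def matches(self, p: Packet) -> bool:
        return (
            (self.proto == "ip" or self.proto == p.proto)
            and wildcard_match(p.src, self.src, self.src_wc)
            and wildcard_match(p.dst, self.dst, self.dst_wc)
            and (not self.icmp_type or self.icmp_type == p.icmp_type)
            and (not self.dport or self.dport == p.dport)
            and (not self.established or p.ack)
        )


def evaluate(acl: list, p: Packet) -> str:
    """First match wins; an IP ACL always ends in an implicit 'deny ip any any'."""
    for entry in acl:
        if entry.matches(p):
            return entry.action
    return "deny"


ANY = ("0.0.0.0", "255.255.255.255")
BARBADOS = ("172.16.51.64", "0.0.0.31")     # 172.16.51.64/27 from the thread
SERVER = ("172.16.51.94", "0.0.0.0")        # 'host 172.16.51.94'

# Nick's first attempt: permit ip any host 172.16.51.94
ACL_ORIGINAL = [Entry("permit", "ip", *ANY, *SERVER)]
# Nick's working version adds: permit icmp any 172.16.51.64 0.0.0.31 echo-reply
ACL_FIXED = ACL_ORIGINAL + [Entry("permit", "icmp", *ANY, *BARBADOS, icmp_type="echo-reply")]
# lgarner's TCP suggestion, assumed wording: permit tcp any 172.16.51.64 0.0.0.31 established
ACL_ESTABLISHED = ACL_FIXED + [Entry("permit", "tcp", *ANY, *BARBADOS, established=True)]
# Assumed 'TFTP only' tightening: permit udp any host 172.16.51.94 eq tftp
ACL_TFTP_ONLY = [Entry("permit", "udp", *ANY, *SERVER, dport=69)]

JAMAICA_HOST = "172.16.50.10"    # constructed
BARBADOS_HOST = "172.16.51.70"   # constructed
SERVER_IP = "172.16.51.94"

SAMPLE = {
    "tftp request to port 69":           Packet("udp", JAMAICA_HOST, SERVER_IP, dport=69),
    "tftp data to server's new port":    Packet("udp", JAMAICA_HOST, SERVER_IP, dport=54321),
    "jamaica pings barbados":            Packet("icmp", JAMAICA_HOST, BARBADOS_HOST, icmp_type="echo"),
    "reply to a ping from barbados":     Packet("icmp", JAMAICA_HOST, BARBADOS_HOST, icmp_type="echo-reply"),
    "jamaica opens telnet to barbados":  Packet("tcp", JAMAICA_HOST, BARBADOS_HOST, dport=23),
    "reply inside telnet from barbados": Packet("tcp", JAMAICA_HOST, BARBADOS_HOST, dport=50123, ack=True),
}


def verdicts(acl: list) -> dict:
    """Map each sample packet name to the ACL's permit/deny decision."""
    return {name: evaluate(acl, pkt) for name, pkt in SAMPLE.items()}


if __name__ == "__main__":
    for label, acl in [("original", ACL_ORIGINAL), ("fixed", ACL_FIXED),
                       ("with established", ACL_ESTABLISHED), ("tftp only", ACL_TFTP_ONLY)]:
        print(f"--- {label} ---")
        for name, verdict in verdicts(acl).items():
            print(f"{verdict:6} {name}")
```

Running it shows why the first ACL cut Barbados off: a Jamaica host answering a ping from Barbados emits an echo-reply whose destination is not the server, so it falls through to the implicit deny. Two caveats worth keeping in mind. "established" only checks that the ACK or RST bit is set, not that a connection exists, so any packet with ACK set gets through; reflexive ACLs or stateful inspection (CBAC / zone-based firewall) are the proper fix if Jamaica hosts are untrusted. And tightening the server line to "eq tftp" breaks transfers: per RFC 1350 only the first request goes to port 69, the server answers from a freshly chosen port, and the client's data and ACK packets go to that port, which the TFTP-only entry denies.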
 