Destination net unreachable

[GeoDM]

I have a Cisco 1721 Router. The router is between 2 local networks. Mine and one connected via fiber down the road. Right now the two networks can not see each other. This is good. I want them to only see a few selected servers on each side. To do this I have created 2 access-lists. After associating the access lists with the right card on the router I get this message when I try to ping.

Reply from XX.XX.X.XX: Destination net unreachable.

It receives properly but I can not longer telnet to the box. When I set the interface cards back to default everything work fine.

Is creating access-lists the proper way to do it or should I be trying something else?

 

[lgarner]

Access lists would be the way to restrict traffic. Just how restrictive are they? It might help if you posted them, if they're not too big.

 

[GeoDM]

Looking at this now I think something may be wrong but I'll let you tell me that. I finally got the SDM installed on the box but I did not like working with it that way and the access list I created there looks different then the one I created with the IOS. Also could you tell me how to delete the other access-lists, sdm_ethernet0_in & sdm_fastethernet0_in. Just some house keeping issues.

interface Ethernet0
ip address 10.10.1.14 255.255.0.0
ip access-group 101 in
no ip route-cache
half-duplex
!
interface FastEthernet0
ip address 10.10.2.14 255.255.0.0
ip access-group 102 in
no ip route-cache
speed auto
!
ip classless
ip http server
!
ip access-list extended sdm_ethernet0_in
remark SDM_ACL Category=1
permit ip any host 10.10.2.247 log
permit ip any host 10.10.2.23 log
permit ip any host 10.10.2.244 log
ip access-list extended sdm_fastethernet0_in
remark SDM_ACL Category=1
permit ip any host 10.10.1.242 log
permit ip any host 10.10.1.243 log
permit ip any host 10.10.1.240 log
permit ip any host 10.10.1.245 log
!
access-list 101 permit ip any host 10.10.2.247 log
access-list 101 permit ip any host 10.10.2.23 log
access-list 101 permit ip any host 10.10.2.244 log
access-list 102 permit ip any host 10.10.1.242 log
access-list 102 permit ip any host 10.10.1.243 log
access-list 102 permit ip any host 10.10.1.240 log
access-list 102 permit ip any host 10.10.1.245 log

 

[sbonete]

Both, the ones generated via SDM and yours are the same. The only difference is the way they were wrotten.

As far as I has been able to see, with that configuration you are only allowing some servers at the net 10.10.1.0 to speak with some other servers at the net 10.10.2.0.

Please, try to move traffic from one server to another and update the call.

Regards.

 

[lgarner]

First, change your interface subnet masks to /24, or change one of the IP addresses from 10.10.x.x to something else.

 

[jneiberger]

lgarner is right. Your interfaces are misconfigured to be in the same /16 subnet, which I don't think you're trying to do on purpose. If you are trying to do this then you need to redesign your network or configure the router for bridging.