ACL list not working as expected

March 29, 2011 at 09:03:36
access-list <#> permit/deny <protocol> <sourceAddress> <sourceMask> <destinationAdd> <destinationMask>

Say I applied an ACL inbound on Fa0/0, would the source address be outside the LAN?
So if I took the same ACL and applied it as outbound, would the source need to be changed to an IP inside the LAN?

I am a bit confused by the data flow I'm seeing in Packet Tracer simulation mode too. I set up an ACL for testing purposes, "access-list 199 permit ip any", set as inbound, the idea being it permits any traffic from the .0 subnet.

When I watch the packet in the simulation, it makes it to the destination address, then is dropped by the router on its way back out to the sender. This makes no sense to me, as security-wise there are always going to be situations where you want traffic to be one way, and this makes it look like it needs ACL permission to leave once it's inside.


March 29, 2011 at 11:10:18
When you designated the "in" part, you told the router that anything coming into fa0/0 is to follow that acl.

When your computer responded, its network address did not match up to the ACL network address, which is why its response to the ping did not go through.

To fix it, you need to either change the "in" to "out" or apply the ACL to the other interface (Fa0/1 for example) as an "in" instead.

Think of it this way: when applying an ACL, look at it from the router's perspective. Any packet that arrives at a router has to go out one of its interfaces. Anything coming into a router then has to go out one of its interfaces.

Hope this helps


March 30, 2011 at 09:39:11
OK, I understand the ins and outs now, thanks.

It does leave me confused as to why this list isn't working. For some reason the server is the only host on LAN2 that can ping into LAN1.

Both are applied on Router 1, attached to LAN1. Both ACLs are applied out on different interfaces.

access-list 100 permit ip any (Allows anything from 2nd LAN to access 1st LAN)
access-list 101 permit ip any host (allows any host in LAN1 to access server on LAN2)
access-list 101 deny ip any (stops all other traffic from LAN1 exiting)
access-list 101 permit ip any any (permits traffic originating in LAN2 to get back to LAN2)


March 30, 2011 at 11:24:57
You need to remember that the ACL has a "deny all" at the end of it, even if you didn't state it. If you denied only what you needed in the above statements, then end it with a "permit ip any any" statement.

ACLs work by checking packets against each statement from the top and then the next down, next down and so on. If the packet doesn't meet any of those statements, then it denies it unless you have the statement I put above.

This may not be your exact problem, I will need to simulate it to check for sure.


March 30, 2011 at 11:34:24
Follow up:

Your problem is that it is both applied as out, I believe. You have a block for anything going to LAN2 except the server, so when you ping with a host that is not the server, it goes through but the response gets blocked from going back, as your ACL is set to only allow access to the server, not the other hosts.

My guess based on what I'm reading.
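An added example (not code from the thread) that models the two points made in the replies above: entries are checked top-down and the first match decides, with an unwritten "deny all" at the end. The addresses for LAN1, LAN2 and the server are constructed assumptions, as is the filled-in destination of each ACL 101 line.

```python
import ipaddress

# Constructed topology for this example (assumptions, not taken from the thread):
#   LAN1 = 192.168.1.0/24 on Fa0/0, LAN2 = 192.168.2.0/24 on Fa0/1,
#   server on LAN2 = 192.168.2.10.  ACL 101 is applied "out" on Fa0/1, so the
#   router checks it against packets *leaving* toward LAN2, including echo replies.
ACL_101 = [
    "access-list 101 permit ip any host 192.168.2.10",
    "access-list 101 deny ip any 192.168.2.0 0.0.0.255",
    "access-list 101 permit ip any any",
]

def _addr_spec(tokens):
    """Consume one address spec ('any', 'host A.B.C.D', or 'A.B.C.D wildcard').
    Returns (remaining tokens, (network as int, wildcard as int))."""
    if tokens[0] == "any":
        return tokens[1:], (0, 0xFFFFFFFF)
    if tokens[0] == "host":
        return tokens[2:], (int(ipaddress.IPv4Address(tokens[1])), 0)
    net, wild = (int(ipaddress.IPv4Address(t)) for t in tokens[:2])
    return tokens[2:], (net, wild)

def parse_ace(line):
    """'access-list N permit|deny ip SRC DST' -> (action, src_spec, dst_spec)."""
    tokens = line.split()
    action, rest = tokens[2], tokens[4:]          # tokens[3] is the protocol ('ip')
    rest, src = _addr_spec(rest)
    rest, dst = _addr_spec(rest)
    return action, src, dst

def _matches(addr, spec):
    """Cisco wildcard mask: a 1 bit means 'don't care', a 0 bit must match."""
    net, wild = spec
    return (int(ipaddress.IPv4Address(addr)) & ~wild) == (net & ~wild)

def evaluate(acl, src, dst):
    """Walk the ACL top-down; the first matching entry decides.  Returns
    (action, 1-based line number), or ('deny', None) for the implicit deny."""
    for n, line in enumerate(acl, start=1):
        action, s, d = parse_ace(line)
        if _matches(src, s) and _matches(dst, d):
            return action, n
    return "deny", None

if __name__ == "__main__":
    # A LAN2 host pings LAN1: the request passes ACL 100 on Fa0/0, but the reply
    # (LAN1 host -> LAN2 host) hits ACL 101 on the way out and dies on line 2.
    print(evaluate(ACL_101, "192.168.1.5", "192.168.2.20"))      # ('deny', 2)
    print(evaluate(ACL_101, "192.168.1.5", "192.168.2.10"))      # ('permit', 1), the server
    print(evaluate(ACL_101[:1], "192.168.1.5", "192.168.2.20"))  # ('deny', None)
```

Line 3 ("permit ip any any") is never reached for replies into LAN2, because line 2 already matched; dropping the final line instead exposes the implicit deny, which is the third case printed.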
