John,

You really want to limit www traffic, don't you? First you allow traffic _to_
203.111.42.204 or 203.111.42.215. If the www traffic isn't caught by that
then it needs to match a source of 203.111.42.224, 203.111.42.225, or
203.111.42.226. Everything else is going to get caught by that implicit deny.

If that isn't the problem, then you might try stripping it down and then
adding the lines in one at a time until it stops working again. I know it's
a lot of work but some of the strangest things can be gotchas. Including
things that shouldn't. I had a router that had problems with ACLs. If you
tried to deny any UDP traffic the router would lock out all traffic,
including stuff that should have been allowed by previous lines. We ended up
nuking it and loading a new image.

HTH

*********** REPLY SEPARATOR  ***********

On 6/26/2001 at 4:26 AM John Brandis wrote:

>Hi All,
>
>I thought I was on top of access lists, until today. Whenever I apply
>this particular access list in IOS 11.2, nothing on the network can
>view internet pages. They can ping no problem but nothing else. Please
>advise if you can, on which line the error is.
>Thanks all, I appreciate it.
>
>Extended IP access list 110
>    deny   tcp any any eq 139
>    permit udp any any eq domain
>    permit tcp any any eq domain
>    permit icmp any any
>    permit tcp any host 203.111.42.200 eq ftp-data
>    permit tcp any host 203.111.42.200 eq ftp
>    permit tcp any host 203.111.42.200 eq 22
>    permit tcp any host 203.111.42.204 eq ftp-data
>    permit tcp any host 203.111.42.204 eq ftp
>    permit tcp any host 203.111.42.204 eq www
>    permit tcp any host 203.111.42.204 eq 3389
>    permit tcp any host 203.111.42.215 eq smtp
>    permit tcp any host 203.111.42.215 eq www
>    permit tcp any host 203.111.42.215 eq 3389
>    permit ip host 203.111.42.224 any
>    permit ip host 203.111.42.225 any
>    permit ip host 203.111.42.226 any




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=9945&t=9939
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
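
The first-match walk the reply describes, as an added example that is not part of either poster's message: it parses access list 110 exactly as quoted and evaluates packets top-down, ending in the implicit deny. The client address 203.111.42.230 and the outside host 198.51.100.10 are constructed for illustration, and since the thread does not say which interface or direction the list is applied in, both a request and a reply packet are tried.

```python
# Added illustration: first-match evaluation of access list 110 as posted.
PORTS = {"ftp-data": 20, "ftp": 21, "smtp": 25, "domain": 53, "www": 80}

ACL_110 = """\
deny   tcp any any eq 139
permit udp any any eq domain
permit tcp any any eq domain
permit icmp any any
permit tcp any host 203.111.42.200 eq ftp-data
permit tcp any host 203.111.42.200 eq ftp
permit tcp any host 203.111.42.200 eq 22
permit tcp any host 203.111.42.204 eq ftp-data
permit tcp any host 203.111.42.204 eq ftp
permit tcp any host 203.111.42.204 eq www
permit tcp any host 203.111.42.204 eq 3389
permit tcp any host 203.111.42.215 eq smtp
permit tcp any host 203.111.42.215 eq www
permit tcp any host 203.111.42.215 eq 3389
permit ip host 203.111.42.224 any
permit ip host 203.111.42.225 any
permit ip host 203.111.42.226 any
"""

def _addr(tok):
    """Consume 'any' or 'host A.B.C.D' (the only forms used here); None = any."""
    return None if tok.pop(0) == "any" else tok.pop(0)

def parse_acl(text):
    rules = []
    for line in filter(str.strip, text.splitlines()):
        tok = line.split()
        action, proto = tok.pop(0), tok.pop(0)
        src, dst = _addr(tok), _addr(tok)
        # Only "eq <port>" after the destination appears in this list.
        dport = (PORTS[tok[1]] if tok[1] in PORTS else int(tok[1])) if tok else None
        rules.append((action, proto, src, dst, dport, " ".join(line.split())))
    return rules

def evaluate(rules, proto, src, dst, dport=None):
    """Return (action, matched line); first match wins, then implicit deny."""
    for action, r_proto, r_src, r_dst, r_dport, text in rules:
        if (r_proto in ("ip", proto) and r_src in (None, src)
                and r_dst in (None, dst) and r_dport in (None, dport)):
            return action, text
    return "deny", "implicit deny"

RULES = parse_acl(ACL_110)
if __name__ == "__main__":
    client, outside = "203.111.42.230", "198.51.100.10"  # constructed addresses
    for pkt in [("icmp", client, outside, None), ("tcp", client, outside, 80),
                ("tcp", outside, client, 40000), ("tcp", "203.111.42.224", outside, 80)]:
        print(pkt, "->", evaluate(RULES, *pkt))
```

Ping matches the `permit icmp any any` line, while a web request from an unlisted source, or a web reply to a high port, matches nothing and falls through to the implicit deny.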