[c-nsp] "dynamic" access-list

Ueli Heuer papierkuebel at gmail.com
Sat Jun 11 19:45:54 EDT 2005


On 6/11/05, Scott Weeks <surfer at mauigateway.com> wrote:
> 
> 
> Hello,
> 
> Did anyone get back to you on this?
> 
>      now I tried to ping the hosts from a 'wrong' IP-Address, to check if
>      the access list is working. I did not believe, the pings replied!
> 
> There're no denies on the ACLs.  Everything is allowed and that's why the
> ping replies came back to you.

You forgot that there is an unwritten `deny ip any any` at the end of every
ip access-list; it does not need to be written.

The workaround, a standard access-list, works as expected:

ip access-list standard DSLAMs
 permit a.b.c.0 0.0.0.255


The mysterious thing is that the access-list changed from time to time!

The configured statement was

   permit udp a.b.c.0 0.0.0.255 any eq snmp

and it changed to

   permit udp a.b.c.0 0.0.0.255 0.0.0.0 0.0.0.3 eq snmp
or
   permit udp a.b.c.0 0.0.0.255 0.0.0.0 0.0.0.7 eq snmp
or
   permit udp a.b.c.0 0.0.0.255 0.0.0.0 0.0.0.15 eq snmp

and this is for sure not what I configured.

Kind regards,
 Ueli
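As an added illustration, not part of the original message or the thread, here is a small Python evaluator for IOS-style access lists that shows the two points above: the unwritten deny at the end of every ACL, and what the rewritten wildcard masks (`0.0.0.0 0.0.0.3` in place of `any`) actually match. The network 10.1.1.0/24 is a constructed stand-in for the anonymised a.b.c.0 in the post.

```python
import ipaddress

def wildcard_match(addr, base, wildcard):
    """True if addr matches base under a Cisco wildcard mask (1 bits = don't care)."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)

def parse_addr(tokens):
    """Consume one address spec: 'any', 'host X', or 'X wildcard'. Returns (base, wildcard, rest)."""
    if tokens[0] == "any":                      # 'any' is shorthand for 0.0.0.0 255.255.255.255
        return "0.0.0.0", "255.255.255.255", tokens[1:]
    if tokens[0] == "host":
        return tokens[1], "0.0.0.0", tokens[2:]
    return tokens[0], tokens[1], tokens[2:]

def evaluate(acl_lines, src, dst, proto="ip", dport=None):
    """Walk an IOS-style ACL top-down: first matching entry wins, and if nothing
    matches the packet falls through to the unwritten 'deny ip any any'."""
    for line in acl_lines:
        t = line.split()
        action, t = t[0], t[1:]
        if t and t[0] in ("ip", "udp", "tcp", "icmp"):  # extended ACL carries a protocol
            acl_proto, t = t[0], t[1:]
        else:                                           # standard ACL: source only, any protocol
            acl_proto = "ip"
        if acl_proto != "ip" and acl_proto != proto:
            continue
        sbase, swild, t = parse_addr(t)
        if not wildcard_match(src, sbase, swild):
            continue
        if t:                                           # extended: destination and optional port
            dbase, dwild, t = parse_addr(t)
            if not wildcard_match(dst, dbase, dwild):
                continue
            if t and t[0] == "eq":
                port = {"snmp": 161}.get(t[1], t[1])   # named ports used in the post
                if dport != int(port):
                    continue
        return action
    return "deny"  # the implicit deny ip any any

# Constructed sample: the post's ACLs with 10.1.1.0/24 standing in for a.b.c.0
STANDARD = ["permit 10.1.1.0 0.0.0.255"]
CONFIGURED = ["permit udp 10.1.1.0 0.0.0.255 any eq snmp"]
REWRITTEN = ["permit udp 10.1.1.0 0.0.0.255 0.0.0.0 0.0.0.3 eq snmp"]
```

With the rewritten entry, an SNMP poll to any real host is dropped by the implicit deny, because `0.0.0.0 0.0.0.3` only matches destinations 0.0.0.0 through 0.0.0.3.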


