[c-nsp] Vlan access-list problem
Gert Doering
gert at greenie.muc.de
Tue Jan 3 17:39:54 EST 2006
Hi,

On Tue, Jan 03, 2006 at 03:12:02PM -0500, Jeff Crowe wrote:
> interface vlan 48
> ip address 10.0.0.1 255.255.255.128
> ip access-group 102 in
> ip access-group 103 out
> !
> access-list 102 permit ip 192.168.0.0 0.0.0.255 any
> access-list 102 deny any any
> access-list 103 permit any any (testing purposes)
>
>
> The network I am coming in from is in the 192.168.0.0/24 range, but as soon
> as I apply the access-list 102 to the vlan interface, the deny any any takes
> over and denies all packets.

Wrong direction. You permit packets with a *source* of 192.168.0.0,
but packets coming *in* into VLAN48 - that is, being *sent* by 192.168.0.x
machines.

You need:

  access-list 102 permit ip any 192.168.0.0 0.0.0.255
  access-list 102 deny ip any any

(permit packets *to* 192.168.0.0/24)

gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany gert at greenie.muc.de
fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de
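
The direction issue discussed in this thread, as an added example that is not part of the original post: a small first-match evaluator for extended ACL lines, run against constructed packets. The host addresses, the ACL lists (written with the `ip` keyword on the deny line) and the helper names are assumptions made for illustration.

```python
import ipaddress

def _spec(tokens):
    """Consume 'any' or 'ADDR WILDCARD' and return ((addr, wildcard), remaining tokens)."""
    if tokens[0] == "any":
        return (0, 0xFFFFFFFF), tokens[1:]
    addr = int(ipaddress.IPv4Address(tokens[0]))
    wild = int(ipaddress.IPv4Address(tokens[1]))
    return (addr, wild), tokens[2:]

def parse_ace(line):
    """Parse 'access-list N permit|deny ip SRC DST' (only the forms used in the thread)."""
    tok = line.split()
    src, rest = _spec(tok[4:])
    dst, _ = _spec(rest)
    return tok[2], src, dst

def matches(spec, ip):
    """Wildcard-mask match: bits set in the wildcard are ignored."""
    addr, wild = spec
    care = ~wild & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(ip)) & care) == (addr & care)

def evaluate(acl, src, dst):
    """First matching entry wins; nothing matching means the implicit deny."""
    for line in acl:
        action, s, d = parse_ace(line)
        if matches(s, src) and matches(d, dst):
            return action
    return "deny"

# ACL 102 as originally applied "in" on Vlan48, and the corrected version.
ORIGINAL_102 = ["access-list 102 permit ip 192.168.0.0 0.0.0.255 any",
                "access-list 102 deny ip any any"]
FIXED_102 = ["access-list 102 permit ip any 192.168.0.0 0.0.0.255",
             "access-list 102 deny ip any any"]

# Constructed packet: a VLAN 48 host (10.0.0.10) answering 192.168.0.5.
# "in" on interface Vlan48 filters what the router receives from VLAN 48,
# so the source is the 10.0.0.x host and 192.168.0.x is the destination.
REPLY = ("10.0.0.10", "192.168.0.5")

if __name__ == "__main__":
    print("original ACL, inbound on Vlan48:", evaluate(ORIGINAL_102, *REPLY))
    print("fixed ACL, inbound on Vlan48:   ", evaluate(FIXED_102, *REPLY))
```
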