From: Stephen Oliver (stevie_oliver@xxxxxxxxxxx)
Date: Fri Feb 01 2002 - 10:17:41 GMT-3
ACLs do not apply to traffic originating from the router.
>From: "Dan Lockwood" <dlockwood@shastalink.k12.ca.us>
>Reply-To: "Dan Lockwood" <dlockwood@shastalink.k12.ca.us>
>To: <ccielab@groupstudy.com>
>Subject: ip access-group xxx out
>Date: Thu, 31 Jan 2002 15:25:53 -0800
>
>I created an access-list 101 and applied it to interface Ethernet0. See
>the config below. It seemed that the ACL was ineffective. To further
>investigate I added "permit icmp any any log" to the list. I suspected
>that pinging from the router would cause hits on this ACL, again
>nothing. I finally broke down and called TAC. According to the engineer
>I spoke with, ACLs do not apply to traffic originating from the router.
>I wanted to get everyone's opinion about this.
>
>Building configuration...
>Current configuration:
>!
>version 11.3
>service timestamps debug uptime
>service timestamps log uptime
>service password-encryption
>!
>hostname 2501-25062714
>!
>enable password 7 06000632444B1B140419
>!
>no ip domain-lookup
>!
>!
>interface Ethernet0
>ip address 10.1.3.223 255.255.255.0
>ip access-group 100 in
>ip access-group 101 out
>!
>interface Serial0
>no ip address
>no ip mroute-cache
>shutdown
>no fair-queue
>!
>interface Serial1
>no ip address
>shutdown
>!
>ip classless
>ip route 0.0.0.0 0.0.0.0 10.1.3.1
>!
>access-list 1 permit 10.1.3.21
>access-list 2 permit 10.1.3.0 0.0.0.255
>access-list 2 permit 10.1.4.0 0.0.0.255
>access-list 100 permit icmp any any
>access-list 100 permit tcp 10.1.3.0 0.0.0.255 host 10.1.3.223 eq telnet
>access-list 100 permit tcp 10.1.4.0 0.0.0.255 host 10.1.3.223 eq telnet
>access-list 100 permit tcp 12.40.193.0 0.0.0.255 host 10.1.3.223 eq telnet
>access-list 101 permit tcp host 10.1.3.223 host 10.0.1.2 eq telnet
>access-list 101 permit tcp host 10.1.3.223 host 10.0.1.4 eq telnet
>!
>line con 0
>password 7 02040B4C07031D
>login
>line aux 0
>line vty 0 4
>access-class 2 in
>exec-timeout 5 0
>password 7 04485B550E2249
>login
>!
>end
>
>Dan Lockwood
>Microsoft Certified Professional
>CompTIA Network+ Certified
>Cisco Certified Network Associate
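
The behaviour discussed in this thread, as an added Python model (not part of either message and not Cisco code): it evaluates the posted access-list 101 with wildcard masks and the implicit deny, then shows why the outbound ACL never logged a hit for the router's own packets. The function names, the transit host 10.1.3.50 and the destination 10.0.1.9 are constructed for illustration.

```python
import ipaddress

# ACL 101 as posted in the quoted configuration (applied "out" on Ethernet0).
ACL_101 = """\
access-list 101 permit tcp host 10.1.3.223 host 10.0.1.2 eq telnet
access-list 101 permit tcp host 10.1.3.223 host 10.0.1.4 eq telnet
"""
PORTS = {"telnet": 23}

def _addr(tok):
    """Consume one address spec: 'any', 'host A', or 'A WILDCARD'."""
    if tok[0] == "any":
        return (0, 0xFFFFFFFF), tok[1:]
    if tok[0] == "host":
        return (int(ipaddress.ip_address(tok[1])), 0), tok[2:]
    return (int(ipaddress.ip_address(tok[0])), int(ipaddress.ip_address(tok[1]))), tok[2:]

def parse_acl(text):
    """Parse the subset of extended-ACL syntax that appears in this thread."""
    rules = []
    for line in text.splitlines():
        tok = line.split()[2:]                      # drop "access-list <n>"
        action, proto, tok = tok[0], tok[1], tok[2:]
        src, tok = _addr(tok)
        dst, tok = _addr(tok)
        port = int(PORTS.get(tok[1], tok[1])) if tok[:1] == ["eq"] else None
        rules.append((action, proto, src, dst, port))
    return rules

def _match(spec, ip):
    base, wild = spec                               # wildcard bits are "don't care"
    return (int(ipaddress.ip_address(ip)) | wild) == (base | wild)

def acl_verdict(rules, proto, src, dst, dport):
    for action, r_proto, r_src, r_dst, r_port in rules:
        if (r_proto in ("ip", proto) and _match(r_src, src)
                and _match(r_dst, dst) and r_port in (None, dport)):
            return action
    return "deny"                                   # implicit deny ends every ACL

def egress(rules, proto, src, dst, dport, router_originated):
    """Outbound interface check; packets the router itself generates skip the ACL."""
    if router_originated:
        return "sent (interface ACL not evaluated)"
    return "sent" if acl_verdict(rules, proto, src, dst, dport) == "permit" else "dropped"

if __name__ == "__main__":
    rules = parse_acl(ACL_101)
    print(egress(rules, "tcp", "10.1.3.223", "10.0.1.9", 23, True))   # router's own telnet
    print(egress(rules, "tcp", "10.1.3.50", "10.0.1.9", 23, False))   # constructed transit flow
```
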
This archive was generated by hypermail 2.1.4 : Thu Jun 20 2002 - 13:46:09 GMT-3