outlaw17

asked on

Access Lists

Hi,

For the config below, I intended for subnet 192.168.1.0/24 to have access to all subnets, while the other subnets have access to the internet and not to each other. The config is working: I can ping from, for example, 192.168.1.25 to 192.168.3.20 (wireless AP), but I can't access it. When I turn on the wireless LAN on the laptop I get an IP in the range 192.168.3.xx, and that is when I get access to 192.168.3.20 (wireless AP). Could you please tell me what's missing and how to troubleshoot this kind of access list?



no aaa new-model
system mtu routing 1500
ip subnet-zero
ip routing
ip dhcp excluded-address 192.168.1.1 192.168.1.20
ip dhcp excluded-address 192.168.1.40 192.168.1.41
ip dhcp excluded-address 192.168.5.1 192.168.5.20
ip dhcp excluded-address 192.168.2.1 192.168.2.30
ip dhcp excluded-address 192.168.3.1 192.168.3.20
!
ip dhcp pool LOCALLAN
   network 192.168.1.0 255.255.255.0
   default-router 192.168.1.1
   dns-server xx.xxx.xxx.xx xx.xxx.xxx.xx
!
ip dhcp pool student
   network 192.168.5.0 255.255.255.0
   default-router 192.168.5.1
   dns-server xx.xxx.xxx.xx xx.xxx.xxx.xx
!
ip dhcp pool PUBLIC
   network 192.168.3.0 255.255.255.0
   default-router 192.168.3.1
   dns-server xx.xxx.xxx.xx xx.xxx.xxx.xx
!
interface Vlan10
 description --- DATA NATIVE VLAN
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan20
 description --- Student VLAN
 ip address 192.168.5.1 255.255.255.0
 ip access-group 101 in
!
interface Vlan40
 description --- PUBLIC VLAN
 ip address 192.168.3.1 255.255.255.0
 ip access-group 102 in
!        
interface Vlan55
 description To Firewall vlan
 ip address 192.168.253.253 255.255.255.0
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.253.254
ip http server
!
access-list 101 permit icmp 192.168.5.0 0.0.0.255 192.168.1.0 0.0.0.255 echo-reply
access-list 101 deny   ip 192.168.5.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 deny   ip 192.168.5.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 101 permit ip any any
access-list 102 permit icmp 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255 echo-reply
access-list 102 deny   ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 102 deny   ip 192.168.3.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 102 permit ip any any
ASKER CERTIFIED SOLUTION
Mick Finley
The sequence of ACLs is important: as soon as a rule is applied, the ACL stops
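An added example, not part of the thread or of the hidden accepted solution: a small first-match evaluator run over the posted access-list 102, showing why the echo reply from 192.168.3.20 passes inbound on Vlan40 while the TCP reply of a web session to 192.168.1.25 hits the deny line. The packets and the `established` variant are constructed assumptions.

```python
import ipaddress

def _spec(tokens):
    """Consume 'any' or 'addr wildcard'; return ((addr, wildcard), remaining tokens)."""
    if tokens[0] == "any":
        return (0, 0xFFFFFFFF), tokens[1:]
    return (int(ipaddress.IPv4Address(tokens[0])),
            int(ipaddress.IPv4Address(tokens[1]))), tokens[2:]

def parse_ace(line):
    """Parse 'access-list N action proto src dst [echo-reply|established]'."""
    t = line.split()
    src, rest = _spec(t[4:])
    dst, rest = _spec(rest)
    return {"action": t[2], "proto": t[3], "src": src, "dst": dst,
            "opt": rest[0] if rest else None, "text": line}

def _ip_ok(ip, spec):
    addr, wild = spec  # wildcard bits set to 1 are "don't care"
    return (int(ipaddress.IPv4Address(ip)) | wild) == (addr | wild)

def evaluate(acl_lines, pkt):
    """Return (action, matching line); first match wins, then implicit deny."""
    for ace in map(parse_ace, acl_lines):
        if ace["proto"] not in ("ip", pkt["proto"]):
            continue
        if not (_ip_ok(pkt["src"], ace["src"]) and _ip_ok(pkt["dst"], ace["dst"])):
            continue
        if ace["opt"] == "echo-reply" and pkt.get("icmp") != "echo-reply":
            continue
        if ace["opt"] == "established" and not pkt.get("flags", set()) & {"ACK", "RST"}:
            continue
        return ace["action"], ace["text"]
    return "deny", "implicit deny"

ACL_102 = [  # copied from the posted configuration
    "access-list 102 permit icmp 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255 echo-reply",
    "access-list 102 deny   ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255",
    "access-list 102 deny   ip 192.168.3.0 0.0.0.255 192.168.5.0 0.0.0.255",
    "access-list 102 permit ip any any",
]
# Assumed variant (not from the thread): let TCP replies back before the deny.
ACL_102_EST = ACL_102[:1] + [
    "access-list 102 permit tcp 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255 established",
] + ACL_102[1:]
# Constructed packets as seen inbound on Vlan40 (arriving from the 192.168.3.0/24 side).
PING_REPLY = {"proto": "icmp", "src": "192.168.3.20", "dst": "192.168.1.25", "icmp": "echo-reply"}
WEB_REPLY = {"proto": "tcp", "src": "192.168.3.20", "dst": "192.168.1.25", "flags": {"SYN", "ACK"}}
NEW_CONN = {"proto": "tcp", "src": "192.168.3.50", "dst": "192.168.1.25", "flags": {"SYN"}}
```

`established` only checks for the ACK or RST flag, so it covers TCP replies and nothing else; it is not stateful filtering.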