
ACL statement

Status
Not open for further replies.

sohtnax

I am trying to add a line to my access-list, which allows udp 500 traffic. I have a statement that allows traffic over tcp 500, without a problem. Whenever I try to apply the new access-list, I can see it being applied, but once I check the running-config it's no longer there. I tried to instead add a statement that allows udp 500 to a specific host, and that line does appear, however I still receive logging errors indicating udp 500 is blocked when I try to connect to that host.

Any thoughts??
 
Post the access list.

**********************
Chris Andrew, CCNA, CCSA
chris@iproute.co.uk
**********************
 
Here you go:

access-list 101 permit tcp any any established
access-list 101 permit udp any eq domain any
access-list 101 permit gre any any
access-list 101 permit esp any any
access-list 101 permit tcp any any eq www
access-list 101 permit tcp any any gt 1024
access-list 101 permit tcp any any eq ftp-data
access-list 101 permit tcp any any eq ftp
access-list 101 permit tcp any any eq 443
access-list 101 permit tcp any any eq smtp
access-list 101 permit tcp any any eq telnet
access-list 101 permit tcp any any eq 1270
access-list 101 permit udp any any eq 1270
access-list 101 permit tcp any any eq 7254
access-list 101 permit udp any any eq 7254
access-list 101 permit tcp any any eq 50
access-list 101 permit tcp any any eq 51
access-list 101 permit tcp any any eq 1723
access-list 101 permit tcp any any eq 65
access-list 101 permit udp any any eq tacacs
access-list 101 permit udp any any eq isakmp
access-list 101 permit tcp any any eq 10000
access-list 101 permit udp any any eq 10000
access-list 101 permit ahp any any
access-list 101 permit tcp any any eq 990
access-list 101 permit tcp any any eq 989
access-list 101 permit tcp any any range 1050 1060
access-list 101 permit icmp any host xx.xxx.xxx.x
access-list 101 permit udp any host xx.xxx.xxx.xx
access-list 101 permit icmp any host xxx.xx.xx.xxx
access-list 101 permit udp any eq ntp any
access-list 101 permit udp any any eq 500
access-list 101 permit tcp any any eq 500
access-list 101 permit udp any any eq 17
access-list 101 permit tcp any any eq 17
access-list 101 permit tcp any any eq 11101
access-list 101 permit udp any any eq 11101
access-list 101 deny udp any eq snmp any log
access-list 101 deny icmp any any echo-reply
access-list 101 deny icmp any any packet-too-big
access-list 101 deny icmp any any host-unreachable
access-list 101 deny tcp any any eq 6669
access-list 101 deny tcp any any eq 2222
access-list 101 deny tcp any any eq 7000
access-list 101 deny tcp any any eq 16959
access-list 101 deny tcp any any eq 27374
access-list 101 deny tcp any any eq 6711
access-list 101 deny tcp any any eq 6712
access-list 101 deny tcp any any eq 6776
access-list 101 deny tcp any any eq 16660
access-list 101 deny tcp any any eq 65000
access-list 101 deny tcp any any eq 27665
access-list 101 deny udp any any eq 31335
access-list 101 deny udp any any eq 27444
access-list 101 deny tcp any any eq 33270
access-list 101 deny tcp any any eq 39168
access-list 101 deny tcp any any eq 6660
access-list 101 deny tcp any any eq 1027
access-list 101 deny tcp any any eq 1029
access-list 101 deny tcp any any eq 1032
access-list 101 deny tcp any any eq 5190
access-list 101 deny ip any any log
 
Well, you appear to be allowing UDP 500 on the ACL. Are you sure that the interface and direction of the ACL is correct? Do a 'show access lists' and you will see a hit count against each line of the ACL.

Chris.


**********************
Chris Andrew, CCNA, CCSA
chris@iproute.co.uk
**********************
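As an added example (not from the thread or from either poster): a small Python checker run over a constructed subset of the ACL posted above. IOS displays UDP port 500 by its name, isakmp, so a typed "permit udp any any eq 500" is the same entry as the existing "permit udp any any eq isakmp" line and the second copy is not stored, which is one reason a new line can vanish from the running config; the checker also flags an ACE that an earlier, broader ACE shadows, so its hit count in 'show access-lists' stays at zero. Addresses are RFC 5737 placeholders and the port-name table covers only the names used in the thread.

```python
# Constructed sample modelled on the thread's ACL (not the poster's real addresses).
SAMPLE_ACL = """\
access-list 101 permit tcp any any established
access-list 101 permit udp any host 192.0.2.10
access-list 101 permit udp any any eq isakmp
access-list 101 permit udp any any eq 500
access-list 101 permit udp any host 192.0.2.10 eq 500
access-list 101 deny ip any any log
"""

# IOS stores well-known ports by name, so 'eq 500' and 'eq isakmp' are one and the same ACE.
PORT_NAMES = {"isakmp": 500, "domain": 53, "www": 80, "ftp": 21, "ftp-data": 20,
              "smtp": 25, "telnet": 23, "ntp": 123, "snmp": 161, "tacacs": 49}

def _port(tok):
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)

def _addr(toks):  # 'any' or 'host A.B.C.D'
    return (toks[1], toks[2:]) if toks[0] == "host" else (toks[0], toks[1:])

def _port_spec(toks):  # optional 'eq/gt/lt/neq P' or 'range A B'
    if toks and toks[0] in ("eq", "gt", "lt", "neq"):
        return (toks[0], _port(toks[1])), toks[2:]
    if toks and toks[0] == "range":
        return ("range", _port(toks[1]), _port(toks[2])), toks[3:]
    return None, toks

def parse_ace(line):
    """Parse one numbered extended ACE into its match fields (ports normalised to numbers)."""
    toks = line.split()
    acl, action, proto, rest = toks[1], toks[2], toks[3], toks[4:]
    src, rest = _addr(rest)
    sport, rest = _port_spec(rest)
    dst, rest = _addr(rest)
    dport, rest = _port_spec(rest)
    extras = tuple(t for t in rest if t != "log")  # e.g. 'established', ICMP type names
    return {"acl": acl, "action": action, "proto": proto, "src": src, "sport": sport,
            "dst": dst, "dport": dport, "extras": extras}

def covers(a, b):
    """True when earlier ACE a matches every packet later ACE b would (port operators compared exactly)."""
    if a["proto"] not in ("ip", b["proto"]) or (a["extras"] and a["extras"] != b["extras"]):
        return False
    return (all(a[f] in (b[f], "any") for f in ("src", "dst"))
            and all(a[f] in (b[f], None) for f in ("sport", "dport")))

def find_issues(acl_text):
    """Return (kind, line_no, earlier_line_no) for ACEs IOS would merge or that can never be hit."""
    aces = [parse_ace(l) for l in acl_text.splitlines() if l.startswith("access-list")]
    issues = []
    for i, b in enumerate(aces):
        for j, a in enumerate(aces[:i]):
            if a == b:
                issues.append(("duplicate", i + 1, j + 1)); break
            if covers(a, b):
                issues.append(("shadowed", i + 1, j + 1)); break
    return issues
```

On the constructed sample the checker reports line 4 as a duplicate of line 3 and line 5 as shadowed by line 2, the two conditions that make a line disappear from the config or show no hits.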
 
It can't be caused by any other access list nor is it the wrong direction. I have narrowed it down to this ACL as the problem, because when I remove this ACL as it is applied on the interface, everything works fine.
 
Debug the ACL. What happens when you do a 'show access-list 101'? What do you see in the hit count? I presume that this is for outbound access from your LAN to the internet. Is it applied inbound on the ethernet side or outbound on the WAN side? Can you post the output of 'show logging'?

Chris.


**********************
Chris Andrew, CCNA, CCSA
chris@iproute.co.uk
**********************
 