Troubleshooting ACL issues

  1. Determine which interfaces have ACLs applied to them and in which direction (in or out). Use show running-config and/or show ip interface to view the ACLs; the latter lists the "Inbound access list" and "Outgoing access list" per interface.
  2. Determine which ACL statements are matched by test packets ( show access-lists and show ip access-lists show a match counter per statement ).
  3. Analyze the ACLs to predict which statements the test packets should match, and compare that prediction with the counters observed in the steps above.

Facts to remember about ACLs

  • ACLs are processed with first-match logic: the first statement that matches decides the action and no later statement is consulted, so a broad statement placed early shadows everything after it.
  • Note the direction of the packet relative to the router interface (in or out), since that decides which address is the source and which is the destination; verify the source and destination addresses and their wildcard masks.
  • TCP or UDP must be the protocol in the statement if it matches on port numbers; IOS rejects a port match on ip.
  • ICMP is neither TCP nor UDP and must be specified as its own protocol (permit icmp ...); a tcp or udp statement never matches it.
  • Use an explicit deny ip any any at the end to see counter increments; the implicit deny has no statement, so packets it drops are never counted in show access-lists.
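The following simulator is an added example, not a Cisco tool or text from the original page, that demonstrates the three troubleshooting steps and the facts above on constructed ACLs: it parses IOS-style extended ACL statements, evaluates packets with first-match semantics and wildcard masks, refuses a port match on a non-TCP/UDP protocol, treats ICMP as its own protocol, and keeps per-statement hit counters so that the effect of an explicit versus implicit deny is visible in a show access-lists style output. ACL 101 and 102, the addresses and the packets are constructed for the example; ACL 102 deliberately carries the ordering mistake where a broad deny shadows a later host permit.

```python
"""Simulator of Cisco IOS extended-ACL evaluation (added example, not IOS code):
first-match, wildcard masks, port matching, implicit deny, per-ACE hit counters."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

PORT_PROTOCOLS = {"tcp", "udp"}                  # only these may carry "eq <port>"
KNOWN_PROTOCOLS = {"ip", "tcp", "udp", "icmp"}


@dataclass
class Ace:
    """One ACL statement. src/dst are (address, wildcard) as 32-bit ints."""
    action: str
    proto: str
    src: Tuple[int, int]
    src_port: Optional[int]
    dst: Tuple[int, int]
    dst_port: Optional[int]
    text: str          # statement as written, for show output
    hits: int = 0      # incremented when this ACE is the first match


@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    src_port: Optional[int] = None
    dst_port: Optional[int] = None


def _ip(s: str) -> int:
    return int(ipaddress.IPv4Address(s))


def _parse_addr(tok: List[str], i: int) -> Tuple[Tuple[int, int], int]:
    """Parse 'any' | 'host A.B.C.D' | 'A.B.C.D W.W.W.W' starting at tok[i]."""
    if tok[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tok[i] == "host":
        return (_ip(tok[i + 1]), 0), i + 2
    return (_ip(tok[i]), _ip(tok[i + 1])), i + 2


def _parse_port(tok: List[str], i: int) -> Tuple[Optional[int], int]:
    if i < len(tok) and tok[i] == "eq":
        return int(tok[i + 1]), i + 2
    return None, i


def parse_ace(line: str) -> Ace:
    """Parse 'access-list N {permit|deny} PROTO SRC [eq P] DST [eq P]'."""
    tok = line.split()
    if len(tok) < 5 or tok[0] != "access-list":
        raise ValueError(f"not an access-list statement: {line!r}")
    action, proto = tok[2], tok[3]
    if action not in ("permit", "deny") or proto not in KNOWN_PROTOCOLS:
        raise ValueError(f"bad action/protocol in: {line!r}")
    src, i = _parse_addr(tok, 4)
    sport, i = _parse_port(tok, i)
    dst, i = _parse_addr(tok, i)
    dport, i = _parse_port(tok, i)
    if i != len(tok):
        raise ValueError(f"trailing tokens in: {line!r}")
    # Port numbers only make sense for TCP or UDP; IOS rejects 'ip ... eq N'.
    if (sport is not None or dport is not None) and proto not in PORT_PROTOCOLS:
        raise ValueError(f"port match requires tcp or udp, got {proto!r}: {line!r}")
    return Ace(action, proto, src, sport, dst, dport, " ".join(tok[2:]))


def _addr_match(addr: str, net_wild: Tuple[int, int]) -> bool:
    net, wild = net_wild
    care = ~wild & 0xFFFFFFFF          # wildcard bit 1 = don't care, 0 = must match
    return (_ip(addr) & care) == (net & care)


def ace_matches(ace: Ace, pkt: Packet) -> bool:
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False                   # icmp is its own protocol, never tcp/udp
    if not _addr_match(pkt.src, ace.src) or not _addr_match(pkt.dst, ace.dst):
        return False
    if ace.src_port is not None and pkt.src_port != ace.src_port:
        return False
    return ace.dst_port is None or pkt.dst_port == ace.dst_port


def evaluate(acl: List[Ace], pkt: Packet) -> Tuple[str, Optional[int]]:
    """First match decides; returns (action, ACE index). Falling off the end is
    the implicit deny: index None, and no counter is incremented."""
    for idx, ace in enumerate(acl):
        if ace_matches(ace, pkt):
            ace.hits += 1
            return ace.action, idx
    return "deny", None


def show_access_list(acl: List[Ace]) -> List[str]:
    """Approximates 'show access-lists': '(N matches)' only on ACEs that hit."""
    return [f"    {a.text}" + (f" ({a.hits} matches)" if a.hits else "") for a in acl]


# Constructed ACL 101: HTTPS from 10.1.1.0/24 and ICMP to one host, explicit deny last.
ACL_101 = [parse_ace(l) for l in (
    "access-list 101 permit tcp 10.1.1.0 0.0.0.255 host 192.168.10.5 eq 443",
    "access-list 101 permit icmp any host 192.168.10.5",
    "access-list 101 deny ip any any")]

# Constructed ACL 102: ordering mistake, the broad deny shadows the host permit.
ACL_102 = [parse_ace(l) for l in (
    "access-list 102 deny ip 10.1.1.0 0.0.0.255 any",
    "access-list 102 permit tcp host 10.1.1.50 any eq 22")]
```

Run evaluate(ACL_101, Packet("tcp", "10.1.1.7", "192.168.10.5", 51000, 80)) and the explicit deny's counter increments, which is the signal step 2 relies on; run an SSH packet from 10.1.1.50 against ACL_102 and it is denied by statement 0 while the permit that was meant for it stays at zero matches. Against an ACL with no explicit deny, a dropped packet returns index None and leaves every counter unchanged, which is why a troubleshooter adds the explicit deny.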