Access list

[chab8371]

I configure a fixed IP (192.168.6.13) in the access list in the same segment as the equipment (192.168.6.230) and since then I lost the access of the WS-12-250-DC

[sirhc]

You must have messed up your rule somehow.

I just tested the access list and it worked fine for me?

Maybe post up a little more information, VLANs, and such.

[chab8371]

The config is very simple. No Vlan´s. Static IP in the equipment: 192.168.6.230 and when I add the IP 192.168.6.13 to the list (that´s the PC IP) y lost the access. It´s the second time de Netonix hangs up and it´s located on a hill at 1800 meters high!! Very frustrating for us. A loss of time and effort in order to make a hard reset.

[sirhc]

Not sure what to tell you, I just tested access list again and it works?

As you can see in the picture below I told the switch that only my workststation could talk to it and it worked and only the one computer could access the switch UI/CLI.

In this picture I told it the whole 192.168.1.0/24 sub-net in the office could talk to it and I could access the switch from any workstation in the office.

Can not help you without more information but it appears to work fine for me?

Also I would never experiment with something like this without being on site to insure it works and or LAB-ing it up in the shop and testing my config and then I still like to have a tech on site to make sure what I want to do works as intended.

At my WISP we LAB everything before we try it in the field.

Now I will test a routed IP access list just in case that is your issue.

[chab8371]

Thanks Chris,

May be the weather was too cold in the top of the hill (jajaja!). The Netonix is in bridge mode, no like a router. Before making the change in the address list, we test the access via http and https (by the doubt). After that, We put the static IP and receive an alert (I don´t remember what it says, but was something like "the ip consigned will be the only with access to the equipment"), we push apply and pummmm!! See you in the next hard reset.

[chab8371]

I know the Netonix is hang out because the ping replies well. And the ports with POE on, remains active.

[sirhc]

I know the Netonix is hang out because the ping replies well. And the ports with POE on, remains active.

Yea, the access list does not block ICMP, I have asked Eric to change this and he still has not.

Your switch is working fine you just can not access the UI or CLI anymore because of your access list.

What would help us determine if this was your fault or a bug would be to send a guy out to the tower and remove the access list.

Then log into the UI again and take a screen shot of your Tabs then a screen shot of the Access List you are about to apply and post them then we can see if your doing it wrong or there is indeed a bug.

You have provided not a single piece of information that can be used to re-create your issue or see what you might be doing wrong.

All you say is you applied some mystery access list and you can no longer access your switch which is not much to go on!

Is it your fault or a bug, who knows, my crystal ball is no better than yours.

Provide some specific information, preferably the screen shots I explained above and we will get right on this.

[chab8371]

Before putting de IP en the access list, I change the http port to 100, so therefore the access to the switch was via 192.168.6.230:100. I don´t know if this is relevant, but that action was prior.

[sirhc]

Before putting de IP en the access list, I change the http port to 100, so therefore the access to the switch was via 192.168.6.230:100. I don´t know if this is relevant, but that action was prior.

Well yes that is relevant, maybe there is a bug in the access list when you change the port for a service. I will investigate that later today.

If you were going to implement an access list why would you have a need to change the port? Not that you shouldn't and it should work just curious?

We do have a Tar Pit on our UI/CLI login so people would have a hard time longing in with a brute force cracker even if they find the device.

[sirhc]

Well I changed my switch to use port 444 instead of port 443

Then added a rule in the access list for 192.168.1.176 as before and it still worked.

When you created your access list did you enter in the IP as 192.168.6.230:100


If so that may be your problem, notice I just entered in my IP with no colon the port number

Also is your switch behind a NAT router at that location? Another words what is you computer IP and what was the switch IP and is there NAT translation going on?