We can troubleshoot the ACL error using the show commands as we discussed earlier. The wrong order ACEs are the most common ACL errors. In this article will discuss some common errors in ACL configuration
ACL Error – Example 1
In the figure, host 192.168.2.2 has no HTTP or HTTPs access with 192.168.4.2. When entering the show access-lists command, matches are shown for the first deny statement. This is an indicator that this statement has been matched by traffic.
Now, look at the order of the entries. Host 192.168.2.2 has no connectivity with 192.168.4.2 because of the order of rule process ID 10 in the access list. When router processes ACLs from the top to down, statement 10 denies host 192.168.2.2 for TCP traffic, so statement 20 can never be matched. Statements 10 and 20 should be reversed. The third line allows all other non-TCP traffic that falls under IP, for example, ICMP, UDP, etc.
ACL Errors – Example 2
The network 192.168.2.0/24 cannot use TFTP to connect to the 192.168.4.2 server.
The 192.168.2.0/24 network cannot use TFTP to connect to the 192.168.4.2 because TFTP uses UDP but when we use the show access-list command the statement has no permit entry for UDP traffic.
The access list allows all other TCP traffic and the UDP is implicitly denied. The implied deny any statement does not appear in show access-lists output and therefore matches are not shown. The third statement must be changed to ip any any. Instead of tcp any any.
ACL Errors – Example 3
In the topology in the figure 192.168.1.0/24 network can use Telnet to connect to 192.168.4.0/24, but it is not according to the policy, this connection should not be allowed. The results of the show access-lists command show that the permit statement has been matched.
The network 192.168.1.0/24 network can use Telnet because the Telnet port number in statement 10 of access-list 101 is listed in the wrong position in the ACL statement.
It currently denies any source packet with a port number that is equal to Telnet. To deny Telnet traffic inbound on fa0/0, we need to deny the destination port number that is equal to Telnet, for example, deny tcp any any eq telnet.