topic Re: Problem With ACLs in Network Security

Problem With ACLs

Slargus — Thu, 02 Feb 2023 15:38:30 GMT

I am new to cisco and trying to setup a vlan with some access-lists in my cisco router 871. The router i have is connected to another router with default ip 192.168.1.1/24. My router has the WAN ip 192.168.1.110 and the vlan network is 10.0.0.0/29. The access list is monitoring the incomming trafic. My problem when i try to access the internet using a host from the vlan network (lets say ip 10.0.0.2). I am able to access the internet only when using the "Access list 100 permit 10.0.0.0 0.0.0.7 any", but i dont understand why when this is saying "allow traffic from network 10.0.0.0/22 to any network" and i am monitoring the incomming trafic, shouldn't i use the opposite for that like "Access list 100 permit any 10.0.0.0 0.0.0.7" to get the result i want? Thanks in advance!

Here is my config:
interface FastEthernet0
!
interface FastEthernet1
description Openstack-Host
!
interface FastEthernet2
description compute1
!
interface FastEthernet3
description compute2
!
interface FastEthernet4
description FW_OUTSIDE_WAN
ip address 192.168.1.110 255.255.255.0
ip access-group 100 in
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface Vlan1
description Playground
ip address 10.0.0.1 255.255.255.248
ip nat inside
ip virtual-reassembly
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 192.168.1.1
!
no ip http server
no ip http secure-server
ip dns server
ip nat inside source list 100 interface FastEthernet4 overload
ip nat inside source static tcp 192.168.1.110 22 192.168.1.110 3030 extendable
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
access-list 100 permit ip 10.0.0.0 0.0.0.7 any
access-list 100 permit tcp any any established
access-list 100 permit tcp host 8.8.8.8 eq 53 any
access-list 100 permit udp host 8.8.8.8 eq 53 any
access-list 100 permit tcp host 8.8.4.4 eq 53 any
access-list 100 permit udp host 8.8.4.4 eq 53 any

Re: Problem With ACLs

balaji.bandi — Thu, 02 Feb 2023 15:44:54 GMT

Still not able to understand the requiremet here - what is the goal of this task ?

First i would not suggested same ACL for this.

Seconds this RFC 1918 address, i do not believe any traffil will come in from private IP address, so you will not see at all.

you can use different ACL number 101 same match and use ip access-group 101 in (example)

Re: Problem With ACLs

MHM Cisco World — Thu, 02 Feb 2023 15:45:47 GMT

ip access-group 100 in <<- your ACL is IN direction so it must 10.0.0.0/22 to any

Re: Problem With ACLs

Slargus — Thu, 02 Feb 2023 15:57:54 GMT

So the ACL will also check the traffic comming from inside my router because is comming from different interface?

Re: Problem With ACLs

Slargus — Thu, 02 Feb 2023 16:01:48 GMT

Sorry if my question was confusing. I am able to recieve traffic from outside though, can you explain why i should use a second ACL? Also thanks for the quick Response!

Re: Problem With ACLs

MHM Cisco World — Thu, 02 Feb 2023 16:02:32 GMT

Yes,

ACL IN
LAN-Router-WAN(or any)
ACL will be
permit/deny LAN WAN (or any)

ACL out
LAN-Router-WAN
ACL will be
permit/deny WAN (or any) LAN

Re: Problem With ACLs

Slargus — Thu, 02 Feb 2023 16:06:16 GMT

ok i understand now, thank you!!