topic Re: Extended Named ACL Denying Traffic in Network Security

Extended Named ACL Denying Traffic

tonyplueard — Tue, 11 Jul 2023 13:53:43 GMT

I have the following ACL. For the most part everything is working in the ACL as it should be. The problem is that even though 192.168.203.0 is permitted, I still get denies in the logs. The logs will be below the ACL. We switched from TCP to IP in the ACL and now we are no longer getting the denies but I don't understand why it was getting denied.

ip access-list extended veneer-203

permit tcp host 192.168.244.20 10.2.203.0 0.0.0.255 eq 80
permit tcp host 192.168.244.25 10.2.203.0 0.0.0.255 eq 80
permit tcp host 192.168.244.30 10.2.203.0 0.0.0.255 eq 80

permit tcp 192.168.203.0 0.0.0.255 10.2.203.0 0.0.0.255 eq 80 established
permit tcp 192.168.203.0 0.0.0.255 10.2.203.0 0.0.0.255 eq 443 established
permit tcp 192.168.203.0 0.0.0.255 10.2.203.0 0.0.0.255 eq 554 established

deny ip any any log

Jul 10 14:30:14 PDT: %SEC-6-IPACCESSLOGP: list veneer-203 denied tcp 192.168.203.45(64656) -> 10.2.203.52(80), 1 packet
Jul 10 14:30:24 PDT: %SEC-6-IPACCESSLOGP: list veneer-203 denied tcp 192.168.203.45(64671) -> 10.2.203.52(443), 1 packet
Jul 10 14:30:34 PDT: %SEC-6-IPACCESSLOGP: list veneer-203 denied tcp 192.168.203.45(64709) -> 10.2.203.51(443), 1 packet
Jul 10 14:31:04 PDT: %SEC-6-IPACCESSLOGP: list veneer-203 denied tcp 192.168.203.45(64729) -> 10.2.203.52(80), 1 packet

Re: Extended Named ACL Denying Traffic

MHM Cisco World — Tue, 11 Jul 2023 13:57:51 GMT

Please what is direction of traffic here

Are ACL inbound or outbound ?

Re: Extended Named ACL Denying Traffic

tonyplueard — Tue, 11 Jul 2023 13:58:41 GMT

This is an outbound ACL

Re: Extended Named ACL Denying Traffic

MHM Cisco World — Tue, 11 Jul 2023 14:11:02 GMT

ip access-list extended veneer-203 <<-OUTbound

permit tcp host 192.168.244.20 10.2.203.0 0.0.0.255 eq 80
permit tcp host 192.168.244.25 10.2.203.0 0.0.0.255 eq 80
permit tcp host 192.168.244.30 10.2.203.0 0.0.0.255 eq 80

permit tcp 192.168.203.0 0.0.0.255 10.2.203.0 0.0.0.255 eq 80
permit tcp 192.168.203.0 0.0.0.255 10.2.203.0 0.0.0.255 eq 443
permit tcp 192.168.203.0 0.0.0.255 10.2.203.0 0.0.0.255 eq 554
deny ip any any

ip access-list extended veneer-203IN <<-INbound

deny ip any any log

this what you need established work only INbound not for OUTbound if the traffic initiate from 192.168.203.x

Re: Extended Named ACL Denying Traffic

tonyplueard — Tue, 11 Jul 2023 14:15:03 GMT

So are you saying that having the established at the end is what is causing the denies?

Re: Extended Named ACL Denying Traffic

tonyplueard — Tue, 11 Jul 2023 14:15:49 GMT

Also the ACL is technically an outbound acl but it is an inbound to the 10.2.203.0 VLAN

Re: Extended Named ACL Denying Traffic

MHM Cisco World — Tue, 11 Jul 2023 14:22:12 GMT

I depend on your answer before you apply this ACL OUTbound under the SVI
and OUTbound not work with established.
established work with INbound ACL.
there is no ACL config as OUTbound and work as OUTbound and INbound.

Re: Extended Named ACL Denying Traffic

tonyplueard — Tue, 11 Jul 2023 14:25:15 GMT

I apologize it is an outbound ACL on the SVI

Re: Extended Named ACL Denying Traffic

tonyplueard — Tue, 11 Jul 2023 14:30:19 GMT

I redid the ACL without the established on it and I have stopped getting all the denies. Thank you for your help and I learned something new.

Re: Extended Named ACL Denying Traffic

MHM Cisco World — Tue, 11 Jul 2023 14:32:57 GMT

friend You are so welcome any time
have a nice day
MHM

Re: Extended Named ACL Denying Traffic

Marius Gunnerud — Wed, 12 Jul 2023 10:21:30 GMT

@tonyplueard please select a correct answer so to reward @MHM Cisco World for his time and effort. Selecting correct answers and rating helpful provides points to the experts which in turn will reward the expert with recognition in the Cisco Community.