topic Hi Greg; Short answer, it in Network Security

Question about implicit rule to less secure networks

gbromleyclc — Tue, 12 Mar 2019 06:25:51 GMT

Okay, I had a long question written out, and that triggered something in my head and I fixed my issue. But that leaves me with a question: why did it work?

So I was having problems with accessing an internal camera from our wireless network, which are on different subnets. The wireless network has a security level of 10, so has access to pretty much just the internet. I was able to get access from the wireless network to the internal camera with the acl: access-list CLC_Wireless_access_in line 1 extended permit ip 192.168.x.0 255.255.255.128 host 192.168.xx.51.

Originally I tried this, but it removed the implicit access to less secure networks, and I lost connection to the internet. Then I tried an 'any any' rule for the wireless, but that allowed access to the entire internal network, which I didn't want. So then I tried both, sort of. I used the acl to the camera (above) and then this one, 'wireless to any': access-list CLC_Wireless_access_in line 2 extended permit ip 192.168.x.0 255.255.255.128 any

And now I have what I want, access from the wireless to the camera (not the rest of the internal network) and access to the internet. My question is: why does the 'wireless to any' acl not grant access to the rest of the internal network? I figured it was because that implicit rule only to less secure networks is still there, behind the scenes blocking traffic to a higher security level. So does an 'any any' on the wireless allow all traffic, and a 'wireless to any' allow all traffic to less secure networks?

Thanks in advance,

- Greg

Hi Greg; Short answer, it

Maykol Rojas — Fri, 14 Aug 2015 17:14:20 GMT

Hi Greg;

Short answer, it does grant access to everything. Having that, is the same as doing the any any you did before.

The reasoning behind why it does not have access to the rest of the internal network might be routing, NAT or even an ACL on the internal interface, but I would be it is not on the wireless side.

You can try to run a "packet-tracer" to other internal resources, and probably would result in allow.

Again, the reasoning why it does not let other assets to be accessed may require a look at the rest of the config.

Mike.

Thanks for the quick response

gbromleyclc — Fri, 14 Aug 2015 18:25:49 GMT

Thanks for the quick response Mike!

So what would be the correct way to accomplish access from the wireless network to the camera and outbound to the internet?

Is there any way to have the acl for the camera in place and put the implicit 'allow access to less secure networks' back in before the implicit 'deny' blocks everything?

Thanks again,

Gregpermit the wireless

Jon Marshall — Fri, 14 Aug 2015 19:03:54 GMT

Greg

permit the wireless subnet to the specific host
deny the wireless subnet to the rest of the internal network
permit the wireless subnet to any

note if there are any other higher security interfaces connected to networks you would need to deny those as well before the permit to any at the end.

Jon