topic Re: Extended ACL permit ip and allowed ports in Network Security

Extended ACL permit ip and allowed ports

mahesh18 — Tue, 12 Mar 2019 01:41:13 GMT

Hi everyone

Need to confirm if we have extended ACL with object group below

access-list xy_access_in extended permit ip object-group xy_subnets object-group cisco_ynetworks

will above ACL allow all the ports on the destination object group?

Thanks

mahesh

Re: Extended ACL permit ip and allowed ports

Jouni Forss — Thu, 09 May 2013 18:09:34 GMT

Hi,

The ACL rule by itself would mean that TCP/UDP traffic would be allowed on ANY destination or source port from the xy_subnets to cisco_ynetworks

Do notice this very important fact when configuring ACLs

If you have some ACL rule before this mentioned ACL rule in the mentioned ACL and its set to block some ports and the rules source/destination addresses apply to the source/destination networks in these "object-group" then its possible that some ports get blocked even though this rule alone would allow them

- Jouni

Re: Extended ACL permit ip and allowed ports

Jouni Forss — Thu, 09 May 2013 18:19:27 GMT

And to illustrate the situation above

Situation 1 - Only allow rule exists on the ACL

object-group network SOURCE

network-object 10.10.10.0 255.255.255.0

network-object 10.10.20.0 255.255.255.0

object-group network DESTINATION

network-object 10.10.100.0 255.255.255.0

network-object 10.10.200.0 255.255.255.0

access-list SOURCE-IN permit ip object-group SOURCE object-group DESTINATION

The above ACL would

Allow ALL TCP/UDP source and destination ports
Allow those from the source networks of SOURCE to the destination networks of DESTINATION

Situation 2 - Deny rules exist before the allowing rule

object-group network SOURCE

network-object 10.10.10.0 255.255.255.0

network-object 10.10.20.0 255.255.255.0

object-group network DESTINATION

network-object 10.10.100.0 255.255.255.0

network-object 10.10.200.0 255.255.255.0

access-list SOURCE-IN deny ip host 10.10.10.10 host 10.10.100.100

access-list SOURCE-IN deny tcp host 10.10.10.10 host 10.10.200.200 eq 80

access-list SOURCE-IN permit ip object-group SOURCE object-group DESTINATION

The above ACL would

First block ALL TCP/UDP traffic from host 10.10.10.10 to host 10.10.100.100
It would also block TCP traffic from host 10.10.10.10 to host 10.10.200.200 on the destination port TCP/80
It would then allow ALL TCP/UDP traffic from the source networks of SOURCE to the destination networks of DESTINATION

The key thing to notice ofcourse would be that we have blocked some traffic on the first 2 lines of the ACL and then allowed ALL TCP/UDP traffic.

So host 10.10.10.10 cant communicate with host 10.10.100.100 on any port since the "deny" rule for that is at the top of the ACL BEFORE the rule that allows ALL TCP/UDP traffic between these networks.

In the other case the TCP/80 destination traffic from host 10.10.10.10 to host 10.10.200.200 would be blocked BUT rest of the TCP/UDP traffic would be allowed by the rule using the "object-group"

- Jouni

Extended ACL permit ip and allowed ports

mahesh18 — Thu, 09 May 2013 18:41:17 GMT

Hi jouni,

After reading your first post i was going to ask you to explain with example.

Seems you read my mind and put the second post.

I got it now.Welcome to the ACL world.

Regards

Mahesh