09-05-2011 04:48 PM
Good day all,
I have been trying to apply ACLs to a vlan interface and have not been able to make it work,
I configured them as follows:
Extended IP access list 160
10 deny ip 10.0.0.0 0.0.255.255 10.0.24.0 0.0.0.255
20 permit ip 10.0.24.0 0.0.0.255 host 8.8.8.8 log
30 deny ip 10.0.24.0 0.0.0.255 any
40 deny icmp 10.0.24.0 0.0.0.255 any
50 deny ip any any
Extended IP access list 161
10 deny ip host 4.2.2.2 10.0.24.0 0.0.0.255
20 deny ip host w.x.y.z 10.0.24.0 0.0.0.255 - firewall outside address
30 permit icmp host 10.0.2.3 any
40 deny icmp any any (5 matches)
50 deny ip any any
60 deny udp any any
interface Vlan600
ip address 10.0.24.3 255.255.255.0
ip access-group 161 in
ip access-group 160 out
no ip route-cache cef
no ip route-cache
no ip mroute-cache
end
The problem is that I can still ping 4.2.2.2 and 8.8.8.8, which I only want to limit to 8.8.8.8. I was also able to ping yahoo.com and others. The pings from the other subnets fail, and any from the 24 subnet to the external address of the firewall fail, which are both required results.
I tried to debug the ping test with the debug ip packet command but didn't see anything show up on my log server. I then tried the same lines in a program called ACL editor simulator and it comes up as a no match. Can someone please help me figure out how to block all web and 4.2.2.2 traffic in and out.
Thanks
Michael
09-06-2011 05:51 PM
I realised if I put "permit ip any any" at, say, line 25 of ACL 161 all passes, but if I do any ACLs such as
- permit ip host 10.255.255.11 host 10.0.24.100
- permit ip host 10.255.255.11 10.0.24.0 0.0.0.255
- permit ip 10.255.255.0 0.0.0.255 host 10.0.24.100
none of the hosts talk to each other.
My switch uses C3750-IPBASEK9-M
Any ideas?
Thanks
Michael
09-06-2011 09:57 PM
Hi Michael,
What IP address are you pinging from? Also, can you give a quick explanation of what you are trying to block and what you are trying to allow? Thanks,
Mike Burr
09-08-2011 07:36 PM
Michael
It looks to me like you have your in and out reversed. VLAN 600 is subnet 10.0.24.0. In access list 160 we find that 10.0.24.x are the source addresses. So this access list should be applied as "inbound". And in access list 161 we find that references to subnet 10.0.24.0 have it as the destination, so it should be applied as "outbound".
So if you change the access-group configurations and apply 160 in and 161 out you should find more hits in the access lists.
But even if you change the direction of the access lists there will not be any successful traffic in and out of the subnet. I note that access list 160 has only a single line with a permit statement and it permits traffic to host 8.8.8.8. I also note that access list 161 has only a single line with a permit statement. And it permits only ICMP packets from host 10.0.2.3. So the amount of traffic permitted will be very small.
HTH
Rick
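To make the direction point concrete, here is a small first-match ACL evaluator (an added example, not code from the thread or from Cisco) that classifies a packet as "in" or "out" on the Vlan600 SVI by whether its source sits in 10.0.24.0/24, then evaluates it against whichever ACL is bound in that direction. It assumes a host on the VLAN is the source (locally generated switch traffic is not checked by these ACLs and is not modelled), and it leaves out ACL 161 seq 20 because the firewall address there is a placeholder.

```python
import ipaddress
from typing import NamedTuple

class Packet(NamedTuple):
    proto: str   # "icmp", "udp", "tcp"; an ACL entry with proto "ip" matches all
    src: str
    dst: str

def wildcard_match(addr: str, net: str, wildcard: str) -> bool:
    """Cisco wildcard mask: a 0 bit must match, a 1 bit is don't-care."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, net, wildcard))
    return ((a ^ n) & ~w) == 0

# Entries: (seq, action, proto, src, src_wildcard, dst, dst_wildcard), copied
# from the ACLs in the question; "host x" is x with wildcard 0.0.0.0.
ANY = ("0.0.0.0", "255.255.255.255")
VLAN600 = ipaddress.ip_network("10.0.24.0/24")
ACL_160 = [
    (10, "deny",   "ip",   "10.0.0.0",  "0.0.255.255", "10.0.24.0", "0.0.0.255"),
    (20, "permit", "ip",   "10.0.24.0", "0.0.0.255",   "8.8.8.8",   "0.0.0.0"),
    (30, "deny",   "ip",   "10.0.24.0", "0.0.0.255",   *ANY),
    (40, "deny",   "icmp", "10.0.24.0", "0.0.0.255",   *ANY),
    (50, "deny",   "ip",   *ANY, *ANY),
]
ACL_161 = [
    (10, "deny",   "ip",   "4.2.2.2",  "0.0.0.0", "10.0.24.0", "0.0.0.255"),
    # seq 20 (deny from the firewall's outside address, w.x.y.z in the thread)
    # is a placeholder there and is left out of this constructed copy
    (30, "permit", "icmp", "10.0.2.3", "0.0.0.0", *ANY),
    (40, "deny",   "icmp", *ANY, *ANY),
    (50, "deny",   "ip",   *ANY, *ANY),
    (60, "deny",   "udp",  *ANY, *ANY),
]

def evaluate(acl, pkt: Packet) -> tuple:
    """First match wins; seq 0 stands for the implicit 'deny ip any any'."""
    for seq, action, proto, s, sw, d, dw in acl:
        if proto in ("ip", pkt.proto) and wildcard_match(pkt.src, s, sw) \
                and wildcard_match(pkt.dst, d, dw):
            return action, seq
    return "deny", 0

def svi_check(bindings: dict, pkt: Packet) -> tuple:
    """On an SVI 'in' is traffic from the VLAN's hosts, 'out' is traffic to them."""
    direction = "in" if ipaddress.ip_address(pkt.src) in VLAN600 else "out"
    return (direction, *evaluate(bindings[direction], pkt))

AS_POSTED = {"in": ACL_161, "out": ACL_160}   # ip access-group 161 in / 160 out
CORRECTED = {"in": ACL_160, "out": ACL_161}   # the swap suggested above
```

A ping from 10.0.24.100 to 8.8.8.8 is inbound on the SVI, so as posted it is judged by ACL 161 and dies at seq 40 (deny icmp any any); after the swap it is judged by ACL 160 and is permitted at seq 20.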
09-08-2011 09:46 PM
Thanks Richard.
I did find this out today; I cleared it all and redid it the other way around and it worked ... well, 90%. I will probably post a new thread if I can't figure out the other part.
Thanks again Richard and Michael.
Regards
Michael
09-09-2011 08:26 AM
Michael
I am glad that my suggestions led you to a solution that worked - at least mostly. Thank you for using the rating system to mark the question as answered, and thanks for the rating. It makes the forum more useful when people can read about an issue and can know that a solution was reached. Your rating has helped this process.
If you do have more issues with the access list do post again about that issue.
HTH
Rick