
ACL allowing some traffic with DENY

Good day all,

I have been trying to apply ACLs to a VLAN interface and have not been able to make it work.

I configured them as follows:

Extended IP access list 160

    10 deny ip 10.0.0.0 0.0.255.255 10.0.24.0 0.0.0.255

    20 permit ip 10.0.24.0 0.0.0.255 host 8.8.8.8 log

    30 deny ip 10.0.24.0 0.0.0.255 any

    40 deny icmp 10.0.24.0 0.0.0.255 any

    50 deny ip any any

Extended IP access list 161

    10 deny ip host 4.2.2.2 10.0.24.0 0.0.0.255

    20 deny ip host w.x.y.z 10.0.24.0 0.0.0.255 - firewall outside address

    30 permit icmp host 10.0.2.3 any

    40 deny icmp any any (5 matches)

    50 deny ip any any

    60 deny udp any any

interface Vlan600

ip address 10.0.24.3 255.255.255.0

ip access-group 161 in

ip access-group 160 out

no ip route-cache cef

no ip route-cache

no ip mroute-cache

end

The problem is that I can still ping 4.2.2.2 and 8.8.8.8, which I only want to limit to 8.8.8.8. I was also able to ping yahoo.com and others. The pings from the other subnets fail, and any from the 24 subnet to the external address of the firewall fail, which are both required results.

I tried to debug the ping test with the debug ip packet command but didn't see anything show up on my log server. I then tried the same lines in a program called ACL editor simulator and it comes up as a no match. Can someone please help me figure out how to block all web and 4.2.2.2 traffic in and out.

Thanks

Michael


I realised that if I put "permit ip any any" at, say, line 25 of ACL 161, all traffic passes, but if I do any ACLs such as

- permit ip host 10.255.255.11 host 10.0.24.100

- permit ip host 10.255.255.11 10.0.24.0 0.0.0.255

- permit ip 10.255.255.0 0.0.0.255 host 10.0.24.100

none of the hosts talk to each other.

My switch uses C3750-IPBASEK9-M

Any ideas

Thanks

Michael

Hi Michael,

What IP address are you pinging from? Also, can you give a quick explanation of what you are trying to block and what you are trying to allow? Thanks,

Mike Burr

Richard Burts

Michael

It looks to me like you have your in and out reversed. VLAN 600 is subnet 10.0.24.0. In access list 160 we find that 10.0.24.x are the source addresses. So this access list should be applied as "inbound". And in access list 161 we find that references to subnet 10.0.24.0 have it as the destination, so it should be applied as "outbound".

So if you change the access-group configurations and apply 160 in and 161 out you should find more hits in the access lists.

But even if you change the direction of the access lists there will not be any successful traffic in and out of the subnet. I note that access list 160 has only a single line with a permit statement and it permits traffic to host 8.8.8.8. I also note that access list 161 has only a single line with a permit statement. And it permits only ICMP packets from host 10.0.2.3. So the amount of traffic permitted will be very small.

HTH

Rick

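To see Rick's point about direction concretely, here is an added Python model of first-match extended ACL evaluation on an SVI (example code, not from the thread or from Cisco); it replays the posted lists 160 and 161 against a few flows with the access-groups as posted and then swapped. The firewall outside address w.x.y.z is replaced with the constructed placeholder 198.51.100.1, and 203.0.113.10 is a constructed external host.

```python
import ipaddress

VLAN600 = ipaddress.ip_network("10.0.24.0/24")   # subnet behind interface Vlan600
ANY = ("0.0.0.0", "255.255.255.255")              # "any"
def host(ip): return (ip, "0.0.0.0")              # "host x" is wildcard 0.0.0.0
FW_OUTSIDE = "198.51.100.1"                       # constructed stand-in for w.x.y.z

# Entries as posted: (seq, action, protocol, (src, wildcard), (dst, wildcard))
ACL_160 = [
    (10, "deny",   "ip",   ("10.0.0.0", "0.0.255.255"), ("10.0.24.0", "0.0.0.255")),
    (20, "permit", "ip",   ("10.0.24.0", "0.0.0.255"),  host("8.8.8.8")),
    (30, "deny",   "ip",   ("10.0.24.0", "0.0.0.255"),  ANY),
    (40, "deny",   "icmp", ("10.0.24.0", "0.0.0.255"),  ANY),
    (50, "deny",   "ip",   ANY, ANY),
]
ACL_161 = [
    (10, "deny",   "ip",   host("4.2.2.2"),  ("10.0.24.0", "0.0.0.255")),
    (20, "deny",   "ip",   host(FW_OUTSIDE), ("10.0.24.0", "0.0.0.255")),
    (30, "permit", "icmp", host("10.0.2.3"), ANY),
    (40, "deny",   "icmp", ANY, ANY),
    (50, "deny",   "ip",   ANY, ANY),
    (60, "deny",   "udp",  ANY, ANY),
]

def wc_match(addr, spec):
    """Cisco wildcard mask: a 1 bit means 'don't care' for that bit."""
    base, wildcard = spec
    care = 0xFFFFFFFF ^ int(ipaddress.ip_address(wildcard))
    return (int(ipaddress.ip_address(addr)) & care) == (int(ipaddress.ip_address(base)) & care)

def evaluate(acl, proto, src, dst):
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for seq, action, p, s, d in acl:
        if p in ("ip", proto) and wc_match(src, s) and wc_match(dst, d):
            return seq, action
    return None, "deny"

def svi_filter(proto, src, dst, acl_in, acl_out):
    """On an SVI, 'in' checks packets arriving from the VLAN's own hosts and
    'out' checks packets routed toward them (transit traffic only; packets the
    switch itself originates are not filtered by interface ACLs)."""
    if ipaddress.ip_address(src) in VLAN600:
        return ("in",) + evaluate(acl_in, proto, src, dst)
    if ipaddress.ip_address(dst) in VLAN600:
        return ("out",) + evaluate(acl_out, proto, src, dst)
    return ("n/a", None, "not via Vlan600")

if __name__ == "__main__":
    flows = [("icmp", "10.0.24.100", "8.8.8.8"), ("icmp", "8.8.8.8", "10.0.24.100"),
             ("icmp", "10.0.24.100", "4.2.2.2"), ("tcp", "10.0.24.100", "203.0.113.10")]
    for label, acl_in, acl_out in (("as posted", ACL_161, ACL_160), ("swapped", ACL_160, ACL_161)):
        print(label, [svi_filter(*f, acl_in, acl_out) for f in flows])
```

Running it shows that, as posted, every entry written with 10.0.24.x as the source is never consulted, and that even after the swap the echo reply from 8.8.8.8 is dropped by line 40 of list 161.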

Thanks Richard.

I did find this out today. I cleared it all and redid it the other way around and it worked ... well, 90%. I will probably post a new thread if I can't figure out the other part.

Thanks again Richard and Michael.

Regards

Michael

Michael

I am glad that my suggestions led you to a solution that worked - at least mostly. Thank you for using the rating system to mark the question as answered, and thanks for the rating. It makes the forum more useful when people can read about an issue and can know that a solution was reached. Your rating has helped this process.

If you do have more issues with the access list do post again about that issue.

HTH

Rick
