Issue ACL Extended is not functional correct

ksoltani
Level 1

At the Core Switch (WS-C4500X-32) level, there is an access-list named "FILTER-FTP-HTTP-SNMP-TELNET-445" allowing access to specific IPs and to the server "10.219.41.186" on ports (ftp, www, telnet etc.).
This access-list is applied at the VLAN 77 level,
in the direction "ip access-group FILTER-FTP-HTTP-SNMP-TELNET-445 out".
The problem is that one still manages to open a printer at "http://10.215.40.156/" and to telnet and ftp to it,
even though we applied "deny tcp any any eq (ftp, telnet, www)" at the end of the access list.

Below is the configuration:

interface Vlan77
description Data
ip address 10.215.43.252 255.255.252.0
ip access-group FILTER-FTP-HTTP-SNMP-TELNET-445 out
standby 77 ip 10.215.43.254
standby 77 priority 110
standby 77 preempt
standby 77 authentication hsrp77
ip ospf 1 area 48
arp timeout 300
end
!
ip access-list extended FILTER-FTP-HTTP-SNMP-TELNET-445
permit ip any host 10.215.44.31
permit ip any host 10.215.44.33
permit tcp host 10.231.225.49 any eq 445
deny tcp any any eq 445
permit tcp host 10.219.41.186 any eq ftp-data
permit tcp host 10.219.41.186 any eq ftp
permit tcp host 10.219.41.186 any eq www
permit tcp host 10.219.41.186 any eq telnet
permit udp host 10.219.41.186 any eq snmp
permit udp host 10.219.41.186 any eq snmptrap
deny tcp any any eq ftp-data
deny tcp any any eq ftp
deny tcp any any eq www
deny tcp any any eq telnet
deny tcp 10.215.40.0 0.0.3.255 eq www any
deny udp any any eq snmp
deny udp any any eq snmptrap
permit ip any any
!

I am in VLAN 77 and I managed to open a printer over HTTP even though I have "deny tcp any any eq 80".

Is there a solution to block access to the printer while keeping the last line "permit ip any any"?


Accepted Solution

Depending on which way you need to block traffic, I believe it's backwards for interface VLANs.

OUT = coming from outside the VLAN going in

IN = coming from within the VLAN going out

Try applying it in the other direction:

ip access-group FILTER-FTP-HTTP-SNMP-TELNET-445 in

If that doesn't work, try adding a 'log' statement on the permit ip any any statement to see if the traffic you are trying to deny is hitting that last line. If it is hitting the permit ip any any, re-evaluate all statements in the ACL.


3 Replies


@David Ruess I tried it on the interface vlan, out or in; it does not work.

I don't know where the exact problem is.
Is the syntax wrong?

Try putting the last statement in the access-list as 'permit ip any any log'.

Then access the printer's HTTP site from within VLAN 77. Once you connect, go back to the switch and check the logs ('show log') to see what hit the ACL; it should be the most recent entries, and you can see exactly what the IPs are and how they are accessing the printer IP. It could be syntax.

Also, is the HSRP instance configured as the primary (is the other HSRP instance a lower priority)? And is the ACL applied on both HSRP VLAN instances?
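Because the thread turns on which direction of an SVI ACL sees a flow, and on finding out which entry a packet hits, here is an added example (my code, not from the thread, the posters or Cisco) that runs the access-list posted above through a small first-match evaluator and reports which direction of an ACL on interface Vlan77 would evaluate a given packet. It relies on standard IOS semantics: contiguous wildcard masks, first match wins, and same-subnet traffic being bridged at layer 2 without passing through the SVI; the sample packets are constructed.

```python
import ipaddress
# Port keywords used in the ACL from the thread; the ACL itself follows, copied verbatim.
PORTS = {"ftp-data": 20, "ftp": 21, "telnet": 23, "www": 80, "snmp": 161, "snmptrap": 162}
ACL = """permit ip any host 10.215.44.31
permit ip any host 10.215.44.33
permit tcp host 10.231.225.49 any eq 445
deny tcp any any eq 445
permit tcp host 10.219.41.186 any eq ftp-data
permit tcp host 10.219.41.186 any eq ftp
permit tcp host 10.219.41.186 any eq www
permit tcp host 10.219.41.186 any eq telnet
permit udp host 10.219.41.186 any eq snmp
permit udp host 10.219.41.186 any eq snmptrap
deny tcp any any eq ftp-data
deny tcp any any eq ftp
deny tcp any any eq www
deny tcp any any eq telnet
deny tcp 10.215.40.0 0.0.3.255 eq www any
deny udp any any eq snmp
deny udp any any eq snmptrap
permit ip any any""".splitlines()
VLAN77 = ipaddress.ip_network("10.215.43.252/22", strict=False)  # subnet of interface Vlan77
def _endpoint(tok):
    """Consume 'any' | 'host A' | 'NET WILDCARD' plus an optional 'eq PORT'; return (net, port, rest)."""
    if tok[0] == "any":
        net, tok = ipaddress.ip_network("0.0.0.0/0"), tok[1:]
    elif tok[0] == "host":
        net, tok = ipaddress.ip_network(tok[1] + "/32"), tok[2:]
    else:  # contiguous wildcard mask, e.g. 0.0.3.255 -> /22
        net, tok = ipaddress.ip_network((tok[0], 32 - int(ipaddress.ip_address(tok[1])).bit_length())), tok[2:]
    port = int(PORTS.get(tok[1], tok[1])) if tok[:1] == ["eq"] else None
    return net, port, tok[2:] if port is not None else tok

def evaluate(proto, src, sport, dst, dport, acl=ACL):
    """First-match evaluation of one packet against the ACL; returns (action, matching entry)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for entry in acl:
        action, aproto, *rest = entry.split()
        snet, sp, rest = _endpoint(rest)
        dnet, dp, _ = _endpoint(rest)
        if (aproto in ("ip", proto) and src in snet and dst in dnet
                and sp in (None, sport) and dp in (None, dport)):
            return action, entry
    return "deny", "implicit deny"

def svi_direction(src, dst, net=VLAN77):
    """'in' if a VLAN host sends to another subnet, 'out' if another subnet sends into the VLAN;
    None when both hosts share the VLAN subnet: such traffic is bridged and never crosses the SVI."""
    s, d = ipaddress.ip_address(src) in net, ipaddress.ip_address(dst) in net
    return None if s == d else ("in" if s else "out")
```

For the printer flow from the question, call evaluate("tcp", "10.215.43.10", 50000, "10.215.40.156", 80) to see which entry the ACL itself would pick, and svi_direction("10.215.43.10", "10.215.40.156") to see whether an ACL on the SVI would ever be consulted for it.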
