10-24-2012 03:17 PM - last edited on 03-25-2019 05:49 PM by ciscomoderator
On my Nexus 5k it seems that the ACL for "in" (garden_IN) is allowing the needed ports. But for "out" (garden_OUT), unless established is ANY, this does not work. Usually I do established with the same port number. Is this right? I have not had to use any before. Garden is initiating the connection to Pasture.
Nexus5000# sho running-config interface vlan 75
interface Vlan75
no shutdown
description pasture_PRIV garden SIDE
ip access-group garden_IN in
ip access-group garden_OUT out
ip address 172.25.0.1/24
Nexus5000# sho running-config interface vlan 74
interface Vlan74
no shutdown
description pasture_PRIV pasture SIDE
ip address 172.24.0.1/24
IPV4 ACL garden_IN
statistics per-entry
9 remark permit tcp ports from 172.25.0.0/24 (garden) to 172.24.0.0/24 (pasture)
10 permit tcp 172.25.0.0/24 172.24.0.0/24 eq 1433
20 permit tcp 172.25.0.0/24 172.24.0.0/24 eq 445
30 permit tcp 172.25.0.0/24 172.24.0.0/24 eq 1434
40 permit tcp 172.25.0.0/24 172.24.0.0/24 eq 4022
50 permit tcp 172.25.0.0/24 172.24.0.0/24 eq 135
60 permit udp 172.25.0.0/24 172.24.0.0/24 eq 1434
IPV4 ACL garden_OUT
statistics per-entry
4 remark permit tcp established from 172.24.0.0/24 (pasture) to 172.25.0.0/24 (garden)
5 permit tcp 172.24.0.0/24 172.25.0.0/24 established [match=232]
10 permit tcp 172.24.0.0/24 172.25.0.0/24 eq 1433 established [match=0]
20 permit tcp 172.24.0.0/24 172.25.0.0/24 eq 445 established [match=0]
30 permit tcp 172.24.0.0/24 172.25.0.0/24 eq 1434 established [match=0]
40 permit tcp 172.24.0.0/24 172.25.0.0/24 eq 4022 established [match=0]
50 permit tcp 172.24.0.0/24 172.25.0.0/24 eq 135 established [match=0]
60 permit udp 172.24.0.0/24 172.25.0.0/24 eq 1434 [match=0]
Thanks!
Craig
10-24-2012 03:42 PM
I'm pretty sure "established" means it checks if the TCP ACK bit is set, regardless of the port. That's why you see 232 matches for rule 5 on garden_OUT and none on the other rules.
You can apply the rule to an explicit TCP port if you just want to match packets belonging to an established TCP session, for example on the HTTP port (80):
permit tcp x eq 80 y established
Please note that you probably want to match the source port in garden_OUT and not the destination port.
Does that help?
10-24-2012 11:30 PM
Figured it out! Thanks for the responses.
The established ACLs had the source and target port backwards.
Wrong
permit tcp 172.24.0.0/24 172.25.0.0/24 eq 1433 established
Correct
permit tcp 172.24.0.0/24 eq 1433 172.25.0.0/24 established
No longer need the established any, works fine! Great!
Thanks!
Craig
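As an added illustration (not from the thread or from Cisco), here is a small Python model of how an NX-OS style ACE is matched: a port qualifier binds to the address token just before it, and `established` only checks that the ACK or RST flag is set. The two ACEs are the wrong and correct ones from the post above; the host addresses and the packets are constructed.

```python
import ipaddress
from collections import namedtuple

# Constructed packet header; ack/rst are the TCP flags that 'established' inspects
Packet = namedtuple("Packet", "proto src sport dst dport ack rst", defaults=(False, False))

def parse_ace(text):
    """Parse 'permit|deny tcp|udp SRC [eq PORT] DST [eq PORT] [established]'.
    A port qualifier binds to the address token just before it."""
    tok = text.split()
    ace = {"action": tok[0], "proto": tok[1], "sport": None, "dport": None}
    i = 2
    ace["src"] = ipaddress.ip_network(tok[i]); i += 1
    if i < len(tok) and tok[i] == "eq":
        ace["sport"] = int(tok[i + 1]); i += 2
    ace["dst"] = ipaddress.ip_network(tok[i]); i += 1
    if i < len(tok) and tok[i] == "eq":
        ace["dport"] = int(tok[i + 1]); i += 2
    ace["established"] = "established" in tok[i:]
    return ace

def ace_matches(ace, pkt):
    # 'established' is not stateful: it only requires the ACK or RST flag to be set
    return (ace["proto"] == pkt.proto
            and ipaddress.ip_address(pkt.src) in ace["src"]
            and ipaddress.ip_address(pkt.dst) in ace["dst"]
            and ace["sport"] in (None, pkt.sport)
            and ace["dport"] in (None, pkt.dport)
            and (not ace["established"] or pkt.ack or pkt.rst))

def evaluate(acl, pkt):
    """First matching ACE wins; anything unmatched falls to the implicit deny."""
    for seq, ace in acl:
        if ace_matches(ace, pkt):
            return seq, ace["action"]
    return None, "deny"

# Constructed traffic: the pasture SQL server (port 1433) answering a garden client
REPLY = Packet("tcp", "172.24.0.10", 1433, "172.25.0.20", 51234, ack=True)
# Constructed: an unsolicited SYN from pasture that 'established' must not pass
UNSOLICITED = Packet("tcp", "172.24.0.10", 1433, "172.25.0.20", 445)

# The thread's two ACEs: port qualifier on the destination vs on the source
WRONG = [(10, parse_ace("permit tcp 172.24.0.0/24 172.25.0.0/24 eq 1433 established"))]
CORRECT = [(10, parse_ace("permit tcp 172.24.0.0/24 eq 1433 172.25.0.0/24 established"))]

if __name__ == "__main__":
    print("wrong      :", evaluate(WRONG, REPLY))          # (None, 'deny')
    print("correct    :", evaluate(CORRECT, REPLY))        # (10, 'permit')
    print("unsolicited:", evaluate(CORRECT, UNSOLICITED))  # (None, 'deny')
```

The return traffic has 1433 as its source port and an ephemeral destination port, so the "wrong" ACE can never match it, which is why only the port-less `established` entry (sequence 5) accumulated hits.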
10-24-2012 10:44 PM
This link should help
http://www.orbit-computer-solutions.com/Reflexive-ACLs.php
Regards,
10-24-2012 11:39 PM
IMO reflexive ACLs are not supported on Nexus 5000. "established" is the way to go on this platform.