Extended ACL permit ip and allowed ports

mahesh18
Level 6
Level 6

Hi everyone,

I need to confirm: if we have the extended ACL with the object groups below,

access-list xy_access_in extended permit ip object-group xy_subnets object-group cisco_ynetworks

will the above ACL allow all ports on the destination object group?

Thanks

mahesh

2 Accepted Solutions

Jouni Forss
VIP Alumni

Hi,

The ACL rule by itself would mean that TCP/UDP traffic would be allowed on ANY destination or source port from xy_subnets to cisco_ynetworks.

Do notice this very important fact when configuring ACLs:

If you have some ACL rule before the mentioned rule in the same ACL, and it's set to block some ports, and that rule's source/destination addresses apply to the source/destination networks in these "object-group"s, then it's possible that some ports get blocked even though this rule alone would allow them.

- Jouni


And to illustrate the situation above:

Situation 1 - Only the allow rule exists on the ACL

object-group network SOURCE
 network-object 10.10.10.0 255.255.255.0
 network-object 10.10.20.0 255.255.255.0
object-group network DESTINATION
 network-object 10.10.100.0 255.255.255.0
 network-object 10.10.200.0 255.255.255.0

access-list SOURCE-IN permit ip object-group SOURCE object-group DESTINATION

The above ACL would:

  • Allow ALL TCP/UDP source and destination ports
  • Allow those from the source networks of SOURCE to the destination networks of DESTINATION

Situation 2 - Deny rules exist before the allowing rule

object-group network SOURCE
 network-object 10.10.10.0 255.255.255.0
 network-object 10.10.20.0 255.255.255.0
object-group network DESTINATION
 network-object 10.10.100.0 255.255.255.0
 network-object 10.10.200.0 255.255.255.0

access-list SOURCE-IN deny ip host 10.10.10.10 host 10.10.100.100
access-list SOURCE-IN deny tcp host 10.10.10.10 host 10.10.200.200 eq 80
access-list SOURCE-IN permit ip object-group SOURCE object-group DESTINATION

The above ACL would:

  • First block ALL TCP/UDP traffic from host 10.10.10.10 to host 10.10.100.100
  • It would also block TCP traffic from host 10.10.10.10 to host 10.10.200.200 on the destination port TCP/80
  • It would then allow ALL TCP/UDP traffic from the source networks of SOURCE to the destination networks of DESTINATION

The key thing to notice, of course, would be that we have blocked some traffic on the first 2 lines of the ACL and then allowed ALL TCP/UDP traffic.

So host 10.10.10.10 can't communicate with host 10.10.100.100 on any port, since the "deny" rule for that is at the top of the ACL, BEFORE the rule that allows ALL TCP/UDP traffic between these networks.

In the other case, the TCP/80 destination traffic from host 10.10.10.10 to host 10.10.200.200 would be blocked, BUT the rest of the TCP/UDP traffic would be allowed by the rule using the "object-group".

- Jouni

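To make the first-match behaviour in Jouni's two situations checkable rather than reasoned out by hand, here is an added example (my own code, not from the post or from Cisco) that parses the object-groups and the Situation 2 access-list above into a tiny model and evaluates sample flows against it the way the ASA does: top to bottom, first matching entry wins, and anything unmatched falls to the implicit deny. The config text, the flow list and the `evaluate`/`check_flows` helper names are all constructed for this example; only the `object-group`, `network-object`, `host`, `any`, `extended` and `eq` keywords are real ASA syntax, and the parser handles just that subset.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed sample config: the object-groups and the "Situation 2" ACL from
# the post, in ASA-style syntax (the optional "extended" keyword is accepted too).
ASA_CONFIG = """
object-group network SOURCE
 network-object 10.10.10.0 255.255.255.0
 network-object 10.10.20.0 255.255.255.0
object-group network DESTINATION
 network-object 10.10.100.0 255.255.255.0
 network-object 10.10.200.0 255.255.255.0
access-list SOURCE-IN deny ip host 10.10.10.10 host 10.10.100.100
access-list SOURCE-IN deny tcp host 10.10.10.10 host 10.10.200.200 eq 80
access-list SOURCE-IN extended permit ip object-group SOURCE object-group DESTINATION
"""

ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass
class Ace:
    """One access control entry (one access-list line)."""
    action: str            # "permit" or "deny"
    proto: str             # "ip", "tcp" or "udp"; "ip" matches any protocol
    src: list              # networks the source address may fall in
    dst: list              # networks the destination address may fall in
    dport: Optional[int]   # destination port for "eq N", else None (= any port)
    line: str              # original text, kept so a verdict can be explained


def _take_addr(tokens, i, groups):
    """Consume one address spec starting at tokens[i]; return (networks, next_index)."""
    if tokens[i] == "object-group":
        return groups[tokens[i + 1]], i + 2
    if tokens[i] == "host":
        return [ipaddress.ip_network(tokens[i + 1] + "/32")], i + 2
    if tokens[i] == "any":
        return [ANY], i + 1
    # plain "network mask" form
    return [ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False)], i + 2


def parse_config(text):
    """Return ({group_name: [networks]}, {acl_name: [Ace, ...]}) in config order."""
    groups, acls, current = {}, {}, None
    for raw in text.splitlines():
        t = raw.split()
        if not t:
            continue
        if t[:2] == ["object-group", "network"]:
            current = groups.setdefault(t[2], [])
        elif t[0] == "network-object":
            current.append(ipaddress.ip_network(f"{t[1]}/{t[2]}", strict=False))
        elif t[0] == "access-list":
            i = 2
            if t[i] == "extended":
                i += 1
            action, proto = t[i], t[i + 1]
            src, i = _take_addr(t, i + 2, groups)
            dst, i = _take_addr(t, i, groups)
            dport = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None
            acls.setdefault(t[1], []).append(Ace(action, proto, src, dst, dport, raw.strip()))
    return groups, acls


def evaluate(acl, proto, src, dst, dport=None):
    """First-match lookup: the first ACE whose fields all match decides the verdict.

    Order matters: a deny above a broad permit wins for the traffic it covers,
    which is exactly the Situation 2 effect. Unmatched traffic hits the implicit deny.
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in acl:
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if not any(s in n for n in ace.src) or not any(d in n for n in ace.dst):
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action, ace.line
    return "deny", "<implicit deny at end of ACL>"


def check_flows(config_text, acl_name, flows):
    """Evaluate a list of (proto, src, dst, dport) tuples against the named ACL."""
    _, acls = parse_config(config_text)
    return [evaluate(acls[acl_name], *f) for f in flows]


if __name__ == "__main__":
    # Constructed sample flows covering each bullet of Jouni's explanation.
    flows = [
        ("tcp", "10.10.10.10", "10.10.100.100", 443),  # line 1 denies every port
        ("tcp", "10.10.10.10", "10.10.200.200", 80),   # line 2 denies only TCP/80
        ("tcp", "10.10.10.10", "10.10.200.200", 443),  # falls through to the permit
        ("udp", "10.10.20.5", "10.10.100.7", 53),      # object-group permit, any port
        ("tcp", "10.10.30.1", "10.10.100.7", 22),      # not in SOURCE: implicit deny
    ]
    for f, (action, why) in zip(flows, check_flows(ASA_CONFIG, "SOURCE-IN", flows)):
        print(f"{f[0]} {f[1]} -> {f[2]}:{f[3]}  {action:6}  ({why})")
```

Swapping the order of the three access-list lines in `ASA_CONFIG` and re-running is the quickest way to see why the post stresses rule position: with the permit first, both deny lines become dead entries that never match anything.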

3 Replies

Hi Jouni,

After reading your first post I was going to ask you to explain with an example.

Seems you read my mind and put up the second post.

I got it now. Welcome to the ACL world.

Regards

Mahesh
