Problem with acl and access-group

gmerot
Level 1

Hi guys


I have some problems getting ACLs working. The main purpose of these ACLs is to control what goes out from the VLAN to the internet. (For example, I want only my proxy to be able to access the web.) So, I used Cisco Packet Tracer and tested the new rules in the lab without any problem.

interface Vlan1
 ip address x.x.x.x x.x.x.x
 ip flow ingress
 ip flow egress
 ip nat inside
 ip access-group 190 in
 ip virtual-reassembly
 crypto map cryptomap
!
access-list 190 permit tcp any any eq 22 log
access-list 190 permit tcp any any eq www
access-list 190 permit tcp any any eq 443 log
access-list 190 permit udp any any eq 53 log
access-list 190 permit tcp any any eq 53 log
access-list 190 permit udp any any eq domain log
access-list 190 permit udp any any eq ntp log
access-list 190 permit tcp any any eq 3389 log
access-list 190 permit tcp any any eq smtp log
access-list 190 permit icmp any any echo log
access-list 190 permit tcp any any established
access-list 190 deny ip any any

But it doesn't work on my Cisco 1811w, and I don't understand why, and I'm not sure I have sufficient knowledge to solve my problem on my own.

Could someone help me?

Please find attached the running-config.



Julio Carvajal
VIP Alumni

Hello Gregory,

I mean, based on this:

access-list 190 permit tcp any any eq www

Everyone will be able to access the outside via port 80, is that expected?

I mean what is not working?

Regards,

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

In my last post, I forgot to say that with these rules applied, my test is to check access to an external FTP with a simple telnet: telnet external_ftp 21.

Despite the line access-list 190 deny ip any any, I still have access to any external FTP!?!?

jcarvaja, you are right, but when I change this rule like this: access-list 190 permit tcp host 192.168.1.58 any eq www

It still works from any workstation in the VLAN.

It's like something bypasses the ACL?!?

Regards,


Hi Gregory,

Could you try removing "access-list 190 permit tcp any any established" and test if the ACL works?


Judging by the rest of your ACLs, you already know that "access-list 190 deny ip any any" at the end should make no difference, as there is an implicit deny at the end - I'm guessing you added this just to be absolutely sure.

Regards

Ranil


Hello Gregory,

As Ranil said, remove that established ACL line, as that is the one causing the issue.

Regards,

Remember to rate all of the helpful posts

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

It works almost correctly.

I'm facing a new issue...

When I apply the ACL on VLAN1, no one can access any of the services (website, ftp, ...) existing in VLAN1 from the other VLANs...

I tried to solve this problem in the lab, with no luck at the moment!

If you have some idea...

Regards,


So I answer myself...

For each server hosting a service, I added these lines to my ACL and it works!

access-list 190 permit tcp host 192.168.1.HTTP any established
access-list 190 permit tcp host 192.168.1.HTTPS any established
access-list 190 permit tcp host 192.168.1.SMTP any established
access-list 190 permit tcp host 192.168.1.FTP any established

Is that correct?

But I don't understand why I cannot add lines like the ones below:

access-list 190 permit tcp host 192.168.1.HTTP any eq http established
access-list 190 permit tcp host 192.168.1.HTTPS any eq 443 established
access-list 190 permit tcp host 192.168.1.SMTP any eq smtp established
access-list 190 permit tcp host 192.168.1.FTP any eq ftp established

???

Ranil Herath
Level 1

If I recall your config correctly, you were applying the ACL on interface VLAN 1 INBOUND.

"access-list 190 permit tcp host 192.168.1.HTTP any eq http established"
If you use the above rule it's going to filter traffic coming INTO the router from VLAN1 - in other words return traffic from your web server.
In the return traffic, the destination port is not going to be 80. It'll be some random port that was used by the client.

You have 2 options. Use either:
1. access-list 190 permit tcp host 192.168.1.HTTP eq HTTP any established

2. Or create a new ACL that has entries with the ESTABLISHED key word and assign it INBOUND on the outside VLAN interface. (Although this may not be ideal for your setup - I can't open your original config at the moment to check :) )

Hope this helps

Cheers




Thanks for the explanation.

But I'm facing a new issue...

When I apply the ACL on VLAN1, my SSH access to the router from a workstation in VLAN1 is so slow???

Do you know why?

Regards,

OK, I found it by myself... I just need to add a line for SSH!

Thanks jcarvaja and Ranil Herath for your help!!

Concerning active/passive FTP, I need to access external FTP servers (active or passive).

I read this link and transformed my ACLs:

access-list 190 permit tcp any any eq ftp
access-list 190 remark FOR ACTIVE
access-list 190 permit tcp any eq ftp-data any 1024
access-list 190 remark FOR PASSIVE
access-list 190 permit tcp any gt 1024 any gt 1024

It works, but with the last line, the port range from 1024 to 65535 is opened and bypasses my other ACL entries?!?!?

Is there a tip for passive FTP?

Regards,
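As an added illustration of two points raised in this thread (Ranil's explanation of why "eq http" must sit on the source side for return traffic on an inbound Vlan1 ACL, and the last post's observation that "permit tcp any gt 1024 any gt 1024" lets unrelated traffic through), here is a small first-match evaluator for the extended-ACL syntax used above. It is example code written for this page, not Cisco software and not the original poster's configuration; the port-name table, the client addresses and the port-8080 connection are constructed, and the host 192.168.1.HTTP is the thread's own placeholder.

```python
from dataclasses import dataclass

# Constructed name-to-port table for the keywords used in this thread.
PORT_NAMES = {"www": 80, "http": 80, "ftp": 21, "ftp-data": 20, "smtp": 25,
              "domain": 53, "ntp": 123, "ssh": 22}

@dataclass
class Packet:
    proto: str          # "tcp", "udp" or "icmp"
    src: str
    sport: int
    dst: str
    dport: int
    ack: bool = False   # ACK/RST flag set: the only thing 'established' tests

@dataclass
class Rule:
    action: str
    proto: str
    src: str            # "any" or a host address
    sport: tuple        # (operator, port) or None
    dst: str
    dport: tuple
    established: bool
    text: str

def _addr(toks, i):
    if toks[i] == "any":
        return "any", i + 1
    if toks[i] == "host":
        return toks[i + 1], i + 2
    raise ValueError("unsupported address form: " + " ".join(toks))

def _portop(toks, i):
    if i < len(toks) and toks[i] in ("eq", "gt", "lt"):
        tok = toks[i + 1]
        return (toks[i], int(tok) if tok.isdigit() else PORT_NAMES[tok.lower()]), i + 2
    return None, i

def parse_acl(lines):
    """Parse 'access-list N ...' lines into Rule objects; remarks are skipped."""
    rules = []
    for line in lines:
        toks = line.split()
        if len(toks) < 5 or toks[0] != "access-list" or toks[2] == "remark":
            continue
        src, i = _addr(toks, 4)
        sport, i = _portop(toks, i)
        dst, i = _addr(toks, i)
        dport, i = _portop(toks, i)
        rules.append(Rule(toks[2], toks[3], src, sport, dst, dport,
                          "established" in toks[i:], line))
    return rules

def _port_ok(spec, p):
    if spec is None:
        return True
    op, n = spec
    return {"eq": p == n, "gt": p > n, "lt": p < n}[op]

def rule_matches(r, pkt):
    if r.proto != "ip" and r.proto != pkt.proto:
        return False
    if r.src != "any" and r.src != pkt.src:
        return False
    if r.dst != "any" and r.dst != pkt.dst:
        return False
    if r.proto in ("tcp", "udp") and not (_port_ok(r.sport, pkt.sport)
                                          and _port_ok(r.dport, pkt.dport)):
        return False
    if r.established and not (pkt.proto == "tcp" and pkt.ack):
        return False
    return True

def evaluate(rules, pkt):
    """First matching entry wins; every ACL ends with an implicit deny."""
    for r in rules:
        if rule_matches(r, pkt):
            return r.action, r.text
    return "deny", "implicit deny"

# Scenario 1: the ACL is applied inbound on Vlan1, so the web server's reply enters
# the router with SOURCE port 80 and the client's ephemeral DESTINATION port.
# The client address on another VLAN is constructed.
WRONG = ["access-list 190 permit tcp host 192.168.1.HTTP any eq http established"]
RIGHT = ["access-list 190 permit tcp host 192.168.1.HTTP eq http any established"]
WEB_REPLY = Packet("tcp", "192.168.1.HTTP", 80, "192.168.2.10", 51234, ack=True)

def web_reply_result(acl_lines):
    return evaluate(parse_acl(acl_lines), WEB_REPLY)[0]

# Scenario 2: the passive-FTP entry also matches a connection that has nothing to
# do with FTP (constructed: a workstation opening port 8080 on an outside host).
PASSIVE_ACL = [
    "access-list 190 permit tcp any any eq ftp",
    "access-list 190 remark FOR PASSIVE",
    "access-list 190 permit tcp any gt 1024 any gt 1024",
    "access-list 190 deny ip any any",
]
STRAY = Packet("tcp", "192.168.1.20", 49152, "198.51.100.5", 8080)

def passive_bypass_result():
    return evaluate(parse_acl(PASSIVE_ACL), STRAY)

if __name__ == "__main__":
    print("dst-port form:", web_reply_result(WRONG))   # deny (implicit)
    print("src-port form:", web_reply_result(RIGHT))   # permit
    print("stray 8080   :", passive_bypass_result())   # permit, by the gt 1024 line
```

The evaluator is deliberately minimal (no wildcard masks, no ranges) but it is enough to see both effects: the "any eq http" form never matches the reply because the destination port is the client's random port, and the "gt 1024 any gt 1024" entry is matched by any high-port-to-high-port connection, which is why it bypasses the rest of the ACL.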
