04-26-2013 06:58 AM - edited 03-11-2019 06:35 PM
Hi guys
I have some problems getting ACLs to work. The main purpose of these ACLs is to control what goes out from the VLAN to the internet. (For example, I want only my proxy to be able to access the web.) So I used Cisco Packet Tracer and tested the new rules in the lab without any problem.
interface Vlan1
ip address x.x.x.x x.x.x.x
ip flow ingress
ip flow egress
ip nat inside
ip access-group 190 in
ip virtual-reassembly
crypto map cryptomap
!
access-list 190 permit tcp any any eq 22 log
access-list 190 permit tcp any any eq www
access-list 190 permit tcp any any eq 443 log
access-list 190 permit udp any any eq 53 log
access-list 190 permit tcp any any eq 53 log
access-list 190 permit udp any any eq domain log
access-list 190 permit udp any any eq ntp log
access-list 190 permit tcp any any eq 3389 log
access-list 190 permit tcp any any eq smtp log
access-list 190 permit icmp any any echo log
access-list 190 permit tcp any any established
access-list 190 deny ip any any
But it doesn't work on my Cisco 1811W, and I don't understand why. I'm not sure I have sufficient knowledge to solve this problem on my own.
Could someone help me?
Please find attached the running-config.
04-29-2013 08:31 AM
Hi Gregory,
Could you try removing "access-list 190 permit tcp any any established" and test if the ACL works?
Judging by the rest of your ACLs, you already know that "access-list 190 deny ip any any" at the end should make no difference, as there is an implicit deny at the end - I'm guessing you added this just to be absolutely sure.
Regards
Ranil
04-29-2013 09:54 AM
Hello Gregory,
As Ranil said, remove that established ACL line, as that is the one causing the issue.
Regards,
Remember to rate all of the helpful posts
04-26-2013 09:48 AM
Hello Gregory,
I mean, based on this:
access-list 190 permit tcp any any eq www
Everyone will be able to access the outside via port 80, is that expected?
I mean what is not working?
Regards,
04-29-2013 12:13 AM
In my last post, I forgot to say that with these rules applied, my test is to check access to an external FTP server with a simple telnet: telnet external_ftp 21.
Despite the line access-list 190 deny ip any any, I still have access to any external FTP!?!?
jcarvaja, you are right, but when I change this rule like this: access-list 190 permit tcp host 192.168.1.58 any eq www
it still works from any workstation in the VLAN.
It's like something bypasses the ACL?!?
Regards,
04-30-2013 06:42 AM
It works almost correctly.
I'm facing a new issue...
When I apply the ACL on VLAN1, no one can access any services (website, FTP, ...) hosted in VLAN1 from other VLANs...
I'm trying to solve this problem in the lab, with no luck at the moment!
If you have some idea...
Regards,
04-30-2013 07:24 AM
So I answer myself...
For each server hosting a service, I added these lines to my ACL and it works!
access-list 190 permit tcp host 192.168.1.HTTP any established
access-list 190 permit tcp host 192.168.1.HTTPS any established
access-list 190 permit tcp host 192.168.1.SMTP any established
access-list 190 permit tcp host 192.168.1.FTP any established
Is that correct?
But I don't understand why I cannot add lines like those below:
access-list 190 permit tcp host 192.168.1.HTTP any eq http established
access-list 190 permit tcp host 192.168.1.HTTPS any eq 443 established
access-list 190 permit tcp host 192.168.1.SMTP any eq smtp established
access-list 190 permit tcp host 192.168.1.FTP any eq ftp established
???
04-30-2013 10:17 AM
If I recall your config correctly, you were applying the ACL on interface VLAN 1 INBOUND.
"access-list 190 permit tcp host 192.168.1.HTTP any eq http established"
If you use the above rule it's going to filter traffic coming INTO the router from VLAN1 - in other words return traffic from your web server.
In the return traffic, the destination port is not going to be 80. It'll be some random port that was used by the client.
You have 2 options. Use either:
1. access-list 190 permit tcp host 192.168.1.HTTP eq HTTP any established
2. Or create a new ACL that has entries with the ESTABLISHED key word and assign it INBOUND on the outside VLAN interface. (Although this may not be ideal for your setup - I can't open your original config at the moment to check :) )
Hope this helps
Cheers
Sent from Cisco Technical Support iPhone App
05-02-2013 02:52 AM
Thanks for the explanation
But I'm facing a new issue...
When I apply the ACL on VLAN1, my SSH access to the router from a workstation in VLAN1 is so slow???
Do you know why?
Regards,
05-03-2013 06:17 AM
OK, I found it myself... I just need to add a line for SSH!
Thanks jcarvaja and Ranil Herath for your help !!
05-16-2013 08:53 AM
Concerning active/passive FTP, I need to access external FTP servers (active or passive).
I read this link and transformed my ACLs:
access-list 190 permit tcp any any eq ftp
access-list 190 remark FOR ACTIVE
access-list 190 permit tcp any eq ftp-data any gt 1024
access-list 190 remark FOR PASSIVE
access-list 190 permit tcp any gt 1024 any gt 1024
It works, but with the last line the port range from 1024 to 65535 is opened and bypasses my other ACL entries?!?!?
Is there a tip for passive FTP?
Regards,
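Ranil's point about the direction of the established check on an inbound Vlan1 ACL, and the width of the passive-FTP line in the last post, as an added example that is not code from the thread: a small Python model of how IOS evaluates these entries (first match wins, implicit deny, "established" only matching segments with ACK or RST set). The addresses, the 192.168.1.10 stand-in for 192.168.1.HTTP and the helper names are assumptions.

```python
# Added example, not code from the thread: a small model of IOS extended-ACL
# evaluation (first match wins, implicit deny, "established" = ACK or RST set).
# Addresses, ports and the helper names are constructed for illustration.
from collections import namedtuple

# ack=True models a mid-connection segment (return traffic); a SYN has ack=False
Pkt = namedtuple("Pkt", "src sport dst dport ack", defaults=(False,))

def _port(spec, port):
    # spec: None (any port), ("eq", n) or ("gt", n), mirroring the IOS syntax
    if spec is None:
        return True
    op, n = spec
    return port == n if op == "eq" else port > n

def ace(action, src="any", sport=None, dst="any", dport=None, established=False):
    # One TCP entry of access-list 190; src/dst are "any" or a single host
    return (action, src, sport, dst, dport, established)

def evaluate(acl, p):
    for action, src, sport, dst, dport, est in acl:
        if src != "any" and src != p.src:
            continue
        if dst != "any" and dst != p.dst:
            continue
        if not (_port(sport, p.sport) and _port(dport, p.dport)):
            continue
        if est and not p.ack:  # "established" never matches the opening SYN
            continue
        return action
    return "deny"  # the implicit deny at the end of every IOS ACL

WEB = "192.168.1.10"  # constructed stand-in for 192.168.1.HTTP in the thread
# Reply from the web server to an Internet client, as seen inbound on Vlan1:
# source port 80, destination is the client's random port, ACK set.
web_reply = Pkt(WEB, 80, "203.0.113.5", 51234, True)
# "permit tcp host WEB any eq http established": tests the dst port, so fails
wrong_ace = [ace("permit", WEB, None, "any", ("eq", 80), True)]
# "permit tcp host WEB eq http any established": tests the src port, so works
right_ace = [ace("permit", WEB, ("eq", 80), "any", None, True)]

# Client SYN to an outside FTP server: no ACK, so no "established" line matches
ftp_syn = Pkt("192.168.1.58", 50000, "198.51.100.7", 21)
# The passive-FTP line from the last post, on its own: any high port to any
# high port, so a non-FTP connection such as this one is also permitted
passive = [ace("permit", "any", ("gt", 1024), "any", ("gt", 1024))]
non_ftp = Pkt("192.168.1.58", 50001, "198.51.100.7", 8443)
```

Calling evaluate(wrong_ace, web_reply) returns "deny" while evaluate(right_ace, web_reply) returns "permit", and evaluate(passive, non_ftp) returns "permit", which is the bypass the last post observed.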