03-17-2003 08:04 AM - edited 03-02-2019 05:55 AM
When building the ACL, should the 'access-list 102 permit ip any any' be in the beginning or the ending of the list? I've tried both and there didn't seem to be a difference.
I have the code below in my front end router. The PIX that is off the E0 interface is still getting packets from S0/0-S0/1 that I've denied. Specifically the UDP 1434 and 139 packets.
Here is the Log from the PIX
%PIX-3-106011: Deny inbound (No xlate) udp src outside:64.159.82.2 (unresolved) /2364 dst outside:192.168.1.70 (unresolved) /1434
here are my Serial interfaces:
interface Serial0/0
description Serial Connection to Internet - First T1
no ip address
encapsulation frame-relay IETF
no ip mroute-cache
fair-queue
service-module t1 timeslots 1-24
frame-relay lmi-type ansi
!
interface Serial0/0.1 point-to-point
ip address 10.0.0.1 255.255.255.252
ip access-group 102 in
ip load-sharing per-packet
no ip mroute-cache
frame-relay interface-dlci 16
!
interface Serial0/1
description Serial Connection to Internet - Second T1
no ip address
encapsulation frame-relay IETF
no ip mroute-cache
fair-queue
service-module t1 timeslots 1-24
frame-relay lmi-type ansi
!
interface Serial0/1.1 point-to-point
ip address 10.0.0.5 255.255.255.252
ip access-group 102 in
ip load-sharing per-packet
no ip mroute-cache
frame-relay interface-dlci 16
Here is my ACL:
access-list 102 permit ip any any
access-list 102 deny tcp any 192.168.1.0 0.0.0.255 eq 137
access-list 102 deny tcp any 192.168.1.0 0.0.0.255 eq 138
access-list 102 deny tcp any 192.168.1.0 0.0.0.255 eq 139
access-list 102 deny udp any 192.168.1.0 0.0.0.255 eq netbios-dgm
access-list 102 deny udp any 192.168.1.0 0.0.0.255 eq netbios-ns
access-list 102 deny udp any 192.168.1.0 0.0.0.255 eq netbios-ss
access-list 102 deny tcp any 192.168.1.0 0.0.0.255 eq 1433
access-list 102 deny tcp any 192.168.1.0 0.0.0.255 eq 1434
access-list 102 deny udp any 192.168.1.0 0.0.0.255 eq 1433
access-list 102 deny udp any 192.168.1.0 0.0.0.255 eq 1434
access-list 102 deny icmp any 0.0.0.0 255.255.255.0
access-list 102 deny icmp any 0.0.0.255 255.255.255.0
access-list 102 deny icmp any any redirect log
access-list 102 deny ip 10.0.0.0 0.255.255.255 any
access-list 102 deny ip 172.16.0.0 0.15.255.255 any
access-list 102 deny ip 192.168.0.0 0.0.255.255 any
access-list 102 deny ip 224.0.0.0 31.255.255.255 any
access-list 102 deny ip 0.0.0.0 0.255.255.255 any
access-list 102 deny ip 127.0.0.0 0.255.255.255 any
access-list 102 deny ip 255.0.0.0 0.255.255.255 any
access-list 102 deny ip host 0.0.0.0 any
access-list 102 deny ip host 0.0.0.0 any
03-17-2003 08:11 AM
ACL is order sensitive. ACL will be processed from top to bottom. The "permit ip any any" at the top makes all the rules below it redundant. This has the same effect as not having the ACL. If you want to deny selected sources and permit everything else, you should have "permit ip any any" at the very bottom of the list.
-Ganesh.
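To see why the ordering matters, here is an added example (not from the thread or from any Cisco tool) that walks a numbered IOS ACL the way the router does, first match wins with an implicit deny at the end, and evaluates the exact packet from Scott's PIX log against a constructed subset of ACL 102 in both orders. The parser handles the syntax used in the thread (any, host, wildcard masks, eq with numeric or netbios-* port names); ICMP type keywords and "log" are not modelled.

```python
import ipaddress
# Subset of ACL 102 from the thread, in the order Scott originally had it (constructed sample input).
ACL_102 = [
    "access-list 102 permit ip any any",
    "access-list 102 deny udp any 192.168.1.0 0.0.0.255 eq netbios-ss",
    "access-list 102 deny udp any 192.168.1.0 0.0.0.255 eq 1434",
    "access-list 102 deny ip 10.0.0.0 0.255.255.255 any",
    "access-list 102 deny ip host 0.0.0.0 any",
]
PORT_NAMES = {"netbios-ns": 137, "netbios-dgm": 138, "netbios-ss": 139}

def parse_addr(tokens):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D wildcard'; return (network, remaining tokens)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    # IOS wildcard masks are inverted netmasks: 0.0.0.255 means /24, 0.0.0.0 means a single host
    netmask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(tokens[1])) ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{tokens[0]}/{netmask}", strict=False), tokens[2:]

def parse_rule(line):
    """access-list <n> <permit|deny> <proto> <src> <dst> [eq <port>] -> (action, proto, src, dst, port)."""
    t = line.split()
    action, proto, rest = t[2], t[3], t[4:]
    src, rest = parse_addr(rest)
    dst, rest = parse_addr(rest)
    port = None
    if rest[:1] == ["eq"]:
        port = PORT_NAMES.get(rest[1]) or int(rest[1])
    return action, proto, src, dst, port

def evaluate(acl_lines, pkt):
    """First match wins, exactly as IOS walks a numbered ACL; unmatched traffic hits the implicit deny."""
    for line in acl_lines:
        action, proto, src, dst, port = parse_rule(line)
        if (proto in ("ip", pkt["proto"])
                and ipaddress.ip_address(pkt["src"]) in src
                and ipaddress.ip_address(pkt["dst"]) in dst
                and (port is None or port == pkt["dport"])):
            return action
    return "deny"  # implicit deny at the end of every IOS ACL

def move_permit_any_last(acl_lines):
    """Ganesh's fix: keep the deny lines in order and put the catch-all permit at the very bottom."""
    catch_all = [l for l in acl_lines if l.endswith(" permit ip any any")]
    return [l for l in acl_lines if l not in catch_all] + catch_all

# The packet from the PIX log line in the thread: udp 64.159.82.2 -> 192.168.1.70 port 1434.
LOGGED_PKT = {"proto": "udp", "src": "64.159.82.2", "dst": "192.168.1.70", "dport": 1434}
```

With the permit on top, evaluate(ACL_102, LOGGED_PKT) returns "permit" and the packet reaches the PIX; with move_permit_any_last(ACL_102) it returns "deny" at the router, while ordinary traffic such as TCP/80 to the same host is still permitted.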
03-17-2003 04:08 PM
Great. I tried that and it works great. Though I thought I had it that way before.
So now I'm on to blocking port 6346 from coming into my Ethernet interface.
My Interface is defined as:
interface FastEthernet0/0
ip address 192.168.1.2 255.255.255.0
ip access-group 101 in
no ip mroute-cache
duplex auto
speed auto
!
My ACL is:
access-list 101 deny tcp any any eq 6346
access-list 101 permit ip any any
On my PIX I can still see traffic that is destined for port 6346. They should not be getting to the PIX if I have the above in my front end router.
Is there something I need to do to 'refresh' the ACL so the port knows that I made changes?
Thanks,
Scott<-
03-17-2003 09:22 PM
I assume that FastEthernet0/0 is the port to which the PIX is connected. The ACL 101 is correctly designed for blocking TCP traffic for port 6346. However, it needs to be applied differently to the interface FastEthernet0/0. You have applied the ACL 101 to FastEthernet0/0 for inbound traffic on that interface. This is evident by "in" in "ip access-group 101 in". Traffic sent by PIX to front end router will be "inbound" for FastEthernet0/0 whereas traffic sent by front end router to PIX will be "outbound" for FastEthernet0/0. If you want to block outbound traffic, you need to apply the ACL for direction "out". Hence, the config statement will be "ip access-group 101 out".
If your intention is to block TCP traffic 6346 completely, you can as well modify the ACL applied on serial interfaces to block this traffic.
-Ganesh.
ACL Manager team,
CiscoWorks.
03-18-2003 07:19 AM
thanks, I thought I had that in there at one point. I'll put it back in and see how it goes.
At what point does the ACL take effect? Is it instant when you make the change or do you need to reset the interface to make the change happen that instant or what?
Is there an easy way to remember the 'in's and 'out's of applying access lists to interfaces?
thanks again!
Scott<-
03-19-2003 12:55 AM
The ACL changes take effect as and when you are making them. You don't have to reset the interface to make ACL changes take effect.
Consider a router interface. If you want to filter traffic that is leaving this interface to enter a different network, you need to apply the ACL to direction "out". "Out" here means the traffic going out of the interface. If you want to filter traffic that is entering the interface from a different network, you need to apply the ACL to direction "in". "In" here means that traffic is entering the router interface from an external network.
Hope this helps!
-Ganesh.
ACL Manager team.
CiscoWorks.