07-20-2010 07:15 AM - edited 03-04-2019 09:07 AM
Hello,
I'm learning as I go with configuring Cisco routers so please excuse my very basic questions.
I have two networks (172.16.0.0 and 172.17.0.0) I need to be able to have the traffic from the 172.16 network access systems on the 172.17 network, but the 172.17 network should NOT be able to get to anything on the 172.16 network except for 1 server on one specific port. Please see my access-lists:
access-list 120 permit tcp 172.17.0.0 0.0.0.255 host 172.16.1.7 eq 15871
access-list 120 deny ip 172.17.0.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 120 deny ip 172.17.0.0 0.0.0.255 172.16.0.0 0.15.255.255
access-list 120 deny ip 172.17.0.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 120 permit ip any any
My feeling is the third deny statement is causing the problem.
So my first question is, are the statements bi-directional?
Someone else configured this router. Should each ACL have a different #? I ask because when I issue a NO ACCESS-LIST 120 deny ip 172.17.0.0 0.0.0.255 172.16.0.0 0.15.255.255 it removes all of the 120 ACLs.
Any help or suggestions on what the ACLs should be would be HUGELY appreciated!
Nick Jax
07-20-2010 08:07 AM
So my first question is, are the statements bi-directional?
No, they are not bidirectional. You apply the access-group under the interface in or out.
Per your syntax, you need to apply this ACL in the out direction towards the 172.16.x.x network.
Or in direction from the 172.17.x.x network.
Should each ACL have a different #? I ask because when I issue a NO ACCESS-LIST 120 deny ip 172.17.0.0 0.0.0.255 172.16.0.0 0.15.255.255 it removes all of the 120 ACLs
No, you don't need to create an ACL number for each entry since you are only allowed to enter one access-group command per interface.
If you want to modify an entry, type show ip access-list
Write down the sequence number of the entry you want to remove, then proceed with the command ip access-list extended 120
then remove the entry with a no followed by the sequence number.
For instance:
Rack1R1#sh ip access-list 120
Extended IP access list 120
10 permit tcp 172.17.0.0 0.0.0.255 host 172.16.1.7 eq 15871
20 deny ip 172.17.0.0 0.0.0.255 10.0.0.0 0.255.255.255
30 deny ip 172.17.0.0 0.0.0.255 172.16.0.0 0.15.255.255
40 deny ip 172.17.0.0 0.0.0.255 192.168.0.0 0.0.255.255
50 permit ip any any
Rack1R1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Rack1R1(config)#ip access-list exten 120
Rack1R1(config-ext-nacl)#$no 30 deny ip 172.17.0.0 0.0.0.255 172.16.0.0 0.15.255.255
Rack1R1(config-ext-nacl)#do show ip access-list
Extended IP access list 120
10 permit tcp 172.17.0.0 0.0.0.255 host 172.16.1.7 eq 15871
20 deny ip 172.17.0.0 0.0.0.255 10.0.0.0 0.255.255.255
40 deny ip 172.17.0.0 0.0.0.255 192.168.0.0 0.0.255.255
50 permit ip any any
Rack1R1(config-ext-nacl)#
Regards
Edison
07-20-2010 08:13 AM
Nick
Access lists are very useful but can become quite complex and confusing. Good luck to you as you work your way to a better understanding of how they work.
The question of whether access lists are bi-directional is an interesting question. Basically the answer is that no, they are not bi-directional. An extended access list is coded to permit or deny certain source addresses and/or certain destination addresses, and the access list is applied to an interface specifying a direction (in or out). So the access list is really uni-directional. But to work effectively with access lists you frequently need to think bi-directionally. For example, your requirement that 172.17 not be able to get to anything on 172.16 seems straightforward. But it gets more complex when you think that if 172.16 gets to 172.17 then 172.17 needs to send responses. So how do you allow responses but not allow 172.17 to initiate traffic? (And the answer is that for TCP permitting responses is pretty easy - you permit "established" - but for UDP it is a bit more complex and you frequently wind up specifying source and destination ports - for example for TFTP you allow port 69 as the destination port on traffic from 172.16 to 172.17 and allow as the source port for traffic from 172.17 to 172.16 and deny port 69 in the reverse directions.)
I do not understand the third deny - it specifies 192.168.0.0 but you have not told us anything about how that network relates to your environment. And in fact there is not anything in your post that explains what problem you are encountering. So it is hard to give good advice about that particular access list.
As to the question about numbering the access list: a numbered access list may have a single statement or may have multiple statements (multiple statements in the access list are much more common). It is one of the behaviors of numbered access lists that if you attempt to remove a single line it will remove the entire access list. In recent versions of IOS they have used the concept of sequence numbers, which can make editing the access list a bit easier.
HTH
Rick
07-20-2010 09:22 AM
Thank you Rick/Edison,
Rick - sorry for not being specific. Here is my issue (for reference I am posting my ACL again and interface info):
interface Ethernet0
ip address 172.16.1.1 255.255.255.0
no ip directed-broadcast
media-type 10BaseT
interface Ethernet1
ip address 172.17.0.1 255.255.255.0
ip access-group 120 in
no ip directed-broadcast
media-type 10BaseT
access-list 120 permit tcp 172.17.0.0 0.0.0.255 host 172.16.1.7 eq 15871
access-list 120 deny ip 172.17.0.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 120 deny ip 172.17.0.0 0.0.0.255 172.16.0.0 0.15.255.255
access-list 120 deny ip 172.17.0.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 120 permit ip any any
172.17.0.0 - Company 1 network
172.16.0.0 - Company 2 network
192.168.0.0 - DMZ
My tech team needs to be able to support users on the Company 1 network. Users in Company 1 should NOT be able to see Company 2 servers/workstations or other networked resources, with the exception of the device listed in the first ACL. I want my team to have full access to the 172.17 network.
Have another question too: I noticed the "ip access-group 120 in" statement on the Ethernet1 interface. If I am reading this right, it is saying to apply ACL 120 for inbound traffic. The first ACL reads permit traffic from the 172.17 network to host 172.16.1.7. Isn't that OUTBOUND from the interface instead of IN? By the way, I have no issue with the way the current ACLs are working, I'm just confused about the "in" and "out" (and I want to be able to add the ability of 172.16 accessing 172.17 network).
Thank you again for your time.
07-20-2010 09:44 AM
Nick
One of the (several) potentially confusing things about access lists is the issue of direction. So your confusion is understandable. The in and out of the access list is from the perspective of the router interface. Ethernet1 is in subnet 172.17.0.0 and traffic coming IN to the interface from hosts in that subnet will have 172.17.0.x as the source address. And traffic going OUT of that interface will have 172.17.0.x as the destination.
HTH
Rick
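To make the first-match, wildcard-mask and direction behaviour from this thread concrete, here is an added Python model (not from the thread, and not Cisco code) that evaluates ACL 120 as Nick posted it; the Ace class, the evaluate and seen_by_ethernet1_in helpers, and the REPLY_ACE "established" entry are my own assumptions for illustration, following Rick's hint.

```python
import ipaddress
from dataclasses import dataclass

def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Cisco wildcard mask: 0 bits must equal the network, 1 bits are don't-care."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, network, wildcard))
    return (a & ~w) == (n & ~w)

@dataclass
class Ace:
    action: str                 # "permit" or "deny"
    proto: str                  # "ip" or "tcp"
    src: tuple                  # (network, wildcard)
    dst: tuple                  # (network, wildcard)
    dport: "int | None" = None  # "eq <port>" on the destination
    established: bool = False   # TCP "established": ACK or RST bit set

ANY = ("0.0.0.0", "255.255.255.255")
# ACL 120 as posted, applied "in" on Ethernet1 (the 172.17.0.0/24 side).
ACL_120 = [
    Ace("permit", "tcp", ("172.17.0.0", "0.0.0.255"), ("172.16.1.7", "0.0.0.0"), dport=15871),
    Ace("deny", "ip", ("172.17.0.0", "0.0.0.255"), ("10.0.0.0", "0.255.255.255")),
    Ace("deny", "ip", ("172.17.0.0", "0.0.0.255"), ("172.16.0.0", "0.15.255.255")),
    Ace("deny", "ip", ("172.17.0.0", "0.0.0.255"), ("192.168.0.0", "0.0.255.255")),
    Ace("permit", "ip", ANY, ANY),
]
# Hypothetical entry after Rick's "established" hint: let 172.17 hosts answer TCP sessions
# that 172.16 opened; it must precede the 172.16 deny (this model renumbers 10, 20, ...).
REPLY_ACE = Ace("permit", "tcp", ("172.17.0.0", "0.0.0.255"),
                ("172.16.0.0", "0.15.255.255"), established=True)
ACL_120_FIXED = ACL_120[:2] + [REPLY_ACE] + ACL_120[2:]

def evaluate(acl, proto, src, dst, dport=None, ack=False):
    """First match wins; returns (action, sequence). No match means the implicit deny."""
    for seq, ace in enumerate(acl, start=1):
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if not (wildcard_match(src, *ace.src) and wildcard_match(dst, *ace.dst)):
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        if ace.established and not ack:
            continue
        return ace.action, seq * 10
    return "deny", None

def seen_by_ethernet1_in(src: str) -> bool:
    """Only packets arriving on Ethernet1 (source in 172.17.0.0/24) meet its 'in' ACL."""
    return wildcard_match(src, "172.17.0.0", "0.0.0.255")
```

Run against the posted list, a reply from a 172.17 host to a session a 172.16 host opened is dropped by entry 30, which is why adding 172.16-to-172.17 access needs an "established" style entry on the 172.17 side rather than a change on Ethernet0.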