ACL Issues

byates
Level 1

I have two computers, one on VLAN 2 and the other on VLAN 3. The computers on VLAN 3 are very sensitive and require complete segregation. However, a recent project has come up where one server from VLAN 2 needs to talk to a server on VLAN 3. I created a VLAN interface for VLAN 3 and I am able to ping its IP from VLAN 2 and VLAN 3, so the route is there and it's talking.

I created an ACL to lock down traffic to only the specific TCP port(s) I was given that they communicate on. I put those ACLs on the VLAN 3 interface (one inbound, one outbound).

The ACL looks like this:

ip access-list extended Example_Out
 remark VLAN 2 server to VLAN 3 server, applied out on the VLAN 3 SVI
 permit tcp host 10.0.1.1 host 172.16.1.1 range 5500 5509
 deny ip any any
exit

ip access-list extended Example_IN
 remark VLAN 3 server to VLAN 2 server, applied in on the VLAN 3 SVI
 permit tcp host 172.16.1.1 host 10.0.1.1 eq 5481
 deny ip any any
exit

 

Communication is not working. When I take the ACL off, communication works. I see the packet count go up on the deny ip any any. I'm a bit of a noob, so what am I missing here?

1 Accepted Solution

Accepted Solutions

Found the issue.

I examined the packet capture and realized I didn't create a permit for the TCP connection going back to the source port on both inbound and outbound. Feeling a little like a duh moment, but happy I fixed it myself. Now my ACL looks clean, packets are being seen and communication is working. Yes!! lol

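The two lists in the original post and the fix in the accepted solution, as an added example that is not part of the thread: a small Python evaluator for the subset of IOS extended-ACL syntax used here (host/any, eq, range, established, implicit deny), run over a simulated three-way handshake crossing the VLAN 3 SVI in both directions. It assumes VLAN 3 is 172.16.1.0/24 (the post does not say), constructs the client ephemeral ports, and writes the return-traffic permits with the established keyword rather than the source-port permits the poster added; both are standard ways to write it, and established is the narrower one because it only matches segments with ACK or RST set.

```python
"""Added example (not from the thread): evaluate Cisco-style extended ACLs applied
in and out on the VLAN 3 SVI against a simulated TCP handshake. Assumes VLAN 3 is
172.16.1.0/24 (not stated in the post); the ephemeral client ports are constructed."""
from ipaddress import ip_address, ip_network

VLAN3 = ip_network("172.16.1.0/24")  # assumed VLAN 3 subnet

# Lists as posted: 10.0.1.1 is the VLAN 2 production server, 172.16.1.1 the VLAN 3 server.
ORIGINAL_OUT = """ip access-list extended Example_Out
 permit tcp host 10.0.1.1 host 172.16.1.1 range 5500 5509
 deny ip any any"""
ORIGINAL_IN = """ip access-list extended Example_IN
 permit tcp host 172.16.1.1 host 10.0.1.1 eq 5481
 deny ip any any"""
# Same lists plus a permit for each connection's return direction. 'established'
# matches only segments with ACK or RST set, so it never admits a new SYN.
FIXED_OUT = """ip access-list extended Example_Out
 permit tcp host 10.0.1.1 host 172.16.1.1 range 5500 5509
 permit tcp host 10.0.1.1 eq 5481 host 172.16.1.1 established
 deny ip any any"""
FIXED_IN = """ip access-list extended Example_IN
 permit tcp host 172.16.1.1 host 10.0.1.1 eq 5481
 permit tcp host 172.16.1.1 range 5500 5509 host 10.0.1.1 established
 deny ip any any"""

def _addr(tok, i):
    """Parse 'any' or 'host A.B.C.D' at tok[i]; return (predicate, next index)."""
    if tok[i] == "any":
        return (lambda a: True), i + 1
    if tok[i] == "host":
        return (lambda a, h=tok[i + 1]: a == h), i + 2
    raise ValueError(f"unsupported address form: {tok[i]}")

def _port(tok, i):
    """Parse optional 'eq N' or 'range LO HI' at tok[i]; no qualifier means any port."""
    if i < len(tok) and tok[i] == "eq":
        return (lambda x, p=int(tok[i + 1]): x == p), i + 2
    if i < len(tok) and tok[i] == "range":
        lo, hi = int(tok[i + 1]), int(tok[i + 2])
        return (lambda x, lo=lo, hi=hi: lo <= x <= hi), i + 3
    return (lambda x: True), i

def parse_acl(text):
    """Return the ACEs of one extended ACL in order; header, exit and remark lines are skipped."""
    aces = []
    for raw in text.strip().splitlines():
        tok = raw.split()
        if not tok or tok[0] in ("ip", "exit", "remark", "!"):
            continue
        action, proto = tok[0], tok[1]
        src, i = _addr(tok, 2)
        sport, i = _port(tok, i)
        dst, i = _addr(tok, i)
        dport, i = _port(tok, i)
        aces.append((action, proto, src, sport, dst, dport, "established" in tok[i:], raw.strip()))
    return aces

def match(aces, pkt):
    """First-match lookup for a TCP packet (src, sport, dst, dport, flags); implicit deny at the end."""
    src, sport, dst, dport, flags = pkt
    for action, proto, fsrc, fsport, fdst, fdport, est, line in aces:
        if proto not in ("ip", "tcp"):
            continue  # an ACE for another protocol cannot match a TCP segment
        if est and not ({"A", "R"} & set(flags)):
            continue  # 'established' requires ACK or RST
        if fsrc(src) and fsport(sport) and fdst(dst) and fdport(dport):
            return action, line
    return "deny", "(implicit deny)"

def evaluate_on_svi(acl_in, acl_out, pkt):
    """Inbound list: packets entering the switch from VLAN 3 hosts.
    Outbound list: packets the switch routes toward VLAN 3 hosts."""
    if ip_address(pkt[0]) in VLAN3:
        return "inbound", match(acl_in, pkt)
    if ip_address(pkt[2]) in VLAN3:
        return "outbound", match(acl_out, pkt)
    raise ValueError("packet does not cross the VLAN 3 SVI")

def handshake(client, cport, server, sport):
    """Three-way handshake plus the server's first data segment."""
    return [("SYN", (client, cport, server, sport, "S")),
            ("SYN-ACK", (server, sport, client, cport, "SA")),
            ("ACK", (client, cport, server, sport, "A")),
            ("DATA", (server, sport, client, cport, "PA"))]

def first_drop(acl_in, acl_out, client, cport, server, sport):
    """Describe the first packet of the connection the SVI ACLs deny, or None if it completes."""
    for name, pkt in handshake(client, cport, server, sport):
        direction, (action, line) = evaluate_on_svi(acl_in, acl_out, pkt)
        if action == "deny":
            return f"{name} {pkt[0]}:{pkt[1]} -> {pkt[2]}:{pkt[3]} denied {direction} by '{line}'"
    return None

if __name__ == "__main__":
    for label, a_in, a_out in (("original", ORIGINAL_IN, ORIGINAL_OUT), ("fixed", FIXED_IN, FIXED_OUT)):
        i, o = parse_acl(a_in), parse_acl(a_out)
        print(label, "| VLAN2->VLAN3:5500:", first_drop(i, o, "10.0.1.1", 49152, "172.16.1.1", 5500))
        print(label, "| VLAN3->VLAN2:5481:", first_drop(i, o, "172.16.1.1", 49153, "10.0.1.1", 5481))
        print(label, "| VLAN3->VLAN2:22  :", first_drop(i, o, "172.16.1.1", 49154, "10.0.1.1", 22))
```

Run as-is, the original lists pass the SYN in each direction and then drop the SYN-ACK, because the reply carries the server port as its source port and an ephemeral destination port that neither permit names; that is the deny ip any any counter the poster watched climbing. With the extra permits both connections complete, while a fresh SYN from the VLAN 3 server to any other port on the production server is still denied. One caveat a practitioner should keep in mind: established checks TCP flags, not connection state, so a host on VLAN 3 can still send ACK-flagged probes to the permitted peer through it; where that matters, a stateful firewall or a reflexive ACL is the stronger control.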

7 Replies

mkazam001
Level 3

Ensure the command on the switch: ip routing.

Then you would need SVIs for both VLANs to allow for inter-VLAN routing, then create the ACL inbound on the SVIs.

Note: if you're only permitting traffic to one host, it can't get to anything else.

You could also use ip in the ACL for testing before tying it down to specific ports.

Or you could deny access from one VLAN to the other first and then do a permit any.

regards, mk

There are SVIs for both VLANs and there are routes. When I take the ACL off I can reach both networks from either side.

I have both ACLs applied to the sensitive VLAN 3 interface, one in and one out. The two computers are the only two that should be talking, and on those ports.

Is my syntax correct? Is applying both ACLs to one SVI causing a conflict?

We do not know details of what you have done and that makes it difficult to know whether your syntax is correct. As a generality having an ACL that permits specific traffic and then has deny ip any any would kill communication for any other devices in the subnet. Is that what you intended?

 

As a general statement we can certainly say that applying an inbound and an outbound ACL on an interface is ok and does not cause problems. Please provide the configuration of the VLAN interfaces for both VLANs and the configuration of the ports where each device is connected.

 

HTH

 

Rick


Hi Richard

 

That is my intention. The server from the segregated VLAN (VLAN 3) is completely cut off from my production network. I need to open that VLAN just so one server from my production side can communicate (basically pull data from the other server).

 

I created an SVI for that segregated VLAN on my core switch. That opened traffic up between my segregated VLAN and production network and I was able to confirm communication, so the routes are there.

 

I need to open up specific ports.

 

The server on my segregated network needs to talk to my production server on port range 5550-5559.

My production server needs to talk back on a single port, 6441.

 

I created an outbound ACL as follows:
permit tcp host (Production Server) host (Segregated Server) range 5550 5559

I applied this to the newly created SVI (the svi for the segregated network) in the outbound direction

 

I then created an inbound ACL as follows:

permit tcp host (Segregated Server) host (Production Server) eq 6441

I applied this to the newly created SVI (the svi for the segregated network) in the inbound direction

 

If I only apply the outbound list, it seems to work fine. Once I apply the inbound list, it loses connection.

 

(This config may look a little different from the original post; this is the most I've gotten it to work.)

 

I can't ping anymore between the computers, as is to be expected, but I'm nervous that they're talking on the 5550-5559 port range because right now, with only the outbound ACL applied, they aren't specifically stated anywhere, so there must be traffic.

I did a Wireshark capture and indeed I do see ports in that range.

 

A bit new to this, so I'm trying to wrap my head around where my mistake is.

 

 


Thanks for the update. Glad to hear that you have solved your own problem - and +5 for that. It is especially gratifying when someone posts about a problem and then is able to find the solution to their own problem. These communities are excellent places to ask questions and to learn about networking. I hope to see you continue to be active in the community.

 

HTH

 

Rick


Thanks Rick!

The communities are indeed an excellent source of info.