
ACL Question

jkay18041
Level 3

I have created an ACL to place on our WAN router that connects to the ISP. Port 1 connects to the ISP with a subnet, and port 2 is an IP from our static IP block. I have a device that hosts a web server in our network that I'm trying to filter by IP.

 

ISP->2901->ASA5516->webserver

 

I'm using the 2901 to filter the traffic, and basically I made an ACL like this:

 

ip access-list extended Block_Stuff

permit tcp host <xyz> host <webserver-public-ip>

deny tcp any host <webserver-public-ip> eq ftp-data ftp 22 telnet www 443 3389

permit ip any any

 

I was always told that an extended ACL goes closest to the source, so I put it on port 1 inbound. However, this ACL did not work until I put it on port 2 outbound.

 

Why is that?

 

Thank you for the help

Accepted Solution

Hello,

 

So the original ACL is working now, inbound on the ISP-facing interface? Good stuff...


7 Replies

Your web server has a public IP on the inside of the ASA?

 

Put IP addresses in the config you posted (you don't have to use the real ones) just so we can see what you are trying to block. Also post the config of the router with the IP addresses of the interfaces...

Here is part of the ACL:

 

permit tcp host 100.200.125.100 host 70.200.220.69 eq www
permit tcp host 100.200.125.100 host 70.200.220.74 eq 443
deny tcp any host 70.200.220.70 eq ftp-data ftp 22 telnet www 443
deny tcp any 70.200.220.64 0.0.0.63 eq www 3389
permit ip any any

 

interface GigabitEthernet0/0
description InBound_From_ISP
ip address 50.50.50.190 255.255.255.252
ip access-group ACL in
duplex auto
speed auto

 

interface GigabitEthernet0/1
description To_ASA_
ip address 70.200.220.65 255.255.255.192
ip access-group ACL out
duplex auto
speed auto
!
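To see exactly which flows the ACL posted above matches, here is an added example (written for this thread; it is not Cisco code and not the poster's config) that models IOS extended-ACL evaluation in Python: entries are tested top-down, the first match wins, `host`/`any`/wildcard-mask address specs and `eq` with several ports are honoured, and anything left over hits the implicit deny. The ACL text is the one posted above with the missing space restored; the 203.0.113.x source addresses in the sample flows are constructed from the documentation range and stand in for "anyone on the Internet".

```python
"""Model IOS extended-ACL matching so the posted ACL can be checked offline.

Added example for this thread; not Cisco code. It implements what an IOS
extended ACL does to a packet: entries are tested top-down, the first match
wins, and a packet that matches nothing hits the implicit 'deny ip any any'.
"""
import ipaddress

# IOS port keywords used in the posted ACL (IOS also accepts plain numbers).
PORT_NAMES = {"ftp-data": 20, "ftp": 21, "telnet": 23, "www": 80}

# The ACL as posted in the thread, with the missing space on line 2 restored.
ACL_TEXT = """\
permit tcp host 100.200.125.100 host 70.200.220.69 eq www
permit tcp host 100.200.125.100 host 70.200.220.74 eq 443
deny tcp any host 70.200.220.70 eq ftp-data ftp 22 telnet www 443
deny tcp any 70.200.220.64 0.0.0.63 eq www 3389
permit ip any any
"""


def _parse_addr(tokens):
    """Consume one IOS address spec: 'any', 'host A', or 'A WILDCARD'.

    Returns (ip_network, remaining_tokens).
    """
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    addr, wildcard = tokens[0], tokens[1]
    # A wildcard mask is the inverse of a netmask: 0 bits must match, 1 bits are ignored.
    netmask = ipaddress.ip_address(~int(ipaddress.ip_address(wildcard)) & 0xFFFFFFFF)
    return ipaddress.ip_network(f"{addr}/{netmask}", strict=False), tokens[2:]


def parse_acl(text):
    """Parse 'permit|deny PROTO SRC DST [eq PORT...] [log]' lines into match entries."""
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0] == "!":
            continue
        action, proto = tokens[0], tokens[1]
        src, rest = _parse_addr(tokens[2:])
        dst, rest = _parse_addr(rest)
        log = "log" in rest                      # the 'log' keyword suggested later in the thread
        rest = [t for t in rest if t != "log"]
        dports = None                            # None means 'any destination port'
        if rest and rest[0] == "eq":
            dports = {PORT_NAMES[p] if p in PORT_NAMES else int(p) for p in rest[1:]}
        entries.append({"action": action, "proto": proto, "src": src, "dst": dst,
                        "dports": dports, "log": log, "line": line})
    return entries


def evaluate(entries, proto, src, dst, dport=None):
    """Return (action, matching_line) for one flow, using first-match semantics."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for e in entries:
        if e["proto"] not in ("ip", proto):
            continue
        if s not in e["src"] or d not in e["dst"]:
            continue
        if e["dports"] is not None and dport not in e["dports"]:
            continue
        return e["action"], e["line"]
    return "deny", "implicit deny ip any any"   # the end of every IOS ACL


ENTRIES = parse_acl(ACL_TEXT)

# Constructed sample flows: 203.0.113.0/24 is a documentation range, not a real client.
SAMPLE_FLOWS = [
    ("tcp", "100.200.125.100", "70.200.220.69", 80),   # the allowed admin host
    ("tcp", "203.0.113.5", "70.200.220.70", 22),       # SSH from anyone else to .70
    ("tcp", "203.0.113.5", "70.200.220.100", 3389),    # RDP to any host in the /26
    ("tcp", "203.0.113.5", "70.200.220.70", 25),       # SMTP: not listed, falls through
    ("tcp", "100.200.125.100", "70.200.220.69", 22),   # admin host, but SSH to .69
    ("udp", "203.0.113.5", "70.200.220.70", 80),       # UDP never matches the tcp lines
]

if __name__ == "__main__":
    for flow in SAMPLE_FLOWS:
        action, line = evaluate(ENTRIES, *flow)
        print(f"{flow[0]} {flow[1]} -> {flow[2]}:{flow[3]}: {action:6} by '{line}'")
```

Two things the model makes visible. First, the fourth line only lists `www` and `3389` for the whole 70.200.220.64/26 block, so ports 20, 21, 22 and 23 are filtered only on 70.200.220.70; an SSH connection to .69 from any source falls through to `permit ip any any`. Second, the evaluator has no notion of interface or direction: a packet from the ISP to the web server enters Gi0/0 and leaves Gi0/1, so `ip access-group ACL in` on Gi0/0 and `ip access-group ACL out` on Gi0/1 test the same packets against the same lines, which is why the two placements should behave the same for this traffic.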

Hello,

 

What if you apply the access list outbound?

 

interface GigabitEthernet0/0
description InBound_From_ISP
ip address 50.50.50.190 255.255.255.252
ip access-group ACL out
duplex auto
speed auto

If it's outbound on the interface that connects to the ISP, I can still get to the web server.

Hello,

 

Put the 'log' keyword at the end of your access list statements; that should show you what is being blocked and what is being let through...

Strange thing: I removed the ACL from the interfaces, then deleted the ACL and recreated it, put it on the ISP side inbound, and it worked.

 

I'm not sure what caused it.

 

Thanks for your help

