ACL to Internet

samudro94
Level 1

Hello All,

I have a server (CentOS 7) and I created a VLAN (Vlan 9) for the server, and I created an ACL for access to the server. I put the ACL on the server VLAN (Vlan 9) with ip access-group **** out, but the server cannot access the internet, e.g. ping to Google. If I remove the ACL from the server VLAN (VLAN 9), the server is able to access the internet. I also use a Fortigate as the firewall. What could be causing this?

Thank you,

12 Replies

Richard Burts
Hall of Fame

You describe a problem but do not give us enough information to understand the issue or to make good suggestions. At a minimum please post the configuration of the vlan interface and of the access list that you configured. Even better would be to post the complete running config (obscuring any Public IP or other sensitive information).

HTH

Rick

Sorry,

The server IP is 172.**.**.4

The VLAN interface:

interface Vlan9
description "DATA-SRV"
ip address 172.**.**.1 255.255.255.248
ip access-group ** out
no ip redirects
no ip unreachables
no ip proxy-arp

The access list:

Standard IP access list **
40 permit 10.255.**.**
70 permit 10.255.**.**
75 permit 10.255.**.** (6 matches)
150 permit 10.255.**.** (10 matches)
20 permit 10.255.**.**
110 permit 10.255.**.**

There is no public IP in the access list.

I cannot connect to the internet from the server, but if the access list is removed from the VLAN, I can connect to the internet from the server.

Thanks for the additional information. My first comment is: why are you obscuring the middle octets of IP addresses that are in the private IP range? If there were public IPs involved I would understand obscuring them. But why do this for private IPs?

Your problem is clear. I start with 3 observations:

1) an access class applied outbound will filter traffic from the router/switch to the destination device.

2) a standard access list filters traffic based on the source address.

3) at the end of every access list is an implied statement that denies any traffic that has not been permitted.

So the access list/access class will filter traffic being forwarded to your server. The access list permits some subnets in network 10.0.0.0 and denies every thing else. When your server attempts to access the Internet the response coming back to the server will have a source address that is not in network 10.0.0.0 and so is denied.

HTH

Rick

Hello,

I could be missing something obvious here, but your access list does not allow the 172.**.**.0 subnet. What if you add that to your access list?

Standard IP access list **
40 permit 10.255.**.**
70 permit 10.255.**.**
75 permit 10.255.**.** (6 matches)
150 permit 10.255.**.** (10 matches)
20 permit 10.255.**.**
110 permit 10.255.**.**
--> 120 permit 172.**.**.0

samudro94
Level 1

Thank you for the explanation,

But how do I make the server access the internet? Should I add a permit for the public IP to the access list?

Thank you

Hello
The server VLAN and the addressing stated in the ACL are non-routable on the internet, so I assume your FW is performing network address translation for your server subnet to reach the internet, and the return traffic from the internet is also coming in via the FW. However, the FW's interface/IP address used to connect to your server subnet is being denied by your ACL, so you need to permit that FW address so the traffic is allowed.


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

The original poster responds "But how to make the server access internet, should I add to permit the IP public on access list ?" Yes indeed that is what you need to do.

I am puzzled about Paul's comment about NAT and the firewall address needing to be added to the acl. Yes indeed there is almost certainly NAT at the firewall. But that has to do with the server address in the packet. The issue here is about the Public IP in the response source address. Adding the FW IP to the acl will not solve this issue.

I am also puzzled by Georg's response about the 172 address and whether it should be added to the acl. We have no information about this networking environment and whether there are other subnets in the 172 address space. If there are other subnets in that address space then probably they should be added to the acl. But the problem in the original post was about Internet access for the server. And adding 172 to the acl will not solve that issue.

HTH

Rick

Hello,

I just lab tested this, and maybe I am really missing the obvious, but:

Server IP: 172.**.**.4

interface Vlan9
ip address 172.**.**.1 255.255.255.248
ip access-group ** out

Standard IP access list **
40 permit 10.255.**.**
70 permit 10.255.**.**
75 permit 10.255.**.** (6 matches)
150 permit 10.255.**.** (10 matches)
20 permit 10.255.**.**
110 permit 10.255.**.**

As soon as I add 172.**.**.4 to the access list, traffic from the server goes through. How is the server supposed to pass the access list when it is not allowed?

Hello,

adding the IP address of the server to the access list is absolutely necessary.

--> If I remove the ACL on the VLAN server (VLAN 9), the server is able to access the internet

That means that the only obstacle is the ACL, and the Fortigate routes and NATs that address space.

I will assume that the IPs listed in your ACL are the sources of traffic toward your server, and that these IPs are from other VLANs?
Standard IP access list **

40 permit 10.255.**.** ... etc.

You have one approach to solve the issue:
configure the ACL IN on the other VLANs instead of using an ACL OUT on the server VLAN.
You need to use an extended ACL, not a standard ACL.

Any other approach cannot solve your issue, because accessing the internet means the IPs that need to connect to the server are ANY, and that breaks your first requirement, which is to prevent some IPs from accessing your server.

Yes, these IPs are from other VLANs.

Actually, a vendor from a public IP needs to access the database on the server, and I also restricted the local VLAN (local users) from accessing the server.

So do as I suggest: use the ACL close to the source of traffic, i.e. configure the ACL IN on the other VLANs, not an ACL OUT on your server VLAN.
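The two points made in the thread, that an outbound standard ACL on the SVI matches only the source address of packets heading to the server so Internet replies hit the implicit deny, and that only an extended ACL can let the vendor in while keeping return traffic working, can be checked offline with the small ACL evaluator below. This is an added example, not configuration or code from any of the posts. Every address in it is constructed: the server is 172.16.9.4 on Vlan9 (172.16.9.0/29), the permitted hosts from the original standard list are 10.255.20.11 and .12, a local user is 10.255.20.77, the vendor is 203.0.113.10, and 8.8.8.8 and 198.51.100.0/24 stand in for the Internet. It also assumes the Fortigate only translates the server's address, so the vendor's public source address is what arrives at the SVI. The extended list keeps the ACL where the original poster has it (out on Vlan9) rather than moving it inbound on the other VLANs; the same extended syntax would be needed either way.

```python
# Added example (not the thread's config). Constructed addresses: server 172.16.9.4 on
# Vlan9, hosts 10.255.20.11-12, user 10.255.20.77, vendor 203.0.113.10, Internet 8.8.8.8.
import ipaddress

PROTOS = {"ip", "tcp", "udp", "icmp"}
ICMP_TYPES = {"echo", "echo-reply"}
ANY = (0, 0xFFFFFFFF)  # (address, wildcard): every bit is a don't-care

def _ip(s):
    return int(ipaddress.IPv4Address(s))

def _is_ip(tok):
    return tok.count(".") == 3 and tok.replace(".", "").isdigit()

def _take_addr(tokens, i):
    """Parse the address spec at tokens[i] into (address, wildcard): 'any', 'host A.B.C.D',
    'A.B.C.D WILDCARD', or a bare address, which IOS treats as a single host."""
    if tokens[i] == "any":
        return ANY, i + 1
    if tokens[i] == "host":
        return (_ip(tokens[i + 1]), 0), i + 2
    if i + 1 < len(tokens) and _is_ip(tokens[i + 1]):
        return (_ip(tokens[i]), _ip(tokens[i + 1])), i + 2
    return (_ip(tokens[i]), 0), i + 1

def _addr_hit(spec, addr):  # bits set in the wildcard are ignored
    return (_ip(addr) | spec[1]) == (spec[0] | spec[1])

def parse_acl(text):
    """Parse standard ('permit SRC') and extended ('permit PROTO SRC DST [eq DPORT]
    [established] [ICMP-TYPE]') entries; sequence numbers and remarks are skipped."""
    rules = []
    for raw in text.strip().splitlines():
        tokens = raw.split()
        if tokens and tokens[0].isdigit():
            tokens = tokens[1:]
        if not tokens or tokens[0] == "remark":
            continue
        permit = tokens[0] == "permit"
        if tokens[1] in PROTOS:  # extended entry
            src, i = _take_addr(tokens, 2)
            dst, i = _take_addr(tokens, i)
            rest = tokens[i:]
            rules.append(dict(
                permit=permit, proto=tokens[1], src=src, dst=dst,
                dport=int(rest[rest.index("eq") + 1]) if "eq" in rest else None,
                established="established" in rest,
                icmp_type=next((t for t in rest if t in ICMP_TYPES), None)))
        else:  # standard entry: source address only, any destination
            src, _ = _take_addr(tokens, 1)
            rules.append(dict(permit=permit, proto="ip", src=src, dst=ANY,
                              dport=None, established=False, icmp_type=None))
    return rules

def evaluate(rules, pkt):
    """First match wins; the implicit 'deny ip any any' ends every list. pkt keys: src,
    dst, proto, optional dport, ack (TCP ACK/RST bit, all 'established' tests), icmp_type."""
    for r in rules:
        if r["proto"] != "ip" and r["proto"] != pkt["proto"]:
            continue
        if not (_addr_hit(r["src"], pkt["src"]) and _addr_hit(r["dst"], pkt["dst"])):
            continue
        if r["dport"] is not None and pkt.get("dport") != r["dport"]:
            continue
        if r["established"] and not pkt.get("ack", False):
            continue
        if r["icmp_type"] and pkt.get("icmp_type") != r["icmp_type"]:
            continue
        return r["permit"]
    return False

# The thread's design: a standard list of permitted hosts, applied 'out' on Vlan9.
STANDARD_ACL = """
10 permit 10.255.20.11
20 permit 10.255.20.12
"""

# Same placement, but extended: vendor to the DB port only, listed hosts in full,
# and replies to sessions the server opened via 'established' and 'echo-reply'.
EXTENDED_ACL = """
10 permit tcp host 203.0.113.10 host 172.16.9.4 eq 3306
20 permit ip host 10.255.20.11 host 172.16.9.4
30 permit ip host 10.255.20.12 host 172.16.9.4
40 permit tcp any host 172.16.9.4 established
50 permit icmp any host 172.16.9.4 echo-reply
60 deny ip any any
"""

SERVER = "172.16.9.4"
PACKETS = {  # constructed packets, all headed to the server, as 'out' on Vlan9 sees them
    "ping_reply_from_internet": dict(src="8.8.8.8", dst=SERVER, proto="icmp", icmp_type="echo-reply"),
    "web_reply_to_server": dict(src="198.51.100.7", dst=SERVER, proto="tcp", dport=40000, ack=True),
    "vendor_to_db": dict(src="203.0.113.10", dst=SERVER, proto="tcp", dport=3306),
    "local_user_to_db": dict(src="10.255.20.77", dst=SERVER, proto="tcp", dport=3306),
    "permitted_host_ssh": dict(src="10.255.20.11", dst=SERVER, proto="tcp", dport=22),
    # 'established' only checks flag bits, so a crafted ACK-set packet passes the ACL
    "crafted_ack_to_db": dict(src="198.51.100.9", dst=SERVER, proto="tcp", dport=3306, ack=True),
}

def verdicts(acl_text):
    rules = parse_acl(acl_text)  # True = permitted, False = denied
    return {name: evaluate(rules, pkt) for name, pkt in PACKETS.items()}
```

Running `verdicts(STANDARD_ACL)` shows the symptom from the first post: only the listed hosts get through and both the ping reply and the vendor are dropped by the implicit deny. `verdicts(EXTENDED_ACL)` lets the ping reply, the web reply and the vendor through while the local user is still denied. Two caveats a practitioner should keep in mind: `established` is not stateful, it only matches segments with ACK or RST set, so the crafted packet in the last sample passes the ACL and it is the server's TCP stack that rejects it; and UDP has no such keyword, so replies such as DNS answers need their own entries, a reflexive ACL, or the stateful Fortigate in front of the VLAN. Also note that the bare addresses in the thread's standard list are host entries (wildcard 0.0.0.0), which is why the parser treats them that way.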