Need Clarification on router ACL

Chandhuru
Level 1

Hello All,

 

Please clarify my router ACL doubt. Below is my question:

 

Source - host(server/specific IP)

Destination - any

Port - object-group(service object - it contains tcp/udp ports)

 

My question is how to add the ACL on a specific interface. Actually, it is inbound traffic.

 

Can I add this ACL "permit object-group SERVER-PORTS host xx.xx.xx.xx any"?

 

Regards,

Chandhuru

9 Replies

Chandhuru
Level 1

Hello All,

 

Can anyone help on this? It's a little urgent.

 

Your valuable information is most appreciated.

 

Thanks in advance.

 

Regards,

Chandhuru

Hi

I have my doubts about that statement; is it for a router or an ASA firewall?

It looks like a firewall ACL line:

Example:

access-list TEST extended permit object-group PROTOCOL host 1.1.1.100 any eq 53

 

So you will apply it through access-group

 

access-group <ACL name: TEST> in interface <nameif>

 

Note: it is applied to traffic coming into the firewall, for example:

 

interface g0
 nameif LAN
 security-level 100
 ip address 1.1.1.1 255.255.255.0
 no shutdown
!
access-list TEST extended permit object-group PROTOCOL host 1.1.1.100 any eq 53
!
access-group TEST in interface LAN

 

Note: 1.1.1.100 is part of the network 1.1.1.0/24.

 

On the ASA, usually only "in" is used. I'm not really sure how it is configured on your side, but it should work.

 

Hope it is useful

:-)

 




>> Mark as helpful or answered if the reply resolved the question; this helps other community members with future queries. <<

Thanks for the reply Julio!

 

It's for a 1921 router.

 

interface GigabitEthernet0/1.16
 description TEST
 encapsulation dot1Q 16
 ip address 192.168.1.161 255.255.255.240
 ip access-group TEST-in in
!
ip access-list extended TEST-in
 permit tcp any eq 80 host XX.XX.XX.XX
 ! Here I want to add an object group instead of port 80 alone
 deny   ip any any log

 

Note: the host (XX.XX.XX.XX) is outside the network, so this is an inbound connection.

Hope this answers your question. Thanks in advance!

 

Regards,

Chandhuru

Hi

Thank you, yes, your config is fine.

 

interface GigabitEthernet0/1.16
 description TEST
 encapsulation dot1Q 16
 ip address 192.168.1.161 255.255.255.240
 ip access-group TEST-in in

 

You can also verify the hits, using:

show access-list TEST-in

 

:-)





Hello Julio,

 

I want to add object-group instead of 80 port there in ACL for inbound access.

 

object-group service SERVER-PORTS
 tcp eq www
 tcp eq 69
 udp eq 6700
 udp eq 6800
 udp eq 6900
!
ip access-list extended TEST-in
 permit tcp any eq 80 host XX.XX.XX.XX
 ! Here I want to add the object group instead of port 80 alone

But this is not working. Is there any specific syntax for object groups?

Hello Julio,

 

Hope you got my point/question. If not please tell me, I will try to explain more clearly.

 

Thanks!

 

Regards,

Chandhuru

Hi

You could have something like:

 

object-group service SERVER-PORTS
 tcp eq www
 tcp eq 69
 udp eq 6700
 udp eq 6800
 udp eq 6900
!
ip access-list extended TEST-in
 permit tcp any any object-group SERVER-PORTS
 permit udp any any object-group SERVER-PORTS

I'm not really sure of the syntax on a router, but you can try.




Hello Julio,

 

I want the source port to be opened, but in your syntax it is mentioned as the destination port.

 

I have already tried. I want the source-port syntax with an object group.

 

I want to confirm whether this is possible on a router or not.

 

Thanks!

 

Regards,

Chandhuru
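An added example, not from this thread and not Cisco's code: a small Python model of first-match ACL evaluation with the SERVER-PORTS group, run over constructed packets under the two variants discussed above, the destination-port version Julio proposed and the source-port version Chandhuru is asking for. The addresses are constructed (192.0.2.10 stands in for XX.XX.XX.XX) and the matching rules are a simplified model of how an IOS extended ACL is evaluated, not a parser for IOS syntax.

```python
"""Model of first-match ACL evaluation with a service object group, showing the
difference between matching on the source port and on the destination port.

All addresses, packets and the object-group contents are constructed for this example.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

# Constructed service object group with the same entries as SERVER-PORTS in the thread.
SERVER_PORTS = (("tcp", 80), ("tcp", 69), ("udp", 6700), ("udp", 6800), ("udp", 6900))

# Placeholder for the XX.XX.XX.XX server address in the thread (TEST-NET-1, constructed).
SERVER = "192.0.2.10"


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Ace:
    """One access-control entry. A port set of None means 'any port'."""
    action: str                          # "permit" or "deny"
    proto: str                           # "tcp", "udp" or "ip"
    src: str                             # "any" or a host address
    dst: str                             # "any" or a host address
    sports: Optional[FrozenSet[int]] = None
    dports: Optional[FrozenSet[int]] = None


def group_ports(proto: str) -> FrozenSet[int]:
    """Expand the object group to the port numbers defined for one protocol."""
    return frozenset(port for p, port in SERVER_PORTS if p == proto)


def ace_matches(ace: Ace, pkt: Packet) -> bool:
    """Every field of the entry must match; 'ip' matches any transport protocol."""
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if ace.src != "any" and ace.src != pkt.src:
        return False
    if ace.dst != "any" and ace.dst != pkt.dst:
        return False
    if ace.sports is not None and pkt.sport not in ace.sports:
        return False
    if ace.dports is not None and pkt.dport not in ace.dports:
        return False
    return True


def evaluate(acl: List[Ace], pkt: Packet) -> str:
    """First matching entry wins; an ACL ends with an implicit deny."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace.action
    return "deny"


# Julio's suggestion: the object group applied to the DESTINATION port.
DEST_PORT_ACL = [
    Ace("permit", "tcp", "any", "any", dports=group_ports("tcp")),
    Ace("permit", "udp", "any", "any", dports=group_ports("udp")),
    Ace("deny", "ip", "any", "any"),
]

# What Chandhuru describes: the object group applied to the SOURCE port, with the
# server as destination host (as in 'permit tcp any eq 80 host XX.XX.XX.XX').
SRC_PORT_ACL = [
    Ace("permit", "tcp", "any", SERVER, sports=group_ports("tcp")),
    Ace("permit", "udp", "any", SERVER, sports=group_ports("udp")),
    Ace("deny", "ip", "any", "any"),
]


def compare(pkt: Packet) -> dict:
    """Result of the same packet under both ACL variants."""
    return {"dest_port_acl": evaluate(DEST_PORT_ACL, pkt),
            "src_port_acl": evaluate(SRC_PORT_ACL, pkt)}


# Constructed sample packets entering the LAN sub-interface (192.168.1.160/28).
LAN_CLIENT_REQUEST = Packet("tcp", "192.168.1.162", 51000, SERVER, 80)   # client -> server:80
SPORT_80_TO_SERVER = Packet("tcp", "192.168.1.162", 80, SERVER, 445)     # only the source port is 80
UDP_TO_OTHER_HOST = Packet("udp", "192.168.1.163", 6700, "198.51.100.5", 6700)

if __name__ == "__main__":
    for name, pkt in [("LAN client request", LAN_CLIENT_REQUEST),
                      ("source port 80 only", SPORT_80_TO_SERVER),
                      ("udp to other host", UDP_TO_OTHER_HOST)]:
        print(f"{name:22s} {compare(pkt)}")
```

The three sample packets show that the two ACLs permit disjoint traffic, which is why "it is not working" depends on which port the group is attached to. The second packet is the caveat with matching on the source port alone: a sender picks its own source port, so such an entry permits any TCP packet to the server regardless of its destination port, and the `deny ip any any log` after it never sees that traffic. On IOS, return traffic is better covered by `established`, a reflexive ACL or a stateful inspection feature, with the object group matched on destination ports for the connections it describes. The `source` keyword in `object-group service` entries (for example `tcp source eq www`) is, as I recall the IOS syntax, how a source port is expressed inside a group; verify it on your release, since nothing in this thread confirms it.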

Any update on this?

 

Regards,

Chandhuru
