
VLAN Access-map access-list exception

PLScott
Level 1

Hello,

I'm trying to deny https traffic to a particular host within a VLAN except when coming from one other host. I created the following access-list to be used in an access-map:

ip access-list extended ACL_HTTPS
permit tcp any host 192.168.25.50 eq https

vlan access-map VACL_HTTPS 10
match ip address ACL_HTTPS
action drop

vlan access-map VACL_HTTPS 20
action forward

vlan filter VACL_HTTPS vlan-list 0

As I understand, this configuration will drop all https traffic to 192.168.25.50.

How may I update access-list ACL_HTTPS so all https traffic to 192.168.25.50 is dropped except https traffic coming from 192.168.25.10?

Thank you


11 Replies

Hello

Create an additional acl for communication between those two specific hosts

example:
ip access-list extended ACL_HTTPS
permit tcp any  host 192.168.25.50 eq https
permit tcp host 192.168.25.50 any eq https

ip access-list extended ACL_HTTPS_2
permit tcp host 192.168.25.50 host 192.168.25.10 eq https
permit tcp host 192.168.25.10 host 192.168.25.50 eq https

vlan access-map VACL_HTTPS 10
match ip address ACL_HTTPS_2
action forward

vlan access-map VACL_HTTPS 20
match ip address ACL_HTTPS
action drop

vlan access-map VACL_HTTPS 99
action forward

vlan filter VACL_HTTPS vlan-list 0

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Hi Paul,

Thank you for your help!

Are the bold lines (below) needed if 192.168.25.10 always initiates the https connection and the default action is set to forward (from statement 99), or can I do without them?

ip access-list extended ACL_HTTPS
permit tcp any  host 192.168.25.50 eq https
permit tcp host 192.168.25.50 any eq https

ip access-list extended ACL_HTTPS_2
permit tcp host 192.168.25.50 host 192.168.25.10 eq https
permit tcp host 192.168.25.10 host 192.168.25.50 eq https 

 

Hello
The VL map is read from top to bottom; as such, you will need to allow (forward) host-to-host https traffic (sequence 10), then deny (drop) any-to-host traffic (sequence 20), and lastly allow (forward) any other traffic (sequence 99).

Those access-control entries in the extended ACLs are for bidirectional traffic to/from those hosts to be forwarded/dropped based on whatever is matched in the VL map sequence and any associated ACLs.



Kind Regards
Paul

Thank you for confirming the map sequence, Paul.

I was considering dropping the bold lines as I can't think of a situation where 192.168.25.50 would communicate with 192.168.25.10 on port 443 (only the other direction). Doesn't the port used in the acl refer to the port used on the destination host? So an https connection from 192.168.25.10 to 192.168.25.50 would only use port 443 on 192.168.25.50.

I don't see negative side-effects of leaving the bold lines but was wondering whether they were necessary in this case.

ip access-list extended ACL_HTTPS-ALLOW
permit tcp any host 192.168.25.10 eq https

ip access-list extended ACL_HTTPS
permit tcp any host 192.168.25.50 eq https

vlan access-map VACL_HTTPS 5
match ip address ACL_HTTPS-ALLOW
action forward 

vlan access-map VACL_HTTPS 10
match ip address ACL_HTTPS
action drop

vlan access-map VACL_HTTPS 20
action forward

vlan filter VACL_HTTPS vlan-list 0

Hi MHM Cisco World,

Thank you for your help!

Shouldn't I use the following statements for the ACL_HTTPS-ALLOW access list instead?

ip access-list extended ACL_HTTPS-ALLOW
permit tcp host 192.168.25.10 any eq https

Is the https server 192.168.25.10? If yes, then
permit tcp any host 192.168.25.10 eq https
If 192.168.25.10 is the client, then
permit tcp host 192.168.25.10 any eq https

This is a VLAN access-map, so there is no direction, but the eq https can prevent the ACL from working correctly.
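
Added example (not part of any post in this thread, and not Cisco code): a small Python model of how the access-map variants posted above treat three constructed packets. It assumes first-match sequence evaluation as described in the thread, reads `eq https` as a destination-port match on 443, and uses a made-up third host 192.168.25.77; all Python names are illustrative.

```python
from collections import namedtuple

# Constructed, simplified model of VLAN access-map evaluation for the
# TCP entries quoted in this thread. Not Cisco code.
Pkt = namedtuple("Pkt", "src dst sport dport")
ANY = None
SERVER, CLIENT = "192.168.25.50", "192.168.25.10"
OTHER = "192.168.25.77"  # constructed third host in the same VLAN

def permits(acl, p):
    """ACE = (src, dst, dport) for 'permit tcp <src> <dst> eq <dport>'."""
    return any(s in (ANY, p.src) and d in (ANY, p.dst) and port == p.dport
               for s, d, port in acl)

def vacl(seqs, p):
    """Walk sequences in order; a sequence with no match clause takes all."""
    for acl, action in seqs:
        if acl is None or permits(acl, p):
            return action
    return "drop"  # assumption: unmatched IP traffic is dropped

DROP_TO_SERVER = ([(ANY, SERVER, 443)], "drop")
FORWARD_REST = (None, "forward")

MAPS = {
    # the question's map: seq 10 drop, seq 20 forward
    "original": [DROP_TO_SERVER, FORWARD_REST],
    # seq 5 with 'permit tcp any host 192.168.25.10 eq https'
    "allow_dst_10": [([(ANY, CLIENT, 443)], "forward"),
                     DROP_TO_SERVER, FORWARD_REST],
    # seq 5 with 'permit tcp host 192.168.25.10 any eq https'
    "allow_src_10": [([(CLIENT, ANY, 443)], "forward"),
                     DROP_TO_SERVER, FORWARD_REST],
    # ACL_HTTPS_2 forward, two-line ACL_HTTPS drop, seq 99 forward
    "two_acl": [([(SERVER, CLIENT, 443), (CLIENT, SERVER, 443)], "forward"),
                ([(ANY, SERVER, 443), (SERVER, ANY, 443)], "drop"),
                FORWARD_REST],
}

PACKETS = {  # constructed sample packets
    "client_request": Pkt(CLIENT, SERVER, 50000, 443),
    "server_reply": Pkt(SERVER, CLIENT, 443, 50000),
    "other_request": Pkt(OTHER, SERVER, 50001, 443),
}

def verdicts(map_name):
    """Return {packet name: action} for one access-map variant."""
    return {name: vacl(MAPS[map_name], p) for name, p in PACKETS.items()}

if __name__ == "__main__":
    for name in MAPS:
        print(f"{name:13} {verdicts(name)}")
```

In this model only the variants whose forward sequence matches 192.168.25.10 as the source let the client request through; the server's reply carries 443 as its source port, so no `eq https` entry matches it and it reaches the final forward sequence in every variant.
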

Joseph W. Doherty
Hall of Fame

"I'm trying to deny https traffic . . ."

BTW, if you're truly trying to deny HTTPS traffic, "eq https" cannot guarantee that.

This is because you're blocking on the default HTTPS port, which HTTPS does not need to use.

Other ports known to be used for HTTPS:
8443: Apache Tomcat
832: NETCONF for SOAP over HTTPS
5989: WBEM CIM-XML (HTTPS)
8243: Synapse Non-Blocking HTTPS
16993: Intel(R) AMT SOAP/HTTPS
20003: Commtact HTTPS

To truly block HTTPS, you need something that does much deeper packet inspection, like FWs tend to do, or Cisco NBAR.

That said, blocking on the port 443, will probably block 99%, if not more, typical HTTPS setups, but again, it's not 100%.

Also, since you're actually blocking a port, and other services could use that port, you're blocking them too.  (Again, this too would be highly "unusual" that something like a FTP server is using port 443, but, it's possible.)

I mention the foregoing because, in real-world networking, these subtle distinctions can cause you grief.

Example case: Years ago I had set up a QoS environment, where our remote network admin, via telnet or SSH, was given much priority over other traffic. Worked great, until the day one branch complained network performance fell through the floor. Turned out the problem was someone had started to use SCP for bulk file copying, which, to the QoS policy, looked the same as SSH (just a "tad" more bandwidth demanding [laugh]). Oops!

Thank you for providing perspective, Joseph! It looks like I may need to add another host to the allow list in the event it uses port 443 for communication with 192.168.25.50.

I will try to run a lab and share the result here.

[Attached image: VACL flow diagram]
This is the flow of VACL (I build a flow for each Cisco process I know, and I can build one for it).

The questions and answers:
1- We use an ACL with the VACL; what do I use in the ACL, permit or deny?
The answer is permit; then you can configure the action, which can be forward or drop.
2- We use an ACL; do we need to add deny ip any any at the end of the ACL, or add any deny at the end of the ACL that we use to match traffic?
No need, because when the traffic matches a deny the packet will not be dropped, but the VACL will check the next ACL line, and if there is no line and the deny is at the end, then the next VACL seq (seq meaning the number we enter when we config vlan access-map MHM X<<-).
3- What do we need at the end of the VACL?
We need only a new seq with action forward. But why?
Because not only IP traffic needs to be forwarded; this also prevents dropping DHCP, ARP ..... traffic.
4- Does this config need something else?
Yes.
It needs the VLAN to be up.
It needs ip routing in the SW <<- this point I read in CCIE but I am NOT so sure it is needed.
