why doesn't my acl work in firewall?

tyr668
Level 1


My hit count on the firewall doesn't go up, even before I apply the ACL on my switch's outgoing interface:

access-list permit_ssh_tech line 1 extended deny tcp any any eq 22(hitcnt=0) 0xd3e8c836
access-list permit_ssh_tech line 2 extended deny ip any any(hitcnt=0) 0x1b8246d2
access-list permit_ssh_tech line 3 extended permit tcp 10.10.1.0 255.255.255.240 any eq 22(hitcnt=0) 0x5c97a83a

The Tech VLAN is the only one allowed to SSH into the company routers.

Why doesn't it work when I implement the ACL on my firewall? I've tried all sorts of combinations and it doesn't work, but if I put the exact same ACL on my L3 switch, it works.

Another thing: why does web access work for my finance VLAN only if I put 'permit ip', but not when I put 'permit tcp xx xxx xxx eq 80'?


2 Replies

srigovi2
Cisco Employee

"My hit count on the firewall doesn't go up, even before I apply the ACL on my switch's outgoing interface."

1. If SSH traffic is to reach the router, there should be a route in the L3 switch pointing towards the destination (the internet router) with the next hop as the firewall, or the default route should point to the firewall. If there is no such route in the L3 switch, the packet will be dropped in the L3 switch itself.

2. Check the order of the ACL in the firewall, and whether there is any other rule that blocks the traffic at the IP level. So please check the ACL order: the more specific permit policies should be at the top and the deny policies at the bottom.

3. Placement of the ACL: Double-check the placement of the ACL on your firewall. Ensure that it is applied to the correct interface and in the correct direction (in this case, outgoing). Misconfiguration or applying the ACL to the wrong interface could result in the desired traffic not being filtered or allowed.

"Another thing: why does web access work for my finance VLAN only if I put 'permit ip', but not when I put 'permit tcp xx xxx xxx eq 80'?"

1. Check whether the destination port is 80 or some other port, such as 443. If it's any other port, then it won't work. Otherwise, run packet-tracer and a capture to check the flow and the TCP connection between source and destination.

SSH to the ASA itself needs an ACL with the keyword 'control-plane'.

The ASA uses two kinds of ACL:

For traffic passing through the FW, the normal ACL.

Traffic toward the FW needs an ACL with control-plane.
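To illustrate the ordering point from the first reply (ASA evaluates an ACL top-down and the first match wins, so the poster's line 3 can never be hit behind line 1), here is an added Python model of first-match ACL evaluation with a shadowed-line check; it is not Cisco code, and the addresses 10.10.1.5, 10.10.2.5 and 192.0.2.1 are constructed test values.

```python
import ipaddress
from dataclasses import dataclass

ANY = ipaddress.ip_network("0.0.0.0/0")

@dataclass(frozen=True)
class Ace:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" (matches every protocol) or "tcp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: "int | None" = None   # None means any destination port

def net(asa_addr_mask: str) -> ipaddress.IPv4Network:
    # ASA writes networks as 'address netmask', e.g. '10.10.1.0 255.255.255.240'
    return ipaddress.ip_network(asa_addr_mask.replace(" ", "/"), strict=False)

def matches(ace: Ace, proto: str, src_ip: str, dst_ip: str, dport: int) -> bool:
    return (ace.proto in ("ip", proto)
            and ipaddress.ip_address(src_ip) in ace.src
            and ipaddress.ip_address(dst_ip) in ace.dst
            and (ace.dport is None or ace.dport == dport))

def first_match(acl, proto, src_ip, dst_ip, dport):
    """ASA semantics: top-down, first matching line wins, implicit deny at the end."""
    for line_no, ace in enumerate(acl, start=1):
        if matches(ace, proto, src_ip, dst_ip, dport):
            return line_no, ace.action
    return None, "deny"   # no line hit: implicit deny

def shadowed_lines(acl) -> list:
    """Lines that can never get a hit: an earlier line covers every packet they match."""
    shadowed = []
    for i, later in enumerate(acl):
        for earlier in acl[:i]:
            if (earlier.proto in ("ip", later.proto)
                    and later.src.subnet_of(earlier.src)
                    and later.dst.subnet_of(earlier.dst)
                    and (earlier.dport is None or earlier.dport == later.dport)):
                shadowed.append(i + 1)
                break
    return shadowed

# The poster's ACL in the order shown in the question (Tech VLAN = 10.10.1.0/28).
PERMIT_SSH_TECH = [
    Ace("deny", "tcp", ANY, ANY, 22),
    Ace("deny", "ip", ANY, ANY),
    Ace("permit", "tcp", net("10.10.1.0 255.255.255.240"), ANY, 22),
]
# The same three lines with the specific permit moved to the top, as the first reply advises.
REORDERED = [PERMIT_SSH_TECH[2], PERMIT_SSH_TECH[0], PERMIT_SSH_TECH[1]]
```

Running `first_match(PERMIT_SSH_TECH, "tcp", "10.10.1.5", "192.0.2.1", 22)` returns line 1 (deny) and `shadowed_lines(PERMIT_SSH_TECH)` returns `[3]`, which is why that permit line's hit count stays at 0 no matter where the ACL is applied.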
