10-23-2022 12:01 PM
Hi,
I am having some issues with IPv4-based ACE rules. Basically 3 VLANs: 192.168.20.0/24 (VLAN 20), 192.168.40.0/24 (VLAN 40), 192.168.55.0/24 (VLAN 55). VLAN 20 is the office net, VLAN 40 is guest, VLAN 55 is the default route subnet to the firewall. All traffic should be allowed firewall access. I want to deny all traffic from VLAN 40 to VLAN 20. I want to deny all traffic from VLAN 20 to VLAN 40 except some web services on 192.168.40.114:32400 TCP.
I have no issues setting up the deny traffic but am struggling to get the permit traffic rule to work. I am binding the ACL to VLAN 20 and 40 with default deny as well.
10-24-2022 10:37 AM
Sure - that is the reason I suggested as below:
"Either you need granular rules for the ports you are looking to allow, e.g. 80 or 443 and so on, to make a strict rule."
So remove the permit from the web server to the local pool, add only the required ports, and test it.
10-23-2022 12:16 PM
How about adding another permit rule from 192.168.40.114 to the 192.168.20.0 network? Does that work?
10-23-2022 12:35 PM
10-23-2022 12:39 PM
Actually, in that last attempt I had the subnet wrong. I fixed it to 0.0.0.225 and it works. Thanks. 40.114 now has access to 20.0/24, which I don't want. How do I fix that?
10-24-2022 07:12 AM
This is an ACL; the device is not a firewall, so it is not a stateful firewall that remembers your connection - that is a limitation of ACLs.
Either you need granular rules for the ports you are looking to allow, e.g. 80 or 443 and so on, to make a strict rule.
10-24-2022 10:27 AM
I am not sure about this solution of having the network open in both directions to get the permit rule to work. In this thread the user was able to get it to work for permitting traffic in one direction only.
https://community.cisco.com/t5/small-business-switches/acl-config-on-sg-300-28p/td-p/1858212
10-24-2022 10:42 AM
10-24-2022 10:53 AM
First, check that 192.168.40.114 port 32400 is listening, and change the source port to any.
10-24-2022 11:06 AM
Still not working.
10-24-2022 12:44 PM
"still not working."
It would be nice to have more information on what is not working. Totally broken? Or one side working?
First, check that 192.168.40.114 port 32400 is listening - is this working (I believe and take it as working)?
Can you post again the screenshot of the ACE and what firmware you are running? Enable logging and check what error you get.
10-24-2022 01:10 PM
I think I finally understand how it works. Thanks for the tip on the logging; it showed me more clearly which ports were traversing the rules and failing.