Access-list not functional on the Cisco Core C9500 switch

ksoltani
Level 1

I have a VLAN 10 for users in my company with the subnet 10.200.40.0/23, and the server IP is 10.220.41.180.
The role of the access list is to open the traffic between VLAN 10 and the server (10.220.41.180) on specific ports (20, 21, 80, 23, 161, 162) and then deny that traffic for the others.
Below is the configuration syntax:

!

ip access-list extended FILTER_Ports
permit tcp host 10.220.41.180 any eq ftp-data
permit tcp host 10.220.41.180 any eq ftp
permit tcp host 10.220.41.180 any eq www
permit tcp host 10.220.41.180 any eq telnet
permit udp host 10.220.41.180 any eq snmp
permit udp host 10.220.41.180 any eq snmptrap
deny tcp any any eq ftp-data
deny tcp any any eq ftp
deny tcp any any eq www
deny tcp any any eq telnet
deny udp any any eq snmp
deny udp any any eq snmptrap
permit ip any any

!

interface Vlan10
description users
ip address 10.200.40.252 255.255.252.0
ip access-group FILTER_Ports in
end

When I did a test from another VLAN (VLAN 20), I managed to access a printer IP in VLAN 10 over HTTP.
I have a printer in VLAN 10 with IP 10.200.40.10.
I managed to open http://10.200.40.10 despite the rule I have
set, "deny tcp any any eq www".

I don't know why I managed to open the printer over HTTP despite the deny???


Hello,

 

Make sure your access list does not have a typo. The host you are blocking has 220 as the second octet; this is not the same subnet as Vlan 10 (200 as the second octet).

 

--> permit tcp host 10.220.41.180 any eq www

 

interface Vlan10
description users
--> ip address 10.200.40.252 255.255.252.0

@Georg Pauwen I want to permit traffic between VLAN 10 (10.200.40.0/23) and the server in the other VLAN X (10.220.41.180),

and next deny the traffic for all with "deny tcp any any eq www".

I am in the other VLAN 20 (10.189.44.11), and I can access HTTP on the printer at 10.200.40.10, even though I have "deny tcp any any eq www".

I don't know why I can access HTTP on the printer when I have the deny.

 

interface Vlan10
description users
ip address 10.200.40.252 255.255.252.0
ip access-group FILTER_Ports in

!

Hello,

 

You could try putting a 'log' keyword after the "deny tcp any any eq www" statement to see if you are getting hits on that line of the access list. You should also be able to do a 'show log' and see the denied traffic if it's hitting it.

 

You could also try putting a specific line after the deny www one of something like this:

 

deny tcp any any eq www

deny tcp <vlan 20 IP subnet> <wildcard> 10.200.40.0 0.0.1.255 log (log is optional but will show if it's hitting the ACL)

 

You can insert lines by looking at the show run for the ACL, seeing which sequence # it is, and then adding a sequence # to put it right below the other deny www line.

 

Also as a test you could remove the www from your deny statement just to see if that makes it through as well.

 

**Please rate posts you find helpful**

Jon Marshall
Hall of Fame

 

You will be able to access the printer because your acl is not denying it. 

 

You would need the following line in your acl - 

 

deny tcp any eq www <vlan 20 subnet> <subnet mask> 

 

It is also not clear what you are trying to do with the server, i.e. if those ports (20, 21, 80, 23, 161, 162) are meant to be accessed on the server then your acl won't do that.

 

Perhaps you can clarify exactly what you are trying to do?

 

Jon

 

@David Ruess @Jon Marshall thanks for the precious information.

Our need is just to authorize access between the users VLAN (10) and the server with IP (XXXX) on the specific ports.

The access list is below:

ip access-list extended FILTER_Ports
permit tcp host 10.220.41.180 any eq ftp-data
permit tcp host 10.220.41.180 any eq ftp
permit tcp host 10.220.41.180 any eq www
permit tcp host 10.220.41.180 any eq telnet
permit udp host 10.220.41.180 any eq snmp
permit udp host 10.220.41.180 any eq snmptrap
deny tcp any any eq ftp-data
deny tcp any any eq ftp
deny tcp any any eq www
deny tcp any any eq telnet
deny udp any any eq snmp
deny udp any any eq snmptrap
permit ip any any

!

Now what I modified is changing the last line "permit ip any any" to "permit icmp any any", and it works.

I'm in VLAN 20 and I can't open the printer in VLAN 10.

I don't know why; in an access list, it must read line by line, and when it sees this line "deny tcp any any eq www" it stops access to the printer by HTTP.

But I see that it only works normally when the last line is changed from "permit ip any any" to "permit icmp any any"?

 

Good info,

 

I think my suspicions are confirmed, and it is just like @Jon Marshall said: your ACL is not denying what you want. When you removed the "permit ip any any" statement, the automatic thing to do after the ACL completes is to deny anything and everything. So it's not that it denied www traffic because you put "permit icmp any any"; I believe it denied the www traffic because it hit the "invisible" deny everything at the end instead of permitting everything.

 

This line "deny tcp any any eq www" does not stop access to the printer in vlan 10 because the acl is applied inbound on the vlan 10 interface. 

 

The above line means deny any traffic coming from devices in vlan 10 with a destination port of 80, i.e. note it is traffic coming from vlan 10 devices.

 

So the client in vlan 20 sends a packet to the printer with a destination port of 80; the printer responds with a packet back to the client with the source port 80 (not the destination port), and this packet is checked against your acl, but it is allowed through because it does not match the deny line you think it does.

 

The deny line I posted would block the traffic.

 

If you applied the acl outbound on the vlan 10 interface then you would block access to the printer but some of those entries in your acl regarding the server don't make sense if you applied the acl outbound.

 

You need to rethink the acl and also focus on the direction.

 

Jon
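To make the direction point concrete, here is an added Python simulator of IOS first-match extended ACL evaluation (example code, not from the thread or from Cisco). It runs the posted FILTER_Ports over the printer's reply packet that an inbound ACL on Vlan10 actually sees, then the "permit icmp any any" variant, then Jon's source-port deny; the VLAN 20 subnet mask (/24) and the client's ephemeral port are assumptions.

```python
import ipaddress

PORT_NAMES = {"ftp-data": 20, "ftp": 21, "telnet": 23, "www": 80, "snmp": 161, "snmptrap": 162}  # IOS keywords

def _addr_and_port(tok):
    # Consume 'any' | 'host A' | 'A WILDCARD', then an optional 'eq PORT', from the token list.
    first = tok.pop(0)
    if first == "any":
        net = ipaddress.IPv4Network("0.0.0.0/0")
    elif first == "host":
        net = ipaddress.IPv4Network(tok.pop(0) + "/32")
    else:  # an IOS wildcard is a hostmask, which IPv4Network accepts as the mask
        net = ipaddress.IPv4Network((first, tok.pop(0)), strict=False)
    port = None
    if tok and tok[0] == "eq":
        port = PORT_NAMES.get(tok[1]) or int(tok[1])
        del tok[:2]
    return net, port

def parse_ace(line):
    tok = line.split()
    action, proto, rest = tok[0], tok[1], tok[2:]
    src, sport = _addr_and_port(rest)
    dst, dport = _addr_and_port(rest)
    return action, proto, src, sport, dst, dport

def evaluate(acl, proto, src, sport, dst, dport):
    # First matching entry wins; falling off the end hits the implicit 'deny ip any any'.
    src, dst = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for line in acl:
        action, aproto, asrc, asport, adst, adport = parse_ace(line)
        if (aproto in ("ip", proto) and src in asrc and dst in adst
                and asport in (None, sport) and adport in (None, dport)):
            return action, line
    return "deny", "implicit deny ip any any"

PAIRS = [("tcp", "ftp-data"), ("tcp", "ftp"), ("tcp", "www"), ("tcp", "telnet"),
         ("udp", "snmp"), ("udp", "snmptrap")]
FILTER_PORTS = (["permit %s host 10.220.41.180 any eq %s" % p for p in PAIRS]
                + ["deny %s any any eq %s" % p for p in PAIRS] + ["permit ip any any"])  # as posted
# Inbound on interface Vlan10 the ACL only sees packets sent BY VLAN 10 hosts, so for the
# VLAN 20 client's HTTP session it evaluates the printer's reply, whose SOURCE port is 80.
REPLY = ("tcp", "10.200.40.10", 80, "10.189.44.11", 51514)   # client port 51514 is constructed
print(evaluate(FILTER_PORTS, *REPLY))                          # permitted by 'permit ip any any'
# With 'permit icmp any any' as the last line the reply matches nothing: implicit deny.
print(evaluate(FILTER_PORTS[:-1] + ["permit icmp any any"], *REPLY))
# Jon's suggested line keys on the source port (VLAN 20 is assumed to be 10.189.44.0/24 here).
print(evaluate(["deny tcp any eq www 10.189.44.0 0.0.0.255"] + FILTER_PORTS, *REPLY))
# A VLAN 10 user's own request to the server is denied: every permit names the server as SOURCE.
print(evaluate(FILTER_PORTS, "tcp", "10.200.40.50", 40000, "10.220.41.180", 80))
```

The last call shows Jon's other point: with the server as the source of every permit, a VLAN 10 user's request toward the server on port 80 falls through to "deny tcp any any eq www".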

Can I see the output of "show ip access-list"?

@MHM Cisco World 

Extended IP access list FILTER_Ports
130 permit tcp host 10.220.41.180 any eq ftp-data
140 permit tcp host 10.220.41.180 any eq ftp
150 permit tcp host 10.220.41.180 any eq www
160 permit tcp host 10.220.41.180 any eq telnet
170 permit udp host 10.220.41.180 eq snmp
180 permit udp host 10.220.41.180 any eq snmptrap
190 deny tcp any any eq ftp-data (19 matches)
200 deny tcp any any eq ftp (100 matches)
210 deny tcp any any eq www
220 deny tcp any any eq telnet (89 matches)
230 deny udp any any eq snmp (1074872 matches)
240 deny udp any any eq snmptrap
250 permit icmp any any (36 matches)


As I explained, after the last rule change the line is "250 permit icmp any any (36 matches)"; before it was "250 permit ip any any".

http://10.200.40.10 matches neither the permit nor the deny for eq http.

So there is something wrong in the routing; the traffic never hits this SVI!!
Do you have another L3 switch connected that shares the same L2 VLAN 10?
Do you have HSRP?

Also, can you elaborate more on what works with "permit icmp any any"?
