06-13-2019 11:19 PM - edited 06-13-2019 11:20 PM
Good day,
I have a scenario and an access list. I would like some feedback on whether I'm doing it right before applying it to the live environment.
192.168.0.0/24 : client net
192.168.1.0/24: server net 1
192.168.2.0/24: server net 2
now here are the rules:
1) clients must have access to ports outside the company (WAN): 80, 443
2) clients must have access to only specific ports to specific servers in vlan-b and vlan-c TCP 80, 443 and 1433
3) clients must not have any other access to any ports or any other devices in vlan-b and vlan-c
so here is what bugs me:
a) if the access list looks like the one below, then clients will have access to ports 80 and 443 not only outside the LAN but also on other servers in vlan-b and vlan-c:
access-list 100 remark DNS and DHCP for the clients
access-list 100 permit tcp any any eq domain
access-list 100 permit udp any any eq domain
access-list 100 permit udp any any eq bootpc
access-list 100 remark web to anywhere (this also matches the server VLANs)
access-list 100 permit tcp any any eq 80
access-list 100 permit tcp any any eq 443
access-list 100 remark specific servers and ports
access-list 100 permit tcp any host 192.168.1.10 eq 80
access-list 100 permit tcp any host 192.168.2.10 eq 443
access-list 100 permit tcp any host 192.168.2.11 eq 1433
access-list 100 remark block everything else to the server VLANs, then everything else
access-list 100 deny ip any 192.168.1.0 0.0.0.255
access-list 100 deny ip any 192.168.2.0 0.0.0.255
access-list 100 deny ip any any
b) if the access list looks like this, I'm not entirely sure it will work:
access-list 100 remark DNS and DHCP for the clients
access-list 100 permit tcp any any eq domain
access-list 100 permit udp any any eq domain
access-list 100 permit udp any any eq bootpc
access-list 100 remark specific servers and ports in the server VLANs
access-list 100 permit tcp any host 192.168.1.10 eq 80
access-list 100 permit tcp any host 192.168.2.10 eq 443
access-list 100 permit tcp any host 192.168.2.11 eq 1433
access-list 100 remark block everything else to the server VLANs
access-list 100 deny ip any 192.168.1.0 0.0.0.255
access-list 100 deny ip any 192.168.2.0 0.0.0.255
access-list 100 remark web to everything that is left (WAN)
access-list 100 permit tcp any any eq 80
access-list 100 permit tcp any any eq 443
access-list 100 deny ip any any
any suggestions?
06-14-2019 12:48 AM - edited 06-14-2019 12:49 AM
The second ACL is correct assuming you apply the ACL inbound on the L3 interface for the client subnet.
Why do you think it won't work?
Jon
06-14-2019 02:26 AM
Yes, your assumptions are correct regarding subnet interface.
Well, until now I put "allow source destination" rules on top and "deny source destination" at the end. I never tried to put "deny source destination" in the middle or at the beginning, assuming that it could block some useful traffic as well.
Just wanted to make sure that it's OK to put a "deny" rule anywhere I see fit.
06-14-2019 06:41 AM
Yes, it's fine. ACLs are processed line by line from top to bottom, so what you have done is correct and is the only way to achieve what you want.
Jon
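To make the top-to-bottom, first-match behaviour discussed in this thread visible, here is an added example (not part of the thread, and not Cisco software): a small Python evaluator that parses the two ACLs from the original post and runs the same test flows through both. The ACL text is taken from the post with the protocol keyword written as `tcp` (IOS does not accept `eq <port>` on an `ip` entry), `bootpc` for the DHCP client port, and 1433 for the SQL port named in rule 2. The client address 192.168.0.5, the server 192.168.1.20 and the WAN address 203.0.113.10 are constructed for the test; the parser only understands the address and port forms that appear on the page.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Port names that IOS accepts after "eq"; only the ones the thread uses are listed.
PORT_NAMES = {"domain": 53, "bootpc": 68, "bootps": 67, "www": 80}

# ACL (a) from the post: web permitted to "any" before the server VLANs are denied.
ACL_A_TEXT = """
access-list 100 permit tcp any any eq domain
access-list 100 permit udp any any eq domain
access-list 100 permit udp any any eq bootpc
access-list 100 permit tcp any any eq 80
access-list 100 permit tcp any any eq 443
access-list 100 permit tcp any host 192.168.1.10 eq 80
access-list 100 permit tcp any host 192.168.2.10 eq 443
access-list 100 permit tcp any host 192.168.2.11 eq 1433
access-list 100 deny ip any 192.168.1.0 0.0.0.255
access-list 100 deny ip any 192.168.2.0 0.0.0.255
access-list 100 deny ip any any
"""

# ACL (b) from the post: specific servers first, deny the server VLANs, then web to what is left.
ACL_B_TEXT = """
access-list 100 permit tcp any any eq domain
access-list 100 permit udp any any eq domain
access-list 100 permit udp any any eq bootpc
access-list 100 permit tcp any host 192.168.1.10 eq 80
access-list 100 permit tcp any host 192.168.2.10 eq 443
access-list 100 permit tcp any host 192.168.2.11 eq 1433
access-list 100 deny ip any 192.168.1.0 0.0.0.255
access-list 100 deny ip any 192.168.2.0 0.0.0.255
access-list 100 permit tcp any any eq 80
access-list 100 permit tcp any any eq 443
access-list 100 deny ip any any
"""


@dataclass
class Ace:
    action: str                # "permit" or "deny"
    proto: str                 # "ip" matches any protocol; otherwise "tcp" or "udp"
    src: Tuple[int, int]       # (network as int, wildcard mask as int)
    dst: Tuple[int, int]
    dport: Optional[int]       # None means any destination port
    text: str                  # original line, reported on a match


def _parse_addr(tokens: List[str], i: int) -> Tuple[Tuple[int, int], int]:
    """Consume one address spec (any | host A.B.C.D | A.B.C.D WILDCARD) starting at tokens[i]."""
    if tokens[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tokens[i] == "host":
        return (int(ipaddress.IPv4Address(tokens[i + 1])), 0), i + 2
    net = int(ipaddress.IPv4Address(tokens[i]))
    wildcard = int(ipaddress.IPv4Address(tokens[i + 1]))
    return (net, wildcard), i + 2


def parse_acl(text: str) -> List[Ace]:
    """Parse numbered extended ACL lines; 'remark' lines are skipped like IOS does."""
    acl = []
    for line in text.strip().splitlines():
        t = line.split()
        if t[0] != "access-list" or t[2] == "remark":
            continue
        action, proto = t[2], t[3]
        src, i = _parse_addr(t, 4)
        dst, i = _parse_addr(t, i)
        dport = None
        if i < len(t) and t[i] == "eq":
            name = t[i + 1]
            dport = PORT_NAMES[name] if name in PORT_NAMES else int(name)
        acl.append(Ace(action, proto, src, dst, dport, line))
    return acl


def _addr_match(spec: Tuple[int, int], ip: str) -> bool:
    """Wildcard-mask comparison: bits set in the wildcard are 'don't care'."""
    net, wildcard = spec
    care = ~wildcard & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(ip)) & care) == (net & care)


def evaluate(acl: List[Ace], proto: str, src: str, dst: str, dport: int) -> Tuple[str, str]:
    """First matching entry wins; the implicit deny at the end is what IOS applies too."""
    for ace in acl:
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if not (_addr_match(ace.src, src) and _addr_match(ace.dst, dst)):
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action, ace.text
    return "deny", "implicit deny"


ACL_A = parse_acl(ACL_A_TEXT)
ACL_B = parse_acl(ACL_B_TEXT)

# Constructed test flows from a client in 192.168.0.0/24 (inbound on the client interface).
FLOWS = [
    ("tcp", "192.168.0.5", "192.168.1.20", 80),      # web to a server NOT on the allow list
    ("tcp", "192.168.0.5", "203.0.113.10", 443),     # web to the WAN
    ("tcp", "192.168.0.5", "192.168.1.10", 80),      # permitted server and port
    ("tcp", "192.168.0.5", "192.168.2.11", 1433),    # SQL to the permitted server
    ("tcp", "192.168.0.5", "192.168.2.10", 22),      # SSH to a server: must be blocked
    ("udp", "192.168.0.5", "192.168.2.10", 53),      # DNS: permitted by the top entries
]


def compare() -> List[Tuple[str, str, str]]:
    """Return (flow description, verdict under ACL a, verdict under ACL b) for every test flow."""
    rows = []
    for proto, src, dst, dport in FLOWS:
        rows.append((f"{proto} {src} -> {dst}:{dport}",
                     evaluate(ACL_A, proto, src, dst, dport)[0],
                     evaluate(ACL_B, proto, src, dst, dport)[0]))
    return rows


if __name__ == "__main__":
    for flow, a, b in compare():
        print(f"{flow:40} acl(a)={a:6} acl(b)={b}")
```

The first flow is the one the original post worries about: under ACL (a) it hits `permit tcp any any eq 80` before the `deny` for 192.168.1.0/24 is ever reached, so every host in the server VLANs is reachable on 80 and 443; under ACL (b) the subnet deny sits above the broad web permits and the flow is dropped, while the WAN and the explicitly listed servers still pass. Running the evaluator on a proposed ACL before it is applied is a cheap way to catch this kind of ordering mistake.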