
access-list sequencing

amaoxrebeli
Level 1

Good day,

I have a scenario and an access list. I would like feedback on whether I'm doing it right before applying it to the live environment.

192.168.0.0/24 : client net

192.168.1.0/24: server net 1

192.168.2.0/24: server net 2

Now here are the rules:

1) clients must have access to ports outside the company (WAN): 80, 443

2) clients must have access only to specific ports on specific servers in vlan-b and vlan-c: TCP 80, 443 and 1433

3) clients must not have any other access to any ports or any other devices in vlan-b and vlan-c

 

So here is what bugs me:

a) if the access list looks like the one below, then clients will not have access to ports 80 and 443 not only outside the LAN but also to other servers in vlan-b and vlan-c:

 

access-list 100 permit tcp any any eq domain
access-list 100 permit udp any any eq domain
access-list 100 permit udp any any eq bootpc
! port matches (eq) need tcp or udp, not ip
access-list 100 permit tcp any any eq 80
access-list 100 permit tcp any any eq 443
access-list 100 permit tcp any host 192.168.1.10 eq 80
access-list 100 permit tcp any host 192.168.2.10 eq 443
access-list 100 permit tcp any host 192.168.2.11 eq 1433
access-list 100 deny ip any 192.168.1.0 0.0.0.255
access-list 100 deny ip any 192.168.2.0 0.0.0.255
access-list 100 deny ip any any

 

b) if the access list looks like this, I'm not entirely sure it will work:

 

access-list 100 permit tcp any any eq domain
access-list 100 permit udp any any eq domain
access-list 100 permit udp any any eq bootpc
! specific server/port permits first
access-list 100 permit tcp any host 192.168.1.10 eq 80
access-list 100 permit tcp any host 192.168.2.10 eq 443
access-list 100 permit tcp any host 192.168.2.11 eq 1433
! then block everything else to the server subnets
access-list 100 deny ip any 192.168.1.0 0.0.0.255
access-list 100 deny ip any 192.168.2.0 0.0.0.255
! web to everywhere else (WAN)
access-list 100 permit tcp any any eq 80
access-list 100 permit tcp any any eq 443
access-list 100 deny ip any any

Any suggestions?

3 Replies

Jon Marshall
Hall of Fame

 

The second acl is correct assuming you apply the acl inbound on the L3 interface for the client subnet. 

 

Why do you think it won't work ? 

 

Jon

Yes, your assumptions are correct regarding subnet interface.

Well, until now I put "allow source destination" rules on top and "deny source destination" at the end. I never tried to put "deny source destination" in the middle or at the beginning, assuming that it could block some useful traffic as well.

Just wanted to make sure that it's OK to put a "deny" rule anywhere I see fit.

 

Yes, it's fine: ACLs are processed line by line from top to bottom, so what you have done is correct and is the only way to achieve what you want.

 

Jon
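To make the top-to-bottom, first-match behaviour Jon describes concrete, here is a small Python simulation of both ACLs from the question run against a handful of client flows. This is an added example, not code from the thread or from Cisco: it models only the numbered-ACL syntax the post uses (any / host / address+wildcard, eq port), writes the port-carrying lines as tcp because IOS only matches ports on tcp/udp, uses 1433 for the SQL port as rule 2 states, and the client address, WAN address and probe flows are constructed for the test.

```python
"""First-match simulation of the two ACLs from the question (added example)."""
import ipaddress

# Constructed copies of the two ACLs in the post (port lines as tcp, SQL as 1433).
ACL_A = """
access-list 100 permit tcp any any eq domain
access-list 100 permit udp any any eq domain
access-list 100 permit udp any any eq bootpc
access-list 100 permit tcp any any eq 80
access-list 100 permit tcp any any eq 443
access-list 100 permit tcp any host 192.168.1.10 eq 80
access-list 100 permit tcp any host 192.168.2.10 eq 443
access-list 100 permit tcp any host 192.168.2.11 eq 1433
access-list 100 deny ip any 192.168.1.0 0.0.0.255
access-list 100 deny ip any 192.168.2.0 0.0.0.255
access-list 100 deny ip any any
"""

ACL_B = """
access-list 100 permit tcp any any eq domain
access-list 100 permit udp any any eq domain
access-list 100 permit udp any any eq bootpc
access-list 100 permit tcp any host 192.168.1.10 eq 80
access-list 100 permit tcp any host 192.168.2.10 eq 443
access-list 100 permit tcp any host 192.168.2.11 eq 1433
access-list 100 deny ip any 192.168.1.0 0.0.0.255
access-list 100 deny ip any 192.168.2.0 0.0.0.255
access-list 100 permit tcp any any eq 80
access-list 100 permit tcp any any eq 443
access-list 100 deny ip any any
"""

PORT_NAMES = {"domain": 53, "bootps": 67, "bootpc": 68, "www": 80}


def wildcard_to_prefix(wildcard):
    """Cisco wildcard mask (0 bits = must match) -> CIDR prefix length."""
    inverted = int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF
    return bin(inverted).count("1")


def _parse_addr(tok, i):
    """Parse `any`, `host A.B.C.D` or `A.B.C.D W.W.W.W` starting at tok[i]."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    prefix = wildcard_to_prefix(tok[i + 1])
    return ipaddress.ip_network(f"{tok[i]}/{prefix}", strict=False), i + 2


def parse_acl(text):
    """Return the ACL as an ordered list of (action, proto, src, dst, dport)."""
    rules = []
    for line in text.strip().splitlines():
        tok = line.split()
        if len(tok) < 4 or tok[0] != "access-list" or tok[2] == "remark":
            continue
        action, proto = tok[2], tok[3]
        src, i = _parse_addr(tok, 4)
        dst, i = _parse_addr(tok, i)
        dport = None
        if i < len(tok) and tok[i] == "eq":
            name = tok[i + 1]
            dport = PORT_NAMES[name] if name in PORT_NAMES else int(name)
        rules.append((action, proto, src, dst, dport))
    return rules


def evaluate(rules, proto, src, dst, dport):
    """Walk the list top to bottom; the first matching line decides.
    Falls through to the implicit deny at the end (reported as line None)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for n, (action, rproto, rsrc, rdst, rport) in enumerate(rules, 1):
        if rproto != "ip" and rproto != proto:
            continue
        if s not in rsrc or d not in rdst:
            continue
        if rport is not None and rport != dport:
            continue
        return action, n
    return "deny", None


# Constructed probe flows from a client (192.168.0.50), one per policy rule.
PROBES = {
    "wan_https": ("tcp", "192.168.0.50", "203.0.113.10", 443),      # rule 1
    "srv1_http": ("tcp", "192.168.0.50", "192.168.1.10", 80),       # rule 2
    "srv2_sql": ("tcp", "192.168.0.50", "192.168.2.11", 1433),      # rule 2
    "other_srv_http": ("tcp", "192.168.0.50", "192.168.1.20", 80),  # rule 3: deny
    "srv2_ssh": ("tcp", "192.168.0.50", "192.168.2.10", 22),        # rule 3: deny
}
EXPECTED = {"wan_https": "permit", "srv1_http": "permit", "srv2_sql": "permit",
            "other_srv_http": "deny", "srv2_ssh": "deny"}


def check_policy(acl_text):
    """Return ({probe: (action, line)}, [probes where the ACL breaks the policy])."""
    rules = parse_acl(acl_text)
    results = {name: evaluate(rules, *flow) for name, flow in PROBES.items()}
    violations = [n for n, (act, _) in results.items() if act != EXPECTED[n]]
    return results, violations


if __name__ == "__main__":
    for label, acl in (("ACL a", ACL_A), ("ACL b", ACL_B)):
        results, violations = check_policy(acl)
        print(label, "policy violations:", violations or "none")
        for name, (act, line) in results.items():
            print(f"  {name:15} {act:6} (matched line {line})")
```

Running it prints the verdict and the matching line for each flow. ACL a) lets the client reach port 80 on 192.168.1.20 because line 4 (`permit tcp any any eq 80`) matches before the per-subnet denies ever get a look; ACL b) sends the same flow to line 7 and denies it, while WAN HTTPS still reaches line 10 and is permitted. Adding a UDP probe to a server shows the other side of ordering: it skips the tcp lines and hits the subnet deny.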