07-26-2011 03:02 AM - edited 03-07-2019 01:24 AM
Hi,
I have applied the following ACL to interface vlan 10 in the inward direction.
access-list 121 deny ip 10.86.60.0 0.0.0.127 any log
interface vlan 10
ip access-group 121 in
I tried to open google.com from 10.86.60.5, but it is denied.
Here I have denied traffic from the internet to my LAN, so how come it is denying traffic from the LAN to the internet?
07-26-2011 03:17 AM
Hi,
IP communication is a bidirectional process.
Regards.
Alain
07-26-2011 03:18 AM
Hi Vishal,
The rule you defined is wrong.
And coming to your issue, when you applied "ip access-group 121 in" it means that when the packet is entering inside from the interface it will be denied as per the above defined rule.
So when you try to open google the packet is going out but the reverse packet (reverse route/traffic) won't come as per the above rule.
So instead of that rule you need something like...
access-list 121 permit ip 10.86.60.0 0.0.0.127 any log
Please rate the helpful posts.
Regards,
Naidu.
07-26-2011 03:26 AM
So when you try to open google the packet is going out but the reverse packet (reverse route/traffic) won't come as per the above rule.
The reverse packet will come, since the source will be google and the destination will be 10.86.60.5 for packets coming into vlan 10. Out traffic is permitted.
07-26-2011 03:30 AM
Vishal
Is vlan 10 using the subnet 10.86.0.0/25?
If so, traffic will never get out of that vlan with your acl because you have denied it with your acl.
Jon
07-26-2011 03:20 AM
Then why do we use direction in or out?
07-26-2011 03:20 AM
Vishal
An acl applied inbound on a vlan interface filters traffic from clients in that vlan.
An acl applied outbound on a vlan interface filters traffic to clients on that vlan.
So your acl is blocking the traffic from 10.86.60.0/25 clients to the internet.
But even if you applied an outbound acl, i.e.
access-list 101 deny ip any 10.86.0.0 0.0.0.127
int vlan 10
ip access-group 101 out
this still wouldn't work, because then the return traffic from google would be blocked.
Basically, to do what you want you need a firewall (or reflexive acls). Do you not have a firewall?
Jon
07-26-2011 03:35 AM
Hi Vishal,
The in/out directions will filter the packets within the vlan from its clients.
As I said, you need to permit instead of deny to get internet from the clients.
Please rate the helpful posts.
Regards,
Naidu.
07-26-2011 03:46 AM
no access-list 111
access-list 111 permit icmp 10.86.60.16 0.0.0.15 10.86.60.0 0.0.0.15
access-list 111 permit icmp 10.86.60.64 0.0.0.31 10.86.60.0 0.0.0.15
access-list 111 permit icmp 10.86.60.128 0.0.0.31 10.86.60.0 0.0.0.15
access-list 111 permit tcp 10.86.60.64 0.0.0.31 eq 53 10.86.60.0 0.0.0.15
access-list 111 permit udp 10.86.60.64 0.0.0.31 eq 53 10.86.60.0 0.0.0.15
access-list 111 permit udp 10.86.60.16 0.0.0.15 eq 161 10.86.60.0 0.0.0.15
access-list 111 permit udp 10.86.60.64 0.0.0.31 eq 161 10.86.60.0 0.0.0.15
access-list 111 permit udp 10.86.60.128 0.0.0.31 eq 161 10.86.60.0 0.0.0.15
access-list 111 permit udp 10.86.60.16 0.0.0.15 10.86.60.0 0.0.0.15 eq 161
access-list 111 permit udp 10.86.60.64 0.0.0.31 10.86.60.0 0.0.0.15 eq 161
access-list 111 permit udp 10.86.60.128 0.0.0.31 10.86.60.0 0.0.0.15 eq 161
access-list 111 permit tcp 10.86.60.64 0.0.0.31 eq 389 10.86.60.0 0.0.0.15
access-list 111 permit udp 10.86.60.64 0.0.0.31 eq 389 10.86.60.0 0.0.0.15
access-list 111 permit tcp 10.86.60.16 0.0.0.15 10.86.60.0 0.0.0.15 eq 445
access-list 111 permit tcp 10.86.60.64 0.0.0.31 10.86.60.0 0.0.0.15 eq 445
access-list 111 permit tcp 10.86.60.128 0.0.0.31 10.86.60.0 0.0.0.15 eq 445
access-list 111 permit tcp 10.86.60.16 0.0.0.15 eq 445 10.86.60.0 0.0.0.15
access-list 111 permit tcp 10.86.60.64 0.0.0.31 eq 445 10.86.60.0 0.0.0.15
access-list 111 permit tcp 10.86.60.128 0.0.0.31 eq 445 10.86.60.0 0.0.0.15
access-list 111 permit tcp 10.86.60.16 0.0.0.15 eq 443 10.86.60.0 0.0.0.15
access-list 111 permit tcp 10.86.60.64 0.0.0.31 eq 443 10.86.60.0 0.0.0.15
access-list 111 permit tcp 10.86.60.128 0.0.0.31 eq 443 10.86.60.0 0.0.0.15
access-list 111 permit udp 10.86.60.16 0.0.0.15 eq 500 10.86.60.0 0.0.0.15
access-list 111 permit udp 10.86.60.64 0.0.0.31 eq 500 10.86.60.0 0.0.0.15
access-list 111 permit udp 10.86.60.128 0.0.0.31 eq 500 10.86.60.0 0.0.0.15
access-list 111 permit tcp 10.86.60.16 0.0.0.15 eq 1026 10.86.60.0 0.0.0.15
access-list 111 permit tcp 10.86.60.64 0.0.0.31 eq 1026 10.86.60.0 0.0.0.15
access-list 111 permit tcp 10.86.60.128 0.0.0.31 eq 1026 10.86.60.0 0.0.0.15
access-list 111 permit tcp 10.86.60.64 0.0.0.31 10.86.60.0 0.0.0.15 eq 1521
access-list 111 permit tcp 10.86.60.16 0.0.0.15 eq 3268 10.86.60.0 0.0.0.15
access-list 111 permit udp 10.86.60.191 0.0.0.63 10.86.60.0 0.0.0.15 eq 7301
access-list 111 permit udp 10.86.61.0 0.0.0.127 10.86.60.0 0.0.0.15 eq 7301
access-list 111 permit tcp 10.86.60.191 0.0.0.63 eq 9100 10.86.60.0 0.0.0.15
access-list 111 permit tcp 10.86.61.0 0.0.0.127 eq 9100 10.86.60.0 0.0.0.15
access-list 111 permit udp 10.86.60.191 0.0.0.63 eq 10004 10.86.60.0 0.0.0.15
access-list 111 permit udp 10.86.61.0 0.0.0.127 eq 10004 10.86.60.0 0.0.0.15
access-list 111 permit tcp 10.86.60.191 0.0.0.63 10.86.60.0 0.0.0.15 range 1024 65535
access-list 111 permit tcp 10.86.61.0 0.0.0.127 10.86.60.0 0.0.0.15 range 1024 65535
access-list 111 permit tcp 10.86.63.0 0.0.0.255 10.86.60.0 0.0.0.15 range 1024 65535
access-list 111 permit icmp 140.95.0.0 0.0.255.255 10.86.60.0 0.0.0.15
access-list 111 permit tcp 140.95.0.0 0.0.255.255 eq 80 10.86.60.0 0.0.0.15
access-list 111 permit tcp 140.95.0.0 0.0.255.255 eq 443 10.86.60.0 0.0.0.15
access-list 111 permit tcp 140.95.0.0 0.0.255.255 10.86.60.0 0.0.0.15 eq 80
access-list 111 permit tcp 140.95.0.0 0.0.255.255 10.86.60.0 0.0.0.15 eq 443
access-list 111 permit tcp 140.95.0.0 0.0.255.255 10.86.60.0 0.0.0.15 eq 1521
access-list 111 permit tcp 140.95.0.0 0.0.255.255 10.86.60.0 0.0.0.15 eq 9001
access-list 111 permit tcp 208.89.43.0 0.0.0.255 eq 3995 10.86.60.0 0.0.0.15
access-list 111 permit tcp 172.16.0.0 0.0.0.255 eq 2463 10.86.60.0 0.0.0.15
access-list 111 permit tcp host 192.168.89.33 10.86.60.0 0.0.0.15 eq 80
access-list 111 permit tcp host 192.168.89.33 10.86.60.0 0.0.0.15 eq 3389
access-list 111 deny ip any 10.86.60.0 0.0.0.15 log
no access-list 121
access-list 121 permit ip 10.86.60.0 0.0.0.15 10.86.60.16 0.0.0.15
access-list 121 permit ip 10.86.60.0 0.0.0.15 10.86.60.64 0.0.0.31
access-list 121 permit ip 10.86.60.0 0.0.0.15 10.86.60.128 0.0.0.31
access-list 121 permit ip 10.86.60.0 0.0.0.15 10.86.60.191 0.0.0.63
access-list 121 permit ip 10.86.60.0 0.0.0.15 10.86.61.0 0.0.0.127
access-list 121 permit ip 10.86.60.0 0.0.0.15 10.86.63.0 0.0.0.255
access-list 121 permit tcp 10.86.60.0 0.0.0.15 140.95.0.0 0.0.255.255 eq 80
access-list 121 permit tcp 10.86.60.0 0.0.0.15 140.95.0.0 0.0.255.255 eq 443
access-list 121 permit tcp 10.86.60.0 0.0.0.15 eq 80 140.95.0.0 0.0.255.255
access-list 121 permit tcp 10.86.60.0 0.0.0.15 eq 1521 140.95.0.0 0.0.255.255
access-list 121 permit tcp 10.86.60.0 0.0.0.15 172.16.0.0 0.0.0.255 eq 2463
access-list 121 permit icmp 10.86.60.0 0.0.0.15 any
access-list 121 deny ip 10.86.60.0 0.0.0.15 any log
interface vlan 10
ip access-group 111 out
ip access-group 121 in
That's the access list I have configured.
I didn't understand the above explanation.
07-26-2011 03:51 AM
Vishal
What is the subnet used with vlan 10, i.e. what is the IP address + subnet mask assigned to the vlan 10 interface?
As I said before:
inbound acl - this will filter traffic coming from clients in that vlan. So if you apply acl 121 inbound on vlan 10 then it will filter traffic from clients in vlan 10.
outbound acl - if you apply acl 111 outbound on vlan 10 then it will filter traffic going to clients in vlan 10.
Jon
07-26-2011 03:56 AM
Hi Vishal,
ip access-group 111 in..
Applied when packet coming to the clients in that vlan
ip access-group 111 in..
Applied when packet going out from the clients in that vlan
Coming to your access-list rules, there are a lot of unnecessary rules defined.
Tell us clearly what subnet you gave for vlan 10 and what needs to be permitted and what not.
Please rate the helpful posts.
Regards,
Naidu.
07-26-2011 04:00 AM
vlan 10 ip 10.86.60.3 255.255.255.240
07-26-2011 04:08 AM
Hi Vishal,
According to your IP and subnet mask of vlan 10, try to configure like below to get internet access.
ip access-list extended 121
permit ip 10.86.60.0 0.0.0.15 any
interface vlan 10
ip access-group 121 in
Please rate the helpful posts.
Regards,
Naidu.
07-26-2011 04:08 AM
Well, your acls will deny internet traffic anyway, because nowhere do you allow an "any" except to deny it at the end.
Please read what has been posted about the direction of traffic. If you have both an in and an out acl and you want to allow internet or http traffic, you would need, before the last line of your acls:
access-list 111 permit tcp any 10.86.0.0 0.0.0.15 eq http
access-list 121 permit tcp 10.86.0.0 0.0.0.15 any eq http
Jon
07-26-2011 08:29 AM
Something great I found on a Cisco forum somewhere that has always helped me determine which direction is correct:
The "in" ACL has a source on a segment of the interface to which it is applied and a destination off of any other interface. The "out" ACL has a source on a segment of any interface other than the interface to which it is applied and a destination off of the interface to which it is applied.
Maybe that will help someone else.
netengdj
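The direction rule above, and Jon's earlier point that a stateless in/out pair has to permit the request in one list and the reply in the other, are easy to get wrong on paper, so here is an added example (my own Python, not code from any post in this thread or from Cisco) that parses numbered extended ACL lines of the shape posted above and evaluates packets against them the way IOS does: first match wins, wildcard bits set to 1 are ignored, and falling off the end hits the implicit deny. It then runs both legs of a web connection across "interface vlan 10", request through the ACL applied "in" and reply through the one applied "out". The server address 203.0.113.10 and the client source port are constructed placeholders; the "working" ACL pair is mine, written for the 10.86.60.0/28 subnet given later in the thread.

```python
"""Stateless simulator for Cisco-style numbered extended ACLs on an SVI.
Added example, not code from any post above: parses 'access-list' lines of the
shape used in the thread, evaluates packets first-match with the implicit deny,
and checks both legs of a TCP exchange across 'interface vlan 10'."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

def spec(addr, wildcard):
    """(address, wildcard) as integers, e.g. spec('10.86.60.0', '0.0.0.15')."""
    return (int(ipaddress.IPv4Address(addr)), int(ipaddress.IPv4Address(wildcard)))

@dataclass
class Entry:
    action: str              # "permit" or "deny"
    proto: str               # "ip", "tcp", "udp", "icmp"
    src: tuple               # (address, wildcard) as ints
    sport: Optional[tuple]   # (lo, hi), or None for any port
    dst: tuple
    dport: Optional[tuple]

def _take_addr(tok):
    """Consume 'any' | 'host A.B.C.D' | 'A.B.C.D W.X.Y.Z' from the token list."""
    t = tok.pop(0)
    if t == "any":
        return spec("0.0.0.0", "255.255.255.255")
    return spec(tok.pop(0), "0.0.0.0") if t == "host" else spec(t, tok.pop(0))

def _take_port(tok):
    """Consume an optional 'eq P' or 'range LO HI' that follows an address."""
    if tok and tok[0] in ("eq", "range"):
        kw = tok.pop(0)
        lo = int(tok.pop(0))
        return (lo, int(tok.pop(0)) if kw == "range" else lo)
    return None

def parse_acls(config):
    """{acl_number: [Entry, ...]}; 'no access-list N' clears N; trailing 'log' is ignored."""
    acls = {}
    for line in config.splitlines():
        tok = line.split()
        if tok[:2] == ["no", "access-list"]:
            acls.pop(tok[2], None)
        elif tok[:1] == ["access-list"]:
            num, action, proto, rest = tok[1], tok[2], tok[3], tok[4:]
            src, sport = _take_addr(rest), _take_port(rest)
            dst, dport = _take_addr(rest), _take_port(rest)
            acls.setdefault(num, []).append(Entry(action, proto, src, sport, dst, dport))
    return acls

def wildcard_match(addr_spec, ip):
    """Cisco wildcard: a 1 bit means 'do not care', so only the 0 bits are compared."""
    addr, wc = addr_spec
    care = ~wc & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(ip)) & care) == (addr & care)

def evaluate(entries, proto, src, dst, sport=None, dport=None):
    """First match wins; off the end is the implicit 'deny ip any any' -> ('deny', None)."""
    for idx, e in enumerate(entries):
        if e.proto not in ("ip", proto):
            continue
        if not (wildcard_match(e.src, src) and wildcard_match(e.dst, dst)):
            continue
        if all(s is None or (p is not None and s[0] <= p <= s[1])
               for s, p in ((e.sport, sport), (e.dport, dport))):
            return e.action, idx
    return "deny", None

def tcp_exchange(acls, bound, client, server, dport, sport=50000):
    """Both legs of one TCP connection from a VLAN host to an outside server; bound maps a
    direction to an ACL number, e.g. {"in": "121", "out": "111"}; no ACL means pass."""
    req = evaluate(acls[bound["in"]], "tcp", client, server, sport, dport) if "in" in bound else ("permit", None)
    rep = evaluate(acls[bound["out"]], "tcp", server, client, dport, sport) if "out" in bound else ("permit", None)
    return req, rep

# First post's ACL (0.0.0.127 spans 10.86.60.0-127, which contains the client), the outbound-deny
# variant written for the /28 given later, and a constructed pair that lets web browsing work:
# 121 (in) permits the requests, 111 (out) permits the replies by source port.
ORIGINAL = "access-list 121 deny ip 10.86.60.0 0.0.0.127 any log"
OUT_ONLY = "access-list 101 deny ip any 10.86.60.0 0.0.0.15"
WORKING = """\
no access-list 121
access-list 121 permit tcp 10.86.60.0 0.0.0.15 any eq 80
access-list 121 permit tcp 10.86.60.0 0.0.0.15 any eq 443
access-list 121 deny ip 10.86.60.0 0.0.0.15 any log
no access-list 111
access-list 111 permit tcp any eq 80 10.86.60.0 0.0.0.15
access-list 111 permit tcp any eq 443 10.86.60.0 0.0.0.15
access-list 111 deny ip any 10.86.60.0 0.0.0.15 log
"""
CLIENT, SERVER = "10.86.60.5", "203.0.113.10"   # server is a constructed TEST-NET-3 placeholder

def demo():
    """Three scenarios; each value is ((request action, idx), (reply action, idx))."""
    return {
        "original_in": tcp_exchange(parse_acls(ORIGINAL), {"in": "121"}, CLIENT, SERVER, 80),
        "deny_out": tcp_exchange(parse_acls(OUT_ONLY), {"out": "101"}, CLIENT, SERVER, 80),
        "working": tcp_exchange(parse_acls(WORKING), {"in": "121", "out": "111"}, CLIENT, SERVER, 80),
    }
```

Calling demo() shows the three outcomes side by side: the first post's ACL denies the request on its first line (the reply never gets a chance), the outbound-only deny lets the request out and drops the reply, and only the pair that permits in both directions lets the connection complete. The same evaluator can be pointed at the long list posted earlier; for instance, because only the zero bits of the wildcard are compared, "10.86.60.191 0.0.0.63" covers 10.86.60.128 through .191 (IOS stores it as 10.86.60.128 0.0.0.63), not the hosts above .191. The security caveat in the "working" pair is exactly why Jon mentions a firewall or reflexive ACLs: the out list admits any packet whose source port is 80 or 443, solicited or not, so on a real box the reply lines should at least carry the established keyword, and a stateful device is the proper fix.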