Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1668
Views
0
Helpful
7
Replies

ACL Help for deny traffic for proxy

AvidPontoon1
Level 1
Level 1

‎03-25-2018 05:40 AM - edited ‎03-08-2019 02:23 PM

So I am setting up a proxy, and in an attempt to combat people not using the proxy or disabling it. I need some ACL's for our 2811 router. So that www traffic is denied unless through the proxy.

 

So the proxy has the IP: 10.1.1.78 and my new acl's want only that host to be able to go out via http and https (port 80 and 443). All other hosts except the proxy still want access to the internet but to deny http and https traffic so things like updates and ssh work fine for example. What this means for the network is, only traffic passing through the proxy can actually get out to webpages.

 

My ip structure is 10.1.x.0/24

Where x is the VLAN id (1,10,20,30,100)

 

I have tried this:


access-list 100 permit tcp host 10.1.1.78 any eq www
access-list 100 permit tcp host 10.1.1.78 any eq 443
access-list 100 deny tcp host 10.1.1.0 any eq www
access-list 100 deny tcp host 10.1.1.0 any eq 443
access-list 100 permit ip 10.1.1.0 0.0.0.255 any

 

But it does not work, all clients can still access webpages

 

Please could someone help?

 

 

Labels:
0 Helpful
7 Replies 7

Peter Paluch
Cisco Employee
Cisco Employee

‎03-25-2018 05:48 AM

Hi,

I think that the 3rd and 4th entries in your ACL are not correct - you are denying packets from a host whose exact IP address is 10.1.1.0. Likely you wanted to refer to the complete network.

I believe the correct ACL would be:

access-list 100 permit tcp host 10.1.1.78 any eq www
access-list 100 permit tcp host 10.1.1.78 any eq 443
access-list 100 deny tcp 10.1.1.0 0.0.0.255 any eq www
access-list 100 deny tcp 10.1.1.0 0.0.0.255 any eq 443
access-list 100 permit ip 10.1.1.0 0.0.0.255 any

Can you try this out? :)

Best regards,
Peter

0 Helpful

AvidPontoon1
Level 1
Level 1
In response to Peter Paluch

‎03-25-2018 05:56 AM - edited ‎03-25-2018 06:04 AM

@Peter Paluch wrote:

Hi,

I think that the 3rd and 4th entries in your ACL are not correct - you are denying packets from a host whose exact IP address is 10.1.1.0. Likely you wanted to refer to the complete network.

I believe the correct ACL would be:

access-list 100 permit tcp host 10.1.1.78 any eq www
access-list 100 permit tcp host 10.1.1.78 any eq 443
access-list 100 deny tcp 10.1.1.0 0.0.0.255 any eq www
access-list 100 deny tcp 10.1.1.0 0.0.0.255 any eq 443
access-list 100 permit ip 10.1.1.0 0.0.0.255 any

Can you try this out? :)

Best regards,
Peter

Adding the wildcard works!

But now none of my clients can get dhcp from the router?

 

Thanks

Nick

0 Helpful

Peter Paluch
Cisco Employee
Cisco Employee
In response to AvidPontoon1

‎03-25-2018 06:07 AM

Nick,

Hm, the DHCP failure now is not surprising - the DHCP client packets are sourced from 0.0.0.0 which is not permitted in your ACL.

Perhaps you would like to modify the ACL like this:

access-list 100 permit tcp host 10.1.1.78 any eq www
access-list 100 permit tcp host 10.1.1.78 any eq 443
access-list 100 deny tcp 10.1.1.0 0.0.0.255 any eq www
access-list 100 deny tcp 10.1.1.0 0.0.0.255 any eq 443
access-list 100 permit ip any any

This will essentially make sure that the HTTP(S) access in particular is permitted only to the proxy server, no one else; and nothing else is limited in any way.

Best regards,
Peter

0 Helpful

AvidPontoon1
Level 1
Level 1
In response to Peter Paluch

‎03-25-2018 06:12 AM

@Peter Paluch wrote:

Nick,

Hm, the DHCP failure now is not surprising - the DHCP client packets are sourced from 0.0.0.0 which is not permitted in your ACL.

Perhaps you would like to modify the ACL like this:

access-list 100 permit tcp host 10.1.1.78 any eq www
access-list 100 permit tcp host 10.1.1.78 any eq 443
access-list 100 deny tcp 10.1.1.0 0.0.0.255 any eq www
access-list 100 deny tcp 10.1.1.0 0.0.0.255 any eq 443
access-list 100 permit ip any any

This will essentially make sure that the HTTP(S) access in particular is permitted only to the proxy server, no one else; and nothing else is limited in any way.

Best regards,
Peter

Peter! Your a hero!

 

My new config:

access-list 100 permit tcp host 10.1.1.78 any eq www
access-list 100 permit tcp host 10.1.1.78 any eq 443
access-list 100 deny tcp 10.1.0.0 0.0.255.255 any eq www
access-list 100 deny tcp 10.1.0.0 0.0.255.255 any eq 443
access-list 100 permit ip any any

Allows only the proxy web access and DHCP now works!

 

Thanks

Nick

0 Helpful

Deepak Kumar
VIP Alumni
VIP Alumni

‎03-25-2018 05:58 AM

Hi, 

Check you Line number 3rd and 4th, Why is it host? It must be a subnet as

 

access-list 100 permit tcp host 10.1.1.78 any eq www
access-list 100 permit tcp host 10.1.1.78 any eq 443
access-list 100 deny tcp 10.1.1.0 0.0.0.255 any eq www
access-list 100 deny tcp 10.1.1.0 0.0.0.255 any eq 443
access-list 100 permit ip 10.1.1.0 0.0.0.255 any

 

Regards,

Deepak Kumar

Regards,
Deepak Kumar,
Don't forget to vote and accept the solution if this comment will help you!
0 Helpful

AvidPontoon1
Level 1
Level 1
In response to Deepak Kumar

‎03-25-2018 06:04 AM

@Deepak Kumar wrote:

Hi, 

Check you Line number 3rd and 4th, Why is it host? It must be a subnet as

 

access-list 100 permit tcp host 10.1.1.78 any eq www
access-list 100 permit tcp host 10.1.1.78 any eq 443
access-list 100 deny tcp 10.1.1.0 0.0.0.255 any eq www
access-list 100 deny tcp 10.1.1.0 0.0.0.255 any eq 443
access-list 100 permit ip 10.1.1.0 0.0.0.255 any

 

Regards,

Deepak Kumar

Adding the wildcard works!

But now none of my clients can get dhcp from the router?

 

Thanks

0 Helpful

Deepak Kumar
VIP Alumni
VIP Alumni
In response to AvidPontoon1

‎03-25-2018 06:10 AM - edited ‎03-25-2018 06:12 AM

Hi,

We blocked only TCP port 80 & 443 and you need to allow 0.0.0.0 subnet for DHCP.

access-list 100 permit tcp host 10.1.1.78 any eq www
access-list 100 permit tcp host 10.1.1.78 any eq 443
access-list 100 deny tcp 10.1.1.0 0.0.0.255 any eq www
access-list 100 deny tcp 10.1.1.0 0.0.0.255 any eq 443
access-list 100 permit ip 10.1.1.0 0.0.0.255 any

access-list 100 permit ip any any

 

Regards,

Deepak Kumar

Regards,
Deepak Kumar,
Don't forget to vote and accept the solution if this comment will help you!
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card