04-13-2009 11:46 AM - edited 03-06-2019 05:08 AM
Hello,
I'm trying to practise with some ACLs in my small 2 router lab. On Router0 I want to be able to deny and log access from 192.168.100.192/27 (Router1 LAN) to 192.168.100.97/27 (Loopback0 LAN).
As you can see, on Router0 I have created an Extended ACL and bound this to the destination interface, which is the Loopback0, in the "outbound" direction to the LAN. This is how I have been taught to do it anyway: set the ACL on the destination interface, outbound to the LAN of that interface.
Router0#sh run
!
interface Loopback0
ip address 192.168.100.97 255.255.255.224
ip access-group inbound out
!
interface FastEthernet0/0
ip address 192.168.100.129 255.255.255.252
duplex auto
speed auto
!
interface Serial0/0
description WAN link to RouterA
ip address 10.10.10.13 255.255.255.252
no fair-queue
!
interface Serial0/1
no ip address
!
router ospf 1
log-adjacency-changes
network 10.10.10.12 0.0.0.3 area 0
network 192.168.100.96 0.0.0.31 area 0
network 192.168.100.128 0.0.0.3 area 0
!
ip http server
no ip http secure-server
ip classless
!
!
!
ip access-list extended inbound
deny ip 192.168.100.192 0.0.0.31 any log
permit ip any any log
!
----------------------------------------------------------------
Router1#sh run
!
ip dhcp pool client
network 192.168.100.192 255.255.255.224
default-router 10.10.10.14
!
!
interface FastEthernet0/0
ip address 192.168.100.193 255.255.255.224
ip nat inside
duplex auto
speed auto
!
interface Serial0/0
ip address 10.10.10.14 255.255.255.252
ip nat outside
no fair-queue
clock rate 4000000
!
interface Serial0/1
no ip address
shutdown
!
router ospf 1
log-adjacency-changes
network 10.10.10.12 0.0.0.3 area 0
network 192.168.100.192 0.0.0.31 area 0
!
Thanks
04-14-2009 07:48 AM
I think it's the way I look at it:
I see it as, I'm 192.168.21.x (the source) so:
Source-Address : 192.168.21.x (server)
Destination-Address : 10.20.20.2 (PC)
And permit ip 10.20.20.0 0.0.0.255 192.168.21.0 0.0.0.255 log doesn't fit.
:S
04-14-2009 07:51 AM
Andy,
What do you mean that log doesn't fit?
10.20.20.0 0.0.0.255 should be hosts 10.20.20.1-10.20.20.254.
I now have a bit of a headache. (Grin)
Toshi
04-14-2009 07:54 AM
Sorry (my London lingo)
And permit ip 10.20.20.0 0.0.0.255 192.168.21.0 0.0.0.255 log.
I mean I would expect this to say:
permit ip 192.168.21.0 0.0.0.255 10.20.20.0 0.0.0.255 log
I see it as I'm the source (192.168.21.x), so permit 192.168.21.x to 10.20.20.x.
04-14-2009 07:59 AM
Andy,
You applied the ACL as outbound direction.
!
interface FastEthernet0/0
ip access-group MYACL1 out
!
It means the traffic going out of the router via FastEthernet0/0 then hits the ACL. So it's not possible to see the source as 192.168.21.x. The source would be your LAN, 10.20.20.x.
HTH,
Toshi
04-14-2009 08:45 AM
That is the part I understand. I wanted to allow 10.20.20.x outbound access only to those 3 subnets, and that works, but what gives the 3 remote subnets access back to 10.20.20.x?
Is it because I don't have an access list inbound to the 10.20.20.x network that all is allowed?
04-14-2009 08:50 AM
Andy,
ACLs are stateless. It's not a FIREWALL. You have to think about the direction you apply it in. Yes, the 3 remote subnets can access 10.20.20.x, because you didn't have an inbound ACL to block them. What happens if you do that? Connecting from 10.20.20.x to the 192.168.X.y network may not work when packets are routed back from the 3 remote subnets.
My 2 cents
Toshi
04-14-2009 09:13 AM
This makes a lot more sense. I've tested, and all 3 subnets can access this; however, a new subnet 192.168.90.x can't?
Also, if I was to restrict access, would I simply add a new access list to fa0/1 inbound?
04-14-2009 09:23 AM
Andy,
New remote subnet 192.168.90.x added? Well, let's modify the ACL to allow them.
You want to restrict access by using an inbound ACL. Well, let's test it out; you will see what's going on.
Toshi
04-14-2009 09:31 AM
What I mean is, before adding the inbound ACL, 192.168.90.x should have access to 10.20.20.x as there are no ACLs inbound to stop this? Well, it can't, but the 3 subnets can.
04-14-2009 09:37 AM
Andy,
We are now on page number 2 for this thread. (grin) What I told you is that you have assigned the outbound ACL. Let's modify things as follows:
!
ip access-list extended MYACL1
permit ip 10.20.20.0 0.0.0.255 192.168.28.0 0.0.0.255 log
permit ip 10.20.20.0 0.0.0.255 192.168.21.0 0.0.0.255 log
permit ip 10.20.20.0 0.0.0.255 192.168.20.0 0.0.0.255 log
permit ip 10.20.20.0 0.0.0.255 192.168.90.0 0.0.0.255 log
deny ip any any log
!
Like I said, it's not a firewall. Just think about how the packets go back and forth.
Toshi
04-14-2009 08:47 PM
Just to add how the communication works:
When you access the remote network 192.168.x.y through 10.20.20.x,
the packet will be source: 10.20.20.x and destination: 192.168.x.y.
This will reach the destination. Now it's time to respond, through a host in 192.168.x.y to 10.20.20.x; the response packet will be source: 192.168.x.y and destination: 10.20.20.x.
So this is how the process goes.
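Toshi's point that an ACL is stateless and is checked only in the direction it is applied, together with the request/reply flow in the post above, as an added Python example that is not from the thread: a toy evaluator with Cisco wildcard matching, MYACL1 from the thread applied "out" on an assumed remote-facing fa0/0, and the reply leg checked separately on the "in" side. The interface layout, the strict inbound ACL and the host addresses are constructed for the example.

```python
import ipaddress

def wildcard_match(addr: str, spec: str) -> bool:
    """Cisco wildcard match: a 1 bit in the wildcard means 'don't care'."""
    if spec == "any":
        return True
    base, wild = spec.split()
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wild))  # bits that must match
    return (int(ipaddress.IPv4Address(addr)) & care
            == int(ipaddress.IPv4Address(base)) & care)

def evaluate(acl, src: str, dst: str) -> str:
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for action, s, d in acl:
        if wildcard_match(src, s) and wildcard_match(dst, d):
            return action
    return "deny"

# Toshi's MYACL1 from the thread, as (action, source, destination) tuples.
MYACL1 = [
    ("permit", "10.20.20.0 0.0.0.255", "192.168.28.0 0.0.0.255"),
    ("permit", "10.20.20.0 0.0.0.255", "192.168.21.0 0.0.0.255"),
    ("permit", "10.20.20.0 0.0.0.255", "192.168.20.0 0.0.0.255"),
    ("permit", "10.20.20.0 0.0.0.255", "192.168.90.0 0.0.0.255"),
    ("deny", "any", "any"),
]

def forward(src: str, dst: str, direction: str, iface: dict) -> str:
    """iface maps "in"/"out" to an ACL or None; with no ACL applied in a
    direction the packet is forwarded unchecked, as IOS does."""
    acl = iface[direction]
    return "permit" if acl is None else evaluate(acl, src, dst)

# Assumed layout: fa0/0 faces the remote subnets, MYACL1 applied "out", nothing "in".
FA0_0 = {"in": None, "out": MYACL1}

# Constructed: a naive inbound deny of one remote subnet breaks the reply path.
FA0_0_STRICT = {"in": [("deny", "192.168.21.0 0.0.0.255", "any"),
                       ("permit", "any", "any")],
                "out": MYACL1}

def session(client: str, server: str, iface: dict = FA0_0) -> tuple:
    """The request leaves via the interface (out); the reply re-enters it (in).
    Both legs are checked independently because the ACL keeps no state."""
    return (forward(client, server, "out", iface),
            forward(server, client, "in", iface))
```

session("10.20.20.5", "192.168.21.10") returns ('permit', 'permit') with the default interface and ('permit', 'deny') with FA0_0_STRICT, which is the breakage Toshi warns about.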