ACL issue on a CBS 250 again

peat
Level 1

I had an issue a while ago with ACLs on the CBS250 8 port switch.

I got past my problem and could get port 81 working one way, but the customer has said he wants the port 81 traffic working both ways. Currently I have the D network being able to access a webserver on the A network.

Can someone look at my config and tell me what I have done wrong? Do I need to make more ACLs and apply them outbound as well as inbound on the interfaces?

(The 172.16.200.253 entry in the ACL can be ignored. That's to allow a management device to get access everywhere.)

!
unit-type-control-start 
unit-type unit 1 network gi uplink none 
unit-type-control-end 
!
vlan database
vlan 3 
exit
voice vlan oui-table add 0001e3 Siemens_AG_phone
voice vlan oui-table add 00036b Cisco_phone
voice vlan oui-table add 00096e Avaya
voice vlan oui-table add 000fe2 H3C_Aolynk
voice vlan oui-table add 0060b9 Philips_and_NEC_AG_phone
voice vlan oui-table add 00d01e Pingtel_phone
voice vlan oui-table add 00e075 Polycom/Veritel_phone
voice vlan oui-table add 00e0bb 3Com_phone
bonjour interface range vlan 1
ip access-list extended D_to_A
permit icmp 192.168.2.0 0.0.0.255 any any any ace-priority 1
permit tcp 192.168.2.0 0.0.0.255 81 172.16.200.0 0.0.0.255 any ace-priority 2
permit tcp 192.168.2.0 0.0.0.255 any 172.16.200.0 0.0.0.255 81 ace-priority 3
exit
ip access-list extended A_to_D
permit icmp 172.16.200.0 0.0.0.255 192.168.2.0 0.0.0.255 any any ace-priority 1
permit tcp 172.16.200.0 0.0.0.255 any 192.168.2.0 0.0.0.255 81 ace-priority 2
permit tcp 172.16.200.0 0.0.0.255 81 192.168.2.0 0.0.0.255 any ace-priority 3
permit ip 172.16.200.253 0.0.0.255 any ace-priority 4
exit
hostname switch
username admin password encrypted xxxx
!
interface vlan 1
 name D 
 ip address 192.168.2.252 255.255.255.0 
 no ip address dhcp 
 no snmp trap link-status 
!
interface vlan 3
 name A 
 ip address 172.16.200.252 255.255.255.0 
 no snmp trap link-status 
!
interface GigabitEthernet1
 service-acl input A_to_D
 switchport access vlan 3 
!
interface GigabitEthernet2
 service-acl input A_to_D
 switchport access vlan 3 
!
interface GigabitEthernet3
 service-acl input A_to_D 
 switchport access vlan 3 
!
interface GigabitEthernet4
 service-acl input A_to_D
 switchport access vlan 3 
!
interface GigabitEthernet5
 service-acl input A_to_D
 switchport access vlan 3 
!
interface GigabitEthernet6
 service-acl input D_to_A
!
interface GigabitEthernet7
 service-acl input D_to_A 
!
interface GigabitEthernet8
 service-acl input D_to_A
!
exit
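The two ACLs from the config above, run through a small stateless flow check. This is an added example, not code from the original post or from Cisco. It assumes CBS/SG wildcard-mask semantics (0 bits must match, 1 bits are ignored, so 0.0.0.0 is a single host), evaluation in ace-priority order with an implicit deny at the end of a bound ACL, ignores ICMP type/code tokens, and uses constructed host addresses and ephemeral ports that are not in the post. Because a port ACL keeps no state, it judges the request on the port where the request enters the switch and the reply on the port where the reply enters. It also lints address/wildcard pairs whose host bits the wildcard discards: with a 0.0.0.255 wildcard the 172.16.200.253 line matches all of 172.16.200.0/24, so every host on A, not only the management device, is permitted to anywhere by that entry.

```python
"""Stateless flow check for the CBS250 ACLs posted in the question.
Added example, not code from the original post or from Cisco. It parses the
CBS/SG ACE form  permit <proto> <src|any> [<wc>] [<sport>] <dst|any> [<wc>] [<dport>]
(wildcard masks: 0 bits must match, 1 bits are ignored). Assumed: ACEs are tried
in ace-priority order with an implicit deny at the end; ICMP type/code tokens are
not modelled; the host IPs used below are constructed, not taken from the post."""
import ipaddress
from collections import namedtuple

# The two ACLs copied from the question's running-config.
ACL_TEXT = """
ip access-list extended D_to_A
permit icmp 192.168.2.0 0.0.0.255 any any any ace-priority 1
permit tcp 192.168.2.0 0.0.0.255 81 172.16.200.0 0.0.0.255 any ace-priority 2
permit tcp 192.168.2.0 0.0.0.255 any 172.16.200.0 0.0.0.255 81 ace-priority 3
exit
ip access-list extended A_to_D
permit icmp 172.16.200.0 0.0.0.255 192.168.2.0 0.0.0.255 any any ace-priority 1
permit tcp 172.16.200.0 0.0.0.255 any 192.168.2.0 0.0.0.255 81 ace-priority 2
permit tcp 172.16.200.0 0.0.0.255 81 192.168.2.0 0.0.0.255 any ace-priority 3
permit ip 172.16.200.253 0.0.0.255 any ace-priority 4
exit
"""
# service-acl input bindings from the question: gi1-5 carry VLAN 3 (A), gi6-8 VLAN 1 (D).
BINDINGS = {f"gi{n}": ("A_to_D" if n <= 5 else "D_to_A") for n in range(1, 9)}
ANY = 0xFFFFFFFF
# src/dst are ints; a wildcard bit set to 1 means "don't care"; a port of None means any.
Ace = namedtuple("Ace", "action proto src src_wc sport dst dst_wc dport priority")
Flow = namedtuple("Flow", "proto src sport dst dport")

def _ip(s):
    return int(ipaddress.IPv4Address(s))

def _addr(t):
    """Consume 'any' or '<ip> <wildcard>' from the front of the token list."""
    if t[0] == "any":
        t.pop(0)
        return 0, ANY
    return _ip(t.pop(0)), _ip(t.pop(0))

def _port(t):
    tok = t.pop(0)
    return None if tok == "any" else int(tok)

def parse_acls(text):
    acls, current = {}, None
    for line in text.strip().splitlines():
        t = line.split()
        if t[:3] == ["ip", "access-list", "extended"]:
            current, acls[t[3]] = t[3], []
        elif t and t[0] == "exit":
            current = None
        elif t and t[0] in ("permit", "deny") and current is not None:
            action, proto, rest = t[0], t[1], t[2:]
            prio = len(acls[current]) + 1
            if len(rest) >= 2 and rest[-2] == "ace-priority":
                prio, rest = int(rest[-1]), rest[:-2]
            ports = proto in ("tcp", "udp")
            src, src_wc = _addr(rest)
            sport = _port(rest) if ports else None
            dst, dst_wc = _addr(rest)
            dport = _port(rest) if ports else None
            acls[current].append(Ace(action, proto, src, src_wc, sport, dst, dst_wc, dport, prio))
    for aces in acls.values():
        aces.sort(key=lambda a: a.priority)  # lowest ace-priority is evaluated first
    return acls

def _match(ip, net, wc):
    return ((_ip(ip) ^ net) & (~wc & ANY)) == 0

def evaluate(acl, flow):
    """First matching ACE decides; an ACL bound to a port ends with an implicit deny."""
    for a in acl:
        if a.proto not in ("ip", flow.proto):
            continue
        if not (_match(flow.src, a.src, a.src_wc) and _match(flow.dst, a.dst, a.dst_wc)):
            continue
        if a.sport not in (None, flow.sport) or a.dport not in (None, flow.dport):
            continue
        return a.action, a.priority
    return "deny", None

def check_session(acls, flow, req_port, rep_port):
    """Stateless: judge the request where it enters (req_port) and the reply, with
    addresses and ports swapped, where *it* enters (rep_port)."""
    rep = Flow(flow.proto, flow.dst, flow.dport, flow.src, flow.sport)
    return {"request": evaluate(acls[BINDINGS[req_port]], flow)[0],
            "reply": evaluate(acls[BINDINGS[rep_port]], rep)[0]}

def host_bits_ignored(acls):
    """ACEs whose address has bits set that its wildcard ignores: '172.16.200.253
    0.0.0.255' matches all of 172.16.200.0/24, not one management host."""
    return [(name, a.priority, which) for name, aces in acls.items() for a in aces
            for which, ip, wc in (("src", a.src, a.src_wc), ("dst", a.dst, a.dst_wc))
            if wc != ANY and ip & wc]

if __name__ == "__main__":
    acls = parse_acls(ACL_TEXT)
    # Constructed hosts: .10 is the web server on each side; 5xxxx are ephemeral client ports.
    print("D -> A:81", check_session(acls, Flow("tcp", "192.168.2.10", 50000, "172.16.200.10", 81), "gi6", "gi1"))
    print("A -> D:81", check_session(acls, Flow("tcp", "172.16.200.20", 51000, "192.168.2.10", 81), "gi1", "gi6"))
    print("host bits ignored:", host_bits_ignored(acls))
```

Running it shows port 81 permitted in both directions by the posted ACLs: the request hits the `dport 81` ACE on its ingress port and the reply hits the `sport 81` ACE on its own ingress port, so no outbound ACLs are needed for this case. It also shows that a port-80 reply from A to D is still permitted, because the 172.16.200.253 line with its 0.0.0.255 wildcard matches every A host; a 0.0.0.0 wildcard would restrict that line to the management device as intended.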

Accepted Solution

peat
Level 1

If it's any use to anyone, I found out my issue was nothing to do with my ACL setup but was a Windows 11 issue where even having Windows Firewall turned off it was still blocking port 81. My Windows 10 laptop was fine and didn't need the additional port being allowed.


3 Replies

balaji.bandi
Hall of Fame
but the customer has said he wants the port 81 traffic working both

Need to provide more information. Both ways? So outside to inside, web server running on 81 is OK?

Web server initiates the traffic using port 81 as source?

 

BB


Sorry. Customer wants the port 81 service to be accessible from network B to A and also A to B. Basically the same as the firewall ACLs.

access-list acl_in extended permit tcp 192.168.2.0 255.255.255.0 172.16.200.0 255.255.255.0 eq 81
access-list acl_in extended permit icmp 192.168.2.0 255.255.255.0 172.16.200.0 255.255.255.0
access-list acl_in extended permit icmp any any

access-list acl_dmz extended permit ip host 172.16.200.253 any
access-list acl_dmz extended permit tcp 172.16.200.0 255.255.255.0 192.168.2.0 255.255.255.0 eq 81
access-list acl_dmz extended permit icmp 172.16.200.0 255.255.255.0 192.168.2.0 255.255.255.0

Both networks A and B are internal.

