ACL on Int VLAN Help
08-21-2015 09:26 AM - edited 03-08-2019 01:27 AM
I need some help. I'm trying to set up an access list (or lists) that will help isolate traffic to and from a specific subnet (172.16.54.0/25).
Interface Vlan 6 - 172.16.54.0/25
Traffic on this subnet should be able to talk out to any host on ports 443 and 9120, and talk to the 192.168.54.0/25 subnet on port 10009.
The only traffic allowed to talk into this subnet should be 192.168.54.0/25 on port 10009.
Does this look correct, or does it look like it should work?
interface Vlan6
 description CC
 ip address 172.16.54.126 255.255.255.128
 ip access-group 150 in
 ip access-group 155 out
 ip virtual-reassembly
access-list 150 permit icmp any any
access-list 150 permit tcp 172.16.54.0 0.0.0.127 any eq 443
access-list 150 permit udp 172.16.54.0 0.0.0.127 any eq 443
access-list 150 permit tcp 172.16.54.0 0.0.0.127 any eq 9120
access-list 150 permit udp 172.16.54.0 0.0.0.127 any eq 9120
access-list 150 permit tcp 172.16.54.0 0.0.0.127 192.168.54.0 0.0.0.127 eq 10009
access-list 150 permit udp 172.16.54.0 0.0.0.127 192.168.54.0 0.0.0.127 eq 10009
access-list 150 deny ip any any
access-list 155 permit icmp any any
access-list 155 permit tcp 192.168.54.0 0.0.0.127 172.16.54.0 0.0.0.127 eq 10009
access-list 155 permit udp 192.168.54.0 0.0.0.127 172.16.54.0 0.0.0.127 eq 10009
access-list 155 deny ip any any
Any help or suggestions would be great.
Thank you,
Pete
Labels: LAN Switching
08-21-2015 10:24 AM
Hi Pete,
Just a couple of questions/observations:
1.- Do you know whether the ports you need to talk to are TCP and UDP, or just TCP? If it's just TCP I don't see the need to add both TCP and UDP to the ACL.
2.- The deny ip any any is implicit, so you don't need to add it to the configuration; no big deal though, it has no effect whatsoever.
3.- I don't know how the application that uses port 10009 works, but it caught my attention that it uses port 10009 in both directions; just make sure this is correct. Maybe you only want the return traffic to pass, in which case you have to permit traffic from 192.168.54.0/25 source port 10009 to 172.16.54.0/25 (any destination port, since it can be whatever random port the client is answering from). In that case you would need something like this:
access-list 155 permit tcp 192.168.54.0 0.0.0.127 eq 10009 172.16.54.0 0.0.0.127
access-list 155 permit udp 192.168.54.0 0.0.0.127 eq 10009 172.16.54.0 0.0.0.127
The ACLs look just fine, though; I just wanted to make sure it matches what you're trying to achieve.
08-21-2015 11:31 AM
I appreciate the feedback. Good call on changing it to accept any port on the return side.
This is for a credit card / server setup, and unfortunately I don't have great info from the vendor about the exact ports, etc. I'm just going on what the vendor is relaying to me to meet PCI standards.
I tested with him prior to posting this and it wasn't working, just incrementing the deny hit counter, so I'm guessing there are more ports that I wasn't told about.
08-21-2015 03:29 PM
Hi Pete, I feel your pain about the vendors, hehe, I've been there... You can always add a deny ip any any log at the end of the access-list, do a terminal monitor and run some tests to see what's going on.
EDIT: Oh yeah, you should also add the return traffic for all the rest of the ports, although I think you already caught that...
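The "deny ip any any log" plus "terminal monitor" approach above produces one syslog line per denied flow, and with an undocumented vendor application the useful step is to aggregate those lines by destination port so each missing permit stands out. The script below is an added example (editor's code, not from the thread or from Cisco); it parses the %SEC-6-IPACCESSLOGP (tcp/udp) and %SEC-6-IPACCESSLOGDP (icmp) message formats as the editor knows them, and the log lines it runs over are constructed, not captured from Pete's switch. The "permitted" line is included only to show that it is filtered out.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional

# Message body emitted by an ACE carrying the "log" keyword. TCP/UDP ports
# follow each address in parentheses; ICMP lines carry "(type/code)" after
# the address pair instead. The facility prefix and timestamp are ignored.
LOG_RE = re.compile(
    r"list (?P<acl>\S+) (?P<action>denied|permitted) (?P<proto>\w+) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?:\((?P<sport>\d+)\))? -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\((?P<dport>\d+)\))?"
    r"(?: \((?P<itype>\d+)/(?P<icode>\d+)\))?, (?P<count>\d+) packets?"
)

# Constructed sample lines (not from a real device). The timestamp prefix
# depends on the router's "service timestamps" setting; 203.0.113.0/24 is a
# documentation range standing in for internet hosts.
SAMPLE_LOG = """\
*Sep  2 15:01:22.101: %SEC-6-IPACCESSLOGP: list 150 denied tcp 172.16.54.10(50211) -> 203.0.113.20(8443), 1 packet
*Sep  2 15:01:40.537: %SEC-6-IPACCESSLOGP: list 150 denied udp 172.16.54.10(123) -> 203.0.113.7(123), 1 packet
*Sep  2 15:02:03.212: %SEC-6-IPACCESSLOGP: list 155 denied tcp 192.168.54.5(50123) -> 172.16.54.10(10009), 1 packet
*Sep  2 15:02:15.004: %SEC-6-IPACCESSLOGDP: list 150 denied icmp 172.16.54.10 -> 203.0.113.7 (8/0), 1 packet
*Sep  2 15:02:30.880: %SEC-6-IPACCESSLOGP: list 150 permitted tcp 172.16.54.10(50300) -> 203.0.113.20(443), 1 packet
*Sep  2 15:06:22.101: %SEC-6-IPACCESSLOGP: list 150 denied tcp 172.16.54.10(50212) -> 203.0.113.20(8443), 3 packets
"""


def parse_log_line(line: str) -> Optional[Dict[str, Optional[str]]]:
    """Return the fields of one ACL log message, or None for unrelated lines."""
    m = LOG_RE.search(line)
    return m.groupdict() if m else None


def summarize_denied(lines: List[str]) -> List[dict]:
    """Group denied packets by (acl, proto, destination, service) and sum the counts.

    'service' is the destination port for tcp/udp and 'type x/y' for icmp,
    which is exactly what you need when deciding which permit line is missing.
    """
    packets: Dict[tuple, int] = defaultdict(int)
    sources: Dict[tuple, set] = defaultdict(set)
    for line in lines:
        f = parse_log_line(line)
        if not f or f["action"] != "denied":
            continue
        if f["proto"] == "icmp":
            service = f"type {f['itype']}/{f['icode']}"
        else:
            service = f["dport"] or "-"
        key = (f["acl"], f["proto"], f["dst"], service)
        packets[key] += int(f["count"])
        sources[key].add(f["src"])
    rows = [
        {"acl": k[0], "proto": k[1], "dst": k[2], "service": k[3],
         "packets": n, "sources": sorted(sources[k])}
        for k, n in packets.items()
    ]
    # Busiest denied flow first; remaining keys break ties so output is stable.
    rows.sort(key=lambda r: (-r["packets"], r["acl"], r["proto"], r["dst"], r["service"]))
    return rows


if __name__ == "__main__":
    for r in summarize_denied(SAMPLE_LOG.splitlines()):
        print(f"list {r['acl']:<4} {r['proto']:<4} -> {r['dst']}:{r['service']:<9} "
              f"{r['packets']:>3} pkt(s) from {', '.join(r['sources'])}")
```

Each row is a candidate for a new permit once the vendor confirms the port is legitimate; the row for list 155 also shows an inbound connection the posted "out" ACL does not cover. IOS logs the first packet of a flow immediately and then periodic summaries, so the packet counts are approximate and are best read as "seen" rather than exact.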
09-02-2015 11:09 AM
Well, I heard back and it's still not working. Maybe I'm missing something basic here?
172.16.54.0 needs to talk out on 443 and 9120 to the internet, and talk on 10009 to the 192.168.54.0 subnet.
192.168.54.0 needs to talk into the 172.16.54.0 subnet on port 10009.
Here is my ACL:
access-list 150 permit icmp any any
access-list 150 permit tcp 172.16.54.0 0.0.0.127 eq 443 any
access-list 150 permit udp 172.16.54.0 0.0.0.127 eq 443 any
access-list 150 permit tcp 172.16.54.0 0.0.0.127 eq 9120 any
access-list 150 permit udp 172.16.54.0 0.0.0.127 eq 9120 any
access-list 150 permit tcp 172.16.54.0 0.0.0.127 eq 10009 192.168.54.0 0.0.0.127
access-list 150 permit udp 172.16.54.0 0.0.0.127 eq 10009 192.168.54.0 0.0.0.127
access-list 150 deny ip any any
access-list 155 permit icmp any any
access-list 155 permit tcp 192.168.54.0 0.0.0.127 eq 10009 172.16.54.0 0.0.0.127
access-list 155 permit udp 192.168.54.0 0.0.0.127 eq 10009 172.16.54.0 0.0.0.127
access-list 155 deny ip any any
I applied it to the 172.16.54.0 L3 VLAN:
ip access-group 150 in
ip access-group 155 out
Any help would be great.
Thanks,
Pete
09-02-2015 01:03 PM
Hi Pete,
For this to work you have to properly identify the source and destination ports to be able to add the right permit statements to the ACL. So:
172.16.54.0 needs to talk out on 443 and 9120 to the internet, and talk on 10009 to the 192.168.54.0 subnet.
I'm assuming these ports are destination ports; right now you have them as source ports. It should be something like this:
access-list 150 permit icmp any any
access-list 150 permit tcp 172.16.54.0 0.0.0.127 any eq 443
access-list 150 permit udp 172.16.54.0 0.0.0.127 any eq 443
access-list 150 permit tcp 172.16.54.0 0.0.0.127 any eq 9120
access-list 150 permit udp 172.16.54.0 0.0.0.127 any eq 9120
access-list 150 permit tcp 172.16.54.0 0.0.0.127 192.168.54.0 0.0.0.127 eq 10009
access-list 150 permit udp 172.16.54.0 0.0.0.127 192.168.54.0 0.0.0.127 eq 10009
You also have to permit return traffic for these sessions to work. In this case the previous destination ports should now be source ports, because the traffic is returning and the destination ports are random ports, like this:
access-list 155 permit icmp any any
access-list 155 permit tcp 192.168.54.0 0.0.0.127 eq 10009 172.16.54.0 0.0.0.127
access-list 155 permit udp 192.168.54.0 0.0.0.127 eq 10009 172.16.54.0 0.0.0.127
access-list 155 permit tcp any eq 443 172.16.54.0 0.0.0.127
access-list 155 permit udp any eq 443 172.16.54.0 0.0.0.127
access-list 155 permit tcp any eq 9120 172.16.54.0 0.0.0.127
access-list 155 permit udp any eq 9120 172.16.54.0 0.0.0.127
The deny ip any any is implicit so you don't have to add it, though I would also recommend adding a deny ip any any log at the end, doing a terminal monitor and testing the applications you are trying to use; this way you can monitor which kind of traffic is getting denied when you do the tests and see if you're missing something.
Hope this helps!
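The whole thread turns on three rules of Cisco extended ACLs: a port written after the source address is a source port, a port written after the destination address is a destination port, and the list ends in an implicit deny. The simulator below is an added example (editor's code, not from the thread or from Cisco) that models exactly that evaluation for the "eq", "host"/"any", wildcard-mask and "established" syntax used in this thread, and runs the 09-02 ACL (ports in the source position) and the corrected one from the reply above against constructed packets. The packet addresses and ephemeral ports are made up; 203.0.113.5 is a documentation address standing in for an internet host. It also models the "established" keyword that a later reply proposes, so the difference between the two styles of return-traffic rule is visible side by side.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = ("0.0.0.0", "255.255.255.255")  # IOS "any": network 0.0.0.0, all-ones wildcard


@dataclass(frozen=True)
class Packet:
    proto: str            # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    ack: bool = False     # TCP ACK/RST bit set; this is all "established" checks


@dataclass(frozen=True)
class Ace:
    action: str
    proto: str
    src: Tuple[str, str]  # (network, wildcard)
    sport: Optional[int]
    dst: Tuple[str, str]
    dport: Optional[int]
    established: bool


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """IOS wildcard semantics: 0 bits must match, 1 bits are don't-care."""
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(network)) & care)


def _take_addr(tokens: List[str]) -> Tuple[str, str]:
    t = tokens.pop(0)
    if t == "any":
        return ANY
    if t == "host":
        return (tokens.pop(0), "0.0.0.0")
    return (t, tokens.pop(0))


def _take_port(tokens: List[str]) -> Optional[int]:
    """Only the 'eq <port>' form used in the thread is modelled."""
    if tokens and tokens[0] == "eq":
        tokens.pop(0)
        return int(tokens.pop(0))
    return None


def parse_ace(line: str) -> Ace:
    """Parse one entry in numbered ('access-list N ...') or named ('permit ...') form."""
    tokens = line.split()
    if tokens[0] == "access-list":
        tokens = tokens[2:]                                  # drop "access-list <number>"
    action, proto, tokens = tokens[0], tokens[1], tokens[2:]
    src, sport = _take_addr(tokens), _take_port(tokens)      # "eq" here is a SOURCE port
    dst, dport = _take_addr(tokens), _take_port(tokens)      # "eq" here is a DESTINATION port
    extra = set(tokens) - {"established", "log"}
    if extra:
        raise ValueError(f"unsupported keyword(s) {sorted(extra)} in: {line}")
    return Ace(action, proto, src, sport, dst, dport, "established" in tokens)


def ace_matches(ace: Ace, pkt: Packet) -> bool:
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if not (wildcard_match(pkt.src, *ace.src) and wildcard_match(pkt.dst, *ace.dst)):
        return False
    if ace.sport is not None and pkt.sport != ace.sport:
        return False
    if ace.dport is not None and pkt.dport != ace.dport:
        return False
    # "established" is stateless: any TCP segment with ACK/RST set passes
    # (a forged one included); it only stops fresh SYNs.
    return not ace.established or (pkt.proto == "tcp" and pkt.ack)


def evaluate(acl: List[str], pkt: Packet) -> Tuple[str, str]:
    """First matching entry wins; an implicit 'deny ip any any' ends every ACL."""
    for line in acl:
        ace = parse_ace(line)
        if ace_matches(ace, pkt):
            return ace.action, line
    return "deny", "<implicit deny ip any any>"


# "in" on Vlan6 sees packets SENT BY the 172.16.54.0/25 hosts. As posted on
# 09-02 the ports sit in the source position; the reply moves them after the
# destination. UDP lines are omitted here, they follow the same pattern.
ACL_150_AS_POSTED = [
    "access-list 150 permit tcp 172.16.54.0 0.0.0.127 eq 443 any",
    "access-list 150 permit tcp 172.16.54.0 0.0.0.127 eq 9120 any",
    "access-list 150 permit tcp 172.16.54.0 0.0.0.127 eq 10009 192.168.54.0 0.0.0.127",
]
ACL_150_FIXED = [
    "access-list 150 permit tcp 172.16.54.0 0.0.0.127 any eq 443",
    "access-list 150 permit tcp 172.16.54.0 0.0.0.127 any eq 9120",
    "access-list 150 permit tcp 172.16.54.0 0.0.0.127 192.168.54.0 0.0.0.127 eq 10009",
]
# "out" on Vlan6 sees packets heading TOWARD those hosts: return legs, so the
# server's well-known port is now the source port.
ACL_155_OUT = [
    "access-list 155 permit tcp 192.168.54.0 0.0.0.127 eq 10009 172.16.54.0 0.0.0.127",
    "access-list 155 permit tcp any eq 443 172.16.54.0 0.0.0.127",
    "access-list 155 permit tcp any eq 9120 172.16.54.0 0.0.0.127",
]
ACL_155_ESTABLISHED = ["permit tcp any any established"]   # named-ACL style

SYN_HTTPS = Packet("tcp", "172.16.54.10", "203.0.113.5", sport=49152, dport=443)
RET_HTTPS = Packet("tcp", "203.0.113.5", "172.16.54.10", sport=443, dport=49152, ack=True)
SERVER_INITIATES = Packet("tcp", "192.168.54.5", "172.16.54.10", sport=52000, dport=10009)


def demo() -> dict:
    return {
        "posted_150_https_syn": evaluate(ACL_150_AS_POSTED, SYN_HTTPS)[0],        # deny
        "fixed_150_https_syn": evaluate(ACL_150_FIXED, SYN_HTTPS)[0],             # permit
        "out_155_https_return": evaluate(ACL_155_OUT, RET_HTTPS)[0],              # permit
        "out_155_server_initiates": evaluate(ACL_155_OUT, SERVER_INITIATES)[0],   # deny
        "established_return": evaluate(ACL_155_ESTABLISHED, RET_HTTPS)[0],        # permit
        "established_new_syn": evaluate(ACL_155_ESTABLISHED, SERVER_INITIATES)[0],  # deny
    }
```

Two things the run makes concrete. The SYN to port 443 falls through to the implicit deny under the 09-02 version because its source port is an ephemeral 49152, which is the "deny hit counter" Pete was watching. And ACL 155 as written in the reply only passes the return leg of sessions the 172.16.54.0/25 side opened; the first post's requirement that 192.168.54.0/25 can itself open connections to 10009 needs an extra entry with "eq 10009" in the destination position, and the "established" variant, being a stateless check on the ACK bit, blocks that SYN for the same reason.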
09-02-2015 03:16 PM
Hello
Is this just TCP, or UDP/ICMP etc. also?
Do you want stateful connections only, or do these hosts need to be able to initiate connections?
Depending on which side initiates the connection, the remote end will be answering from a dynamic ephemeral port above 1023.
The issue you have is that you don't give an internet source, just ports; however, based on what you have stated, try this:
This ACL, for instance, should:
allow icmp echo-reply from any remote hosts
allow any udp traffic on ports 443 and 9120
allow any established tcp return traffic
log all denied traffic
ip access-list extended VLAN6-acl
 remark applied outbound on Vlan6, i.e. to traffic heading toward 172.16.54.0/25
 permit icmp any any echo-reply
 permit udp 192.168.54.0 0.0.0.127 any eq 10009
 permit udp any any eq 443
 permit udp any any eq 9120
 permit tcp any any established
 deny ip any any log
interface Vlan6
 ip access-group VLAN6-acl out
 no ip unreachables
Kind Regards,
Paul
