07-24-2009 06:05 AM - edited 03-06-2019 06:56 AM
I have a 3550 running IOS Version 12.1(14)EA1a
With this ACL on, none of my workstations on the 10.90.80.0 segment can get out via http. It looks open to me. Any suggestions would be appreciated. I'm looking to permit http traffic outbound with this acl.
permit udp any any range bootps bootpc
permit ip 10.90.80.0 0.0.0.255 host 10.90.200.65
permit ip 10.90.80.0 0.0.0.255 host 10.90.202.65
permit ip 10.90.80.0 0.0.0.255 host 10.90.204.43
permit ip 10.90.80.0 0.0.0.255 host 10.90.204.44
permit ip 10.90.80.0 0.0.0.255 host 10.90.204.41
permit ip 10.90.80.0 0.0.0.255 host 10.90.204.42
permit ip 10.90.80.0 0.0.0.255 host 10.90.202.42
permit ip host 10.90.204.43 10.90.80.0 0.0.0.255
permit ip host 10.90.204.44 10.90.80.0 0.0.0.255
permit ip host 10.90.200.65 10.90.80.0 0.0.0.255
permit ip host 10.90.202.65 10.90.80.0 0.0.0.255
permit ip host 10.90.204.42 10.90.80.0 0.0.0.255
permit ip host 10.90.204.41 10.90.80.0 0.0.0.255
permit ip host 10.90.202.42 10.90.80.0 0.0.0.255
permit ip host 10.90.1.99 10.90.80.0 0.0.0.255
permit ip 10.90.80.0 0.0.0.255 host 10.90.1.99
permit ip host 10.90.44.140 10.90.80.0 0.0.0.255
permit ip 10.90.80.0 0.0.0.255 host 10.90.44.140
permit ip host 10.90.44.122 10.90.80.0 0.0.0.255
permit ip 10.90.80.0 0.0.0.255 host 10.90.44.122
permit ip 10.90.80.0 0.0.0.255 10.90.80.0 0.0.0.255
permit tcp 10.90.80.0 0.0.0.255 10.90.0.0 0.0.255.255 eq 80
permit tcp 10.90.0.0 0.0.255.255 10.90.80.0 0.0.0.255 eq 80
permit ip 10.90.80.0 0.0.0.255 host 10.90.37.132
permit ip host 10.90.37.132 10.90.80.0 0.0.0.255
permit ip 10.90.80.0 0.0.0.255 host 10.90.44.139
permit ip host 10.90.44.139 10.90.80.0 0.0.0.255
permit icmp any any echo
permit icmp any any echo-reply
permit icmp any any unreachable
permit icmp any any time-exceeded
deny tcp any any
07-24-2009 06:38 AM
What direction do you have this acl applied in? Try putting:
permit tcp any any established
before the deny tcp any any line and see if that helps. The return traffic may be getting blocked.
HTH,
John
07-24-2009 06:48 AM
I have it as
vlan access-map Phillips-ACCESS-ACL 10
action forward
match ip address Phillips-ACCESS-ACL
vlan filter Phillips-ACCESS-ACL vlan-list 80
07-24-2009 07:22 AM
Hi,
I think that using VLAN ACLs is the problem here. If you use the "vlan filter" as you have indicated, all the traffic that either enters or leaves the VLAN 80 is subject to filtering through your ACL - both inbound and outbound traffic. Clearly, your ACL is made so that the clients in your network can access HTTP servers in other networks but the ACL does not accept HTTP replies when they get back to the VLAN80.
Do you have any special need to use the ACL in this way? Wouldn't it be sufficient for you to place it on your interface VLAN80? If you want to leave it this way, you will need to extend your ACL with additional lines allowing bidirectional communication for your services.
Best regards,
Peter
07-24-2009 07:24 AM
It was put in a long time ago by people who are now long gone. I don't know the reason they did it that way initially. However, my core routers are too unstable for me to make any changes currently. Yes, plans are in the works to swap them out, but this is how it's got to be until then.
07-24-2009 12:33 PM
Hi,
While I believe that removing that VACL and converting it instead to a classical ACL applied on a VLAN interface should be relatively harmless, you certainly know your network better so the decision is upon you. I still think that there is no need to apply this ACL as a VACL ("vlan filter") but I don't want to push you into a particular solution.
If you decide just to tweak your access list, you have to correct a mistake in it: the two lines regarding the HTTP should correctly read as:
permit tcp 10.90.80.0 0.0.0.255 10.90.0.0 0.0.255.255 eq 80
permit tcp 10.90.0.0 0.0.255.255 eq 80 10.90.80.0 0.0.0.255
Note that the second line has the "eq 80" moved into the source specification part, as it references the HTTP replies that are indeed sent from the port 80.
Best regards,
Peter
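To make the two fixes proposed in this thread concrete (John's "established" line and Peter's relocation of "eq 80" into the source half of the reply entry), here is a small evaluator for the subset of IOS extended-ACL syntax the posts use. It is an added example, not code from the thread or from Cisco: it handles permit/deny, ip/tcp/udp, any, host, wildcard masks, numeric "eq" and "established", runs the HTTP request and its reply through three versions of the relevant entries, and shows that only the original version drops the reply. The workstation 10.90.80.10, the web server 10.90.50.20 and the ephemeral port 51234 are constructed values chosen so that none of the "permit ip ... host" entries in the posted ACL would mask the effect.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Added example (not from the thread): a toy matcher for the IOS extended-ACL
# subset used in the posts. First matching entry wins; no match is an implicit deny.
# Only numeric ports are supported, so "eq www" must be written as "eq 80".

ANY = (0, 0xFFFFFFFF)  # (network, wildcard): every bit is a don't-care


@dataclass
class Rule:
    action: str
    proto: str
    src: Tuple[int, int]
    sport: Optional[int]
    dst: Tuple[int, int]
    dport: Optional[int]
    established: bool = False


@dataclass
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    ack: bool = False  # TCP ACK (or RST) bit set; this is what "established" keys on


def _take_addr(tokens: List[str]):
    """Consume one address specification plus an optional 'eq <port>'."""
    t = tokens.pop(0)
    if t == "any":
        addr = ANY
    elif t == "host":
        addr = (int(ipaddress.IPv4Address(tokens.pop(0))), 0)
    else:  # "network wildcard" form, e.g. 10.90.80.0 0.0.0.255
        addr = (int(ipaddress.IPv4Address(t)), int(ipaddress.IPv4Address(tokens.pop(0))))
    port = None
    if tokens and tokens[0] == "eq":
        tokens.pop(0)
        port = int(tokens.pop(0))
    return addr, port


def parse_rule(line: str) -> Rule:
    tokens = line.split()
    action, proto, rest = tokens[0], tokens[1], tokens[2:]
    src, sport = _take_addr(rest)
    dst, dport = _take_addr(rest)
    return Rule(action, proto, src, sport, dst, dport, bool(rest) and rest[0] == "established")


def _addr_match(ip: str, spec: Tuple[int, int]) -> bool:
    net, wild = spec
    care = ~wild & 0xFFFFFFFF  # wildcard bits set to 1 are ignored in the comparison
    return (int(ipaddress.IPv4Address(ip)) ^ net) & care == 0


def _rule_match(rule: Rule, pkt: Packet) -> bool:
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if not (_addr_match(pkt.src, rule.src) and _addr_match(pkt.dst, rule.dst)):
        return False
    if rule.sport is not None and rule.sport != pkt.sport:
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    if rule.established and not (pkt.proto == "tcp" and pkt.ack):
        return False
    return True


def evaluate(acl_lines: List[str], pkt: Packet) -> str:
    for line in acl_lines:
        rule = parse_rule(line)
        if _rule_match(rule, pkt):
            return rule.action
    return "deny"  # implicit deny at the end of every IOS ACL


# The two HTTP entries exactly as posted, followed by the explicit deny.
ORIGINAL = [
    "permit tcp 10.90.80.0 0.0.0.255 10.90.0.0 0.0.255.255 eq 80",
    "permit tcp 10.90.0.0 0.0.255.255 10.90.80.0 0.0.0.255 eq 80",
    "deny tcp any any",
]
# Peter's correction: "eq 80" belongs to the source of the reply, not its destination.
CORRECTED = [ORIGINAL[0], "permit tcp 10.90.0.0 0.0.255.255 eq 80 10.90.80.0 0.0.0.255", "deny tcp any any"]
# John's suggestion: pass return traffic of existing TCP sessions before the deny.
ESTABLISHED = [ORIGINAL[0], ORIGINAL[1], "permit tcp any any established", "deny tcp any any"]

# Constructed flow: a VLAN 80 workstation and a web server in another 10.90.x.x subnet.
REQUEST = Packet("tcp", "10.90.80.10", 51234, "10.90.50.20", 80)
REPLY = Packet("tcp", "10.90.50.20", 80, "10.90.80.10", 51234, ack=True)


def http_results(acl: List[str]) -> Tuple[str, str]:
    """(verdict for the request, verdict for the reply) under a given ACL variant."""
    return evaluate(acl, REQUEST), evaluate(acl, REPLY)


if __name__ == "__main__":
    for name, acl in (("original", ORIGINAL), ("corrected", CORRECTED), ("established", ESTABLISHED)):
        print(name, http_results(acl))
```

Because a "vlan filter" sees traffic in both directions, the reply is evaluated against the same list as the request; with the original entries it reaches "deny tcp any any" because its destination port is the client's ephemeral port, not 80. Both fixes let it through, but note that "established" only inspects TCP flag bits and would not help for UDP services filtered the same way.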