ACL problem: one-way access not working, please help.

sean chang
Level 1

Hi, everyone,

I have a Catalyst 3560X (12.2(53)SE2). I messed up during an upgrade, but I called Cisco and they gave me the original IOS image, and everything seems to be working except access control. Here is the exact situation:

Vlan168: 192.168.1.0/24

Vlan1: 10.1.0.0/16

Goal: allow one-way access from Vlan 168 --> Vlan 1, but not the other way around.

Problem: I can only get the access working as 2-way deny or 2-way allow (if there is no access-list, it's 2-way allow).

Here is my exact configuration:

interface Vlan168
ip address 192.168.1.1 255.255.255.0

interface Vlan1
ip address 10.1.1.1 255.255.0.0

access-list 161 deny   ip 10.1.0.0 0.0.255.255 192.168.1.0 0.0.0.255
access-list 161 permit ip 10.1.0.0 0.0.255.255 any

# I tried to attach access-list 161 to Vlan 168: if IN, 2-way allowed; if OUT, 2-way denied.

## If I tried to attach the access-list to Vlan 1: if IN, both denied; if OUT, both allowed.

Please help. Any suggestions and advice are greatly appreciated.

( I have received lots of help already from experts from this great discussion group )

8 Replies

milan.kulik
Level 10

Hi,

you mean to permit sessions initiated from one VLAN to the second but not the opposite direction?

For TCP it's possible using either the established option in the ACL configuration or a reflexive ACL.

See http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00800a5b9a.shtml#reflexacl

(or http://www.cisco.com/image/gif/paws/23602/confaccesslists.pdf)

for details.

But I'm not sure if it's supported on 3560s.

HTH,

Milan

Thanks, Milan,

it appears the ESTABLISHED keyword works; here is what I changed it to:

>access-list 161 DENY tcp  192.168.1.0 0.0.0.255  10.1.0.0 0.0.255.255 established

then attached it to Vlan1 (the lower-security LAN) as OUT. It seems to be working, though I don't fully understand what it does (I tried many different combinations and found this one works).

Thank you very much for the help (the other way, reflexive ACLs, looks more complex; I did not try it out).

Hi,

interesting!

If I remember correctly, the ESTABLISHED ACL should be checking for the presence of the SYN bit in the TCP header and denying packets with this bit set.

So I'd expect to configure it as a permit ACL entry in the inbound direction on int VLANx (the one not permitted to initiate the session).

BR,

Milan

You are right: I spoke too early. Our users in the accounting department report they can't access the main network (10.1/16). I just disabled the access-list and have since been fighting with this ACL thing; so far I have tried PERMIT with established, and also the reflexive thing, and none of it is working right now....

Thank you Milan,

the sample looks simple enough, but when I tried it in my environment, it does not work. I may know why: here I don't use a routed port, I configure the switch like this:

Vlan 168:  192.168.1.1 /24

Vlan 1: 10.1.1.1 /16

ip route 0.0.0.0 0.0.0.0 10.1.1.254 (which is a PIX 515E)

When I put in an ACL like: access-list 102 permit tcp any any gt 1023 established, and I go to one PC on LAN 168 and ping 10.1 (a Linux box), it says "192.168.1.1 packet filtering"; if I try >ssh -l myname 10.1.1.5, it says NO ROUTER to the host. But if I take the ACL off Vlan 168, everything is fine, albeit it's open access for all (LAN 1 <---> LAN 168).

Do you think there is a way to control this using SVIs only (not routed ports)? Thanks.

Hi,

yes, the ACL needs to be applied on an L3 interface.

So if you are routing between your VLANs and you want to restrict connections from one VLAN to another, you need to apply the ACLs on SVIs.

If you are still in trouble, paste the config with your PC connection details here.

BR,

Milan

Thanks a lot, Milan,

It works now; I messed up during the configuration. Here is what works for me:

> access-list 102 permit udp any any ( for DNS server access)

>access-list 102 permit tcp any any established

Then attach the rule to Vlan 168 (the LAN with higher security than the other VLANs):

> ip access-group 102 OUT

I tried it as IN and it works the other way around (I found out later). The whole access rule looks simple enough and it makes sense to me now, but I could not have figured this out by myself; your help indeed made a huge difference. Once again I want to express my great appreciation for your expert advice.
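As an added illustration (not from the thread, nor Cisco's code), a small Python model of the final ACL 102 applied outbound on Vlan168, showing why a SYN from 10.1/16 into 192.168.1.0/24 is dropped while replies to sessions opened from Vlan 168 pass. It assumes the IOS semantics that `established` matches TCP segments with ACK or RST set and that an outbound SVI ACL filters packets leaving the switch into that VLAN; the host addresses in the samples are constructed.

```python
# Added example, not from the thread: a small model of Cisco IOS ACL evaluation
# showing why "ip access-group 102 out" on Vlan168 lets 192.168.1.0/24 open
# sessions to 10.1.0.0/16 but not the reverse. Assumed semantics: "established"
# matches TCP segments with ACK or RST set; "out" on an SVI filters packets
# leaving the switch into that VLAN; every ACL ends with an implicit deny.
import ipaddress
from dataclasses import dataclass

@dataclass
class Packet:
    proto: str          # "tcp" or "udp"
    src: str
    dst: str
    flags: set          # TCP flags, e.g. {"SYN"} or {"SYN", "ACK"}; empty for UDP

@dataclass
class Ace:
    action: str                 # "permit" or "deny"
    proto: str                  # "tcp", "udp" or "ip"
    src: str = "0.0.0.0/0"      # CIDR; the default is IOS "any"
    dst: str = "0.0.0.0/0"
    established: bool = False

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src):
            return False
        if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(self.dst):
            return False
        return not self.established or bool(pkt.flags & {"ACK", "RST"})

def evaluate(acl, pkt):
    """First matching entry wins; unmatched packets hit the implicit deny."""
    return next((ace.action for ace in acl if ace.matches(pkt)), "deny")

# ACL 102 as finally posted: permit udp any any / permit tcp any any established
ACL_102 = [Ace("permit", "udp"), Ace("permit", "tcp", established=True)]
VLAN168 = ipaddress.ip_network("192.168.1.0/24")

def vlan168_out(pkt: Packet) -> str:
    """Model "ip access-group 102 out" on Vlan168: filter only traffic entering that VLAN."""
    if ipaddress.ip_address(pkt.dst) not in VLAN168:
        return "permit"         # leaves via another interface; ACL 102 is not consulted
    return evaluate(ACL_102, pkt)

# Constructed sample traffic (host addresses are hypothetical):
SYN_FROM_10 = Packet("tcp", "10.1.1.5", "192.168.1.10", {"SYN"})           # 10.1/16 tries to open a session
SYNACK_TO_168 = Packet("tcp", "10.1.1.5", "192.168.1.10", {"SYN", "ACK"})  # reply to a session opened from 168
DNS_REPLY = Packet("udp", "10.1.1.53", "192.168.1.10", set())              # UDP answer from a DNS server
```

The same model also shows the limits of this approach: any TCP segment with ACK or RST set is let through regardless of session state, which is why a reflexive ACL is the stricter option where the platform supports it.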