ACL questions

Ryan17
Level 1

Hello,

I have some questions on implementing ACLs.

(I've only really used them for restricting access to VTY and this has never come up.)

So the scenario is I've been asked to restrict access to some management interfaces to only a few management workstations.

This ACL consists of permit source rules for each management workstation and a deny all at the end.

I apply this outbound on the switch interface connected to the management interface that needs protection.

This part works, as far as allowing the workstations and blocking the rest.

My issue is that that management interface now can't reach certain systems in the other direction.

I'm guessing this is due to ACLs not being stateful, so the return traffic from those connections does not match the ACL and is blocked. For example, SMTP from the management interface now fails.

Is there something I'm missing here?

Do I really need to explicitly allow everything my management interface may need to speak with, even if I'm only looking to restrict what talks to the management interface?

Or do I need a stateful firewall?

3 Replies

Mark Malone
VIP Alumni

Hi

You need to have each ACL in reverse too, so it can come in and out, like the example below. I control our mgmt interfaces with 2 specific ACLs, 1 in and 1 out, if I understood you correctly.

access-list 153 permit udp host 172.21.7.119 172.18.47.0 0.0.1.255 eq ntp
access-list 154 permit udp 172.18.47.0 0.0.1.255 eq ntp host 172.21.7.119

Jon Marshall
Hall of Fame

The short answer is yes, you do need to explicitly allow it, for the reason you give.

Possible solutions (other than explicitly allowing all traffic in another ACL):

1) using the established keyword with TCP-only connections (does not support UDP)

2) using reflexive ACLs, but these are not supported on the majority of switches

3) stateful firewall, as you say

 

Jon

Joseph W. Doherty
Hall of Fame

"I apply this outbound on the switch interface connected to the management interface that needs protection."

Or you rewrite the ACL as an ingress ACL and apply it to the VTY. This will also protect your logical management from any physical interface.

Or you could add reflective ACEs to your ACL. They would be FW-like, and preclude having to write as many ingress allow ACEs.
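Jon's items 1 and 2 (and Joseph's reflective ACEs) written out as IOS config for the scenario in the question, as an added example that is not from the thread; every address, ACL name and port here is an assumed placeholder, and option 2 only applies on platforms that support reflexive ACLs.

```cisco
! Added example, not from the thread. All addresses, names and the port are assumed placeholders:
!   management interface 10.10.10.5 behind GigabitEthernet1/0/1
!   management workstations 10.20.0.11 and 10.20.0.12
!   NTP server 10.30.0.123 (the management host also opens SMTP sessions outward)
!
! Option 1 (Jon's item 1): keep the stateless outbound ACL, but admit TCP replies with 'established'.
ip access-list extended TO-MGMT-HOST
 remark Only the management workstations may initiate to the management interface
 permit ip host 10.20.0.11 host 10.10.10.5
 permit ip host 10.20.0.12 host 10.10.10.5
 remark Replies to TCP sessions the host opened itself (ACK or RST set), e.g. SMTP
 remark 'established' checks TCP flags only, so it is not true state tracking
 permit tcp any host 10.10.10.5 established
 remark 'established' is TCP-only; each UDP reply flow needs its own ACE
 permit udp host 10.30.0.123 eq ntp host 10.10.10.5
 deny ip any any
!
interface GigabitEthernet1/0/1
 description Port facing the management interface
 ip access-group TO-MGMT-HOST out
!
! Option 2 (Jon's item 2, Joseph's reflective ACEs): reflexive ACL, only where the platform supports it.
! Sessions the host opens (entering the switch port) create temporary return entries in MGMT-RETURN;
! the ACL toward the host evaluates them instead of needing per-destination return ACEs.
! Applying TO-MGMT-HOST-REFLEX outbound replaces TO-MGMT-HOST from option 1 on this port.
ip access-list extended FROM-MGMT-HOST
 remark Replies to the management workstations need no reflexive entry
 permit ip host 10.10.10.5 host 10.20.0.11
 permit ip host 10.10.10.5 host 10.20.0.12
 permit tcp host 10.10.10.5 any reflect MGMT-RETURN
 permit udp host 10.10.10.5 any reflect MGMT-RETURN
 deny ip any any
!
ip access-list extended TO-MGMT-HOST-REFLEX
 permit ip host 10.20.0.11 host 10.10.10.5
 permit ip host 10.20.0.12 host 10.10.10.5
 evaluate MGMT-RETURN
 deny ip any any
!
interface GigabitEthernet1/0/1
 ip access-group FROM-MGMT-HOST in
 ip access-group TO-MGMT-HOST-REFLEX out
```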
