ACL to restrict access and Default Gateway, allow or block?

gene.uhl
Level 1

I have something strange happening. I have a VLAN; we will call this subnet 1, VLAN1. I have a remote network that a device on subnet 1 needs to get to.

The device on subnet 1 is a NAT'd VPN box. On one side is a private network, we will say 192.168.x.x. So the public side of the NAT'd VPN box has an IP address on VLAN1 Subnet 1. It tunnels the traffic to the remote network via EIGRP published routes. Let's call the remote network 10.1.1.0/24.

So on the port that the NAT'd VPN box plugs into on VLAN1 Subnet 1 (the entire switch is configured as VLAN1 Subnet 1, which has a trunk port to a Layer 3 switch that handles the routing), I add an extended IP ACL that allows the static IP address assigned to the NAT'd VPN box to ping the far-side VPN box on the 10.1.1.0/24 network and allows any packet it sends to go there also (so: host VLAN1 IP address, host remote network IP address, ANY).

Inherent block on all other traffic.

The issue is that the VPN tunnel between the VLAN1 box and the 10.1.1.0 network VPN box comes up for about 20 seconds, then dies. I remove the ACL and it works fine. I put it back on: same 20 seconds, then it dies.

So, in the ACL I put a permit from host VLAN1 IP address (the NAT'd VPN box) to host IP address of the VLAN1 default gateway, ANY, and the tunnel comes up for good, no issues.

The funny thing is that the original setup was up and working for days, then decided to stop, and nothing was changed. I had to add the default gateway of the VLAN1 IP to the ACL to get it working again, and it has been up for a few days.

It does not make sense to me, so any insight? I don't know why, as the ARP for the remote IP address would return the layer 2 MAC of the default gateway, which is layer 2, and the ACL should not affect this traffic. Can't see it being a proxy ARP issue either.

Any insight??

So, bottom line: does the default gateway need to be allowed in an ACL, or else the clients on the subnet can't route out???

Thanks

Gene

5 Replies

Hello Gene,

Could you post the topology for this and, if applicable, some config?

res

Paul.


Sure, give me some time to collect... appreciate the reply!!!!

In the accompanying picture some of the VLANs/subnets changed from the previous post, so I will restate. The laptop connects to WiFi, which is on the private side of the VPN device. This traffic is tunneled via the VPN device on the 10.x network to the VPN Concentrator (10.1.3.1), which then dumps the traffic on the ISP network so they can get to the Internet. This is a simplified diagram.

I set up an Extended ACL on port 24 of the L2 switch that looked like this:

Extended IP access list WIFI_FILTER
    10 permit icmp any host 10.1.3.1
    20 permit ip host 10.1.1.1 host 10.1.3.1
    30 permit ip host 10.1.3.1 host 10.1.1.1
    40 deny ip any any (14 matches)

on port 24 it has this:

ip access-group WIFI_FILTER in

I figured line 30 in the ACL is useless, but put it in anyway, as the ACL only works on traffic IN for the port.

As I stated, this worked and the laptop got to the Internet for weeks, then it stopped. I took the ACL off, and it worked fine. When I turned the ACL on again, it works for about 20 seconds, then stops.

I then added to the extended acl:

35 permit ip host 10.1.1.1 host 10.1.1.254

and it started working again with no issues. I don't understand why.

Do you always need to add the gateway address to the ACL?

Is it because I defined my ACL on the port that is L2, and I should move the ACL to the L3 switch trunk port or add it to the L3 VLAN on the L3 switch?

I am trying to make sure that the 192.168.1.x traffic that is encapsulated in the VPN device and tunneled to the VPN concentrator will ONLY go there and nowhere else on the internal network. So traffic coming from 10.1.1.1 will only be allowed to go to 10.1.3.1, and vice versa.

Thanks

Gene
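Added example (not part of the thread and not Cisco code): a small Python simulator of IOS extended-ACL matching, run over the WIFI_FILTER list posted above and a handful of constructed packets. An extended IP ACL compares the IP header's protocol, source and destination against each entry in order and stops at the first match, so a packet from 10.1.1.1 to 10.1.3.1 hits entry 20 regardless of which next-hop MAC the sender resolves for it; the only IP packets that fall through to the deny are those whose IP destination is something else, for instance 10.1.1.254 itself, and those are exactly what the later entry 35 permits. The run also shows that entry 10 permits ICMP to the concentrator from any source, which is wider than the stated goal of 10.1.1.1 only. The sample packets, the host 10.1.2.7 and the source 192.168.1.5 are made up for the example; the parser handles protocol, source and destination only, no port operators.

```python
"""Simulate Cisco IOS extended-ACL evaluation: first match wins, implicit deny at the end."""
import re
from dataclasses import dataclass
from ipaddress import IPv4Address


@dataclass(frozen=True)
class Packet:
    proto: str  # "icmp", "tcp", "udp", ...
    src: str
    dst: str


@dataclass
class Entry:
    seq: int
    action: str   # "permit" or "deny"
    proto: str    # "ip" matches every IP protocol
    src: tuple    # (base, wildcard) as ints; wildcard bits set to 1 are "don't care"
    dst: tuple
    hits: int = 0


def _addr_spec(tokens, i):
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD' at tokens[i]; return (spec, next index)."""
    if tokens[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tokens[i] == "host":
        return (int(IPv4Address(tokens[i + 1])), 0), i + 2
    return (int(IPv4Address(tokens[i])), int(IPv4Address(tokens[i + 1]))), i + 2


def parse_acl(text):
    """Parse 'show ip access-lists' style lines (sequence numbers optional, '(N matches)'
    counters ignored). Only protocol, source and destination are handled, no port operators."""
    entries = []
    for line in text.strip().splitlines():
        line = re.sub(r"\s*\(\d+ matches?\)", "", line).strip()
        if not line or line.startswith("Extended IP access list"):
            continue
        tokens = line.split()
        seq = int(tokens.pop(0)) if tokens[0].isdigit() else 10 * (len(entries) + 1)
        src, i = _addr_spec(tokens, 2)
        dst, _ = _addr_spec(tokens, i)
        entries.append(Entry(seq, tokens[0], tokens[1], src, dst))
    return entries


def add_entry(entries, line):
    """Insert one ACE by sequence number, as IOS does when editing a named ACL."""
    entries.append(parse_acl(line)[0])
    entries.sort(key=lambda e: e.seq)
    return entries


def _addr_match(spec, addr):
    base, wildcard = spec
    return (int(IPv4Address(addr)) | wildcard) == (base | wildcard)


def evaluate(entries, pkt):
    """Return (seq, action) of the first matching entry; (None, 'deny') is the implicit deny."""
    for e in entries:
        if e.proto in ("ip", pkt.proto) and _addr_match(e.src, pkt.src) and _addr_match(e.dst, pkt.dst):
            e.hits += 1
            return e.seq, e.action
    return None, "deny"


def hit_counts(entries):
    """Per-entry hit counters, like the '(N matches)' column in show output."""
    return {e.seq: e.hits for e in entries}


# The list from the thread, as applied inbound on port 24.
WIFI_FILTER = """
Extended IP access list WIFI_FILTER
    10 permit icmp any host 10.1.3.1
    20 permit ip host 10.1.1.1 host 10.1.3.1
    30 permit ip host 10.1.3.1 host 10.1.1.1
    40 deny ip any any (14 matches)
"""
# The entry that was added later for traffic addressed to the VLAN gateway itself.
GATEWAY_ENTRY = "35 permit ip host 10.1.1.1 host 10.1.1.254"

# Constructed sample packets (not captured from the thread's network); 10.1.2.7 and 192.168.1.5 are made up.
SAMPLES = {
    "tunnel_icmp":    Packet("icmp", "10.1.1.1", "10.1.3.1"),      # VPN box pings its peer
    "tunnel_udp":     Packet("udp", "10.1.1.1", "10.1.3.1"),       # tunnel data, forwarded via the gateway MAC
    "icmp_other_src": Packet("icmp", "192.168.1.5", "10.1.3.1"),   # ICMP from some other source
    "to_gateway":     Packet("udp", "10.1.1.1", "10.1.1.254"),     # IP destination is the gateway itself
    "to_other_host":  Packet("tcp", "10.1.1.1", "10.1.2.7"),       # anything else on the internal network
}


def run(entries):
    """Evaluate every sample packet against the list; returns {label: (seq, action)}."""
    return {name: evaluate(entries, pkt) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for label, acl in (("original", parse_acl(WIFI_FILTER)),
                       ("with entry 35", add_entry(parse_acl(WIFI_FILTER), GATEWAY_ENTRY))):
        print(f"--- {label} ---")
        for name, (seq, action) in run(acl).items():
            print(f"{name:16s} {SAMPLES[name].proto:5s} {SAMPLES[name].src:>12s} -> {SAMPLES[name].dst:<12s} {action} (entry {seq})")
        print("hits:", hit_counts(acl))
```

The simulator only decides what an entry would do to a given IP header; it does not tell you which packets the VPN box actually sends to 10.1.1.254. On the switch, the '(N matches)' counter on the deny entry, or a 'log' keyword on a temporary 'deny ip host 10.1.1.1 any' placed before the final deny, is how you would find that out.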

Posted topology as you requested.

Thanks

Gene
