09-11-2008 02:58 AM - edited 03-06-2019 01:18 AM
Hi,
We have two branches, A and B, connected by an MPLS link. Now on the A side we have a total of 4 IP ranges:
10.138.74.0/24, 10.138.75.0/24, 10.138.76.0/24, 10.138.77.0/24.
On the B side we have 3 IP ranges:
10.138.78.0/24, 10.138.79.0/24, 10.138.80.0/24.
Now I want to configure ACLs on the MPLS routers at both ends,
like this: from B (any host) they should get access to 10.138.77.0/24 of A, and from A (any host) they should get access to 10.138.79.0/24 and 10.138.80.0/24 only.
I have configured it like this:
access-list 110 permit ip 10.138.78.0 255.255.255.0 10.138.77.0 255.255.255.0
access-list 110 permit ip 10.138.79.0 255.255.255.0 10.138.77.0 255.255.255.0
access-list 110 permit ip 10.138.80.0 255.255.255.0 10.138.77.0 255.255.255.0
and applied it on the multilink interface of router A.
But after applying it, access from the 10.138.74.0, 10.138.75.0 and 10.138.76.0 ranges is blocked.
Please guide me on how to configure it.
09-11-2008 03:06 AM
First, you need to keep in mind that when you have an ACL with permit or deny entries there is an implicit deny all at the end. So, for example, with your ACL 110 any traffic not permitted by this ACL will be blocked, unless you put an explicit permit or put permit any any at the end, which is likely not good in your case.
Secondly, you have to consider where to apply the ACL.
For example, if you want to limit access using an extended ACL it is better to apply it as close to the source as possible,
like on the internal interface of each router, in the inbound direction.
if helpful Rate
09-11-2008 04:03 AM
Hi,
I want to control access to Site A resources from Site B.
Site B can get access to only the 10.138.77.0/24 and 10.138.76.0/24 ranges of Site A.
Site A will get access to all the resources of Site B.
Site A router configuration:
access-list 110 deny ip 10.138.78.0 255.255.255.0 10.138.74.0 255.255.255.0
access-list 110 deny ip 10.138.79.0 255.255.255.0 10.138.74.0 255.255.255.0
access-list 110 deny ip 10.138.80.0 255.255.255.0 10.138.74.0 255.255.255.0
access-list 110 deny ip 10.138.78.0 255.255.255.0 10.138.75.0 255.255.255.0
access-list 110 deny ip 10.138.79.0 255.255.255.0 10.138.75.0 255.255.255.0
access-list 110 deny ip 10.138.80.0 255.255.255.0 10.138.75.0 255.255.255.0
access-list 110 permit ip any any
interface Multilink1
 ip access-group 110 in
Is it OK?
09-11-2008 06:09 AM
In your case there will be a problem,
which is that you deny, for example, one network in site B from talking with one in site A, while you want all of site A to talk with all site B networks; the return traffic will be denied based on the deny from B to A.
You need to configure a stateful ACL that contains the established keyword in the ACL statement, so that if the connection is established from A it will be permitted even if it is blocked in the direction from B to A, I mean the return way.
This is also known as Reflexive Access Lists.
On router A's outside interface do the following:
ip access-list extended SITE_A_OUT
 remark 10.138.74-77 is two /23s and 10.138.78-80 is a /23 plus a /24; a single 0.0.3.255 wildcard does not cover either range
 permit ip 10.138.74.0 0.0.1.255 10.138.78.0 0.0.1.255 reflect site_A
 permit ip 10.138.74.0 0.0.1.255 10.138.80.0 0.0.0.255 reflect site_A
 permit ip 10.138.76.0 0.0.1.255 10.138.78.0 0.0.1.255 reflect site_A
 permit ip 10.138.76.0 0.0.1.255 10.138.80.0 0.0.0.255 reflect site_A
ip access-list extended SITE_A_IN
 evaluate site_A
 permit ip 10.138.78.0 0.0.1.255 10.138.76.0 0.0.1.255
 permit ip 10.138.80.0 0.0.0.255 10.138.76.0 0.0.1.255
On the router at site A, on the outside interface, do the following:
ip access-group SITE_A_OUT out
ip access-group SITE_A_IN in
By the way, on both ACLs only the traffic permitted will pass; anything else will be denied, as mentioned, because of the implicit deny. If you put permit any any on the inbound ACL you would need to make the ACL deny-based; keep it as it is and try it.
good luck
if helpful Rate
09-11-2008 04:13 AM
Hi,
Within access-lists we use wildcards, e.g. to permit 10.138.78.0/24 this should read 10.138.78.0 0.0.0.255, not 10.138.78.0 255.255.255.0 (contrary to PIX/ASA access-list configuration).
Best regards,
Antonin
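The three points raised in the replies above (the implicit deny at the end of every ACL, the need for a reflexive ACL so that return traffic of sessions opened from A survives a deny from B to A, and wildcard masks being the inverse of subnet masks) can be reproduced with a small model of IOS ACL evaluation. This is an added example, not code from the thread or from Cisco; it uses the thread's own subnets, while the hosts, ports and the "decide" / "Router" names are constructed for the example.

```python
"""Added example (not from the thread): a minimal model of how Cisco IOS evaluates an
extended IP access list and a reflexive access list, used to reproduce the behaviours
discussed above. Subnets are the thread's; hosts and ports are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


def _int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 1 bit means 'ignore', a 0 bit means 'must match'
    (the inverse of a subnet mask, which is the mistake in the first post)."""
    care = ~_int(wildcard) & 0xFFFFFFFF
    return (_int(addr) & care) == (_int(base) & care)


@dataclass(frozen=True)
class Ace:
    """One access-list entry; the defaults give 'permit ip any any'."""
    action: str = "permit"
    src: str = "0.0.0.0"
    src_wc: str = "255.255.255.255"
    dst: str = "0.0.0.0"
    dst_wc: str = "255.255.255.255"
    reflect: Optional[str] = None    # 'reflect NAME': record the mirror of permitted flows
    evaluate: Optional[str] = None   # 'evaluate NAME': consult those recorded mirrors


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str = "tcp"
    sport: int = 0
    dport: int = 0

    def reverse(self) -> "Flow":
        return Flow(self.dst, self.src, self.proto, self.dport, self.sport)

    def key(self) -> tuple:
        return (self.proto, self.src, self.sport, self.dst, self.dport)


class Router:
    """Holds the temporary entries that 'reflect' creates and 'evaluate' reads."""

    def __init__(self) -> None:
        self.reflexive: dict = {}

    def decide(self, acl, flow: Flow) -> str:
        for ace in acl:
            if ace.evaluate is not None:
                if flow.key() in self.reflexive.get(ace.evaluate, set()):
                    return "permit"
                continue  # no temporary entry matched; fall through to the static entries
            if wildcard_match(flow.src, ace.src, ace.src_wc) and wildcard_match(flow.dst, ace.dst, ace.dst_wc):
                if ace.action == "permit" and ace.reflect is not None:
                    self.reflexive.setdefault(ace.reflect, set()).add(flow.reverse().key())
                return ace.action
        return "deny"  # the implicit 'deny ip any any' at the end of every IOS ACL


# 1. The first post's ACL as typed (subnet masks) versus the same entry with a real wildcard.
AS_POSTED = [Ace("permit", "10.138.78.0", "255.255.255.0", "10.138.77.0", "255.255.255.0")]
WITH_WILDCARDS = [Ace("permit", "10.138.78.0", "0.0.0.255", "10.138.77.0", "0.0.0.255")]


def mask_confusion() -> dict:
    r = Router()
    return {
        # 255.255.255.0 as a wildcard compares only the last octet, so a host pair inside
        # the intended subnets matches nothing and hits the implicit deny...
        "posted 78.10->77.20": r.decide(AS_POSTED, Flow("10.138.78.10", "10.138.77.20")),
        # ...while any two addresses ending in .0, from anywhere, are permitted.
        "posted 192.0.2.0->198.51.100.0": r.decide(AS_POSTED, Flow("192.0.2.0", "198.51.100.0")),
        "wildcard 78.10->77.20": r.decide(WITH_WILDCARDS, Flow("10.138.78.10", "10.138.77.20")),
        # Nothing mentions 10.138.74.0/24, so traffic to it is dropped by the implicit deny.
        "wildcard 78.10->74.20": r.decide(WITH_WILDCARDS, Flow("10.138.78.10", "10.138.74.20")),
    }


# 2. The second attempt (stateless deny B->A, then permit any) versus a reflexive pair.
# Note that 10.138.74-77 is not one /22: 10.138.74.0 0.0.3.255 covers 72-75, so the
# site-A side is written here as 10.138.74.0 0.0.1.255 (74-75) and 10.138.76.0 0.0.1.255.
STATELESS_IN = [
    Ace("deny", "10.138.78.0", "0.0.0.255", "10.138.74.0", "0.0.0.255"),
    Ace("deny", "10.138.79.0", "0.0.0.255", "10.138.74.0", "0.0.0.255"),
    Ace(),  # permit ip any any
]
REFLEX_OUT = [Ace("permit", "10.138.74.0", "0.0.1.255", "10.138.78.0", "0.0.1.255", reflect="site_A")]
REFLEX_IN = [
    Ace(evaluate="site_A"),
    Ace("permit", "10.138.78.0", "0.0.1.255", "10.138.76.0", "0.0.1.255"),
    Ace("permit", "10.138.80.0", "0.0.0.255", "10.138.76.0", "0.0.1.255"),
]


def return_traffic() -> dict:
    """A host in 10.138.74.0/24 opens TCP/443 to a server in 10.138.79.0/24 (constructed);
    the inbound ACL on router A's WAN interface only ever sees the reply packet."""
    req = Flow("10.138.74.5", "10.138.79.9", "tcp", 51234, 443)
    reply = req.reverse()
    stateless, reflexive = Router(), Router()
    reflexive.decide(REFLEX_OUT, req)  # the outbound SYN is permitted and mirrored into site_A
    return {
        "stateless inbound, reply": stateless.decide(STATELESS_IN, reply),
        "reflexive inbound, reply": reflexive.decide(REFLEX_IN, reply),
        # A session B initiates towards 10.138.74.0/24 has no mirror entry and is dropped.
        "reflexive inbound, unsolicited": reflexive.decide(
            REFLEX_IN, Flow("10.138.79.9", "10.138.74.5", "tcp", 40000, 22)),
    }
```

The model keys temporary entries on the full reversed 5-tuple, which is what makes the reflexive version safe: only the exact reply of a session that router A already permitted outbound gets through, and an unrelated connection from B to the same host still falls to the implicit deny. The 0.0.3.255 wildcard used in the reflexive reply above is worth checking with `wildcard_match` before deploying it, since it only matches a /22-aligned block.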