02-14-2018 02:14 AM - edited 03-08-2019 01:50 PM
I have configured a Cisco access list (ACL) on a Cisco router to permit access from subnet 10.203.128.0/24 to subnet 10.203.129.0/24, but only to host 10.203.129.254, not all hosts of the subnet. The configuration of my router is like below
interface FastEthernet0/0
no ip address
duplex auto
speed auto
!
interface FastEthernet0/0.1
encapsulation dot1Q 10 native
ip address 10.203.128.41 255.255.255.0
!
interface FastEthernet0/0.3
encapsulation dot1Q 12
ip address 10.203.129.1 255.255.255.0
ip access-group Block_Access_Net129 out
ip helper-address 10.203.128.45
!
ip access-list extended Block_Access_Net129
permit ip 10.203.128.0 0.0.0.255 host 10.203.129.254
The result seems OK: I can only ping 10.203.129.254 from hosts in subnet 10.203.128.0/24, but the problem is that from hosts in subnet 10.203.129.0/24 I cannot ping or access any host in subnet 10.203.128.0/24. Any idea how to correct this configuration? Please see the attached network diagram for detailed information.
Regards,
Perman
02-14-2018 02:37 AM
Hello Perman,
you need to take into account that there is an implicit deny any any at the end of each ACL.
You should rewrite the ACL if you want to get different behaviour.
You have now:
ip access-list extended Block_Access_Net129
permit ip 10.203.128.0 0.0.0.255 host 10.203.129.254
You should rewrite it in the following manner:
ip access-list extended Block_Access_Net129
permit icmp 10.203.128.0 0.0.0.255 host 10.203.129.254 echo-request
deny icmp 10.203.128.0 0.0.0.255 10.203.129.0 0.0.0.255 echo-request
permit ip any any
Another note is the following:
it is usually better to write ACLs that are applied in the inbound direction. This is the typical case with a multilayer switch, and also for security reasons: one of the possible L3 attacks, called spoofing, uses unexpected source addresses.
On a client VLAN, in your case represented by a dot1q subinterface, legitimate traffic has a source IP address that belongs to the IP subnet configured on the L3 device.
So the best practice would be to apply a modified ACL in the inbound direction on each subinterface.
The following ACL could be applied:
ip access-list extended Net128_INBOUND
permit icmp 10.203.128.0 0.0.0.255 host 10.203.129.254 echo-request
deny icmp 10.203.128.0 0.0.0.255 10.203.129.0 0.0.0.255 echo-request
permit ip 10.203.128.0 0.0.0.255 any
permit udp host 0.0.0.0 host 255.255.255.255
int fas0/0.1
ip access-group Net128_INBOUND in
To be complete, the antispoofing ACL should allow DHCP request traffic; this is the meaning of the 4th line of the proposed ACL.
Hope to help
Giuseppe
02-14-2018 08:25 PM
Hi Giuseppe,
When I try to create the ACL with the icmp echo-request parameter, that parameter is not available on my router, only echo and echo-reply, as shown below
RTR-JOB-PTJM-JKT(config-ext-nacl)#permit icmp 10.203.128.0 0.0.0.255 host 10.203.129.254 ec?
echo echo-reply
My IOS version is as follows
RTR-JOB-PTJM-JKT#show ver
Cisco IOS Software, 2800 Software (C2800NM-SPSERVICESK9-M), Version 12.4(3j), RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2007 by Cisco Systems, Inc.
Compiled Thu 13-Dec-07 21:44 by stshen
ROM: System Bootstrap, Version 12.4(13r)T, RELEASE SOFTWARE (fc1)
RTR-JOB-PTJM-JKT uptime is 29 weeks, 4 days, 21 hours, 51 minutes
System returned to ROM by power-on
System image file is "flash:c2800nm-spservicesk9-mz.124-3j.bin"
Is echo-reply the same as echo-request? Thanks in advance for your assistance.
02-15-2018 12:59 AM
Hello Perman,
I apologize, it was my error. In IOS you need to use echo, and this stands for the echo-request, that is, the packet sent by the sender to the destination.
The ICMP echo-reply is the answer sent back from the destination to the sender of the echo-request.
This is how the ICMP ping test works.
I didn't check the commands on a real router.
In the ACL you should use the echo keyword as the equivalent of echo-request; echo-reply is different, as explained above.
Hope to help
Giuseppe
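As an added example that is not part of this thread, the following Python models the top-down, first-match ACL evaluation Giuseppe describes, including the implicit deny any any and the IOS echo keyword, and shows why the reply to a ping from the 129 subnet was dropped by the original outbound ACL on Fa0/0.3. The host addresses and the sample packet are constructed for illustration.

```python
import ipaddress

# Minimal model of a Cisco extended ACL: entries are tried top-down, first
# match wins, and anything unmatched hits the implicit "deny any any".
def wildcard_match(addr, network, wildcard):
    # Cisco wildcard mask: a 0 bit must match, a 1 bit is "don't care".
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w) == (n & ~w)

def _take_addr(toks):
    # Consume one address spec: "any", "host A.B.C.D", or "A.B.C.D wildcard".
    if toks[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), toks[1:]
    if toks[0] == "host":
        return (toks[1], "0.0.0.0"), toks[2:]
    return (toks[0], toks[1]), toks[2:]

def parse_ace(line):
    # "permit|deny <proto> <src> <dst> [icmp-type]" in the thread's syntax.
    toks = line.split()
    src, rest = _take_addr(toks[2:])
    dst, rest = _take_addr(rest)
    return toks[0], toks[1], src, dst, (rest[0] if rest else None)

def evaluate(acl, pkt):
    # pkt = {"src", "dst", "proto", "icmp"}; returns (action, matching entry).
    for line in acl:
        action, proto, src, dst, icmp_type = parse_ace(line)
        if proto not in ("ip", pkt["proto"]):
            continue
        if not (wildcard_match(pkt["src"], *src) and wildcard_match(pkt["dst"], *dst)):
            continue
        if icmp_type is not None and icmp_type != pkt.get("icmp"):
            continue
        return action, line
    return "deny", "implicit deny any any"

# Perman's original ACL (outbound on Fa0/0.3) and Giuseppe's rewrite, using the
# IOS "echo" keyword since "echo-request" is not accepted on Perman's router.
ORIGINAL = ["permit ip 10.203.128.0 0.0.0.255 host 10.203.129.254"]
REWRITE = [
    "permit icmp 10.203.128.0 0.0.0.255 host 10.203.129.254 echo",
    "deny icmp 10.203.128.0 0.0.0.255 10.203.129.0 0.0.0.255 echo",
    "permit ip any any",
]
# Constructed sample: the echo-reply a 128-subnet host sends back to a pinging
# 129-subnet host. It leaves through Fa0/0.3, so the outbound ACL sees it.
REPLY = {"src": "10.203.128.10", "dst": "10.203.129.20", "proto": "icmp", "icmp": "echo-reply"}
```

Under ORIGINAL the reply falls through to the implicit deny, which is why the ping from the 129 subnet fails even though its echo-request leaves Fa0/0.1 unfiltered; under REWRITE it matches the final permit ip any any.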
02-25-2018 08:31 PM
Hello
So my access-list configuration will be like below, correct?
ip access-list extended Net128_Inbound
permit icmp 10.203.128.0 0.0.0.255 host 10.203.129.254 echo
deny icmp 10.203.128.0 0.0.0.255 10.203.129.0 0.0.0.255 echo
permit ip 10.203.128.0 0.0.0.255 any
permit udp host 0.0.0.0 host 255.255.255.0
Then I need to apply it to interface FastEthernet0/0.1 inbound
int fas0/0.1
ip access-group Net128_INBOUND in
Please advise before I execute this; thanks in advance for your attention.
Regards,
Perman