[Cisco 861] AccessList not working

ArendvanDijk
Level 1

In a test environment (before going to the production environment) I've installed a router with 2 VLANs.

VLAN 1 is for the customer and VLAN 2 is for the suppliers of the customer.

I want VLAN 2 not to be able to access any device in VLAN 1 (except traffic to one specific IP address, 200.200.200.61), but VLAN 1 should be able to access all devices in VLAN 1 & 2.

VLAN 1 200.200.200.x/24
VLAN 2 200.200.201.x/24

ACL:

access-list 140 permit ip 200.200.201.0 0.0.0.255 200.200.200.61 255.255.255.255
access-list 140 deny ip 200.200.201.0 0.0.0.255 200.200.200.0 0.0.0.255
access-list 140 permit ip 200.200.201.0 0.0.0.255 any
access-list 150 permit ip 200.200.200.0 0.0.0.255 200.200.201.0 0.0.0.255
access-list 150 permit ip 200.200.200.0 0.0.0.255 any

interface Vlan1
 ip address 200.200.200.1 255.255.255.0
 ip access-group 140 in
interface Vlan2
 ip address 200.200.201.1 255.255.255.0
 ip access-group 150 in

With these access lists no traffic is possible.

Can someone tell me how these access lists should look?

Arend


Abzal
Level 7

Hi,

First of all, looking at your config, you need to fix something:

access-list 140 permit ip 200.200.201.0 0.0.0.255 200.200.200.61 255.255.255.255
access-list 140 deny ip 200.200.201.0 0.0.0.255 200.200.200.0 0.0.0.255
access-list 140 permit ip 200.200.201.0 0.0.0.255 any
access-list 150 permit ip 200.200.200.0 0.0.0.255 200.200.201.0 0.0.0.255
access-list 150 permit ip 200.200.200.0 0.0.0.255 any

interface Vlan1
 ip address 200.200.200.1 255.255.255.0
interface Vlan2
 ip address 200.200.201.1 255.255.255.0
 ip access-group 140 in

And you don't need to apply any ACL to VLAN 1 for this purpose, because by default it will allow all traffic, and you have only two VLANs unless there are specific restrictions.

But in this case traffic goes VLAN 1 --> VLAN 2, but the answer VLAN 2 --> VLAN 1 is blocked. It won't work. You can check it with ping: the request will go, but the answer won't pass the ACL on VLAN 2.

Hope it will help.

Best regards,
Abzal

Hi,

Thank you for your fast reply. I've adjusted the settings, but unfortunately it does not work.

First, I get no IP address. After configuring the IP address manually I have no access to the Cisco (telnet and ping are blocked).

Any suggestions?

Thanks a lot!

Arend

Can you show your network topology to better understand? Ping for devices on the same VLAN 1 should be OK. But ping from VLAN 2 --> VLAN 1 and VLAN 1 --> VLAN 2 are blocked by the ACL. But within VLAN 2 ping should be OK as well.

Post your config.

Hope it will help.

Best regards,
Abzal

The network topology is very simple. The Cisco router has 4 LAN ports. FA0 and FA1 are VLAN 1, the other two VLAN 2.

### See config ###

version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
service sequence-numbers
!
hostname XXX-rt01
!
boot-start-marker
boot-end-marker
!
!
logging buffered 51200
!
enable secret XXX
!
no aaa new-model
memory-size iomem 10
clock timezone CET 1 0
clock summer-time SUM recurring last Sun Mar 2:00 last Sun Oct 3:00
crypto pki token default removal timeout 0
!
no ip bootp server
ip name-server 192.168.210.1
ip cef
!
username XXX password XXX
!
ip dhcp excluded-address 200.200.200.1 200.200.200.10
ip dhcp excluded-address 200.200.200.61
ip dhcp excluded-address 200.200.201.1 200.200.201.10
!
ip dhcp pool XXX-network
 network 200.200.200.0 255.255.255.0
 dns-server 200.200.200.1
 default-router 200.200.200.1
 lease 5
!
ip dhcp pool suppliers-network
 network 200.200.201.0 255.255.255.0
 dns-server 200.200.201.1
 default-router 200.200.201.1
 lease 5
!
interface FastEthernet0
 description LAN-port XXX-network
 no ip address
!
interface FastEthernet1
 description LAN-port XXX-network
 no ip address
!
interface FastEthernet2
 description LAN-port suppliers
 switchport access vlan 3
 no ip address
!
interface FastEthernet3
 description LAN-port suppliers
 switchport access vlan 3
 no ip address
!
interface FastEthernet4
 description Internetpoort
 ip address 192.168.210.100 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 speed 100
 full-duplex
!
interface Vlan1
 description XXX-network
 ip address 200.200.200.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 ip tcp adjust-mss 1452
!
interface Vlan3
 description suppliers-network
 ip address 200.200.201.1 255.255.255.0
 ip access-group 140 in
 ip nat inside
 ip virtual-reassembly in
 ip tcp adjust-mss 1452
 no autostate
!
ip forward-protocol nd
no ip http server
ip http access-class 23
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip dns server
!
ip route 0.0.0.0 0.0.0.0 192.168.210.1
!
ip nat inside source list 101 interface FastEthernet4 overload
!
access-list 23 remark Telnet
access-list 23 permit 200.200.200.0 0.0.0.255
access-list 23 permit 200.200.201.0 0.0.0.255
access-list 101 remark NAT
access-list 101 permit ip 200.200.200.0 0.0.0.255 any
access-list 101 permit ip 200.200.201.0 0.0.0.255 any
access-list 140 permit ip 200.200.201.0 0.0.0.255 200.200.200.61 255.255.255.255
access-list 140 deny ip 200.200.201.0 0.0.0.255 200.200.200.0 0.0.0.255
access-list 140 permit ip 200.200.201.0 0.0.0.255 any
access-list 150 permit ip 200.200.200.0 0.0.0.255 200.200.201.0 0.0.0.255
access-list 150 permit ip 200.200.200.0 0.0.0.255 any
!
dialer-list 1 protocol ip permit
no cdp run
!
snmp-server community cit RO
!
line con 0
 login local
line aux 0
line vty 0 4
 access-class 23 in
 privilege level 15
 login local
 transport input telnet ssh
!
scheduler max-task-time 5000
end

Config looks OK to me. When you configure the IP manually, are the subnet mask and gateway correct?

Anyway DHCP should work. Telnet access as well.

Best regards,
Abzal

John Blakley
VIP Alumni

Arend,

I think your acl needs a little tweaking:

ACL:

access-list 140 permit ip 200.200.201.0 0.0.0.255 200.200.200.61 255.255.255.255
access-list 140 deny ip 200.200.201.0 0.0.0.255 200.200.200.0 0.0.0.255
access-list 140 permit ip 200.200.201.0 0.0.0.255 any
access-list 150 permit ip 200.200.200.0 0.0.0.255 200.200.201.0 0.0.0.255
access-list 150 permit ip 200.200.200.0 0.0.0.255 any

Change to:

access-list 150 permit ip 200.200.200.0 0.0.0.255 host 200.200.200.61
access-list 150 deny ip 200.200.201.0 0.0.0.255 200.200.200.0 0.0.0.255
access-list 150 permit ip any any

interface Vlan1
 ip address 200.200.200.1 255.255.255.0
interface Vlan2
 ip address 200.200.201.1 255.255.255.0
 ip access-group 150 in

HTH,

John

HTH, John *** Please rate all useful posts ***

Hi John,

Thanks a lot! It's working!

Final config:

access-list 150 permit ip 200.200.201.0 0.0.0.255 host 200.200.200.61
access-list 150 deny ip 200.200.201.0 0.0.0.255 200.200.200.0 0.0.0.255
access-list 150 permit ip any any

interface Vlan1
 ip address 200.200.200.1 255.255.255.0
interface Vlan2
 ip address 200.200.201.1 255.255.255.0
 ip access-group 150 in
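Added example, not from the thread or from Cisco: a small Python evaluator for IOS numbered extended ACLs that replays the ACEs posted in this thread (the first attempt with its 255.255.255.255 wildcard, Abzal's point about return traffic, and the final ACL 150) against sample flows; the sample source and destination addresses are constructed.

```python
import ipaddress

# Added example (not from the thread): a minimal evaluator for IOS numbered
# extended ACLs, enough to replay the ACEs posted above against sample flows.
def _ip(s):
    return int(ipaddress.IPv4Address(s))

def _operand(tok):
    """Consume one address operand: 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'."""
    if tok[0] == "any":
        return (0, 0xFFFFFFFF), tok[1:]
    if tok[0] == "host":
        return (_ip(tok[1]), 0), tok[2:]
    return (_ip(tok[0]), _ip(tok[1])), tok[2:]

def parse_ace(line):
    """'access-list N permit|deny ip SRC DST' -> (action, src, dst)."""
    tok = line.split()
    if tok[0] != "access-list" or tok[3] != "ip":
        raise ValueError("only 'access-list N permit|deny ip ...' is supported")
    src, rest = _operand(tok[4:])
    dst, _ = _operand(rest)
    return tok[2], src, dst

def _match(operand, ip):
    net, wildcard = operand  # IOS wildcard: a 1 bit means "don't care"
    care = ~wildcard & 0xFFFFFFFF
    return _ip(ip) & care == net & care

def evaluate(acl, src, dst):
    """First matching ACE wins; every IOS ACL ends with an implicit 'deny ip any any'."""
    for line in acl:
        action, s, d = parse_ace(line)
        if _match(s, src) and _match(d, dst):
            return action
    return "deny"

# The ACLs exactly as posted: the first attempt (140) and the final one (150).
ORIGINAL_140 = [
    "access-list 140 permit ip 200.200.201.0 0.0.0.255 200.200.200.61 255.255.255.255",
    "access-list 140 deny ip 200.200.201.0 0.0.0.255 200.200.200.0 0.0.0.255",
    "access-list 140 permit ip 200.200.201.0 0.0.0.255 any",
]
FINAL_150 = [
    "access-list 150 permit ip 200.200.201.0 0.0.0.255 host 200.200.200.61",
    "access-list 150 deny ip 200.200.201.0 0.0.0.255 200.200.200.0 0.0.0.255",
    "access-list 150 permit ip any any",
]
```

In ORIGINAL_140 the wildcard 255.255.255.255 makes the first ACE match any destination, so it permits VLAN 2 to every VLAN 1 host and the deny below it never fires; with FINAL_150 inbound on the suppliers' SVI, only 200.200.200.61 is reachable from VLAN 2. The evaluator is stateless like the router, so a reply from a VLAN 2 host to a VLAN 1 host other than .61 is also denied, which is the return-traffic behaviour Abzal describes above; on IOS a `permit tcp ... established` ACE or a stateful inspection feature covers that case.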

Glad to hear it!

HTH, John *** Please rate all useful posts ***