Cisco Access List Help

Chris Whiteley
Level 1

Hey All,

I am trying to set up access lists on my switch, and I keep making mistakes; now I am more confused than ever. Here is what I have and what I am trying to protect.

Internal Network - 10.0.0.0/18 (10.0.0.0 - 10.0.63.255)

DHCP from Cisco 3550 DHCP pool addresses - 172.0.0.0/23

My Cisco asa will sit on the network at 10.0.13.2 (VLAN13)

I want to deny traffic from 172.0.0.0/23 to everything on the internal network except the 10.0.13.2 address

I want to also deny all traffic from the internal network out to the 172.x.x.x network.

Here is what I currently have

access-list 198 deny ip any 172.0.0.0 0.0.7.255

access-list 198 permit ip any any

access-list 199 deny ip any 10.0.12.0 0.0.0.255

access-list 199 deny ip 10.0.14.0 0.0.0.255 10.0.63.0 0.0.0.255

access-list 199 permit ip any any

Then on my vlans I have

Inside access VLAN 4

ip helper-address 10.x.x.x

ip access-group 198 in

Outside access VLAN 6

ip access-group 199 in

From the 10.x.x.x address space I cannot ping the 172.x.x.x address space, however I can ping from the 172.x.x.x into the 10.x.x.x address space.

Any help would be much appreciated. Thanks!


19 Replies

nkarthikeyan
Level 7

Hi Chris,

You can set up an ACL like the one below to solve the issue.

I want to deny traffic from 172.0.0.0/23 to everything on the internal network except the 10.0.13.2 address

access-list 101 permit ip 172.0.0.0 0.0.1.255 host 10.0.13.2

access-list 101 deny ip 172.0.0.0 0.0.1.255 10.0.0.0 0.0.63.255

access-list 101 permit ip any any

Apply the above ACL on the 172.0.0.0 VLAN.

I want to also deny all traffic from the internal network out to the 172.x.x.x network.

access-list 102 permit ip host 10.0.13.2 172.0.0.0 0.0.1.255

access-list 102 deny ip 10.0.0.0 0.0.63.255 172.0.0.0 0.0.1.255

access-list 102 permit ip any any

Apply the above ACL on the 10.x.x.x VLANs.

Hope this helps.

By

Karthik

Please do rate if the given information helps.

Thanks for replying to my post.

I am still having the issue, and maybe this is just because you can't block this, but I entered the information as you put it here and I can still ping the router addresses in the 10.x.x.x address space.

For instance,

Interface VLAN 2 has the IP address 10.0.2.1

From the 172.x.x.x network I can ping this address and all the others on the switch. I can't ping the hosts, but I can ping the switch SVIs.

How do I keep this from happening? Thanks.

Can anyone help me with this?

Can you list the new access list you are using?

Or try this access list:

Access list on your VLAN for the 172 network, inbound:

access-list 101 permit ip 172.0.0.0 0.0.1.255 host 10.0.13.2

access-list 101 deny ip 172.0.0.0 0.0.1.255 10.0.0.0 0.0.63.255

access-list 101 permit ip any any

int vlan172 (example vlan for 172 network)

  - ip access-group 101 in

For the internal 10.x network, inbound:

access-list 102 permit ip host 10.0.13.2 172.0.0.0 0.0.1.255

access-list 102 deny ip 10.0.0.0 0.0.63.255 172.0.0.0 0.0.1.255

access-list 102 permit ip any any

int vlan4 (example vlan for Internal network)

  - ip access-group 102 in

In this case, you won't be able to ping any 10.x.x.x network covered by the mask shown above, and can ping only the 10.0.13.2 host.

What you have here is exactly what I have in my two ACLs. Mine are numbered differently (i.e. access lists 198 and 199) but they are the exact same configuration. It just doesn't make any sense. Just in case, I will put down what I have:

Extended IP access list 198

     10 permit ip 172.0.0.0 0.0.1.255 host 10.0.13.2

     20 deny ip 172.0.0.0 0.0.1.255 10.0.0.0 0.0.63.255

     30 permit ip any any

Extended IP access list 199

     10 permit ip host 10.0.13.2 172.0.0.0 0.0.1.255

     20 deny ip 10.0.0.0 0.0.63.255 172.0.0.0 0.0.1.255

     30 permit ip any any

Am I doing something wrong here?

Hi,

Can you post the portion of your running configuration where the VLAN SVI configuration and the IP access-list configuration are shown?

Your internal network is in the 10.x network and the DHCP server is in the 172.x network; what exactly are you using this DHCP server for?

And you are saying that your DHCP clients in the 172.x network are able to ping the SVI interfaces of the 10.x internal VLANs, but not the hosts? Am I right?

version 12.2
no service pad
service timestamps debug datetime localtime show-timezone
service timestamps log datetime localtime show-timezone
service password-encryption
!
hostname sw1
!
logging buffered 16384
no logging console
!
aaa new-model
!
aaa authentication login default local
aaa authorization exec default local
!
aaa session-id common
ip subnet-zero
ip routing
ip name-server 10.x.x.x
ip name-server 10.x.x.x
!
ip dhcp excluded-address 172.0.0.1 172.0.0.10
!
ip dhcp pool GuestWLAN
 network 172.0.0.0 255.255.254.0
 default-router 172.0.0.1
 dns-server 8.8.8.8 8.8.4.4
!
spanning-tree mode rapid-pvst
spanning-tree portfast bpduguard default
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
interface FastEthernet0/1
 description test VLAN
 switchport mode access
 switchport access vlan 480
 spanning-tree portfast
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan2
 description Management
 ip address 10.0.2.1 255.255.255.0
 ip helper-address 10.x.x.x
 ip access-group 199 in
!
interface Vlan3
 description Servers
 ip address 10.0.3.1 255.255.255.0
 ip helper-address 10.x.x.x
 ip access-group 199 in
!
interface Vlan4
 description Wired Access
 ip address 10.0.4.1 255.255.254.0
 ip helper-address 10.x.x.x
 ip access-group 199 in
!
interface Vlan6
 description Wireless Access
 ip address 10.0.6.1 255.255.254.0
 ip helper-address 10.x.x.x
 ip access-group 199 in
!
interface Vlan13
 description Inside
 ip address 10.0.13.1 255.255.254.0
 ip access-group 199 in
!
interface Vlan480
 description Outside Wireless
 ip address 172.0.0.1 255.255.254.0
 ip access-group 198 in
!
access-list 198 permit ip 172.0.0.0 0.0.1.255 host 10.0.13.2
access-list 198 deny ip 172.0.0.0 0.0.1.255 10.0.0.0 0.0.63.255
access-list 198 permit ip any any
!
access-list 199 permit ip host 10.0.13.2 172.0.0.0 0.0.1.255
access-list 199 deny ip 10.0.0.0 0.0.63.255 172.0.0.0 0.0.1.255
access-list 199 permit ip any any
!
ip classless
! default route pointing to the Cisco ASA 5505
ip route 0.0.0.0 0.0.0.0 10.0.13.2
!
no ip http server
ip http secure-server
!
control-plane
!
end

And to answer your question, I do not want the 172.x.x.x network to communicate with the internal 10.x.x.x network. I only want it to be able to get through the firewall (10.0.13.2). I also do not want my internal network (10.x.x.x) communicating with the 172.x.x.x network.

Hi Chris,

Some devices, especially the 3550 and its IOS, have many bugs, especially with respect to ACLs. You can try one more thing: apply the ACL on the interface (the uplink-connected interface). If that solves the problem it would be really good.

I guess you can have the same ACL simultaneously on the VLAN as well as on the interface.

By

Karthik

Please do rate if the given information helps.

How would I do this via the command line?

Is your ping from the DHCP client to the VLAN interface successful, or are you trying to ping from the switch?

What is your source IP address when pinging the VLAN 2 interface?

If the ping is successful, can you run a traceroute and paste the route being followed?

Because from SVI VLAN 480 it is not possible to ping the 10.x network; it is getting routed from some other source!

I am pinging from the client IP address to the switch. So the DHCP client at IP address 172.0.0.12 is trying to ping 10.0.2.1, and I get replies back from it.

The trace route shows:

tracert 10.0.2.1:

Tracing route to 10.0.2.1 over a maximum of 30 hops

  1    <1 ms       1 ms    10.0.2.1

What does this mean?

Your SVI shouldn't ping from any of the internal VLANs.

Any packet coming from the 172.x network will enter via VLAN 480, where the access list will drop the packet before routing.

You can do one thing: with the 'show ip access-list 198' command, we can check which statement the ping is matching, or whether it is not matching at all, by looking at the number of times each statement has been matched.

Based on that evaluation, we can conclude something.
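The first-match logic of the wildcard-mask ACL Karthik posts above (entries 10, 20, 30) and the hit-counter check suggested in this reply can both be rehearsed offline before touching the switch. The following Python script is an added example, not code from the thread or from Cisco: it parses IOS-style numbered extended ACL entries, applies first-match semantics with the implicit deny at the end, keeps per-entry hit counters in the style of `show ip access-list`, and replays the thread's ACL 198 against constructed sample flows, including the guest client 172.0.0.12 pinging the SVI 10.0.2.1. It also runs the same three entries with subnet masks written where wildcards belong, to show why that variant never denies anything. Only the `ip` protocol and the `any` / `host` / wildcard address forms are handled; the names `Entry`, `parse_acl`, `evaluate`, `show_access_list` and `run_flows` are the example's own.

```python
# Offline first-match evaluator for IOS-style numbered extended ACLs.
# Added example, not from the thread: replays the thread's ACL 198 against
# constructed sample flows and renders hit counters like 'show ip access-list'.
import ipaddress
from dataclasses import dataclass

ALL_ONES = 0xFFFFFFFF


@dataclass
class Entry:
    seq: int          # sequence number IOS assigns (10, 20, 30, ...)
    action: str       # "permit" or "deny"
    src: tuple        # (address, wildcard) as 32-bit ints
    dst: tuple
    text: str         # entry body as written, for rendering
    matches: int = 0  # hit counter, as shown by 'show ip access-list'


def _parse_addr(tokens):
    """Consume one address spec: 'any' | 'host A.B.C.D' | 'A.B.C.D W.W.W.W'."""
    tok = tokens.pop(0)
    if tok == "any":
        return (0, ALL_ONES)                                   # every bit is don't-care
    if tok == "host":
        return (int(ipaddress.IPv4Address(tokens.pop(0))), 0)  # exact match
    addr = int(ipaddress.IPv4Address(tok))
    wild = int(ipaddress.IPv4Address(tokens.pop(0)))
    return (addr, wild)


def parse_acl(text):
    """Parse 'access-list N permit|deny ip SRC DST' lines into Entry objects."""
    entries = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if not tokens or tokens[0] != "access-list":
            continue
        _, _number, action, proto, *rest = tokens
        if action not in ("permit", "deny") or proto != "ip":
            raise ValueError(f"unsupported entry: {line}")
        src = _parse_addr(rest)
        dst = _parse_addr(rest)
        entries.append(Entry(10 * (len(entries) + 1), action, src, dst, " ".join(tokens[2:])))
    return entries


def _matches(spec, ip):
    """Wildcard semantics: a 1 bit means don't-care, a 0 bit must match exactly."""
    addr, wild = spec
    care = ~wild & ALL_ONES
    return (int(ipaddress.IPv4Address(ip)) & care) == (addr & care)


def evaluate(entries, src_ip, dst_ip):
    """First matching entry wins; returns (action, seq). No match means implicit deny."""
    for entry in entries:
        if _matches(entry.src, src_ip) and _matches(entry.dst, dst_ip):
            entry.matches += 1
            return entry.action, entry.seq
    return "deny", None


def show_access_list(entries, number):
    """Render like 'show ip access-list N'; IOS prints the counter only when non-zero."""
    lines = [f"Extended IP access list {number}"]
    for e in entries:
        suffix = f" ({e.matches} match{'es' if e.matches != 1 else ''})" if e.matches else ""
        lines.append(f"    {e.seq} {e.text}{suffix}")
    return "\n".join(lines)


# ACL 198 with wildcard masks, as the thread finally writes it.
ACL_198_WILDCARD = """
access-list 198 permit ip 172.0.0.0 0.0.1.255 host 10.0.13.2
access-list 198 deny ip 172.0.0.0 0.0.1.255 10.0.0.0 0.0.63.255
access-list 198 permit ip any any
"""

# Same intent with subnet masks where wildcards belong: IOS accepts the syntax,
# but the inverted "care" bits mean only addresses with all-zero host bits match.
ACL_198_SUBNET_MASK = """
access-list 198 permit ip 172.0.0.0 255.255.254.0 host 10.0.13.2
access-list 198 deny ip 172.0.0.0 255.255.254.0 10.0.0.0 255.255.192.0
access-list 198 permit ip any any
"""

# Constructed sample flows: the guest client from the thread's tracert plus two more.
SAMPLE_FLOWS = [("172.0.0.12", "10.0.13.2"),  # guest -> ASA inside address
                ("172.0.0.12", "10.0.2.1"),   # guest -> management SVI
                ("172.0.0.12", "8.8.8.8")]    # guest -> Internet DNS


def run_flows(acl_text, flows=SAMPLE_FLOWS):
    """Evaluate each flow; returns ([(src, dst, action, seq)], parsed entries)."""
    entries = parse_acl(acl_text)
    return [(s, d, *evaluate(entries, s, d)) for s, d in flows], entries


if __name__ == "__main__":
    for label, acl in (("wildcard", ACL_198_WILDCARD), ("subnet-mask", ACL_198_SUBNET_MASK)):
        results, entries = run_flows(acl)
        print(f"--- {label} ---")
        for src, dst, action, seq in results:
            print(f"{src} -> {dst}: {action} (entry {seq})")
        print(show_access_list(entries, 198))
```

With the wildcard version, the guest-to-SVI flow lands on entry 20 and its counter increments; with the subnet-mask version every flow falls through to entry 30. On the switch, if entry 20 stays at zero matches while 172.0.0.12 keeps receiving echo replies from 10.0.2.1, the ACL is not being consulted for that traffic at all, which is exactly the distinction the reply above asks you to make with `show ip access-list 198`.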

Hi Chris,

It's the same as for a VLAN: you can use the access-group command on the interface.

ip access-group <acl-number> in

By

Karthik

Please do rate if the given information helps.
