03-19-2014 12:54 PM - edited 03-07-2019 06:47 PM
Hello,
any suggestions why the following ACL will not apply?
access-list 100 permit udp any host 192.168.155.18 eq domain
access-list 100 permit tcp any host 192.168.155.18 eq domain
access-list 100 permit tcp any host 192.168.155.18 established
access-list 100 deny udp any host 192.168.155.18
access-list 100 deny tcp any host 192.168.155.18
access-list 100 permit ip any any

interface GigabitEthernet0/2.16
 description Subnetz 192.168.155.16/28
 encapsulation dot1Q 16
 ip address 192.168.155.17 255.255.255.240
 ip access-group 100 in
The server 192.168.155.18 should only answer requests on port 53 (TCP and UDP). The IOS image is c7200-jk9s-mz.124-25c.bin. With this access list applied I can still connect through any other port, like SSH and so on.
Thanks,
Thomas
03-19-2014 01:07 PM
Thomas
You have applied it in the wrong direction, i.e. inbound means traffic coming into that interface.
So any traffic arriving inbound on that interface has a source IP of 192.168.155.x but your acl has these as destination IPs.
So try changing the direction of the acl.
Jon
03-20-2014 12:05 AM
Hi Jon,
thanks, but I'm a little bit confused. If I change the direction to "ip access-group 100 out", I can't reach any port of the server (from the internet to the server). Can you tell me what the ACL should look like if the server should only be accessible from the internet on port 53 (tcp/udp)? Outbound (from the server to the internet) the server itself should have no limitation; all kinds of traffic should be allowed.
Thanks,
Thomas
03-20-2014 06:29 AM
Thomas
I agree with Jon that the problem in your original post is that the direction of the access group was wrong. If you apply ip access-group 100 out then the server should receive only tcp and udp port 53. Are you saying that you have applied the access list in this way and that the server does not receive port 53?
Note that this access list will affect traffic from the Internet and also traffic from any other subnet in your network. Is that what you intend?
HTH
Rick
03-20-2014 12:21 PM
Rick,
thanks. I've applied the ACL with "ip access-group 100 out" and the effect was that I could *not* do any DNS queries and the SSH port was open from the internet. But my purpose is that the server only answers DNS queries from the internet and no SSH or SMTP port is accessible from outside.
Background: this server is a caching nameserver, and the RFC1918 address was substituted only for the post here in the forum. Normally this machine has a public IP address.
But in principle this config should do the following:
- Server only answers requests on port 53 tcp/udp
- All other ports of this server are not accessible from the internet
Would this be correct?
access-list 100 permit udp any host 192.168.155.18 eq domain
access-list 100 permit tcp any host 192.168.155.18 eq domain
access-list 100 permit tcp any host 192.168.155.18 established
access-list 100 deny udp any host 192.168.155.18
access-list 100 deny tcp any host 192.168.155.18
access-list 100 permit ip any any

interface GigabitEthernet0/2.16
 description Subnetz 192.168.155.16/28
 encapsulation dot1Q 16
 ip address 192.168.155.17 255.255.255.240
 ip access-group 100 out
KR,
Thomas
03-20-2014 02:07 PM
Thomas
The acl you have posted should work, but are you saying it doesn't?
Note also that the acl will allow the server to make TCP connections and have the return traffic allowed back but it will not allow the server to make UDP connections because the return traffic will be blocked by the acl.
This is because there is no "established" equivalent for UDP.
If you need to be able to allow TCP and UDP connections from the server then, as I say, you will need to look into reflexive acls.
Jon
03-20-2014 02:07 PM
Thomas
I am quite puzzled about the results that you tell us. I do not see how SSH to that server would work unless there are some things about the environment that we do not know. Is there any address translation being done? Is there any access onto this subnet other than the router that you are telling us about?
Would you post the output of show access-list 100 and of show ip interface GigabitEthernet0/2.16
HTH
Rick
03-20-2014 04:30 PM
Hi Rick,
no there is no NAT or other things turned on on this device.
Router#sh ip access-list 100
Extended IP access list 100
10 permit udp any host 192.168.155.18 eq domain (379 matches)
20 permit tcp any host 192.168.155.18 eq domain (5 matches)
30 permit tcp any host 192.168.155.18 established (1 match)
40 deny udp any host 192.168.155.18 (788 matches)
50 deny tcp any host 192.168.155.18 (79 matches)
60 permit ip any any (562 matches)
Router#sh ip int gi0/2.16
GigabitEthernet0/2.16 is up, line protocol is up
Internet address is 192.168.155.17/28
Broadcast address is 255.255.255.255
Address determined by non-volatile memory
MTU is 1500 bytes
Helper address is not set
Directed broadcast forwarding is disabled
Outgoing access list is not set
Inbound access list is not set
Proxy ARP is disabled
Local Proxy ARP is disabled
Security level is default
Split horizon is enabled
ICMP redirects are never sent
ICMP unreachables are always sent
ICMP mask replies are never sent
IP fast switching is enabled
IP fast switching on the same interface is enabled
IP Flow switching is enabled
IP CEF switching is enabled
IP Flow switching turbo vector
IP Flow CEF switching turbo vector
IP multicast fast switching is enabled
IP multicast distributed fast switching is disabled
IP route-cache flags are Fast, Flow cache, CEF, Full Flow
Router Discovery is disabled
IP output packet accounting is disabled
IP access violation accounting is disabled
TCP/IP header compression is disabled
RTP/IP header compression is disabled
Policy routing is disabled
Network address translation is disabled
BGP Policy Mapping is disabled
WCCP Redirect outbound is disabled
WCCP Redirect inbound is disabled
WCCP Redirect exclude is disabled
Reminder: 192.168.155.18 is a fictitious IP address; it was changed only for this post.
Thanks,
Thomas
03-20-2014 05:42 PM
Thomas
Thank you for the additional information. It is quite helpful. Look especially at these lines
Outgoing access list is not set
Inbound access list is not set
The interface to the subnet does not have any outbound (or inbound) access list applied. I am confused about what you do have configured but this is clearly the explanation for why things like SSH are working.
HTH
Rick
03-20-2014 04:36 PM
Hi Jon,
> Note also that the acl will allow the server to make TCP connections and have the return traffic
>allowed back but it will not allow the server to make UDP connections because the return traffic
>will be blocked by the acl. This is because there is no "established" equivalent for UDP.
I think this is the reason why I can't get a reply to my DNS query towards the server. It seems that I should search for reflexive ACLs.
Thanks,
Thomas
03-20-2014 06:58 AM
Thomas
As Rick says, you should be able to connect to port 53 on that server from the internet with the acl applied outbound, assuming you are doing NAT for that server on either the same or another device, as the IP is not routable on the internet.
However, if you want both TCP and UDP access for the server to the internet to be unrestricted, then you need to use reflexive acls if your device supports them.
If you only need TCP then you can use the "established" keyword as you have done.
Jon
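The reflexive-ACL approach Jon describes in his two replies above (the "established" keyword covers only TCP; UDP replies to the caching nameserver's own upstream queries have no stateless equivalent, which is what Thomas concludes is breaking his DNS queries), written out as a complete configuration for the subinterface in this thread. This is an added example, not configuration posted by anyone in the thread. The ACL names TO_SERVER and FROM_SERVER, the reflexive list name SERVER_FLOWS and the timeout values are my choices; the addresses are the thread's substituted RFC 1918 ones. Reflexive ACLs require named extended ACLs, so the numbered list 100 is replaced.

```cisco
! Traffic leaving the router toward the server (from the Internet and from
! other subnets) is "out" on Gi0/2.16, so the server is the DESTINATION here.
ip access-list extended TO_SERVER
 remark Unsolicited traffic to the caching nameserver: DNS only
 permit udp any host 192.168.155.18 eq domain
 permit tcp any host 192.168.155.18 eq domain
 remark Replies to connections the server itself opened (TCP and UDP alike)
 evaluate SERVER_FLOWS
 deny   udp any host 192.168.155.18
 deny   tcp any host 192.168.155.18
 permit ip any any
!
! Traffic entering the router from the server is "in" on Gi0/2.16, so the
! server is the SOURCE here. Each permitted flow creates a temporary entry in
! SERVER_FLOWS with source and destination swapped; "evaluate" above matches
! the returning packets against those entries until the timeout expires.
ip access-list extended FROM_SERVER
 permit tcp host 192.168.155.18 any reflect SERVER_FLOWS timeout 300
 permit udp host 192.168.155.18 any reflect SERVER_FLOWS timeout 60
 permit ip any any
!
interface GigabitEthernet0/2.16
 description Subnetz 192.168.155.16/28
 encapsulation dot1Q 16
 ip address 192.168.155.17 255.255.255.240
 ip access-group TO_SERVER out
 ip access-group FROM_SERVER in
```

The "evaluate" line must sit before the two deny lines, because the first matching entry wins. After applying it, confirm the binding with "show ip interface GigabitEthernet0/2.16" (the "Outgoing access list" and "Inbound access list" lines should name TO_SERVER and FROM_SERVER rather than "not set", which is what Thomas's output shows), then run a recursive query through the server and check "show access-lists": the temporary entries appear under "Reflexive IP access list SERVER_FLOWS" with their remaining time, and the hit counters on the two deny lines should stop increasing for the server's own upstream traffic.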