Extended access list question

kgtnewmedia
Level 1

Hello,

Any suggestions why the following ACL will not apply?

access-list 100 permit udp any host 192.168.155.18 eq domain
access-list 100 permit tcp any host 192.168.155.18 eq domain
access-list 100 permit tcp any host 192.168.155.18 established
access-list 100 deny   udp any host 192.168.155.18
access-list 100 deny   tcp any host 192.168.155.18
access-list 100 permit ip any any
interface GigabitEthernet0/2.16
 description Subnetz 192.168.155.16/28
 encapsulation dot1Q 16
 ip address 192.168.155.17 255.255.255.240
 ip access-group 100 in

The server 192.168.155.18 should only answer requests on port 53 (tcp and udp). IOS image is c7200-jk9s-mz.124-25c.bin. With this access-list applied I can still connect through any other port like ssh and so on.

Thanks,

Thomas


Jon Marshall
Hall of Fame

Thomas

You have applied it in the wrong direction, i.e. inbound means traffic coming into that interface.

So any traffic arriving inbound on that interface has a source IP of 192.168.155.x but your acl has these as destination IPs.

So try changing the direction of the acl.

Jon

Hi Jon,

thanks, but I'm a little bit confused. If I change the direction to "ip access-group 100 out", I can't reach any port of the server (from the internet to the server). Can you tell me what the ACL should look like if the server should only be accessible from the internet on port 53 (tcp/udp)? Outbound (from the server to the internet) the server itself should have no limitation; all kinds of traffic should be allowed.

Thanks,

Thomas

Thomas

I agree with Jon that the problem in your original post is that the direction of the access group was wrong. If you apply ip access-group 100 out then the server should receive only tcp and udp port 53. Are you saying that you have applied the access list in this way and that the server does not receive port 53?

Note that this access list will affect traffic from the Internet and also traffic from any other subnet in your network. Is that what you intend?

HTH

Rick

Rick,

thx. I've applied the ACL with "ip access-group 100 out" and the effect was that I could *not* do any DNS queries and the SSH port was open from the internet. But my purpose is that the server only answers DNS queries from the internet and no SSH or SMTP port is accessible from outside.

Background: this server is a caching nameserver, and the RFC1918 address was substituted only for the post here in the forum. Normally this machine has a public IP address.

But in principle this config should do the following:

- Server only answers requests on port 53 tcp/udp
- All other ports of this server are not accessible from the internet

Would this be correct?

access-list 100 permit udp any host 192.168.155.18 eq domain
access-list 100 permit tcp any host 192.168.155.18 eq domain
access-list 100 permit tcp any host 192.168.155.18 established
access-list 100 deny   udp any host 192.168.155.18
access-list 100 deny   tcp any host 192.168.155.18
access-list 100 permit ip any any
interface GigabitEthernet0/2.16
 description Subnetz 192.168.155.16/28
 encapsulation dot1Q 16
 ip address 192.168.155.17 255.255.255.240
 ip access-group 100 out

KR,

Thomas

Thomas

The acl you have posted should work, but are you saying it doesn't?

Note also that the acl will allow the server to make TCP connections and have the return traffic allowed back but it will not allow the server to make UDP connections because the return traffic will be blocked by the acl.

This is because there is no "established" equivalent for UDP.

If you need to be able to allow TCP and UDP connections from the server then, as I say, you will need to look into reflexive acls.

Jon

Thomas

I am quite puzzled about the results that you tell us. I do not see how SSH to that server would work unless there are some things about the environment that we do not know. Is there any address translation being done? Is there any access onto this subnet other than the router that you are telling us about?

Would you post the output of show access-list 100 and of show ip interface GigabitEthernet0/2.16?

HTH

Rick

Hi Rick,

no, there is no NAT or anything else turned on on this device.

Router#sh ip access-list 100
Extended IP access list 100
    10 permit udp any host 192.168.155.18 eq domain (379 matches)
    20 permit tcp any host 192.168.155.18 eq domain (5 matches)
    30 permit tcp any host 192.168.155.18 established (1 match)
    40 deny udp any host 192.168.155.18 (788 matches)
    50 deny tcp any host 192.168.155.18 (79 matches)
    60 permit ip any any (562 matches)

Router#sh ip int gi0/2.16
GigabitEthernet0/2.16 is up, line protocol is up
  Internet address is 192.168.155.17/28
  Broadcast address is 255.255.255.255
  Address determined by non-volatile memory
  MTU is 1500 bytes
  Helper address is not set
  Directed broadcast forwarding is disabled
  Outgoing access list is not set
  Inbound  access list is not set
  Proxy ARP is disabled
  Local Proxy ARP is disabled
  Security level is default
  Split horizon is enabled
  ICMP redirects are never sent
  ICMP unreachables are always sent
  ICMP mask replies are never sent
  IP fast switching is enabled
  IP fast switching on the same interface is enabled
  IP Flow switching is enabled
  IP CEF switching is enabled
  IP Flow switching turbo vector
  IP Flow CEF switching turbo vector
  IP multicast fast switching is enabled
  IP multicast distributed fast switching is disabled
  IP route-cache flags are Fast, Flow cache, CEF, Full Flow
  Router Discovery is disabled
  IP output packet accounting is disabled
  IP access violation accounting is disabled
  TCP/IP header compression is disabled
  RTP/IP header compression is disabled
  Policy routing is disabled
  Network address translation is disabled
  BGP Policy Mapping is disabled
  WCCP Redirect outbound is disabled
  WCCP Redirect inbound is disabled
  WCCP Redirect exclude is disabled

Reminder: 192.168.155.18 is a fictitious IP address; it was changed only for this post.

Thanks,

Thomas

Thomas

Thank you for the additional information. It is quite helpful. Look especially at these lines:

  Outgoing access list is not set

  Inbound  access list is not set

The interface to the subnet does not have any outbound (or inbound) access list applied. I am confused about what you do have configured, but this is clearly the explanation for why things like SSH are working.

HTH

Rick

Hi Jon,

> Note also that the acl will allow the server to make TCP connections and have the return traffic
> allowed back but it will not allow the server to make UDP connections because the return traffic
> will be blocked by the acl. This is because there is no "established" equivalent for UDP.

I think this is the reason why I can't get a reply to my DNS query towards the server. It seems that I should look into reflexive ACLs.

Thanks,

Thomas

Thomas

As Rick says, you should be able to connect to port 53 on that server from the internet with the acl applied outbound, assuming you are doing NAT for that server on either the same or another device, as the IP is not routable on the internet.

However, if you want both TCP and UDP access for the server to the internet to be unrestricted, then you need to use reflexive acls, if your device supports them.

If you only need TCP then you can use the "established" keyword as you have done.

Jon
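To make the thread's two points concrete (an outbound ACL on the subnet interface only sees traffic heading toward the server, and "established" has no UDP equivalent, so the caching resolver's own upstream replies hit the deny), here is an added example that walks constructed packets through ACL 100 exactly as IOS would, top-down, first match wins. It is not code from the thread or from Cisco; the ACL text is the one Thomas posted, the packet samples and documentation addresses 203.0.113.9 / 198.51.100.7 are constructed here, and the ACK flag is simplified to a boolean.

```python
import re

# The ACL posted in the thread; IOS evaluates it top-down and the first match wins.
ACL_100 = """
access-list 100 permit udp any host 192.168.155.18 eq domain
access-list 100 permit tcp any host 192.168.155.18 eq domain
access-list 100 permit tcp any host 192.168.155.18 established
access-list 100 deny   udp any host 192.168.155.18
access-list 100 deny   tcp any host 192.168.155.18
access-list 100 permit ip any any
"""
PORT_NAMES = {"domain": 53, "ssh": 22, "smtp": 25}
RULE = re.compile(r"access-list \d+ (permit|deny)\s+(\w+) (any|host \S+) (any|host \S+)"
                  r"(?: eq (\w+))?( established)?$")

def parse_acl(text):
    """Parse the subset of IOS extended-ACL syntax used in the thread into tuples."""
    def host(a): return None if a == "any" else a.split()[1]   # 'host x' -> 'x', 'any' -> None
    rules = []
    for line in text.strip().splitlines():
        m = RULE.match(line.strip())
        if not m:
            raise ValueError("unsupported ACL line: " + line)
        action, proto, src, dst, port, est = m.groups()
        dport = None if port is None else int(PORT_NAMES.get(port, port))
        rules.append((action, proto, host(src), host(dst), dport, bool(est)))
    return rules

def evaluate(rules, pkt):
    """First match wins; 'eq' tests the destination port, 'established' needs ACK (or RST) set."""
    for action, proto, src, dst, dport, est in rules:
        if (proto not in ("ip", pkt["proto"]) or src not in (None, pkt["src"])
                or dst not in (None, pkt["dst"]) or dport not in (None, pkt["dport"])
                or (est and not pkt["ack"])):
            continue
        return action
    return "deny"   # the implicit deny at the end of every IOS ACL

# Constructed packets as seen leaving the router toward the subnet, which is what
# 'ip access-group 100 out' inspects: 203.0.113.9 is an internet client, 198.51.100.7 an upstream resolver.
SAMPLES = {
    "dns_query_from_internet": dict(proto="udp", src="203.0.113.9", dst="192.168.155.18", dport=53, ack=False),
    "ssh_from_internet": dict(proto="tcp", src="203.0.113.9", dst="192.168.155.18", dport=22, ack=False),
    "tcp_reply_to_server": dict(proto="tcp", src="198.51.100.7", dst="192.168.155.18", dport=41234, ack=True),
    "udp_dns_reply_to_server": dict(proto="udp", src="198.51.100.7", dst="192.168.155.18", dport=41235, ack=False),
}

def verdicts():
    rules = parse_acl(ACL_100)
    return {name: evaluate(rules, pkt) for name, pkt in SAMPLES.items()}
```

The last sample is the one Thomas ran into: the reply to the server's own recursive UDP query arrives with destination port 41235, misses line 10, and is dropped by line 40, which is why only a reflexive ACL (or a stateful inspection feature) can allow it back.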
