823 Views | 5 Helpful | 5 Replies

Extended ACL not matching statements

Adam_S
Level 1

Hi Everyone,

Looking for some help in regards to an extended ACL. I am trying to block access to all internal subnets from my 80.80.80.0 network, but permit access from my internal subnets to the modem (80.80.80.2). I've configured and applied an ACL, but the statement is never matched and access to the modem is denied. Any help/suggestions appreciated.

ip access-list extended EDGE_SECURITY
permit ip 172.16.0.0 0.0.0.255 80.80.80.2 0.0.0.0
deny ip 80.80.80.0 0.0.0.255 any
permit ip any any

Amel#show ip access-lists
Extended IP access list EDGE_SECURITY
    10 permit ip 172.16.0.0 0.0.0.255 host 80.80.80.2
    20 deny ip 80.80.80.0 0.0.0.255 any (1221 matches)
    30 permit ip any any (17934 matches)

Amel#show run
Building configuration...


Current configuration : 8270 bytes
!
version 12.4
service timestamps debug datetime localtime show-timezone
service timestamps log datetime localtime show-timezone
service password-encryption
!
hostname Amel
!
boot-start-marker
boot system flash:c2800nm-advipservicesk9-mz.124-15.T9.bin
boot-end-marker
!
logging buffered 4096 informational
enable secret 5 $1$ZFe8$g4l2RoRNxgxEw.lD.QLYY0
!
no aaa new-model
clock timezone AEST 10
clock summer-time AEDT recurring last Sun Oct 2:00 last Sun Mar 3:00
dot11 syslog
!
!
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.0.1 192.168.0.100
ip dhcp excluded-address 10.212.0.1 10.212.0.100
ip dhcp excluded-address 10.12.0.1 10.12.0.100
ip dhcp excluded-address 10.112.0.1 10.112.0.100
ip dhcp excluded-address 10.213.0.1 10.213.0.100
ip dhcp excluded-address 172.16.0.1 172.16.0.100
ip dhcp excluded-address 192.168.20.1 192.168.20.100
!
ip dhcp pool VLAN10_MANAGEMENT
   network 192.168.0.0 255.255.255.0
   default-router 192.168.0.1
   lease 24
!
ip dhcp pool VLAN212_W_DATA
   network 10.212.0.0 255.255.255.0
   default-router 10.212.0.1
   dns-server 8.8.8.8
   lease 24
!
ip dhcp pool VLAN213_Wireless_Voice
   network 10.213.0.0 255.255.255.0
   default-router 10.213.0.1
   dns-server 8.8.8.8
   lease 24
!
ip dhcp pool VLAN12_DATA
   network 10.12.0.0 255.255.255.0
   default-router 10.12.0.1
   dns-server 8.8.8.8
   lease 24
!
ip dhcp pool VLAN16_WIRELESS_N
   network 172.16.0.0 255.255.255.0
   default-router 172.16.0.1
   dns-server 8.8.8.8
   lease 24
!
ip dhcp pool VLAN112_Voice
   network 10.112.0.0 255.255.255.0
   default-router 10.112.0.1
   dns-server 8.8.8.8
   lease 24
!
!
no ip domain lookup
ip name-server 8.8.8.8
ip multicast-routing
!
multilink bundle-name authenticated
!
!
voice-card 0
 no dspfarm
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
vtp domain home
vtp mode transparent
archive
 log config
  hidekeys
!
!
!
!
vlan 10
 name Managemet
!
vlan 12
 name DataVlan
!
vlan 16
 name WIRELESS_N
!
vlan 17
 name Home_Automation
!
vlan 20
 name Guest
!
vlan 112
 name VoiceVlan
!
vlan 212
 name Wireless
!
vlan 213
 name WirelessPhones
!
!
!
!
!
interface Loopback0
 ip address 10.255.255.255 255.255.255.255
 ip broadcast-address 0.0.0.0
 h323-gateway voip interface
 h323-gateway voip bind srcaddr 10.255.255.255
!
interface FastEthernet0/0
 description Internet
 ip address 80.80.80.1 255.255.255.0
 ip broadcast-address 0.0.0.0
 ip access-group EDGE_SECURITY in
 ip nat outside
 ip virtual-reassembly
 duplex full
 speed 100
!
interface FastEthernet0/1
 no ip address
 ip broadcast-address 0.0.0.0
 ip virtual-reassembly
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet0/1/0
 switchport trunk native vlan 10
 switchport mode trunk
 duplex full
 speed 100
 spanning-tree portfast
!
interface FastEthernet0/1/1
 switchport trunk native vlan 10
 switchport mode trunk
 duplex full
 speed 100
 spanning-tree portfast
!
interface FastEthernet0/1/2
 description AP1
 switchport trunk native vlan 10
 switchport mode trunk
 duplex full
 speed 100
 spanning-tree portfast
!
interface FastEthernet0/1/3
 switchport access vlan 16
 duplex full
 speed 100
!
interface FastEthernet0/1/4
 description Alarm
 switchport access vlan 17
 duplex full
 speed 100
!
interface FastEthernet0/1/5
!
interface FastEthernet0/1/6
!
interface FastEthernet0/1/7
 switchport mode trunk
 duplex full
 speed 100
 spanning-tree portfast
!
interface FastEthernet0/1/8
 switchport trunk native vlan 10
 switchport mode trunk
 duplex full
 speed 100
!
interface Serial0/3/0
 no ip address
 ip broadcast-address 0.0.0.0
 encapsulation frame-relay
 clock rate 2000000
!
interface Vlan1
 no ip address
 ip broadcast-address 0.0.0.0
 shutdown
!
interface Vlan10
 description Management
 ip address 192.168.0.1 255.255.255.0
 ip broadcast-address 0.0.0.0
!
interface Vlan12
 description Data
 ip address 10.12.0.1 255.255.255.0
 ip broadcast-address 0.0.0.0
 ip nat inside
 ip virtual-reassembly
!
interface Vlan16
 description Wirless_N
 ip address 172.16.0.1 255.255.255.0
 ip broadcast-address 0.0.0.0
 ip helper-address 10.12.0.2
 ip directed-broadcast
 ip nat inside
 ip virtual-reassembly
!
interface Vlan17
 description Home_Automation
 ip address 172.17.0.1 255.255.255.0
 ip broadcast-address 0.0.0.0
 ip nat inside
 ip virtual-reassembly
!
interface Vlan112
 description Voice
 ip address 10.112.0.1 255.255.255.0
 ip broadcast-address 0.0.0.0
!
interface Vlan212
 description Wireless_G
 ip address 10.212.0.1 255.255.255.0
 ip broadcast-address 0.0.0.0
 ip helper-address 10.12.0.2
 ip nat inside
 ip virtual-reassembly
!
interface Vlan213
 description Wireless_Voice
 ip address 10.213.0.1 255.255.255.0
 ip broadcast-address 0.0.0.0
!
no ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 80.80.80.2
!
!
no ip http server
no ip http secure-server
ip nat inside source list NAT-ACL interface FastEthernet0/0 overload
ip nat inside source static tcp 10.12.0.2 8000 80.80.80.1 8000 extendable
ip nat inside source static udp 10.12.0.2 8000 80.80.80.1 8000 extendable
ip nat inside source static tcp 172.17.0.2 10000 80.80.80.1 10000 extendable
ip nat inside source static udp 172.17.0.2 10000 80.80.80.1 10000 extendable
ip nat inside source static tcp 172.17.0.2 10001 80.80.80.1 10001 extendable
ip nat inside source static udp 172.17.0.2 10001 80.80.80.1 10001 extendable
!
ip access-list extended EDGE_SECURITY
 permit ip 172.16.0.0 0.0.0.255 host 80.80.80.2
 deny   ip 80.80.80.0 0.0.0.255 any
 permit ip any any
ip access-list extended NAT-ACL
 permit ip 10.12.0.0 0.0.0.255 any
 permit ip 10.112.0.0 0.0.0.255 any
 permit ip 10.212.0.0 0.0.0.255 any
 permit ip 10.213.0.0 0.0.0.255 any
 permit ip 172.17.0.0 0.0.0.255 any
 permit ip 172.16.0.0 0.0.0.255 any
!
!
!
!
!
!
tftp-server flash:/c7921/APPS-1.0.4.SBN alias APPS-1.0.4.SBN
tftp-server flash:/c7921/CP7921G-1.0.4.LOADS alias CP7921G-1.0.4.LOADS
tftp-server flash:/c7921/GUI-1.0.4.SBN alias GUI-1.0.4.SBN
tftp-server flash:/c7921/SYS-1.0.4.SBN alias SYS-1.0.4.SBN
tftp-server flash:/c7921/TNUX-1.0.4.SBN alias TNUX-1.0.4.SBN
tftp-server flash:/c7921/TNUXR-1.0.4.SBN alias TNUXR-1.0.4.SBN
tftp-server flash:/c7921/WLAN-1.0.4.SBN alias WLAN-1.0.4.SBN
tftp-server flash:/c7911new/c7911/apps11.8-3-2-27.sbn alias apps11.8-3-2-27.sbn
tftp-server flash:/c7911new/c7911/cnu11.8-3-2-27.sbn alias cnu11.8-3-2-27.sbn
tftp-server flash:/c7911new/c7911/cvm11sccp.8-3-2-27.sbn alias cvm11sccp.8-3-2-27.sbn
tftp-server flash:/c7911new/c7911/dsp11.8-3-2-27.sbn alias dsp11.8-3-2-27.sbn
tftp-server flash:/c7911new/c7911/jar11sccp.8-3-2-27.sbn alias jar11sccp.8-3-2-27.sbn
tftp-server flash:/c7911new/c7911/SCCP11.8-3-3S.loads alias SCCP11.8-3-3S.loads
tftp-server flash:/c7911new/c7911/term06.default.loads alias term06.default.loads
tftp-server flash:/c7911new/c7911/term11.default.loads alias term11.default.loads
!
control-plane
!
!
!
voice-port 0/2/0
!
voice-port 0/2/1
!
ccm-manager redundant-host 10.12.0.21
ccm-manager mgcp
no ccm-manager fax protocol cisco
ccm-manager music-on-hold bind Loopback0
ccm-manager config server 10.12.0.21
ccm-manager config
!
mgcp
mgcp call-agent 10.12.0.25 2427 service-type mgcp version 0.1
mgcp rtp unreachable timeout 1000 action notify
mgcp modem passthrough voip mode nse
mgcp package-capability rtp-package
mgcp package-capability sst-package
mgcp package-capability pre-package
no mgcp package-capability res-package
no mgcp timer receive-rtcp
mgcp sdp simple
mgcp rtp payload-type g726r16 static
mgcp bind control source-interface Loopback0
mgcp bind media source-interface Loopback0
mgcp behavior g729-variants static-pt
!
mgcp profile default
!
!
!
dial-peer voice 999020 pots
 service mgcpapp
 port 0/2/0
!
dial-peer voice 999021 pots
 service mgcpapp
 port 0/2/1
!
dial-peer voice 999030 pots
 service mgcpapp
!
dial-peer voice 1 voip
 destination-pattern 10924
 session target ipv4:10.255.255.255
!
!
!
!
call-manager-fallback
 max-conferences 8 gain -6
 transfer-system full-consult
 ip source-address 10.255.255.255 port 2000
 max-ephones 5
 max-dn 5
!
!
line con 0
line aux 0
line vty 0 4
 exec-timeout 0 0
 password 7 10620C0A111606
 login
line vty 5
 exec-timeout 0 0
 password 7 00071A150754
 login
!
scheduler allocate 20000 1000
ntp clock-period 17180094
ntp update-calendar
ntp server 216.239.38.15

Accepted Solution

Philip D'Ath
VIP Alumni

You are matching traffic coming into the routing device - not going out. To match that way you would need to do:

ip access-list extended EDGE_SECURITY
permit ip 80.80.80.2 0.0.0.0 172.16.0.0 0.0.0.255
deny ip 80.80.80.0 0.0.0.255 any
permit ip any any

5 Replies

Hi,

Thanks for the suggestion. I applied the ACL (tried both ip access-group EDGE_SECURITY in and out), but still no love.

Extended IP access list EDGE_SECURITY
10 permit ip host 80.80.80.2 172.16.0.0 0.0.0.255
20 deny ip 80.80.80.0 0.0.0.255 any (6 matches)
30 permit ip any any (18 matches)

if any further info is required please let me know.

Hi,

One thing to check:

interface Vlan16
description Wirless_N
ip address 172.16.0.1 255.255.255.0
ip broadcast-address 0.0.0.0
ip helper-address 10.12.0.2
ip directed-broadcast
ip nat inside
ip virtual-reassembly
!
Are you trying it from a device connected to the wireless device that gets its IP address from the 172.16.0.0/24 block?

HTH,
Meheretab

Hi,

Yes i am connected to that subnet:

Wireless LAN adapter Wi-Fi:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel(R) Centrino(R) Wireless-N 135
Physical Address. . . . . . . . . : 0C-D2-92-45-1D-9D
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IPv4 Address. . . . . . . . . . . : 172.16.0.104(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : Thursday, 21 September 2017 1:21:00 PM
Lease Expires . . . . . . . . . . : Sunday, 15 October 2017 1:21:02 PM
Default Gateway . . . . . . . . . : 172.16.0.1
DHCP Server . . . . . . . . . . . : 172.16.0.1
DNS Servers . . . . . . . . . . . : 8.8.8.8
NetBIOS over Tcpip. . . . . . . . : Enabled

A good link for NAT Order of Operation:

https://www.cisco.com/c/en/us/support/docs/ip/network-address-translation-nat/6209-5.html

Since you have enabled NAT (PAT), whenever traffic comes from the Modem it will be checked with the INPUT ACL before NAT translation. As a result, you will not see traffic match on the first line of the ACL.

One way to solve it is to apply an outbound ACL on the interface connected to the 172.16.0.0/24 network.

HTH,
Meheretab

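The NAT order-of-operations point in the last reply, worked through as an added example (not code from the thread or from Cisco): a small wildcard-mask ACL evaluator is run over EDGE_SECURITY as first posted and as reversed in the accepted answer, and the modem's reply packet is pushed through the outside-to-inside sequence. The laptop address 172.16.0.104 and the PAT global address 80.80.80.1 come from the thread; the interface labels in the trace are assumed from the posted config.

```python
import ipaddress

# Cisco wildcard semantics: a 0 bit in the wildcard must match, a 1 bit is ignored.
ANY = ("0.0.0.0", "255.255.255.255")

def wildcard_match(addr, base, wildcard):
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w & 0xFFFFFFFF) == (b & ~w & 0xFFFFFFFF)

def evaluate(acl, src, dst):
    """First matching line as (sequence, action); (None, 'deny') is the implicit deny."""
    for seq, action, (s, sw), (d, dw) in acl:
        if wildcard_match(src, s, sw) and wildcard_match(dst, d, dw):
            return seq, action
    return None, "deny"

# EDGE_SECURITY as first posted: (seq, action, (src, wildcard), (dst, wildcard)).
ACL_AS_POSTED = [
    (10, "permit", ("172.16.0.0", "0.0.0.255"), ("80.80.80.2", "0.0.0.0")),
    (20, "deny", ("80.80.80.0", "0.0.0.255"), ANY),
    (30, "permit", ANY, ANY),
]
# EDGE_SECURITY with line 10 reversed, as suggested in the accepted answer.
ACL_REVERSED = [(10, "permit", ("80.80.80.2", "0.0.0.0"), ("172.16.0.0", "0.0.0.255"))] + ACL_AS_POSTED[1:]

# PAT binding that 'ip nat inside source list NAT-ACL interface FastEthernet0/0 overload'
# creates for the laptop in the thread (172.16.0.104) when it talks to the modem.
INSIDE_LOCAL, INSIDE_GLOBAL = "172.16.0.104", "80.80.80.1"

def outside_to_inside(input_acl, output_acl, src, dst):
    """Cisco outside-to-inside order of operations: the input ACL sees the packet
    before NAT (destination is still the global address 80.80.80.1); only then is
    the destination translated back to the inside local address, and the output
    ACL on the inside interface sees the translated packet. None means no ACL."""
    trace = {}
    if input_acl is not None:
        trace["Fa0/0 in"] = evaluate(input_acl, src, dst)
        if trace["Fa0/0 in"][1] == "deny":
            return trace  # dropped before NAT, so the 172.16.0.0 line never gets a chance
    local = INSIDE_LOCAL if dst == INSIDE_GLOBAL else dst
    if output_acl is not None:
        trace["Vlan16 out"] = evaluate(output_acl, src, local)
    return trace

if __name__ == "__main__":
    reply = ("80.80.80.2", INSIDE_GLOBAL)  # modem answering the laptop's PAT'd request
    print("posted ACL, Fa0/0 in    :", outside_to_inside(ACL_AS_POSTED, None, *reply))
    print("reversed ACL, Fa0/0 in  :", outside_to_inside(ACL_REVERSED, None, *reply))
    print("reversed ACL, Vlan16 out:", outside_to_inside(None, ACL_REVERSED, *reply))
```

Both inbound variants end on line 20, which is exactly where the match counters in the thread are climbing; only the outbound placement on Vlan16 evaluates line 10 against the untranslated 172.16.0.104 and permits the reply.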