426 Views, 0 Helpful, 4 Replies

Grrr...forgot how to do ACLs...Please Assist...

ciscocharger
Level 1

Hi,

I have a switch 2960S with a device attached to port gi2/0/26.

Using an ACL I'd like to:

a) Limit the device to only talk to one web server.

b) Allow ssh traffic to the device from one subnet.

So far I have:

Extended IP access list 110
    10 permit tcp host 10.0.8.xxx host 10.0.0.yyy eq www
    20 deny ip any any

interface GigabitEthernet2/0/26
 ...
 ip access-group 110 in
 ...

This allows the device to contact the web server at 10.0.0.yyy but denies anything else. What entry do I need to allow ssh?

I've tried:

Extended IP access list 110
    10 permit tcp host 10.0.8.200 host 10.0.0.10 eq www
    12 permit tcp any any eq 22
    20 deny ip any any

with no joy....

Any help is greatly appreciated.

M


4 Replies

Jon Marshall
Hall of Fame

Michael

permit tcp host 10.0.8.200 eq 22 192.168.5.0 0.0.0.255  <-- where 192.168.5.0/24 is the subnet you want to allow ssh from.

Jon

ciscocharger
Level 1

Awesome...thanks Jon

This seems counterintuitive to me though...it looks like the source address is 10.0.8.200 port 22 but when I think about it, the source should be subnet 192.168.5.0 port 22.

Could you offer an explanation?

Thanks again

M


Michael

It's to do with the source (src) and destination (dst) ports and the direction of the ACL. When a host connects to an app on a server such as www, the src port is random and the dst port is well known, i.e. port 80 for www. When the traffic returns from the web server the ports are now reversed, i.e. the src port is 80 and the dst port is random. So you have to take into account where your ACL sees the traffic.

For the web server traffic it sees the traffic initiated from your 10.0.8.200 host but it doesn't see the return traffic because that is outbound to your host -

src IP 10.0.8.200 src port random

dst IP 10.0.0.10 dst port 80 (www)

The second connection however is from an SSH connection initiated from a remote subnet, so your ACL only sees the return traffic from the host. So it looks like this to your ACL -

src IP 10.0.8.200 src port 22

dst IP x.x.x.x  dst port random

Does this make sense?

Jon
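To make the direction/port point concrete, here is an added example (not from the thread or from Cisco) that simulates first-match evaluation of an extended ACL applied inbound on the device's switch port, with wildcard-mask and `eq` port matching, and runs both versions of ACL 110 from this thread over constructed sample packets. The management subnet 192.168.5.0/24 is the one Jon used as a placeholder; the admin host 192.168.5.25, the ephemeral ports and the "other subnet" address 10.0.9.7 are constructed for the example.

```python
"""
Simulated Cisco-style extended IP ACL evaluation, applied 'in' on the
switch port facing the device 10.0.8.200.  Added example for this thread,
not Cisco code: it models only wildcard-mask address matching, 'eq' port
matching, first-match ordering and the implicit deny at the end.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


@dataclass(frozen=True)
class Ace:
    """One access-control entry.  A port of None means no 'eq' on that side."""
    seq: int
    action: str            # "permit" or "deny"
    proto: str             # "tcp" or "ip"
    src: str               # "host a.b.c.d", "any", or "a.b.c.d w.w.w.w" (wildcard)
    dst: str
    src_port: Optional[int] = None
    dst_port: Optional[int] = None


def _addr_matches(spec: str, ip: str) -> bool:
    """Cisco wildcard semantics: a 0 bit in the wildcard must match, a 1 bit is ignored."""
    parts = spec.split()
    if parts[0] == "any":
        return True
    if parts[0] == "host":
        base, wild = parts[1], "0.0.0.0"
    else:
        base, wild = parts
    fixed = ~int(ipaddress.IPv4Address(wild)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(ip)) & fixed) == (int(ipaddress.IPv4Address(base)) & fixed)


def ace_matches(ace: Ace, pkt: Packet) -> bool:
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if not _addr_matches(ace.src, pkt.src_ip) or not _addr_matches(ace.dst, pkt.dst_ip):
        return False
    if ace.src_port is not None and ace.src_port != pkt.src_port:
        return False
    if ace.dst_port is not None and ace.dst_port != pkt.dst_port:
        return False
    return True


def evaluate(acl: List[Ace], pkt: Packet) -> Tuple[str, Optional[int]]:
    """First matching entry wins; no match hits the implicit deny (seq None)."""
    for ace in sorted(acl, key=lambda a: a.seq):
        if ace_matches(ace, pkt):
            return ace.action, ace.seq
    return "deny", None


# ACL 110 as first attempted: 'permit tcp any any eq 22' only matches packets
# whose DESTINATION port is 22, which the inbound ACL on this port never sees.
ACL_ATTEMPT = [
    Ace(10, "permit", "tcp", "host 10.0.8.200", "host 10.0.0.10", dst_port=80),
    Ace(12, "permit", "tcp", "any", "any", dst_port=22),
    Ace(20, "deny", "ip", "any", "any"),
]

# ACL 110 with Jon's entry: match the device's SSH replies (SOURCE port 22)
# heading back to the management subnet.
ACL_FIXED = [
    Ace(10, "permit", "tcp", "host 10.0.8.200", "host 10.0.0.10", dst_port=80),
    Ace(12, "permit", "tcp", "host 10.0.8.200", "192.168.5.0 0.0.0.255", src_port=22),
    Ace(20, "deny", "ip", "any", "any"),
]

# Constructed sample traffic as the inbound ACL on gi2/0/26 sees it: only
# packets SENT BY the device enter the switch on that port.
WEB_REQUEST = Packet("10.0.8.200", 51234, "10.0.0.10", 80)        # device -> web server
SSH_REPLY = Packet("10.0.8.200", 22, "192.168.5.25", 60001)       # device's reply to an admin
SSH_REPLY_OTHER = Packet("10.0.8.200", 22, "10.0.9.7", 60002)     # reply toward a non-allowed subnet
STRAY = Packet("10.0.8.200", 44444, "10.0.0.11", 443)             # anything else from the device

if __name__ == "__main__":
    for name, pkt in [("web request", WEB_REQUEST), ("ssh reply", SSH_REPLY),
                      ("ssh reply elsewhere", SSH_REPLY_OTHER), ("stray", STRAY)]:
        print(f"{name:20s} attempt={evaluate(ACL_ATTEMPT, pkt)}  fixed={evaluate(ACL_FIXED, pkt)}")
```

The admin's SSH SYN toward the device leaves the switch out of gi2/0/26, so an inbound ACL never evaluates it; what it does evaluate is the device's reply, and that is why the entry has to name port 22 on the source side. Note that the entry is stateless: it permits anything the device sends from TCP port 22 to 192.168.5.0/24, so it relies on the device not reusing that port for other purposes, and the explicit `deny ip any any` at the end only changes logging/counters, not behaviour, relative to the implicit deny.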

Perfect sense!

Thanks again man!

M
