11-26-2013 11:35 AM - edited 03-07-2019 04:48 PM
Hi,
I have a switch 2960S with a device attached to port gi2/0/26.
Using an ACL I'd like to:
a) Limit the device to only talk to one web server.
b) Allow ssh traffic to the device from one subnet.
So far I have:
Extended IP access list 110
10 permit tcp host 10.0.8.xxx host 10.0.0.yyy eq www
20 deny ip any any
interface GigabitEthernet2/0/26
...
ip access-group 110 in
...
This allows the device to contact the web server at 10.0.0.yyy but denies anything else. What entry do I need to allow ssh?
I've tried:
Extended IP access list 110
10 permit tcp host 10.0.8.200 host 10.0.0.10 eq www
12 permit tcp any any eq 22
20 deny ip any any
with no joy....
Any help is greatly appreciated.
M
11-26-2013 11:41 AM
Michael
permit tcp host 10.0.8.200 eq 22 192.168.5.0 0.0.0.255 <-- where 192.168.5.0/24 is the subnet you want to allow ssh from.
Jon
11-26-2013 11:53 AM
Awesome...thanks Jon
This seems counterintuitive to me though...it looks like the source address is 10.0.8.200 port 22 but when I think about it, the source should be subnet 192.168.5.0 port 22.
Could you offer an explanation?
Thanks again
M
11-26-2013 12:03 PM
Michael
It's to do with the source (src) and destination (dst) ports and the direction of the acl. When a host connects to an app on a server such as www, the src port is random and the dst port is well known, i.e. port 80 for www. When the traffic returns from the web server the ports are now reversed, i.e. the src port is 80 and the dst port is random. So you have to take into account where your acl sees the traffic.
For the web server traffic it sees the traffic initiated from your 10.0.8.200 host but it doesn't see the return traffic because that is outbound to your host -
src IP 10.0.8.200 src port random
dst IP 10.0.0.10 dst port 80 (www)
The second connection however is from an ssh connection initiated from a remote subnet so your acl only sees the return traffic from the host. So it looks like this to your acl -
src IP 10.0.8.200 src port 22
dst IP x.x.x.x dst port random
Does this make sense?
Jon
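The direction point Jon makes above, replayed as an added Python example (not part of the original thread): a minimal first-match evaluator for Cisco-style extended ACL entries, with wildcard-mask matching, run over constructed packets exactly as the inbound ACL on gi2/0/26 would see them (the device is always the source). Both ACLs from the question are encoded: the one that gave "no joy" (entry 12 matching destination port 22) and the one with Jon's entry (source port 22 towards 192.168.5.0/24). The ssh client addresses 192.168.5.7 and 10.0.9.5 and the ephemeral ports are assumed values.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    """A TCP packet as the inbound ACL sees it: entering the switch port from the device."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class Ace:
    """One numbered entry of an extended ACL (only the fields used in the thread)."""
    seq: int
    action: str              # "permit" or "deny"
    proto: str               # "tcp" or "ip"
    src: str                 # "any", "host A.B.C.D" or "A.B.C.D W.W.W.W" (wildcard mask)
    src_port: Optional[int]  # "eq N" after the source address, or None
    dst: str
    dst_port: Optional[int]  # "eq N" after the destination address, or None


def addr_matches(spec: str, ip: str) -> bool:
    """Cisco-style address match: 'any', 'host X', or network plus wildcard mask."""
    if spec == "any":
        return True
    parts = spec.split()
    a = int(ipaddress.IPv4Address(ip))
    if parts[0] == "host":
        return a == int(ipaddress.IPv4Address(parts[1]))
    net, wild = (int(ipaddress.IPv4Address(p)) for p in parts)
    # A 1 bit in the wildcard mask means "don't care"; only the 0 bits are compared.
    return (a & ~wild & 0xFFFFFFFF) == (net & ~wild & 0xFFFFFFFF)


def ace_matches(ace: Ace, pkt: Packet) -> bool:
    """True when every field of the entry agrees with the packet header."""
    if ace.proto not in ("ip", "tcp"):
        return False
    if not addr_matches(ace.src, pkt.src_ip) or not addr_matches(ace.dst, pkt.dst_ip):
        return False
    if ace.src_port is not None and ace.src_port != pkt.src_port:
        return False
    if ace.dst_port is not None and ace.dst_port != pkt.dst_port:
        return False
    return True


def evaluate(acl: List[Ace], pkt: Packet) -> Tuple[str, Optional[int]]:
    """First match in sequence order wins; the implicit deny at the end returns (deny, None)."""
    for ace in sorted(acl, key=lambda a: a.seq):
        if ace_matches(ace, pkt):
            return ace.action, ace.seq
    return "deny", None


# ACL 110 as first tried in the question: entry 12 permits *destination* port 22.
ACL_TRIED = [
    Ace(10, "permit", "tcp", "host 10.0.8.200", None, "host 10.0.0.10", 80),
    Ace(12, "permit", "tcp", "any", None, "any", 22),
    Ace(20, "deny", "ip", "any", None, "any", None),
]

# ACL 110 with Jon's entry: *source* port 22 from the device towards the admin subnet.
ACL_FIXED = [
    Ace(10, "permit", "tcp", "host 10.0.8.200", None, "host 10.0.0.10", 80),
    Ace(12, "permit", "tcp", "host 10.0.8.200", 22, "192.168.5.0 0.0.0.255", None),
    Ace(20, "deny", "ip", "any", None, "any", None),
]

# Constructed packets, all inbound on gi2/0/26 (device -> switch), so the device is the source.
WEB_REQUEST = Packet("10.0.8.200", 51234, "10.0.0.10", 80)       # device opens a www connection
SSH_REPLY = Packet("10.0.8.200", 22, "192.168.5.7", 40001)       # reply to an admin in 192.168.5.0/24
SSH_REPLY_OTHER = Packet("10.0.8.200", 22, "10.0.9.5", 40002)    # reply to an ssh client elsewhere


if __name__ == "__main__":
    for name, acl in (("tried", ACL_TRIED), ("fixed", ACL_FIXED)):
        for label, pkt in (("web request", WEB_REQUEST), ("ssh reply (allowed subnet)", SSH_REPLY),
                           ("ssh reply (other subnet)", SSH_REPLY_OTHER)):
            action, seq = evaluate(acl, pkt)
            print(f"{name:5} | {label:26} -> {action} (entry {seq})")
```

Running it shows why `permit tcp any any eq 22` never fired: the inbound ACL only ever sees the device's replies, whose destination port is the client's random port, not 22. It also shows that the evaluator, like the switch, matches on header fields only; an entry that permits source port 22 towards 192.168.5.0/24 permits any such packet regardless of which side opened the connection, so the 192.168.5.0/24 scope is what keeps the rule narrow.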
11-26-2013 12:06 PM
Perfect sense!
Thanks again man!
M