07-26-2019 08:36 AM - edited 07-26-2019 08:40 AM
Greetings
I have created an Extended ACL with the intent of permitting web traffic, SMB from a file server, and RDP from two specific hosts (or at least this is the intent). ICMP is ideally disallowed. The ACL is as follows:
Extended IP access list AMARANTH_IN
    5 permit tcp any any eq www
    10 permit tcp any any eq 443
    11 permit udp any any eq domain
    12 permit tcp any any eq domain
    13 permit udp any eq domain any
    14 permit tcp any eq domain any
    15 permit tcp host 10.0.20.17 any eq 445
    20 permit tcp host 10.0.20.17 any eq 137
    25 permit tcp host 10.0.20.17 any eq 139
    30 permit udp host 10.0.20.17 any eq netbios-ns
    35 permit udp host 10.0.20.17 any eq netbios-dgm
    40 permit tcp host 10.0.30.5 any eq 3389
    45 permit tcp host 10.0.30.6 any eq 3389
    50 deny ip any any (1525 matches)
As you can see, the only rule that seems to be getting any traffic is the last rule that denies traffic. Perhaps my understanding of ACLs is wrong, as I thought the lower numbers of Extended ACLs were processed first. If that's actually the case, then why is a host in the VLAN this Access List is associated with unable to successfully perform nslookups or navigate to web pages? I'm confident that the routing on the switch and firewall is correct as it mirrors several other subnets that all have the same routing. The kicker is that if I remove the ACL from the VLAN, everything flows freely.
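The evaluation order the post asks about can be checked offline. What follows is an added example, not code from this thread or from Cisco: a small Python first-match evaluator that parses the AMARANTH_IN entries quoted above and the AMARANTH_OUT entries from the running configuration posted later in the thread, and walks them top-down the way IOS does, with the implicit deny at the end. The VLAN 100 host 10.0.100.3, the web server 203.0.113.10 and the ephemeral ports are constructed values; the DNS server 10.0.20.19 and file server 10.0.20.17 are taken from the posted configuration. Only the `eq` port qualifier is handled, because that is the only one these two lists use.

```python
"""First-match evaluator for the AMARANTH_IN / AMARANTH_OUT ACLs quoted in this thread.
Added illustration, not from the thread: each ACE is checked top-down as IOS does it,
the first match wins, and an implicit deny closes the list."""
import ipaddress
from collections import namedtuple

NAMED_PORTS = {"www": 80, "domain": 53, "netbios-ns": 137, "netbios-dgm": 138}  # IOS keywords

# ACEs as posted in the thread (sequence numbers dropped, order kept).
AMARANTH_IN = [
    "permit tcp any any eq www",
    "permit tcp any any eq 443",
    "permit udp any any eq domain",
    "permit tcp any any eq domain",
    "permit udp any eq domain any",
    "permit tcp any eq domain any",
    "permit tcp host 10.0.20.17 any eq 445",
    "permit tcp host 10.0.20.17 any eq 137",
    "permit tcp host 10.0.20.17 any eq 139",
    "permit udp host 10.0.20.17 any eq netbios-ns",
    "permit udp host 10.0.20.17 any eq netbios-dgm",
    "permit tcp host 10.0.30.5 any eq 3389",
    "permit tcp host 10.0.30.6 any eq 3389",
    "deny ip any any",
]
AMARANTH_OUT = [
    "permit tcp any any eq www",
    "permit tcp any any eq 443",
    "permit udp any any eq domain",
    "permit tcp any any eq domain",
    "permit tcp any host 10.0.20.17 eq 445",
    "permit tcp any host 10.0.20.17 eq 137",
    "permit tcp any host 10.0.20.17 eq 139",
    "permit udp any host 10.0.20.17 eq netbios-ns",
    "permit udp any host 10.0.20.17 eq netbios-dgm",
    "permit tcp any host 10.0.30.5 eq 3389",
    "permit tcp any host 10.0.30.6 eq 3389",
    "deny ip any any",
]

# proto is "tcp", "udp" or "icmp"; ports default to 0 for ICMP.
Packet = namedtuple("Packet", "proto src dst sport dport", defaults=(0, 0))

def _take_addr(tokens):
    """Consume 'any' | 'host A' | 'A WILDCARD'; return (network, remaining tokens)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1]), tokens[2:]
    prefixlen = 32 - int(ipaddress.ip_address(tokens[1])).bit_length()  # contiguous wildcard
    return ipaddress.ip_network(f"{tokens[0]}/{prefixlen}", strict=False), tokens[2:]

def _take_port(tokens):
    """Consume an optional 'eq PORT' qualifier (the only one these lists use)."""
    if tokens and tokens[0] == "eq":
        name = tokens[1]
        return (int(name) if name.isdigit() else NAMED_PORTS[name]), tokens[2:]
    return None, tokens

def parse_ace(line):
    """Parse one extended ACE of the form ACTION PROTO SRC [eq P] DST [eq P]."""
    action, proto, *rest = line.split()
    src, rest = _take_addr(rest)
    sport, rest = _take_port(rest)
    dst, rest = _take_addr(rest)
    dport, rest = _take_port(rest)
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dst": dst, "dport": dport, "text": line}

def evaluate(acl_lines, pkt):
    """Return (action, ACE text) of the first matching ACE, else the implicit deny."""
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    for ace in map(parse_ace, acl_lines):
        if (ace["proto"] in ("ip", pkt.proto) and src in ace["src"] and dst in ace["dst"]
                and ace["sport"] in (None, pkt.sport) and ace["dport"] in (None, pkt.dport)):
            return ace["action"], ace["text"]
    return "deny", "implicit deny"

# Constructed flows: 10.0.100.3 is an assumed Vlan100 host, 203.0.113.10 a documentation-range
# web server; 10.0.20.19 (DNS) and 10.0.20.17 (file server) are from the posted config.
SAMPLE_FLOWS = {
    "http request (in)":       (AMARANTH_IN,  Packet("tcp", "10.0.100.3", "203.0.113.10", 51000, 80)),
    "http reply (out)":        (AMARANTH_OUT, Packet("tcp", "203.0.113.10", "10.0.100.3", 80, 51000)),
    "dns query (in)":          (AMARANTH_IN,  Packet("udp", "10.0.100.3", "10.0.20.19", 52000, 53)),
    "dns reply (out)":         (AMARANTH_OUT, Packet("udp", "10.0.20.19", "10.0.100.3", 53, 52000)),
    "icmp echo (in)":          (AMARANTH_IN,  Packet("icmp", "10.0.100.3", "10.0.20.19")),
    "smb to file server (in)": (AMARANTH_IN,  Packet("tcp", "10.0.100.3", "10.0.20.17", 53000, 445)),
}

def run_samples():
    """Evaluate every sample flow against the list applied in its direction."""
    return {label: evaluate(acl, pkt) for label, (acl, pkt) in SAMPLE_FLOWS.items()}

if __name__ == "__main__":
    for label, (action, ace) in run_samples().items():
        print(f"{label:26} {action:6} <- {ace}")
```

Running it shows the outbound HTTP SYN and the DNS query permitted by AMARANTH_IN, while the HTTP and DNS replies are denied by AMARANTH_OUT: every entry in that list matches on the destination port, and a reply carries 80 or 53 as its source port, so it falls through to `deny ip any any`. An extended ACL is stateless, so the return direction needs its own entries; the two source-port-53 entries sit in the inbound list, where they could only match a reply sent by a VLAN 100 host, and the outbound list has nothing equivalent (for TCP the usual remedy is the `established` keyword). The trace also shows why the SMB and RDP entries in AMARANTH_IN can never be hit: an inbound ACL on Vlan100 only sees VLAN 100 addresses as sources, yet those entries name 10.0.20.17, 10.0.30.5 and 10.0.30.6 as the source. On the switch, `show ip access-lists AMARANTH_OUT` would show the hit counters for the outbound list alongside the inbound ones quoted above.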
07-26-2019 08:44 AM
Can you show where you've applied this ACL?
07-26-2019 08:46 AM
Not sure. We would like to see the full configuration, and also, which interface is this ACL applied to?
07-26-2019 08:55 AM - edited 07-26-2019 08:57 AM
As requested, here is the full running configuration.
Building configuration...

Current configuration : 46445 bytes
!
! Last configuration change at 11:26:24 EST Fri Jul 26 2019 by dctech
!
version 16.6
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
no platform punt-keepalive disable-kernel-core
!
hostname pits0102p
!
vrf definition Mgmt-vrf
 !
 address-family ipv4
 exit-address-family
 !
 address-family ipv6
 exit-address-family
!
enable secret 5 $1$RNFs$G0M6RlumU4xZtE58NMf5q/
enable password 7 15280D050E1F2D70023F3A333B123130107B707D63
!
no aaa new-model
clock timezone EST -5 0
clock summer-time EST recurring
switch 1 provision ws-c3850-48t
!
ip routing
!
ip name-server 10.0.20.19 10.0.20.20
ip domain name not.for.you.to.know.com
ip dhcp excluded-address 10.0.30.1 10.0.30.20
ip dhcp excluded-address 10.0.30.255
ip dhcp excluded-address 10.0.40.1
ip dhcp excluded-address 10.0.40.255
ip dhcp excluded-address 10.0.40.1 10.0.40.127
ip dhcp excluded-address 10.0.31.150 10.0.31.200
ip dhcp excluded-address 10.0.50.1
ip dhcp excluded-address 10.0.50.255
!
ip dhcp pool DHCP_MAGENTA
 network 10.0.30.0 255.255.254.0
 update dns both override
 default-router 10.0.30.1
 domain-name not.for.you.to.know.com
 dns-server 10.0.20.19 10.0.20.20
 netbios-name-server 10.0.20.19 10.0.20.20
 option 66 ip 10.0.20.33
 option 67 ascii pxelinux.0
 option 161 ip 10.0.20.28
 option 162 ascii \$
 option 184 ascii thinos.provisioner
 option 185 ascii HappyFeet44!!
!
ip dhcp pool DHCP_RUBY
 network 10.0.40.0 255.255.255.0
 default-router 10.0.40.1
 option 66 ip 10.0.20.34
 option 67 ascii aspboot.bin
 option 161 ip 10.0.20.28
 option 162 ascii \$
 option 184 ascii thinos.provisioner
 option 185 ascii HappyFeet44!!
!
ip dhcp update dns both
!
vtp domain BBNC_ICN_VTP
vtp mode transparent
!
crypto pki trustpoint TP-self-signed-459737811
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-459737811
 revocation-check none
 rsakeypair TP-self-signed-459737811
!
crypto pki certificate chain TP-self-signed-459737811 certificate self-signed 01 3082032E 30820216 A0030201 02020101 300D0609 2A864886 F70D0101 05050030 30312E30 2C060355 04031325 494F532D 53656C66 2D536967 6E65642D 43657274 69666963 6174652D 34353937 33373831 31301E17 0D313930 36313031 38333535 395A170D 32303031 30313030 30303030 5A303031 2E302C06 03550403 1325494F 532D5365 6C662D53 69676E65 642D4365 72746966 69636174 652D3435 39373337 38313130 82012230 0D06092A 864886F7 0D010101 05000382 010F0030 82010A02 82010100 B3281653 47A72D41 7AD083BE 18DA1792 218124AD 97451211 E1E48375 7F4EE169 8AE60AA4 E66EC3DA EB864E9A 6D0E1B08 AD097F45 D4518301 C426A632 C2BFE616 D20C22DE DD45E701 18D5DA44 23E27548 DAA40E6F D37BE309 4FADCE62 F53FAD6C F2C15EEE 5DD1F038 5D554A2A 9F4EE1F7 34900193 A5AAFD4B A41D0A8A E4284906 E83C4B16 6814AB15 BE46F50A C736437D 378F19CB 04A9A31B E1945087 319A7045 2CF9F17E 34AA9106 1E82312F C7CFDC46 27F0CD4E 273B5883 EFC45665 98ADC4B0 551FC644 6D655F61 73823681 3E16E1AB 87652B88 E27D90B6 2ED84EEE 21CE66E3 591D50B5 0761F89F 157CC6AE 99DE984C B003E7C3 65C52A31 379B1D5B 49C53DCD 02030100 01A35330 51300F06 03551D13 0101FF04 05300301 01FF301F 0603551D 23041830 168014D7 2D9AF115 C4E157F2 5E0C953B 053F2A8D FF63EC30 1D060355 1D0E0416 0414D72D 9AF115C4 E157F25E 0C953B05 3F2A8DFF 63EC300D 06092A86 4886F70D 01010505 00038201 01003A00 90A83FC7 CC228350 B9C9A395 F7999A8E 6EB78E53 B9F30C3F 5C95A65F 321D19E0 28BE2D4A E461A1AE FF333D93 0DC23022 8F5B15BF C95DEB58 F91487C0 7D5E6C41 EEBA7C49 9CA2878C 3054F3E1 B65AA3D1 37DB95AD B702BC84 D1044D5F 75DABE3E 32B7D3D3 CA198171 9A524ADD 921ED51A E4E6643B CA5C9354 35F1EBDB AE634159 9B591358 F8D14B38 A226D18E 5EBF45AB 77E6212D FA1EB65E DCA643C1 3D99A500 20B5485B 568E4907 95DA58B4 0F9554B3 42AAAFD1 EBB84A44 3EDA2D5E 67B39905 3726F382 79BE607B 86710798 8B6C47FC C2B31B7E AB136682 2E3DD4B5 489A4CFD C86C898F 543EFF33 315AAF8B BCA47196 41D6EAD1 154482A7 9C27E1D1 E892 quit ! ! ! 
diagnostic bootup level minimal
spanning-tree mode rapid-pvst
spanning-tree extend system-id
!
username nimda privilege 15 password 7 1223071A3E1F2526031C713E6A2671061E230E577F
username someguy privilege 15 password 7 13220525122450302C0302
!
redundancy
 mode sso
!
transceiver type all
 monitoring
!
vlan 10
 name JUNIPER
!
vlan 20
 name AZURE
!
vlan 30
 name MAGENTA
!
vlan 40
 name RUBY
!
vlan 50
 name OBSIDIAN
!
vlan 100
 name AMARANTH
!
class-map match-any system-cpp-police-topology-control
 description Topology control
class-map match-any system-cpp-police-sw-forward
 description Sw forwarding, L2 LVX data, LOGGING
class-map match-any system-cpp-default
 description DHCP Snooping, EWLC control, EWCL data
class-map match-any system-cpp-police-sys-data
 description Learning cache ovfl, Crypto Control, Exception, EGR Exception, NFL SAMPLED DATA, RPF Failed
class-map match-any system-cpp-police-punt-webauth
 description Punt Webauth
class-map match-any system-cpp-police-l2lvx-control
 description L2 LVX control packets
class-map match-any system-cpp-police-forus
 description Forus Address resolution and Forus traffic
class-map match-any system-cpp-police-multicast-end-station
 description MCAST END STATION
class-map match-any system-cpp-police-multicast
 description Transit Traffic and MCAST Data
class-map match-any system-cpp-police-l2-control
 description L2 control
class-map match-any system-cpp-police-dot1x-auth
 description DOT1X Auth
class-map match-any system-cpp-police-data
 description ICMP redirect, ICMP_GEN and BROADCAST
class-map match-any system-cpp-police-stackwise-virt-control
 description Stackwise Virtual
class-map match-any non-client-nrt-class
class-map match-any system-cpp-police-routing-control
 description Routing control
class-map match-any system-cpp-police-protocol-snooping
 description Protocol snooping
class-map match-any system-cpp-police-system-critical
 description System Critical and Gold
!
policy-map system-cpp-policy
!
interface Port-channel1 description LAG_FOR_PITS0202P switchport trunk native vlan 10 switchport trunk allowed vlan 10,20,30 switchport mode trunk ! interface Port-channel2 description LAG_FOR_PITS0203P switchport trunk native vlan 10 switchport trunk allowed vlan 10,20,30,40 switchport mode trunk ! interface Port-channel3 description LAG_FOR_PITS0214 switchport access vlan 20 switchport mode access spanning-tree portfast ! interface Port-channel4 description LAG_FOR_PITS0215 switchport access vlan 20 switchport mode access spanning-tree portfast ! interface GigabitEthernet0/0 vrf forwarding Mgmt-vrf no ip address shutdown speed 1000 negotiation auto ! interface GigabitEthernet1/0/1 no switchport no ip address shutdown ! interface GigabitEthernet1/0/2 description JUNIPER_PITS0116P switchport access vlan 10 switchport mode access spanning-tree portfast ! interface GigabitEthernet1/0/3 description AZURE_PITS0202P_LAGx0 switchport trunk native vlan 10 switchport trunk allowed vlan 10,20,30 switchport mode trunk channel-group 1 mode auto ! interface GigabitEthernet1/0/4 description AZURE_PITS0202P_LAGx1 switchport trunk native vlan 10 switchport trunk allowed vlan 10,20,30 switchport mode trunk channel-group 1 mode auto ! interface GigabitEthernet1/0/5 description AZURE_PITS0203P_LAGx0 switchport trunk native vlan 10 switchport trunk allowed vlan 10,20,30,40 switchport mode trunk channel-group 2 mode auto ! interface GigabitEthernet1/0/6 description AZURE_PITS0203P_LAGx1 switchport trunk native vlan 10 switchport trunk allowed vlan 10,20,30,40 switchport mode trunk channel-group 2 mode auto ! interface GigabitEthernet1/0/7 description AZURE_PITS0214P_LAGX0 switchport access vlan 20 switchport mode access channel-group 3 mode auto spanning-tree portfast ! interface GigabitEthernet1/0/8 description AZURE_PITS0214P_LAGX1 switchport access vlan 20 switchport mode access channel-group 3 mode auto spanning-tree portfast ! 
interface GigabitEthernet1/0/9 description AZURE_PITS0215P_LAGX0 switchport access vlan 20 switchport mode access channel-group 4 mode auto spanning-tree portfast ! interface GigabitEthernet1/0/10 description AZURE_PITS0215P_LAGX1 switchport access vlan 20 switchport mode access channel-group 4 mode auto spanning-tree portfast ! interface GigabitEthernet1/0/11 ! interface GigabitEthernet1/0/12 description AZURE_FAKE_TRUNK switchport trunk allowed vlan 10,20,30,40 switchport mode trunk ! interface GigabitEthernet1/0/13 description MAGENTA_ACCESS switchport access vlan 30 switchport mode access spanning-tree portfast ! interface GigabitEthernet1/0/14 description MAGENTA_ACCESS switchport access vlan 30 switchport mode access spanning-tree portfast ! interface GigabitEthernet1/0/15 description MAGENTA_ACCESS switchport access vlan 30 switchport mode access spanning-tree portfast ! interface GigabitEthernet1/0/16 description MAGENTA_ACCESS switchport access vlan 30 switchport mode access spanning-tree portfast ! interface GigabitEthernet1/0/17 description MAGENTA_ACCESS switchport access vlan 30 switchport mode access spanning-tree portfast ! interface GigabitEthernet1/0/18 description MAGENTA_ACCESS switchport access vlan 30 switchport mode access spanning-tree portfast ! interface GigabitEthernet1/0/19 description MAGENTA_ACCESS switchport access vlan 30 switchport mode access spanning-tree portfast ! interface GigabitEthernet1/0/20 description MAGENTA_ACCESS switchport access vlan 30 switchport mode access spanning-tree portfast ! interface GigabitEthernet1/0/21 description MAGENTA_ACCESS switchport access vlan 30 switchport mode access spanning-tree portfast ! interface GigabitEthernet1/0/22 description MAGENTA_ACCESS switchport access vlan 30 switchport mode access spanning-tree portfast ! interface GigabitEthernet1/0/23 description MAGENTA_ACCESS switchport access vlan 30 switchport mode access spanning-tree portfast ! 
interface GigabitEthernet1/0/24 description MAGENTA_ACCESS switchport access vlan 30 switchport mode access spanning-tree portfast ! interface GigabitEthernet1/0/25 description MAGENTA_ACCESS switchport access vlan 30 switchport mode access spanning-tree portfast ! interface GigabitEthernet1/0/26 description MAGENTA_ACCESS switchport access vlan 30 switchport mode access spanning-tree portfast ! interface GigabitEthernet1/0/27 description MAGENTA_ACCESS switchport access vlan 30 switchport mode access spanning-tree portfast ! interface GigabitEthernet1/0/28 description MAGENTA_ACCESS switchport access vlan 30 switchport mode access spanning-tree portfast ! interface GigabitEthernet1/0/29 description MAGENTA_ACCESS switchport access vlan 30 switchport mode access spanning-tree portfast ! interface GigabitEthernet1/0/30 description MAGENTA_ACCESS switchport access vlan 30 switchport mode access spanning-tree portfast ! interface GigabitEthernet1/0/31 description MAGENTA_ACCESS switchport access vlan 30 switchport mode access spanning-tree portfast ! interface GigabitEthernet1/0/32 description MAGENTA_ACCESS switchport access vlan 30 switchport mode access spanning-tree portfast ! interface GigabitEthernet1/0/33 description MAGENTA_ACCESS switchport access vlan 30 switchport mode access spanning-tree portfast ! interface GigabitEthernet1/0/34 description MAGENTA_ACCESS switchport access vlan 30 switchport mode access spanning-tree portfast ! interface GigabitEthernet1/0/35 description MAGENTA_ACCESS switchport access vlan 30 switchport mode access spanning-tree portfast ! interface GigabitEthernet1/0/36 description MAGENTA_DUMB_SWITCH switchport access vlan 30 switchport mode access spanning-tree portfast ! interface GigabitEthernet1/0/37 description RUBY_ACCESS switchport access vlan 40 switchport mode access spanning-tree portfast ! interface GigabitEthernet1/0/38 description RUBY_ACCESS switchport access vlan 40 switchport mode access spanning-tree portfast ! 
interface GigabitEthernet1/0/39
!
interface GigabitEthernet1/0/40
!
interface GigabitEthernet1/0/41
!
interface GigabitEthernet1/0/42
!
interface GigabitEthernet1/0/43
!
interface GigabitEthernet1/0/44
 no switchport
 no ip address
!
interface GigabitEthernet1/0/45
!
interface GigabitEthernet1/0/46
!
interface GigabitEthernet1/0/47
 switchport access vlan 100
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet1/0/48
 description MARIGOLD_PITS0101P
 no switchport
 ip address 10.0.254.3 255.255.255.248
!
interface GigabitEthernet1/1/1
!
interface GigabitEthernet1/1/2
!
interface GigabitEthernet1/1/3
!
interface GigabitEthernet1/1/4
!
interface TenGigabitEthernet1/1/1
!
interface TenGigabitEthernet1/1/2
!
interface TenGigabitEthernet1/1/3
!
interface TenGigabitEthernet1/1/4
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan10
 description Network Management
 ip address 10.0.10.1 255.255.255.192
 ip access-group JUNIPER-IN in
 ip access-group JUNIPER-OUT out
!
interface Vlan20
 description Network Services
 ip address 10.0.20.1 255.255.255.0
!
interface Vlan30
 description Workstations
 ip address 10.0.30.1 255.255.254.0
 ip helper-address 10.0.40.255
 ip access-group MAGENTA-IN in
!
interface Vlan40
 description SimLab
 ip address 10.0.40.1 255.255.255.0
 ip directed-broadcast 2000
!
interface Vlan50
 description Fun
 ip address 172.16.110.1 255.255.255.0
!
interface Vlan100
 description Amaranth
 ip address 10.0.100.1 255.255.255.248
 ip access-group AMARANTH_IN in
 ip access-group AMARANTH_OUT out
!
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip route 0.0.0.0 0.0.0.0 10.0.254.2
ip route 10.0.30.0 255.255.254.0 10.0.30.2
ip route 10.0.100.0 255.255.255.248 10.0.100.2
ip ssh version 2
!
ip access-list extended AMARANTH_IN
 permit tcp any any eq www
 permit tcp any any eq 443
 permit udp any any eq domain
 permit tcp any any eq domain
 permit udp any eq domain any
 permit tcp any eq domain any
 permit tcp host 10.0.20.17 any eq 445
 permit tcp host 10.0.20.17 any eq 137
 permit tcp host 10.0.20.17 any eq 139
 permit udp host 10.0.20.17 any eq netbios-ns
 permit udp host 10.0.20.17 any eq netbios-dgm
 permit tcp host 10.0.30.5 any eq 3389
 permit tcp host 10.0.30.6 any eq 3389
 deny ip any any
ip access-list extended AMARANTH_OUT
 permit tcp any any eq www
 permit tcp any any eq 443
 permit udp any any eq domain
 permit tcp any any eq domain
 permit tcp any host 10.0.20.17 eq 445
 permit tcp any host 10.0.20.17 eq 137
 permit tcp any host 10.0.20.17 eq 139
 permit udp any host 10.0.20.17 eq netbios-ns
 permit udp any host 10.0.20.17 eq netbios-dgm
 permit tcp any host 10.0.30.5 eq 3389
 permit tcp any host 10.0.30.6 eq 3389
 deny ip any any
ip access-list extended AZURE-IN
 remark BEGIN Internal Ingress
 permit tcp 10.0.20.0 0.0.0.255 10.0.20.0 0.0.0.255 eq 22
 permit tcp 10.0.20.0 0.0.0.255 10.0.20.0 0.0.0.255 eq telnet
 permit tcp 10.0.20.0 0.0.0.255 10.0.20.0 0.0.0.255 eq 1200
 permit tcp 10.0.20.0 0.0.0.255 10.0.20.0 0.0.0.255 eq 1203
 permit tcp 10.0.20.0 0.0.0.255 10.0.20.0 0.0.0.255 eq 12398
 permit icmp 10.0.20.0 0.0.0.255 10.0.20.0 0.0.0.255 echo-reply
 remark END Explicit deny for tracking
 permit icmp any 10.0.20.0 0.0.0.255 echo-reply
 permit icmp 10.0.20.0 0.0.0.255 10.0.20.0 0.0.0.255 echo
 permit icmp any 10.0.20.0 0.0.0.255 echo
 remark END Internal Ingress
 remark BEGIN Ingress from Juniper
 permit tcp 10.0.10.0 0.0.0.255 any eq 22
 permit tcp 10.0.10.0 0.0.0.255 any eq telnet
 permit tcp 10.0.10.0 0.0.0.255 any eq 1200
 permit icmp 10.0.10.0 0.0.0.255 any echo-reply
 permit icmp 10.0.10.0 0.0.0.255 any echo
 permit tcp 10.0.10.0 0.0.0.255 host 10.0.20.19 eq domain
 permit tcp 10.0.10.0 0.0.0.255 host 10.0.20.20 eq domain
 permit udp 10.0.10.0 0.0.0.255 host 10.0.20.19 eq domain
permit udp 10.0.10.0 0.0.0.255 host 10.0.20.20 eq domain permit tcp 10.0.10.0 0.0.0.255 host 10.0.20.19 eq 88 permit tcp 10.0.10.0 0.0.0.255 host 10.0.20.20 eq 88 permit tcp 10.0.10.0 0.0.0.255 host 10.0.20.21 eq 88 permit udp 10.0.10.0 0.0.0.255 host 10.0.20.19 eq 88 permit udp 10.0.10.0 0.0.0.255 host 10.0.20.20 eq 88 permit udp 10.0.10.0 0.0.0.255 host 10.0.20.21 eq 88 permit udp 10.0.10.0 0.0.0.255 host 10.0.20.19 eq ntp permit udp 10.0.10.0 0.0.0.255 host 10.0.20.20 eq ntp permit tcp 10.0.10.0 0.0.0.255 host 10.0.20.19 eq msrpc permit tcp 10.0.10.0 0.0.0.255 host 10.0.20.20 eq msrpc permit tcp 10.0.10.0 0.0.0.255 host 10.0.20.12 eq msrpc permit tcp 10.0.10.0 0.0.0.255 host 10.0.20.13 eq msrpc permit udp 10.0.10.0 0.0.0.255 host 10.0.20.19 eq netbios-ns permit udp 10.0.10.0 0.0.0.255 host 10.0.20.20 eq netbios-ns permit udp 10.0.10.0 0.0.0.255 host 10.0.20.19 eq netbios-dgm permit udp 10.0.10.0 0.0.0.255 host 10.0.20.20 eq netbios-dgm permit tcp 10.0.10.0 0.0.0.255 host 10.0.20.19 eq 139 permit tcp 10.0.10.0 0.0.0.255 host 10.0.20.20 eq 139 permit udp 10.0.10.0 0.0.0.255 host 10.0.20.35 eq snmp permit udp 10.0.10.0 0.0.0.255 host 10.0.20.35 eq snmptrap permit tcp 10.0.10.0 0.0.0.255 host 10.0.20.19 eq 389 permit tcp 10.0.10.0 0.0.0.255 host 10.0.20.20 eq 389 permit tcp 10.0.10.0 0.0.0.255 host 10.0.20.21 eq 389 permit udp 10.0.10.0 0.0.0.255 host 10.0.20.19 eq 464 permit udp 10.0.10.0 0.0.0.255 host 10.0.20.20 eq 464 permit udp 10.0.10.0 0.0.0.255 host 10.0.20.21 eq 464 permit tcp 10.0.10.0 0.0.0.255 host 10.0.20.19 eq 464 permit tcp 10.0.10.0 0.0.0.255 host 10.0.20.20 eq 464 permit tcp 10.0.10.0 0.0.0.255 host 10.0.20.21 eq 464 permit udp 10.0.10.0 0.0.0.255 host 10.0.20.19 eq isakmp permit udp 10.0.10.0 0.0.0.255 host 10.0.20.20 eq isakmp permit tcp 10.0.10.0 0.0.0.255 host 10.0.20.36 eq lpd permit tcp 10.0.10.0 0.0.0.255 any eq 593 permit tcp 10.0.10.0 0.0.0.255 host 10.0.20.19 eq 636 permit tcp 10.0.10.0 0.0.0.255 host 10.0.20.20 eq 636 permit tcp 10.0.10.0 
0.0.0.255 host 10.0.20.21 eq 636 permit udp 10.0.10.0 0.0.0.255 host 10.0.20.19 eq 636 permit udp 10.0.10.0 0.0.0.255 host 10.0.20.20 eq 636 permit tcp 10.0.10.0 0.0.0.255 host 10.0.20.19 eq 9389 permit tcp 10.0.10.0 0.0.0.255 host 10.0.20.20 eq 9389 permit tcp 10.0.10.0 0.0.0.255 any eq 1433 permit tcp 10.0.10.0 0.0.0.255 any eq 1434 permit udp 10.0.10.0 0.0.0.255 host 10.0.20.37 eq 1645 permit udp 10.0.10.0 0.0.0.255 host 10.0.20.37 eq 1646 permit tcp 10.0.10.0 0.0.0.255 any eq 1801 permit udp 10.0.10.0 0.0.0.255 any eq 1801 permit udp 10.0.10.0 0.0.0.255 host 10.0.20.37 eq 1812 permit udp 10.0.10.0 0.0.0.255 host 10.0.20.37 eq 1813 permit udp 10.0.10.0 0.0.0.255 any eq 1900 permit tcp 10.0.10.0 0.0.0.255 host 10.0.20.19 eq 2101 permit tcp 10.0.10.0 0.0.0.255 host 10.0.20.20 eq 2101 permit tcp 10.0.10.0 0.0.0.255 any eq 2103 permit tcp 10.0.10.0 0.0.0.255 any eq 2105 permit tcp 10.0.10.0 0.0.0.255 any eq 2107 permit tcp 10.0.10.0 0.0.0.255 any eq 2393 permit tcp 10.0.10.0 0.0.0.255 any eq 2394 permit tcp 10.0.10.0 0.0.0.255 any eq 2725 permit tcp 10.0.10.0 0.0.0.255 host 10.0.20.19 eq 3268 permit tcp 10.0.10.0 0.0.0.255 host 10.0.20.20 eq 3268 permit tcp 10.0.10.0 0.0.0.255 host 10.0.20.19 eq 3269 permit tcp 10.0.10.0 0.0.0.255 host 10.0.20.20 eq 3269 permit tcp 10.0.10.0 0.0.0.255 any eq 3343 permit tcp 10.0.10.0 0.0.0.255 any eq 3389 permit udp 10.0.10.0 0.0.0.255 any eq 3527 permit tcp 10.0.10.0 0.0.0.255 any eq 5000 permit tcp 10.0.10.0 0.0.0.255 any eq 5722 permit tcp 10.0.10.0 0.0.0.255 any eq 5985 permit tcp 10.0.10.0 0.0.0.255 any eq 5986 permit tcp 10.0.10.0 0.0.0.255 host 10.0.20.21 eq 7389 permit tcp 10.0.10.0 0.0.0.255 host 10.0.20.24 eq 12398 permit tcp 10.0.10.0 0.0.0.255 host 10.0.20.30 eq 69 permit tcp 10.0.10.0 0.0.0.255 any range 1024 65535 remark END Ingress from Juniper remark BEGIN Ingress from Magenta permit tcp 10.0.30.0 0.0.1.255 any eq 22 permit tcp 10.0.30.0 0.0.1.255 any eq telnet permit tcp 10.0.30.0 0.0.1.255 any eq 1200 permit icmp 
10.0.30.0 0.0.1.255 any echo-reply permit icmp 10.0.30.0 0.0.1.255 any echo permit tcp 10.0.30.0 0.0.1.255 host 10.0.20.19 eq domain permit tcp 10.0.30.0 0.0.1.255 host 10.0.20.20 eq domain permit udp 10.0.30.0 0.0.1.255 host 10.0.20.19 eq domain permit udp 10.0.30.0 0.0.1.255 host 10.0.20.20 eq domain permit tcp 10.0.30.0 0.0.1.255 host 10.0.20.19 eq 88 permit tcp 10.0.30.0 0.0.1.255 host 10.0.20.20 eq 88 permit tcp 10.0.30.0 0.0.1.255 host 10.0.20.21 eq 88 permit udp 10.0.30.0 0.0.1.255 host 10.0.20.19 eq 88 permit udp 10.0.30.0 0.0.1.255 host 10.0.20.20 eq 88 permit udp 10.0.30.0 0.0.1.255 host 10.0.20.21 eq 88 permit udp 10.0.30.0 0.0.1.255 host 10.0.20.19 eq ntp permit udp 10.0.30.0 0.0.1.255 host 10.0.20.20 eq ntp permit tcp 10.0.30.0 0.0.1.255 host 10.0.20.19 eq msrpc permit tcp 10.0.30.0 0.0.1.255 host 10.0.20.20 eq msrpc permit tcp 10.0.30.0 0.0.1.255 host 10.0.20.12 eq msrpc permit tcp 10.0.30.0 0.0.1.255 host 10.0.20.13 eq msrpc permit udp 10.0.30.0 0.0.1.255 host 10.0.20.19 eq netbios-ns permit udp 10.0.30.0 0.0.1.255 host 10.0.20.20 eq netbios-ns permit udp 10.0.30.0 0.0.1.255 host 10.0.20.19 eq netbios-dgm permit udp 10.0.30.0 0.0.1.255 host 10.0.20.20 eq netbios-dgm permit tcp 10.0.30.0 0.0.1.255 host 10.0.20.19 eq 139 permit tcp 10.0.30.0 0.0.1.255 host 10.0.20.20 eq 139 permit udp 10.0.30.0 0.0.1.255 host 10.0.20.35 eq snmp permit udp 10.0.30.0 0.0.1.255 host 10.0.20.35 eq snmptrap permit tcp 10.0.30.0 0.0.1.255 host 10.0.20.19 eq 389 permit tcp 10.0.30.0 0.0.1.255 host 10.0.20.20 eq 389 permit tcp 10.0.30.0 0.0.1.255 host 10.0.20.21 eq 389 permit udp 10.0.30.0 0.0.1.255 host 10.0.20.19 eq 464 permit udp 10.0.30.0 0.0.1.255 host 10.0.20.20 eq 464 permit udp 10.0.30.0 0.0.1.255 host 10.0.20.21 eq 464 permit tcp 10.0.30.0 0.0.1.255 host 10.0.20.19 eq 464 permit tcp 10.0.30.0 0.0.1.255 host 10.0.20.20 eq 464 permit tcp 10.0.30.0 0.0.1.255 host 10.0.20.21 eq 464 permit udp 10.0.30.0 0.0.1.255 host 10.0.20.19 eq isakmp permit udp 10.0.30.0 0.0.1.255 
host 10.0.20.20 eq isakmp permit tcp 10.0.30.0 0.0.1.255 host 10.0.20.36 eq lpd permit tcp 10.0.30.0 0.0.1.255 any eq 593 permit tcp 10.0.30.0 0.0.1.255 host 10.0.20.19 eq 636 permit tcp 10.0.30.0 0.0.1.255 host 10.0.20.20 eq 636 permit tcp 10.0.30.0 0.0.1.255 host 10.0.20.21 eq 636 permit udp 10.0.30.0 0.0.1.255 host 10.0.20.19 eq 636 permit udp 10.0.30.0 0.0.1.255 host 10.0.20.20 eq 636 permit tcp 10.0.30.0 0.0.1.255 host 10.0.20.19 eq 9389 permit tcp 10.0.30.0 0.0.1.255 host 10.0.20.20 eq 9389 permit tcp 10.0.30.0 0.0.1.255 any eq 1433 permit tcp 10.0.30.0 0.0.1.255 any eq 1434 permit udp 10.0.30.0 0.0.1.255 host 10.0.20.37 eq 1645 permit udp 10.0.30.0 0.0.1.255 host 10.0.20.37 eq 1646 permit tcp 10.0.30.0 0.0.1.255 any eq 1801 permit udp 10.0.30.0 0.0.1.255 any eq 1801 permit udp 10.0.30.0 0.0.1.255 host 10.0.20.37 eq 1812 permit udp 10.0.30.0 0.0.1.255 host 10.0.20.37 eq 1813 permit udp 10.0.30.0 0.0.1.255 any eq 1900 permit tcp 10.0.30.0 0.0.1.255 host 10.0.20.19 eq 2101 permit tcp 10.0.30.0 0.0.1.255 host 10.0.20.20 eq 2101 permit tcp 10.0.30.0 0.0.1.255 any eq 2103 permit tcp 10.0.30.0 0.0.1.255 any eq 2105 permit tcp 10.0.30.0 0.0.1.255 any eq 2107 permit tcp 10.0.30.0 0.0.1.255 any eq 2393 permit tcp 10.0.30.0 0.0.1.255 any eq 2394 permit tcp 10.0.30.0 0.0.1.255 any eq 2725 permit tcp 10.0.30.0 0.0.1.255 host 10.0.20.19 eq 3268 permit tcp 10.0.30.0 0.0.1.255 host 10.0.20.20 eq 3268 permit tcp 10.0.30.0 0.0.1.255 host 10.0.20.19 eq 3269 permit tcp 10.0.30.0 0.0.1.255 host 10.0.20.20 eq 3269 permit tcp 10.0.30.0 0.0.1.255 any eq 3343 permit tcp 10.0.30.0 0.0.1.255 any eq 3389 permit udp 10.0.30.0 0.0.1.255 any eq 3527 permit tcp 10.0.30.0 0.0.1.255 any eq 5000 permit tcp 10.0.30.0 0.0.1.255 any eq 5722 permit tcp 10.0.30.0 0.0.1.255 any eq 5985 permit tcp 10.0.30.0 0.0.1.255 any eq 5986 permit tcp 10.0.30.0 0.0.1.255 host 10.0.20.21 eq 7389 permit tcp 10.0.30.0 0.0.1.255 host 10.0.20.24 eq 12398 permit tcp 10.0.30.0 0.0.1.255 host 10.0.20.30 eq 69 permit 
tcp 10.0.30.0 0.0.1.255 any range 1024 65535 remark END Ingress from Magenta remark BEGIN Explicit deny for tracking deny ip any any ip access-list extended AZURE-OUT remark BEGIN Internal Egress permit tcp 10.0.20.0 0.0.0.255 10.0.20.0 0.0.0.255 eq 22 permit tcp 10.0.20.0 0.0.0.255 10.0.20.0 0.0.0.255 eq telnet permit tcp 10.0.20.0 0.0.0.255 10.0.20.0 0.0.0.255 eq 1200 permit tcp 10.0.20.0 0.0.0.255 10.0.20.0 0.0.0.255 eq 1203 permit tcp 10.0.20.0 0.0.0.255 10.0.20.0 0.0.0.255 eq 12398 permit icmp 10.0.20.0 0.0.0.255 10.0.20.0 0.0.0.255 echo-reply permit icmp 10.0.20.0 0.0.0.255 10.0.20.0 0.0.0.255 echo remark END Internal Egress remark BEGIN Egress to Juniper permit tcp any 10.0.10.0 0.0.0.255 eq 22 permit tcp any 10.0.10.0 0.0.0.255 eq telnet permit tcp any 10.0.10.0 0.0.0.255 eq 1200 permit icmp any 10.0.10.0 0.0.0.255 echo-reply permit icmp any 10.0.10.0 0.0.0.255 echo permit tcp host 10.0.20.19 10.0.10.0 0.0.0.255 eq domain permit tcp host 10.0.20.20 10.0.10.0 0.0.0.255 eq domain permit udp host 10.0.20.19 10.0.10.0 0.0.0.255 eq domain permit udp host 10.0.20.20 10.0.10.0 0.0.0.255 eq domain permit tcp host 10.0.20.19 10.0.10.0 0.0.0.255 eq 88 permit tcp host 10.0.20.20 10.0.10.0 0.0.0.255 eq 88 permit tcp host 10.0.20.21 10.0.10.0 0.0.0.255 eq 88 permit udp host 10.0.20.19 10.0.10.0 0.0.0.255 eq 88 permit udp host 10.0.20.20 10.0.10.0 0.0.0.255 eq 88 permit udp host 10.0.20.21 10.0.10.0 0.0.0.255 eq 88 permit udp host 10.0.20.19 10.0.10.0 0.0.0.255 eq ntp permit udp host 10.0.20.20 10.0.10.0 0.0.0.255 eq ntp permit tcp host 10.0.20.19 10.0.10.0 0.0.0.255 eq msrpc permit tcp host 10.0.20.20 10.0.10.0 0.0.0.255 eq msrpc permit tcp host 10.0.20.12 10.0.10.0 0.0.0.255 eq msrpc permit tcp host 10.0.20.13 10.0.10.0 0.0.0.255 eq msrpc permit udp host 10.0.20.19 10.0.10.0 0.0.0.255 eq netbios-ns permit udp host 10.0.20.20 10.0.10.0 0.0.0.255 eq netbios-ns permit udp host 10.0.20.19 10.0.10.0 0.0.0.255 eq netbios-dgm permit udp host 10.0.20.20 10.0.10.0 0.0.0.255 eq 
netbios-dgm permit tcp host 10.0.20.19 10.0.10.0 0.0.0.255 eq 139 permit tcp host 10.0.20.20 10.0.10.0 0.0.0.255 eq 139 permit udp host 10.0.20.35 10.0.10.0 0.0.0.255 eq snmp permit udp host 10.0.20.35 10.0.10.0 0.0.0.255 eq snmptrap permit tcp host 10.0.20.19 10.0.10.0 0.0.0.255 eq 389 permit tcp host 10.0.20.20 10.0.10.0 0.0.0.255 eq 389 permit tcp host 10.0.20.21 10.0.10.0 0.0.0.255 eq 389 permit udp host 10.0.20.19 10.0.10.0 0.0.0.255 eq 464 permit udp host 10.0.20.20 10.0.10.0 0.0.0.255 eq 464 permit udp host 10.0.20.21 10.0.10.0 0.0.0.255 eq 464 permit tcp host 10.0.20.19 10.0.10.0 0.0.0.255 eq 464 permit tcp host 10.0.20.20 10.0.10.0 0.0.0.255 eq 464 permit tcp host 10.0.20.21 10.0.10.0 0.0.0.255 eq 464 permit udp host 10.0.20.19 10.0.10.0 0.0.0.255 eq isakmp permit udp host 10.0.20.20 10.0.10.0 0.0.0.255 eq isakmp permit tcp host 10.0.20.36 10.0.10.0 0.0.0.255 eq lpd permit tcp any 10.0.10.0 0.0.0.255 eq 593 permit tcp host 10.0.20.19 10.0.10.0 0.0.0.255 eq 636 permit tcp host 10.0.20.20 10.0.10.0 0.0.0.255 eq 636 permit tcp host 10.0.20.21 10.0.10.0 0.0.0.255 eq 636 permit udp host 10.0.20.19 10.0.10.0 0.0.0.255 eq 636 permit udp host 10.0.20.20 10.0.10.0 0.0.0.255 eq 636 permit tcp host 10.0.20.19 10.0.10.0 0.0.0.255 eq 9389 permit tcp host 10.0.20.20 10.0.10.0 0.0.0.255 eq 9389 permit tcp any 10.0.10.0 0.0.0.255 eq 1433 permit tcp any 10.0.10.0 0.0.0.255 eq 1434 permit udp host 10.0.20.37 10.0.10.0 0.0.0.255 eq 1645 permit udp host 10.0.20.37 10.0.10.0 0.0.0.255 eq 1646 permit tcp any 10.0.10.0 0.0.0.255 eq 1801 permit udp any 10.0.10.0 0.0.0.255 eq 1801 permit udp host 10.0.20.37 10.0.10.0 0.0.0.255 eq 1812 permit udp host 10.0.20.37 10.0.10.0 0.0.0.255 eq 1813 permit udp any 10.0.10.0 0.0.0.255 eq 1900 permit tcp host 10.0.20.19 10.0.10.0 0.0.0.255 eq 2101 permit tcp host 10.0.20.20 10.0.10.0 0.0.0.255 eq 2101 permit tcp any 10.0.10.0 0.0.0.255 eq 2103 permit tcp any 10.0.10.0 0.0.0.255 eq 2105 permit tcp any 10.0.10.0 0.0.0.255 eq 2107 permit tcp any 
10.0.10.0 0.0.0.255 eq 2393
 permit tcp any 10.0.10.0 0.0.0.255 eq 2394
 permit tcp any 10.0.10.0 0.0.0.255 eq 2725
 permit tcp host 10.0.20.19 10.0.10.0 0.0.0.255 eq 3268
 permit tcp host 10.0.20.20 10.0.10.0 0.0.0.255 eq 3268
 permit tcp host 10.0.20.19 10.0.10.0 0.0.0.255 eq 3269
 permit tcp host 10.0.20.20 10.0.10.0 0.0.0.255 eq 3269
 permit tcp any 10.0.10.0 0.0.0.255 eq 3343
 permit tcp any 10.0.10.0 0.0.0.255 eq 3389
 permit udp any 10.0.10.0 0.0.0.255 eq 3527
 permit tcp any 10.0.10.0 0.0.0.255 eq 5000
 permit tcp any 10.0.10.0 0.0.0.255 eq 5722
 permit tcp any 10.0.10.0 0.0.0.255 eq 5985
 permit tcp any 10.0.10.0 0.0.0.255 eq 5986
 permit tcp host 10.0.20.21 10.0.10.0 0.0.0.255 eq 7389
 permit tcp host 10.0.20.24 10.0.10.0 0.0.0.255 eq 12398
 permit tcp host 10.0.20.30 10.0.10.0 0.0.0.255 eq 69
 permit tcp any 10.0.10.0 0.0.0.255 range 1024 65535
 remark END Egress to Juniper
 remark BEGIN Egress to Magenta
 permit tcp any 10.0.30.0 0.0.1.255 eq 22
 permit tcp any 10.0.30.0 0.0.1.255 eq telnet
 permit tcp any 10.0.30.0 0.0.1.255 eq 1200
 permit icmp any 10.0.30.0 0.0.1.255 echo-reply
 permit icmp any 10.0.30.0 0.0.1.255 echo
 permit tcp host 10.0.20.19 10.0.30.0 0.0.1.255 eq domain
 permit tcp host 10.0.20.20 10.0.30.0 0.0.1.255 eq domain
 permit udp host 10.0.20.19 10.0.30.0 0.0.1.255 eq domain
 permit udp host 10.0.20.20 10.0.30.0 0.0.1.255 eq domain
 permit tcp host 10.0.20.19 10.0.30.0 0.0.1.255 eq 88
 permit tcp host 10.0.20.20 10.0.30.0 0.0.1.255 eq 88
 permit tcp host 10.0.20.21 10.0.30.0 0.0.1.255 eq 88
 permit udp host 10.0.20.19 10.0.30.0 0.0.1.255 eq 88
 permit udp host 10.0.20.20 10.0.30.0 0.0.1.255 eq 88
 permit udp host 10.0.20.21 10.0.30.0 0.0.1.255 eq 88
 permit udp host 10.0.20.19 10.0.30.0 0.0.1.255 eq ntp
 permit udp host 10.0.20.20 10.0.30.0 0.0.1.255 eq ntp
 permit tcp host 10.0.20.19 10.0.30.0 0.0.1.255 eq msrpc
 permit tcp host 10.0.20.20 10.0.30.0 0.0.1.255 eq msrpc
 permit tcp host 10.0.20.12 10.0.30.0 0.0.1.255 eq msrpc
 permit tcp host 10.0.20.13 10.0.30.0 0.0.1.255 eq msrpc
 permit udp host 10.0.20.19 10.0.30.0 0.0.1.255 eq netbios-ns
 permit udp host 10.0.20.20 10.0.30.0 0.0.1.255 eq netbios-ns
 permit udp host 10.0.20.19 10.0.30.0 0.0.1.255 eq netbios-dgm
 permit udp host 10.0.20.20 10.0.30.0 0.0.1.255 eq netbios-dgm
 permit tcp host 10.0.20.19 10.0.30.0 0.0.1.255 eq 139
 permit tcp host 10.0.20.20 10.0.30.0 0.0.1.255 eq 139
 permit udp host 10.0.20.35 10.0.30.0 0.0.1.255 eq snmp
 permit udp host 10.0.20.35 10.0.30.0 0.0.1.255 eq snmptrap
 permit tcp host 10.0.20.19 10.0.30.0 0.0.1.255 eq 389
 permit tcp host 10.0.20.20 10.0.30.0 0.0.1.255 eq 389
 permit tcp host 10.0.20.21 10.0.30.0 0.0.1.255 eq 389
 permit udp host 10.0.20.19 10.0.30.0 0.0.1.255 eq 464
 permit udp host 10.0.20.20 10.0.30.0 0.0.1.255 eq 464
 permit udp host 10.0.20.21 10.0.30.0 0.0.1.255 eq 464
 permit tcp host 10.0.20.19 10.0.30.0 0.0.1.255 eq 464
 permit tcp host 10.0.20.20 10.0.30.0 0.0.1.255 eq 464
 permit tcp host 10.0.20.21 10.0.30.0 0.0.1.255 eq 464
 permit udp host 10.0.20.19 10.0.30.0 0.0.1.255 eq isakmp
 permit udp host 10.0.20.20 10.0.30.0 0.0.1.255 eq isakmp
 permit tcp host 10.0.20.36 10.0.30.0 0.0.1.255 eq lpd
 permit tcp any 10.0.30.0 0.0.1.255 eq 593
 permit tcp host 10.0.20.19 10.0.30.0 0.0.1.255 eq 636
 permit tcp host 10.0.20.20 10.0.30.0 0.0.1.255 eq 636
 permit tcp host 10.0.20.21 10.0.30.0 0.0.1.255 eq 636
 permit udp host 10.0.20.19 10.0.30.0 0.0.1.255 eq 636
 permit udp host 10.0.20.20 10.0.30.0 0.0.1.255 eq 636
 permit tcp host 10.0.20.19 10.0.30.0 0.0.1.255 eq 9389
 permit tcp host 10.0.20.20 10.0.30.0 0.0.1.255 eq 9389
 permit tcp any 10.0.30.0 0.0.1.255 eq 1433
 permit tcp any 10.0.30.0 0.0.1.255 eq 1434
 permit udp host 10.0.20.37 10.0.30.0 0.0.1.255 eq 1645
 permit udp host 10.0.20.37 10.0.30.0 0.0.1.255 eq 1646
 permit tcp any 10.0.30.0 0.0.1.255 eq 1801
 permit udp any 10.0.30.0 0.0.1.255 eq 1801
 permit udp host 10.0.20.37 10.0.30.0 0.0.1.255 eq 1812
 permit udp host 10.0.20.37 10.0.30.0 0.0.1.255 eq 1813
 permit udp any 10.0.30.0 0.0.1.255 eq 1900
 permit tcp host 10.0.20.19 10.0.30.0 0.0.1.255 eq 2101
 permit tcp host 10.0.20.20 10.0.30.0 0.0.1.255 eq 2101
 permit tcp any 10.0.30.0 0.0.1.255 eq 2103
 permit tcp any 10.0.30.0 0.0.1.255 eq 2105
 permit tcp any 10.0.30.0 0.0.1.255 eq 2107
 permit tcp any 10.0.30.0 0.0.1.255 eq 2393
 permit tcp any 10.0.30.0 0.0.1.255 eq 2394
 permit tcp any 10.0.30.0 0.0.1.255 eq 2725
 permit tcp host 10.0.20.19 10.0.30.0 0.0.1.255 eq 3268
 permit tcp host 10.0.20.20 10.0.30.0 0.0.1.255 eq 3268
 permit tcp host 10.0.20.19 10.0.30.0 0.0.1.255 eq 3269
 permit tcp host 10.0.20.20 10.0.30.0 0.0.1.255 eq 3269
 permit tcp any 10.0.30.0 0.0.1.255 eq 3343
 permit tcp any 10.0.30.0 0.0.1.255 eq 3389
 permit udp any 10.0.30.0 0.0.1.255 eq 3527
 permit tcp any 10.0.30.0 0.0.1.255 eq 5000
 permit tcp any 10.0.30.0 0.0.1.255 eq 5722
 permit tcp any 10.0.30.0 0.0.1.255 eq 5985
 permit tcp any 10.0.30.0 0.0.1.255 eq 5986
 permit tcp host 10.0.20.21 10.0.30.0 0.0.1.255 eq 7389
 permit tcp host 10.0.20.24 10.0.30.0 0.0.1.255 eq 12398
 permit tcp host 10.0.20.30 10.0.30.0 0.0.1.255 eq 69
 permit tcp any 10.0.30.0 0.0.1.255 range 1024 65535
 remark END Egress to Magenta
 remark BEGIN Explicit deny for tracking
 deny ip any any
 remark END Explicit deny for tracking
ip access-list extended JUNIPER-IN
 remark BEGIN Internal Ingress
 permit tcp 10.0.10.0 0.0.0.255 10.0.10.0 0.0.0.255 eq 22
 permit tcp 10.0.10.0 0.0.0.255 10.0.10.0 0.0.0.255 eq telnet
 permit tcp 10.0.10.0 0.0.0.255 10.0.10.0 0.0.0.255 eq 1200
 permit icmp 10.0.10.0 0.0.0.255 10.0.10.0 0.0.0.255 echo-reply
 permit icmp 10.0.10.0 0.0.0.255 10.0.10.0 0.0.0.255 echo
 remark END Internal Ingress
 remark BEGIN Ingress from Azure
 permit tcp 10.0.20.0 0.0.0.255 any eq 22
 permit tcp 10.0.20.0 0.0.0.255 any eq telnet
 permit tcp 10.0.20.0 0.0.0.255 any eq 1200
 permit icmp 10.0.20.0 0.0.0.255 any echo-reply
 permit icmp 10.0.20.0 0.0.0.255 any echo
 permit tcp host 10.0.20.19 any eq domain
 permit tcp host 10.0.20.20 any eq domain
 permit udp host 10.0.20.19 any eq domain
 permit udp host 10.0.20.20 any eq domain
 permit tcp host 10.0.20.19 any eq 88
 permit tcp host 10.0.20.20 any eq 88
 permit tcp host 10.0.20.21 any eq 88
 permit udp host 10.0.20.19 any eq 88
 permit udp host 10.0.20.20 any eq 88
 permit udp host 10.0.20.21 any eq 88
 permit udp host 10.0.20.19 any eq ntp
 permit udp host 10.0.20.20 any eq ntp
 permit tcp host 10.0.20.19 any eq msrpc
 permit tcp host 10.0.20.20 any eq msrpc
 permit tcp host 10.0.20.12 any eq msrpc
 permit tcp host 10.0.20.13 any eq msrpc
 permit udp host 10.0.20.19 any eq netbios-ns
 permit udp host 10.0.20.20 any eq netbios-ns
 permit udp host 10.0.20.19 any eq netbios-dgm
 permit udp host 10.0.20.20 any eq netbios-dgm
 permit tcp host 10.0.20.19 any eq 139
 permit tcp host 10.0.20.20 any eq 139
 permit udp host 10.0.20.35 any eq snmp
 permit udp host 10.0.20.35 any eq snmptrap
 permit tcp host 10.0.20.19 any eq 389
 permit tcp host 10.0.20.20 any eq 389
 permit tcp host 10.0.20.21 any eq 389
 permit udp host 10.0.20.19 any eq 464
 permit udp host 10.0.20.20 any eq 464
 permit udp host 10.0.20.21 any eq 464
 permit tcp host 10.0.20.19 any eq 464
 permit tcp host 10.0.20.20 any eq 464
 permit tcp host 10.0.20.21 any eq 464
 permit udp host 10.0.20.19 any eq isakmp
 permit udp host 10.0.20.20 any eq isakmp
 permit tcp host 10.0.20.36 any eq lpd
 permit tcp 10.0.20.0 0.0.0.255 any eq 593
 permit tcp host 10.0.20.19 any eq 636
 permit tcp host 10.0.20.20 any eq 636
 permit tcp host 10.0.20.21 any eq 636
 permit udp host 10.0.20.19 any eq 636
 permit udp host 10.0.20.20 any eq 636
 permit tcp host 10.0.20.19 any eq 9389
 permit tcp host 10.0.20.20 any eq 9389
 permit tcp 10.0.20.0 0.0.0.255 any eq 1433
 permit tcp 10.0.20.0 0.0.0.255 any eq 1434
 permit udp host 10.0.20.37 any eq 1645
 permit udp host 10.0.20.37 any eq 1646
 permit tcp 10.0.20.0 0.0.0.255 any eq 1801
 permit udp 10.0.20.0 0.0.0.255 any eq 1801
 permit udp host 10.0.20.37 any eq 1812
 permit udp host 10.0.20.37 any eq 1813
 permit udp 10.0.20.0 0.0.0.255 any eq 1900
 permit tcp host 10.0.20.19 any eq 2101
 permit tcp host 10.0.20.20 any eq 2101
 permit tcp 10.0.20.0 0.0.0.255 any eq 2103
 permit tcp 10.0.20.0 0.0.0.255 any eq 2105
 permit tcp 10.0.20.0 0.0.0.255 any eq 2107
 permit tcp 10.0.20.0 0.0.0.255 any eq 2393
 permit tcp 10.0.20.0 0.0.0.255 any eq 2394
 permit tcp 10.0.20.0 0.0.0.255 any eq 2725
 permit tcp host 10.0.20.19 any eq 3268
 permit tcp host 10.0.20.20 any eq 3268
 permit tcp host 10.0.20.19 any eq 3269
 permit tcp host 10.0.20.20 any eq 3269
 permit tcp 10.0.20.0 0.0.0.255 any eq 3343
 permit tcp 10.0.20.0 0.0.0.255 any eq 3389
 permit udp 10.0.20.0 0.0.0.255 any eq 3527
 permit tcp 10.0.20.0 0.0.0.255 any eq 5000
 permit tcp 10.0.20.0 0.0.0.255 any eq 5722
 permit tcp 10.0.20.0 0.0.0.255 any eq 5985
 permit tcp 10.0.20.0 0.0.0.255 any eq 5986
 permit tcp host 10.0.20.21 any eq 7389
 permit tcp host 10.0.20.24 any eq 12398
 permit tcp host 10.0.20.30 any eq 69
 permit tcp 10.0.20.0 0.0.0.255 any range 1024 65535
 remark END Ingress from Azure
 remark BEGIN Explicit deny for tracking
 deny ip any any
 remark END Explicit deny for tracking
ip access-list extended JUNIPER-OUT
 remark BEGIN Internal Egress
 permit tcp 10.0.10.0 0.0.0.255 10.0.10.0 0.0.0.255 eq 22
 permit tcp 10.0.10.0 0.0.0.255 10.0.10.0 0.0.0.255 eq telnet
 permit tcp 10.0.10.0 0.0.0.255 10.0.10.0 0.0.0.255 eq 1200
 permit icmp 10.0.10.0 0.0.0.255 10.0.10.0 0.0.0.255 echo-reply
 permit icmp 10.0.10.0 0.0.0.255 10.0.10.0 0.0.0.255 echo
 remark END Internal Egress
 remark BEGIN Egress to Azure
 permit tcp any 10.0.20.0 0.0.0.255 eq 22
 permit tcp any 10.0.20.0 0.0.0.255 eq telnet
 permit tcp any 10.0.20.0 0.0.0.255 eq 1200
 permit icmp any 10.0.20.0 0.0.0.255 echo-reply
 permit icmp any 10.0.20.0 0.0.0.255 echo
 permit tcp any host 10.0.20.19 eq domain
 permit tcp any host 10.0.20.20 eq domain
 permit udp any host 10.0.20.19 eq domain
 permit udp any host 10.0.20.20 eq domain
 permit tcp any host 10.0.20.19 eq 88
 permit tcp any host 10.0.20.20 eq 88
 permit tcp any host 10.0.20.21 eq 88
 permit udp any host 10.0.20.19 eq 88
 permit udp any host 10.0.20.20 eq 88
 permit udp any host 10.0.20.21 eq 88
 permit udp any host 10.0.20.19 eq ntp
 permit udp any host 10.0.20.20 eq ntp
 permit tcp any host 10.0.20.19 eq msrpc
 permit tcp any host 10.0.20.20 eq msrpc
 permit tcp any host 10.0.20.12 eq msrpc
 permit tcp any host 10.0.20.13 eq msrpc
 permit udp any host 10.0.20.19 eq netbios-ns
 permit udp any host 10.0.20.20 eq netbios-ns
 permit udp any host 10.0.20.19 eq netbios-dgm
 permit udp any host 10.0.20.20 eq netbios-dgm
 permit tcp any host 10.0.20.19 eq 139
 permit tcp any host 10.0.20.20 eq 139
 permit udp any host 10.0.20.35 eq snmp
 permit udp any host 10.0.20.35 eq snmptrap
 permit tcp any host 10.0.20.19 eq 389
 permit tcp any host 10.0.20.20 eq 389
 permit tcp any host 10.0.20.21 eq 389
 permit udp any host 10.0.20.19 eq 464
 permit udp any host 10.0.20.20 eq 464
 permit udp any host 10.0.20.21 eq 464
 permit tcp any host 10.0.20.19 eq 464
 permit tcp any host 10.0.20.20 eq 464
 permit tcp any host 10.0.20.21 eq 464
 permit udp any host 10.0.20.19 eq isakmp
 permit udp any host 10.0.20.20 eq isakmp
 permit tcp any host 10.0.20.36 eq lpd
 permit tcp any 10.0.20.0 0.0.0.255 eq 593
 permit tcp any host 10.0.20.19 eq 636
 permit tcp any host 10.0.20.20 eq 636
 permit tcp any host 10.0.20.21 eq 636
 permit udp any host 10.0.20.19 eq 636
 permit udp any host 10.0.20.20 eq 636
 permit tcp any host 10.0.20.19 eq 9389
 permit tcp any host 10.0.20.20 eq 9389
 permit tcp any 10.0.20.0 0.0.0.255 eq 1433
 permit tcp any 10.0.20.0 0.0.0.255 eq 1434
 permit udp any host 10.0.20.37 eq 1645
 permit udp any host 10.0.20.37 eq 1646
 permit tcp any 10.0.20.0 0.0.0.255 eq 1801
 permit udp any 10.0.20.0 0.0.0.255 eq 1801
 permit udp any host 10.0.20.37 eq 1812
 permit udp any host 10.0.20.37 eq 1813
 permit udp any 10.0.20.0 0.0.0.255 eq 1900
 permit tcp any host 10.0.20.19 eq 2101
 permit tcp any host 10.0.20.20 eq 2101
 permit tcp any 10.0.20.0 0.0.0.255 eq 2103
 permit tcp any 10.0.20.0 0.0.0.255 eq 2105
 permit tcp any 10.0.20.0 0.0.0.255 eq 2107
 permit tcp any 10.0.20.0 0.0.0.255 eq 2393
 permit tcp any 10.0.20.0 0.0.0.255 eq 2394
 permit tcp any 10.0.20.0 0.0.0.255 eq 2725
 permit tcp any host 10.0.20.19 eq 3268
 permit tcp any host 10.0.20.20 eq 3268
 permit tcp any host 10.0.20.19 eq 3269
 permit tcp any host 10.0.20.20 eq 3269
 permit tcp any 10.0.20.0 0.0.0.255 eq 3343
 permit tcp any 10.0.20.0 0.0.0.255 eq 3389
 permit udp any 10.0.20.0 0.0.0.255 eq 3527
 permit tcp any 10.0.20.0 0.0.0.255 eq 5000
 permit tcp any 10.0.20.0 0.0.0.255 eq 5722
 permit tcp any 10.0.20.0 0.0.0.255 eq 5985
 permit tcp any 10.0.20.0 0.0.0.255 eq 5986
 permit tcp any host 10.0.20.21 eq 7389
 permit tcp any host 10.0.20.24 eq 12398
 permit tcp any host 10.0.20.30 eq 69
 permit tcp any 10.0.20.0 0.0.0.255 range 1024 65535
 remark END Egress to Azure
 remark BEGIN Explicit deny for tracking
 deny ip any any
 remark END Explicit deny for tracking
ip access-list extended MAGENTA-IN
 remark BEGIN Internal Ingress
 permit tcp 10.0.30.0 0.0.1.255 10.0.30.0 0.0.1.255 eq 22
 permit tcp 10.0.30.0 0.0.1.255 10.0.30.0 0.0.1.255 eq telnet
 permit tcp 10.0.30.0 0.0.1.255 10.0.30.0 0.0.1.255 eq 1200
 permit tcp 10.0.30.0 0.0.1.255 10.0.30.0 0.0.1.255 eq 1203
 permit icmp 10.0.30.0 0.0.1.255 10.0.30.0 0.0.1.255 echo-reply
 permit icmp 10.0.30.0 0.0.1.255 any echo-reply
 permit icmp 10.0.30.0 0.0.1.255 10.0.30.0 0.0.1.255 echo
 permit icmp 10.0.30.0 0.0.1.255 any echo
 remark END Internal Ingress
 remark BEGIN Ingress from Azure
 permit tcp 10.0.20.0 0.0.0.255 any eq 22
 permit tcp 10.0.20.0 0.0.0.255 any eq telnet
 permit tcp 10.0.20.0 0.0.0.255 any eq 1200
 permit icmp 10.0.20.0 0.0.0.255 any echo-reply
 permit icmp 10.0.20.0 0.0.0.255 any echo
 permit tcp host 10.0.20.19 any eq domain
 permit tcp host 10.0.20.20 any eq domain
 permit udp host 10.0.20.19 any eq domain
 permit udp host 10.0.20.20 any eq domain
 permit tcp host 10.0.20.19 any eq 88
 permit tcp host 10.0.20.20 any eq 88
 permit tcp host 10.0.20.21 any eq 88
 permit udp host 10.0.20.19 any eq 88
 permit udp host 10.0.20.20 any eq 88
 permit udp host 10.0.20.21 any eq 88
 permit udp host 10.0.20.19 any eq ntp
 permit udp host 10.0.20.20 any eq ntp
 permit tcp host 10.0.20.19 any eq msrpc
 permit tcp host 10.0.20.20 any eq msrpc
 permit tcp host 10.0.20.12 any eq msrpc
 permit tcp host 10.0.20.13 any eq msrpc
 permit udp host 10.0.20.19 any eq netbios-ns
 permit udp host 10.0.20.20 any eq netbios-ns
 permit udp host 10.0.20.19 any eq netbios-dgm
 permit udp host 10.0.20.20 any eq netbios-dgm
 permit tcp host 10.0.20.19 any eq 139
 permit tcp host 10.0.20.20 any eq 139
 permit udp host 10.0.20.35 any eq snmp
 permit udp host 10.0.20.35 any eq snmptrap
 permit tcp host 10.0.20.19 any eq 389
 permit tcp host 10.0.20.20 any eq 389
 permit tcp host 10.0.20.21 any eq 389
 permit udp host 10.0.20.19 any eq 464
 permit udp host 10.0.20.20 any eq 464
 permit udp host 10.0.20.21 any eq 464
 permit tcp host 10.0.20.19 any eq 464
 permit tcp host 10.0.20.20 any eq 464
 permit tcp host 10.0.20.21 any eq 464
 permit udp host 10.0.20.19 any eq isakmp
 permit udp host 10.0.20.20 any eq isakmp
 permit tcp host 10.0.20.36 any eq lpd
 permit tcp 10.0.20.0 0.0.0.255 any eq 593
 permit tcp host 10.0.20.19 any eq 636
 permit tcp host 10.0.20.20 any eq 636
 permit tcp host 10.0.20.21 any eq 636
 permit udp host 10.0.20.19 any eq 636
 permit udp host 10.0.20.20 any eq 636
 permit tcp host 10.0.20.19 any eq 9389
 permit tcp host 10.0.20.20 any eq 9389
 permit tcp 10.0.20.0 0.0.0.255 any eq 1433
 permit tcp 10.0.20.0 0.0.0.255 any eq 1434
 permit udp host 10.0.20.37 any eq 1645
 permit udp host 10.0.20.37 any eq 1646
 permit tcp 10.0.20.0 0.0.0.255 any eq 1801
 permit udp 10.0.20.0 0.0.0.255 any eq 1801
 permit udp host 10.0.20.37 any eq 1812
 permit udp host 10.0.20.37 any eq 1813
 permit udp 10.0.20.0 0.0.0.255 any eq 1900
 permit tcp host 10.0.20.19 any eq 2101
 permit tcp host 10.0.20.20 any eq 2101
 permit tcp 10.0.20.0 0.0.0.255 any eq 2103
 permit tcp 10.0.20.0 0.0.0.255 any eq 2105
 permit tcp 10.0.20.0 0.0.0.255 any eq 2107
 permit tcp 10.0.20.0 0.0.0.255 any eq 2393
 permit tcp 10.0.20.0 0.0.0.255 any eq 2394
 permit tcp 10.0.20.0 0.0.0.255 any eq 2725
 permit tcp host 10.0.20.19 any eq 3268
 permit tcp host 10.0.20.20 any eq 3268
 permit tcp host 10.0.20.19 any eq 3269
 permit tcp host 10.0.20.20 any eq 3269
 permit tcp 10.0.20.0 0.0.0.255 any eq 3343
 permit tcp 10.0.20.0 0.0.0.255 any eq 3389
 permit udp 10.0.20.0 0.0.0.255 any eq 3527
 permit tcp 10.0.20.0 0.0.0.255 any eq 5000
 permit tcp 10.0.20.0 0.0.0.255 any eq 5722
 permit tcp 10.0.20.0 0.0.0.255 any eq 5985
 permit tcp 10.0.20.0 0.0.0.255 any eq 5986
 permit tcp host 10.0.20.21 any eq 7389
 permit tcp host 10.0.20.24 any eq 12398
 permit tcp host 10.0.20.30 any eq 69
 permit tcp 10.0.20.0 0.0.0.255 any range 1024 65535
 permit tcp any any eq www
 permit tcp any any eq 443
 permit udp any any eq domain
 permit tcp any any eq domain
 permit tcp any eq domain any
 permit udp any eq domain any
 permit ip any any
 deny ip any any
ip access-list extended MAGENTA-OUT
 remark BEGIN Internal Egress
 permit tcp 10.0.30.0 0.0.1.255 10.0.30.0 0.0.1.255 eq 22
 permit tcp 10.0.30.0 0.0.1.255 10.0.30.0 0.0.1.255 eq telnet
 permit tcp 10.0.30.0 0.0.1.255 10.0.30.0 0.0.1.255 eq 1200
 permit tcp 10.0.30.0 0.0.1.255 10.0.30.0 0.0.1.255 eq 1203
 permit icmp 10.0.30.0 0.0.1.255 10.0.30.0 0.0.1.255 echo-reply
 permit icmp 10.0.30.0 0.0.1.255 10.0.30.0 0.0.1.255 echo
 permit tcp any any eq domain
 permit tcp any eq domain any
 permit udp any any eq domain
 permit udp any eq domain any
 remark END Internal Egress
 deny ip any any
ip access-list extended RUBY-IN
ip access-list extended RUBY-OUT
!
access-list 2000 permit udp 10.0.30.0 0.0.1.255 any
!
!
!
control-plane
 service-policy input system-cpp-policy
!
!
line con 0
 login local
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 login local
 transport input ssh
line vty 5 15
 login local
 transport input ssh
!
!
mac address-table notification mac-move
!
!
!
!
!
end
There are quite a few large unused ACLs here, but the only ones I'm currently interested in are the AMARANTH_X ones.
07-26-2019 09:16 AM
Hello,
can your hosts in Vlan 100 actually ping their own default gateway? Your Vlan 100 has room for only 5 hosts (10.0.100.2 - 10.0.100.6).
What is the purpose of the static route:
ip route 10.0.100.0 255.255.255.248 10.0.100.2
07-26-2019 05:34 PM
07-26-2019 10:00 AM
Your direction is wrong. Looking specifically at the AMARANTH_IN ACL, which is applied inbound on the SVI for vlan 100: what that means is that it matches any traffic on vlan 100 coming to the SVI. So your source hosts would have to be 10.0.100.x to see hits on the ACL as you are expecting. What you are seeing now is the ACL doing exactly what you told it to do.
This will sound corny, but to clarify how the direction works, imagine you are standing right at the vlan 100 SVI, facing the LAN for vlan 100. An ACL applied inbound would be sourced on vlan 100. An ACL applied outbound would be destined for vlan 100.
07-26-2019 05:38 PM
07-29-2019 05:29 AM
Yep, your conceptualization is backward. It's all from the perspective of the SVI. An inbound ACL on the SVI means traffic sourced from vlan 100 destined for the network, and an outbound ACL on the SVI means traffic from the network destined for vlan 100. It can be a little counterintuitive at first, but once you get it, it's easy.
07-29-2019 05:37 AM
Hello dctadmin,
think of an SVI layer 3 interface as a host connected to the corresponding L2 broadcast domain and providing L3 routing services to the other hosts in the Vlan:
the inbound direction is traffic sent to the default gateway by hosts in the Vlan and destined to other subnets;
the outbound direction is traffic coming from other networks with a destination in the Vlan subnet.
At the beginning of multilayer switching on the Catalyst 6500 or 5500, the routing card was added running a separate IOS image while the L2 supervisor was running CatOS.
The choice of direction meaning was made in those times, when the MSFC was actually a separate device connected via internal trunk ports to the L2 switch.
Hope to help
Giuseppe
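The replies above all make the same point: an ACL on an SVI is evaluated from the SVI's perspective, so the inbound list only ever sees packets sourced inside the VLAN, and entries written with an outside host as the *source* can never match there. The following is an added example, not code from this thread or from Cisco, that models that rule with a small first-match evaluator for extended ACL entries. The ACL text, the vlan 100 subnet (assumed 10.0.100.0/29 from the reply about 10.0.100.2 - 10.0.100.6) and the sample packets are all constructed for illustration.

```python
"""Added example, not code from the thread or from Cisco: a tiny first-match
evaluator for extended ACL entries, plus the SVI direction rule the replies
describe (inbound = sourced in the VLAN, outbound = destined for the VLAN).
ACL text, subnets and packets below are constructed for illustration."""
import ipaddress
from dataclasses import dataclass

# Keyword ports used by the entries in this example (constructed subset).
PORT_NAMES = {"www": 80, "domain": 53, "netbios-ns": 137, "netbios-dgm": 138}


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0


def _port(tok):
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)


def parse_ace(line):
    """Parse one entry such as 'permit tcp host 10.0.20.17 any eq 445'.
    Supports any / host A / A WILDCARD addresses and an optional 'eq PORT'
    after each address; returns (action, proto, src, sport, dst, dport)."""
    toks = line.split()
    action, proto, i = toks[0], toks[1], 2

    def take_addr():
        nonlocal i
        if toks[i] == "any":
            i += 1
            return ipaddress.ip_network("0.0.0.0/0")
        if toks[i] == "host":
            i += 2
            return ipaddress.ip_network(toks[i - 1] + "/32")
        addr, wild = toks[i], toks[i + 1]
        i += 2
        # A Cisco wildcard is the bitwise inverse of a subnet mask.
        mask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(wild)) ^ 0xFFFFFFFF)
        return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

    def take_port():
        nonlocal i
        if i < len(toks) and toks[i] == "eq":
            i += 2
            return _port(toks[i - 1])
        return None

    src, sport = take_addr(), take_port()
    dst, dport = take_addr(), take_port()
    return action, proto, src, sport, dst, dport


def matches(ace, pkt):
    action, proto, src, sport, dst, dport = ace
    return (proto in ("ip", pkt.proto)
            and ipaddress.ip_address(pkt.src) in src
            and ipaddress.ip_address(pkt.dst) in dst
            and (sport is None or pkt.sport == sport)
            and (dport is None or pkt.dport == dport))


def evaluate(acl, pkt):
    """First matching entry wins; an unmatched packet hits the implicit deny.
    Returns (action, matched entry text or None)."""
    for line in acl:
        if matches(parse_ace(line), pkt):
            return line.split()[0], line
    return "deny", None


def direction_on_svi(pkt, vlan_subnet):
    """Which list an SVI consults: 'in' for packets the VLAN's hosts send to
    their gateway, 'out' for packets the switch routes toward the VLAN."""
    net = ipaddress.ip_network(vlan_subnet)
    if ipaddress.ip_address(pkt.src) in net:
        return "in"
    if ipaddress.ip_address(pkt.dst) in net:
        return "out"
    return None


# Constructed ACL in the style discussed in the thread (assumed, not the
# poster's exact list): web and DNS for everyone, SMB only from one server.
SAMPLE_IN = [
    "permit tcp any any eq www",
    "permit udp any any eq domain",
    "permit tcp host 10.0.20.17 any eq 445",
    "deny ip any any",
]
VLAN100 = "10.0.100.0/29"  # assumed SVI subnet for vlan 100


def walk(pkt, acl_in=SAMPLE_IN, vlan=VLAN100):
    """Return (direction, action, matched entry) for one packet at the SVI.
    Only the inbound list is modelled; packets going the other way are
    reported by direction so the reader sees which list they would consult."""
    direction = direction_on_svi(pkt, vlan)
    if direction != "in":
        return direction, None, None
    action, entry = evaluate(acl_in, pkt)
    return direction, action, entry


if __name__ == "__main__":
    # A vlan 100 host opening SMB to the file server: inbound, and the
    # host-specific 445 entry names 10.0.20.17 as *source*, so it never
    # matches; the packet falls through to the explicit deny.
    print(walk(Packet("tcp", "10.0.100.5", "10.0.20.17", 51000, 445)))
    # The server's reply is routed toward vlan 100: that is the outbound side.
    print(walk(Packet("tcp", "10.0.20.17", "10.0.100.5", 445, 51000)))
```

Running it shows the symptom the poster described: every packet a vlan 100 host sends that is not plain web or DNS lands on the final deny, because the entries meant to admit the file server and the RDP hosts are written with those outside addresses as the source and so belong to the outbound side of the SVI. The `deny ip any any` counter climbing while the permits stay at zero is exactly that.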