cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

391
Views
0
Helpful
9
Replies
Beginner

Help with ACL Issue

Greetings

I have created an Extended ACL with the intent of permitting web traffic, SMB from a file server, and RDP from two specific hosts (or at least this is the intent). ICMP is ideally disallowed. The ACL is as follows:

 

Extended IP access list AMARANTH_IN
     5 permit tcp any any eq www
     10 permit tcp any any eq 443
     11 permit udp any any eq domain
     12 permit tcp any any eq domain
     13 permit udp any eq domain any
     14 permit tcp any eq domain any
     15 permit tcp host 10.0.20.17 any eq 445
     20 permit tcp host 10.0.20.17 any eq 137
     25 permit tcp host 10.0.20.17 any eq 139
     30 permit udp host 10.0.20.17 any eq netbios-ns
     35 permit udp host 10.0.20.17 any eq netbios-dgm
     40 permit tcp host 10.0.30.5 any eq 3389
     45 permit tcp host 10.0.30.6 any eq 3389
     50 deny ip any any (1525 matches)

As you can see, the only rule that seems to be getting any traffic is the last rule that denies traffic. Perhaps my understanding of ACLs is wrong, as I thought the lower numbers of Extended ACLs were processed first. If that's actually the case, then why is a host in the VLAN this Access List is associated with unable to successfully perform nslookups or navigate to web pages? I'm confident that the routing on the switch and firewall is correct as it mirrors several other subnets that all have the same routing. The kicker is that if I remove the ACL from the VLAN, everything flows freely.

Everyone's tags (2)
9 REPLIES 9
Beginner

Re: Help with ACL Issue

Can you show where you've applied this ACL?

***Please Mark and Rate helpful posts***
VIP Advisor

Re: Help with ACL Issue

Not sure we would like to se full configuration and also what interface this ACL applied ?

 

BB
*** Rate All Helpful Responses ***
Beginner

Re: Help with ACL Issue

As requested, here is the full running configuration.

 

Building configuration...

Current configuration : 46445 bytes
!
! Last configuration change at 11:26:24 EST Fri Jul 26 2019 by dctech
!
version 16.6
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
no platform punt-keepalive disable-kernel-core
!
hostname pits0102p
!
!
vrf definition Mgmt-vrf
 !
 address-family ipv4
 exit-address-family
 !
 address-family ipv6
 exit-address-family
!
enable secret 5 $1$RNFs$G0M6RlumU4xZtE58NMf5q/
enable password 7 15280D050E1F2D70023F3A333B123130107B707D63
!
no aaa new-model
clock timezone EST -5 0
clock summer-time EST recurring
switch 1 provision ws-c3850-48t
!
!
!
!
ip routing
!
ip name-server 10.0.20.19 10.0.20.20
ip domain name not.for.you.to.know.com
ip dhcp excluded-address 10.0.30.1 10.0.30.20
ip dhcp excluded-address 10.0.30.255
ip dhcp excluded-address 10.0.40.1
ip dhcp excluded-address 10.0.40.255
ip dhcp excluded-address 10.0.40.1 10.0.40.127
ip dhcp excluded-address 10.0.31.150 10.0.31.200
ip dhcp excluded-address 10.0.50.1
ip dhcp excluded-address 10.0.50.255
!
ip dhcp pool DHCP_MAGENTA
 network 10.0.30.0 255.255.254.0
 update dns both override
 default-router 10.0.30.1
 domain-name not.for.you.to.know.com
 dns-server 10.0.20.19 10.0.20.20
 netbios-name-server 10.0.20.19 10.0.20.20
 option 66 ip 10.0.20.33
 option 67 ascii pxelinux.0
 option 161 ip 10.0.20.28
 option 162 ascii \$
 option 184 ascii thinos.provisioner
 option 185 ascii HappyFeet44!!
!
ip dhcp pool DHCP_RUBY
 network 10.0.40.0 255.255.255.0
 default-router 10.0.40.1
 option 66 ip 10.0.20.34
 option 67 ascii aspboot.bin
 option 161 ip 10.0.20.28
 option 162 ascii \$
 option 184 ascii thinos.provisioner
 option 185 ascii HappyFeet44!!
!
!
ip dhcp update dns both
!
!
!
!
!
!
vtp domain BBNC_ICN_VTP
vtp mode transparent
!
crypto pki trustpoint TP-self-signed-459737811
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-459737811
 revocation-check none
 rsakeypair TP-self-signed-459737811
!
!
crypto pki certificate chain TP-self-signed-459737811
 certificate self-signed 01
  3082032E 30820216 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
  30312E30 2C060355 04031325 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 34353937 33373831 31301E17 0D313930 36313031 38333535
  395A170D 32303031 30313030 30303030 5A303031 2E302C06 03550403 1325494F
  532D5365 6C662D53 69676E65 642D4365 72746966 69636174 652D3435 39373337
  38313130 82012230 0D06092A 864886F7 0D010101 05000382 010F0030 82010A02
  82010100 B3281653 47A72D41 7AD083BE 18DA1792 218124AD 97451211 E1E48375
  7F4EE169 8AE60AA4 E66EC3DA EB864E9A 6D0E1B08 AD097F45 D4518301 C426A632
  C2BFE616 D20C22DE DD45E701 18D5DA44 23E27548 DAA40E6F D37BE309 4FADCE62
  F53FAD6C F2C15EEE 5DD1F038 5D554A2A 9F4EE1F7 34900193 A5AAFD4B A41D0A8A
  E4284906 E83C4B16 6814AB15 BE46F50A C736437D 378F19CB 04A9A31B E1945087
  319A7045 2CF9F17E 34AA9106 1E82312F C7CFDC46 27F0CD4E 273B5883 EFC45665
  98ADC4B0 551FC644 6D655F61 73823681 3E16E1AB 87652B88 E27D90B6 2ED84EEE
  21CE66E3 591D50B5 0761F89F 157CC6AE 99DE984C B003E7C3 65C52A31 379B1D5B
  49C53DCD 02030100 01A35330 51300F06 03551D13 0101FF04 05300301 01FF301F
  0603551D 23041830 168014D7 2D9AF115 C4E157F2 5E0C953B 053F2A8D FF63EC30
  1D060355 1D0E0416 0414D72D 9AF115C4 E157F25E 0C953B05 3F2A8DFF 63EC300D
  06092A86 4886F70D 01010505 00038201 01003A00 90A83FC7 CC228350 B9C9A395
  F7999A8E 6EB78E53 B9F30C3F 5C95A65F 321D19E0 28BE2D4A E461A1AE FF333D93
  0DC23022 8F5B15BF C95DEB58 F91487C0 7D5E6C41 EEBA7C49 9CA2878C 3054F3E1
  B65AA3D1 37DB95AD B702BC84 D1044D5F 75DABE3E 32B7D3D3 CA198171 9A524ADD
  921ED51A E4E6643B CA5C9354 35F1EBDB AE634159 9B591358 F8D14B38 A226D18E
  5EBF45AB 77E6212D FA1EB65E DCA643C1 3D99A500 20B5485B 568E4907 95DA58B4
  0F9554B3 42AAAFD1 EBB84A44 3EDA2D5E 67B39905 3726F382 79BE607B 86710798
  8B6C47FC C2B31B7E AB136682 2E3DD4B5 489A4CFD C86C898F 543EFF33 315AAF8B
  BCA47196 41D6EAD1 154482A7 9C27E1D1 E892
        quit
!
!
!
diagnostic bootup level minimal
spanning-tree mode rapid-pvst
spanning-tree extend system-id
!
username nimda privilege 15 password 7 1223071A3E1F2526031C713E6A2671061E230E577F
username someguy privilege 15 password 7 13220525122450302C0302
!
redundancy
 mode sso
!
!
transceiver type all
 monitoring
!
vlan 10
 name JUNIPER
!
vlan 20
 name AZURE
!
vlan 30
 name MAGENTA
!
vlan 40
 name RUBY
!
vlan 50
 name OBSIDIAN
!
vlan 100
 name AMARANTH
!
!
class-map match-any system-cpp-police-topology-control
  description Topology control
class-map match-any system-cpp-police-sw-forward
  description Sw forwarding, L2 LVX data, LOGGING
class-map match-any system-cpp-default
  description DHCP Snooping, EWLC control, EWCL data
class-map match-any system-cpp-police-sys-data
  description Learning cache ovfl, Crypto Control, Exception, EGR Exception, NFL SAMPLED DATA, RPF Failed
class-map match-any system-cpp-police-punt-webauth
  description Punt Webauth
class-map match-any system-cpp-police-l2lvx-control
  description L2 LVX control packets
class-map match-any system-cpp-police-forus
  description Forus Address resolution and Forus traffic
class-map match-any system-cpp-police-multicast-end-station
  description MCAST END STATION
class-map match-any system-cpp-police-multicast
  description Transit Traffic and MCAST Data
class-map match-any system-cpp-police-l2-control
  description L2 control
class-map match-any system-cpp-police-dot1x-auth
  description DOT1X Auth
class-map match-any system-cpp-police-data
  description ICMP redirect, ICMP_GEN and BROADCAST
class-map match-any system-cpp-police-stackwise-virt-control
  description Stackwise Virtual
class-map match-any non-client-nrt-class
class-map match-any system-cpp-police-routing-control
  description Routing control
class-map match-any system-cpp-police-protocol-snooping
  description Protocol snooping
class-map match-any system-cpp-police-system-critical
  description System Critical and Gold
!
policy-map system-cpp-policy
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface Port-channel1
 description LAG_FOR_PITS0202P
 switchport trunk native vlan 10
 switchport trunk allowed vlan 10,20,30
 switchport mode trunk
!
interface Port-channel2
 description LAG_FOR_PITS0203P
 switchport trunk native vlan 10
 switchport trunk allowed vlan 10,20,30,40
 switchport mode trunk
!
interface Port-channel3
 description LAG_FOR_PITS0214
 switchport access vlan 20
 switchport mode access
 spanning-tree portfast
!
interface Port-channel4
 description LAG_FOR_PITS0215
 switchport access vlan 20
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet0/0
 vrf forwarding Mgmt-vrf
 no ip address
 shutdown
 speed 1000
 negotiation auto
!
interface GigabitEthernet1/0/1
 no switchport
 no ip address
 shutdown
!
interface GigabitEthernet1/0/2
 description JUNIPER_PITS0116P
 switchport access vlan 10
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet1/0/3
 description AZURE_PITS0202P_LAGx0
 switchport trunk native vlan 10
 switchport trunk allowed vlan 10,20,30
 switchport mode trunk
 channel-group 1 mode auto
!
interface GigabitEthernet1/0/4
 description AZURE_PITS0202P_LAGx1
 switchport trunk native vlan 10
 switchport trunk allowed vlan 10,20,30
 switchport mode trunk
 channel-group 1 mode auto
!
interface GigabitEthernet1/0/5
 description AZURE_PITS0203P_LAGx0
 switchport trunk native vlan 10
 switchport trunk allowed vlan 10,20,30,40
 switchport mode trunk
 channel-group 2 mode auto
!
interface GigabitEthernet1/0/6
 description AZURE_PITS0203P_LAGx1
 switchport trunk native vlan 10
 switchport trunk allowed vlan 10,20,30,40
 switchport mode trunk
 channel-group 2 mode auto
!
interface GigabitEthernet1/0/7
 description AZURE_PITS0214P_LAGX0
 switchport access vlan 20
 switchport mode access
 channel-group 3 mode auto
 spanning-tree portfast
!
interface GigabitEthernet1/0/8
 description AZURE_PITS0214P_LAGX1
 switchport access vlan 20
 switchport mode access
 channel-group 3 mode auto
 spanning-tree portfast
!
interface GigabitEthernet1/0/9
 description AZURE_PITS0215P_LAGX0
 switchport access vlan 20
 switchport mode access
 channel-group 4 mode auto
 spanning-tree portfast
!
interface GigabitEthernet1/0/10
 description AZURE_PITS0215P_LAGX1
 switchport access vlan 20
 switchport mode access
 channel-group 4 mode auto
 spanning-tree portfast
!
interface GigabitEthernet1/0/11
!
interface GigabitEthernet1/0/12
 description AZURE_FAKE_TRUNK
 switchport trunk allowed vlan 10,20,30,40
 switchport mode trunk
!
interface GigabitEthernet1/0/13
 description MAGENTA_ACCESS
 switchport access vlan 30
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet1/0/14
 description MAGENTA_ACCESS
 switchport access vlan 30
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet1/0/15
 description MAGENTA_ACCESS
 switchport access vlan 30
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet1/0/16
 description MAGENTA_ACCESS
 switchport access vlan 30
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet1/0/17
 description MAGENTA_ACCESS
 switchport access vlan 30
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet1/0/18
 description MAGENTA_ACCESS
 switchport access vlan 30
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet1/0/19
 description MAGENTA_ACCESS
 switchport access vlan 30
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet1/0/20
 description MAGENTA_ACCESS
 switchport access vlan 30
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet1/0/21
 description MAGENTA_ACCESS
 switchport access vlan 30
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet1/0/22
 description MAGENTA_ACCESS
 switchport access vlan 30
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet1/0/23
 description MAGENTA_ACCESS
 switchport access vlan 30
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet1/0/24
 description MAGENTA_ACCESS
 switchport access vlan 30
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet1/0/25
 description MAGENTA_ACCESS
 switchport access vlan 30
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet1/0/26
 description MAGENTA_ACCESS
 switchport access vlan 30
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet1/0/27
 description MAGENTA_ACCESS
 switchport access vlan 30
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet1/0/28
 description MAGENTA_ACCESS
 switchport access vlan 30
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet1/0/29
 description MAGENTA_ACCESS
 switchport access vlan 30
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet1/0/30
 description MAGENTA_ACCESS
 switchport access vlan 30
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet1/0/31
 description MAGENTA_ACCESS
 switchport access vlan 30
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet1/0/32
 description MAGENTA_ACCESS
 switchport access vlan 30
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet1/0/33
 description MAGENTA_ACCESS
 switchport access vlan 30
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet1/0/34
 description MAGENTA_ACCESS
 switchport access vlan 30
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet1/0/35
 description MAGENTA_ACCESS
 switchport access vlan 30
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet1/0/36
 description MAGENTA_DUMB_SWITCH
 switchport access vlan 30
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet1/0/37
 description RUBY_ACCESS
 switchport access vlan 40
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet1/0/38
 description RUBY_ACCESS
 switchport access vlan 40
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet1/0/39
!
interface GigabitEthernet1/0/40
!
interface GigabitEthernet1/0/41
!
interface GigabitEthernet1/0/42
!
interface GigabitEthernet1/0/43
!
interface GigabitEthernet1/0/44
 no switchport
 no ip address
!
interface GigabitEthernet1/0/45
!
interface GigabitEthernet1/0/46
!
interface GigabitEthernet1/0/47
 switchport access vlan 100
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet1/0/48
 description MARIGOLD_PITS0101P
 no switchport
 ip address 10.0.254.3 255.255.255.248
!
interface GigabitEthernet1/1/1
!
interface GigabitEthernet1/1/2
!
interface GigabitEthernet1/1/3
!
interface GigabitEthernet1/1/4
!
interface TenGigabitEthernet1/1/1
!
interface TenGigabitEthernet1/1/2
!
interface TenGigabitEthernet1/1/3
!
interface TenGigabitEthernet1/1/4
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan10
 description Network Management
 ip address 10.0.10.1 255.255.255.192
 ip access-group JUNIPER-IN in
 ip access-group JUNIPER-OUT out
!
interface Vlan20
 description Network Services
 ip address 10.0.20.1 255.255.255.0
!
interface Vlan30
 description Workstations
 ip address 10.0.30.1 255.255.254.0
 ip helper-address 10.0.40.255
 ip access-group MAGENTA-IN in
!
interface Vlan40
 description SimLab
 ip address 10.0.40.1 255.255.255.0
 ip directed-broadcast 2000
!
interface Vlan50
 description Fun
 ip address 172.16.110.1 255.255.255.0
!
interface Vlan100
 description Amaranth
 ip address 10.0.100.1 255.255.255.248
 ip access-group AMARANTH_IN in
 ip access-group AMARANTH_OUT out
!
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip route 0.0.0.0 0.0.0.0 10.0.254.2
ip route 10.0.30.0 255.255.254.0 10.0.30.2
ip route 10.0.100.0 255.255.255.248 10.0.100.2
ip ssh version 2
!
ip access-list extended AMARANTH_IN
 permit tcp any any eq www
 permit tcp any any eq 443
 permit udp any any eq domain
 permit tcp any any eq domain
 permit udp any eq domain any
 permit tcp any eq domain any
 permit tcp host 10.0.20.17 any eq 445
 permit tcp host 10.0.20.17 any eq 137
 permit tcp host 10.0.20.17 any eq 139
 permit udp host 10.0.20.17 any eq netbios-ns
 permit udp host 10.0.20.17 any eq netbios-dgm
 permit tcp host 10.0.30.5 any eq 3389
 permit tcp host 10.0.30.6 any eq 3389
 deny   ip any any
ip access-list extended AMARANTH_OUT
 permit tcp any any eq www
 permit tcp any any eq 443
 permit udp any any eq domain
 permit tcp any any eq domain
 permit tcp any host 10.0.20.17 eq 445
 permit tcp any host 10.0.20.17 eq 137
 permit tcp any host 10.0.20.17 eq 139
 permit udp any host 10.0.20.17 eq netbios-ns
 permit udp any host 10.0.20.17 eq netbios-dgm
 permit tcp any host 10.0.30.5 eq 3389
 permit tcp any host 10.0.30.6 eq 3389
 deny   ip any any
ip access-list extended AZURE-IN
 remark BEGIN Internal Ingress
 permit tcp 10.0.20.0 0.0.0.255 10.0.20.0 0.0.0.255 eq 22
 permit tcp 10.0.20.0 0.0.0.255 10.0.20.0 0.0.0.255 eq telnet
 permit tcp 10.0.20.0 0.0.0.255 10.0.20.0 0.0.0.255 eq 1200
 permit tcp 10.0.20.0 0.0.0.255 10.0.20.0 0.0.0.255 eq 1203
 permit tcp 10.0.20.0 0.0.0.255 10.0.20.0 0.0.0.255 eq 12398
 permit icmp 10.0.20.0 0.0.0.255 10.0.20.0 0.0.0.255 echo-reply
 remark END Explicit deny for tracking
 permit icmp any 10.0.20.0 0.0.0.255 echo-reply
 permit icmp 10.0.20.0 0.0.0.255 10.0.20.0 0.0.0.255 echo
 permit icmp any 10.0.20.0 0.0.0.255 echo
 remark END Internal Ingress
 remark BEGIN Ingress from Juniper
 permit tcp 10.0.10.0 0.0.0.255 any eq 22
 permit tcp 10.0.10.0 0.0.0.255 any eq telnet
 permit tcp 10.0.10.0 0.0.0.255 any eq 1200
 permit icmp 10.0.10.0 0.0.0.255 any echo-reply
 permit icmp 10.0.10.0 0.0.0.255 any echo
 permit tcp 10.0.10.0 0.0.0.255 host 10.0.20.19 eq domain
 permit tcp 10.0.10.0 0.0.0.255 host 10.0.20.20 eq domain
 permit udp 10.0.10.0 0.0.0.255 host 10.0.20.19 eq domain
 permit udp 10.0.10.0 0.0.0.255 host 10.0.20.20 eq domain
 permit tcp 10.0.10.0 0.0.0.255 host 10.0.20.19 eq 88
 permit tcp 10.0.10.0 0.0.0.255 host 10.0.20.20 eq 88
 permit tcp 10.0.10.0 0.0.0.255 host 10.0.20.21 eq 88
 permit udp 10.0.10.0 0.0.0.255 host 10.0.20.19 eq 88
 permit udp 10.0.10.0 0.0.0.255 host 10.0.20.20 eq 88
 permit udp 10.0.10.0 0.0.0.255 host 10.0.20.21 eq 88
 permit udp 10.0.10.0 0.0.0.255 host 10.0.20.19 eq ntp
 permit udp 10.0.10.0 0.0.0.255 host 10.0.20.20 eq ntp
 permit tcp 10.0.10.0 0.0.0.255 host 10.0.20.19 eq msrpc
 permit tcp 10.0.10.0 0.0.0.255 host 10.0.20.20 eq msrpc
 permit tcp 10.0.10.0 0.0.0.255 host 10.0.20.12 eq msrpc
 permit tcp 10.0.10.0 0.0.0.255 host 10.0.20.13 eq msrpc
 permit udp 10.0.10.0 0.0.0.255 host 10.0.20.19 eq netbios-ns
 permit udp 10.0.10.0 0.0.0.255 host 10.0.20.20 eq netbios-ns
 permit udp 10.0.10.0 0.0.0.255 host 10.0.20.19 eq netbios-dgm
 permit udp 10.0.10.0 0.0.0.255 host 10.0.20.20 eq netbios-dgm
 permit tcp 10.0.10.0 0.0.0.255 host 10.0.20.19 eq 139
 permit tcp 10.0.10.0 0.0.0.255 host 10.0.20.20 eq 139
 permit udp 10.0.10.0 0.0.0.255 host 10.0.20.35 eq snmp
 permit udp 10.0.10.0 0.0.0.255 host 10.0.20.35 eq snmptrap
 permit tcp 10.0.10.0 0.0.0.255 host 10.0.20.19 eq 389
 permit tcp 10.0.10.0 0.0.0.255 host 10.0.20.20 eq 389
 permit tcp 10.0.10.0 0.0.0.255 host 10.0.20.21 eq 389
 permit udp 10.0.10.0 0.0.0.255 host 10.0.20.19 eq 464
 permit udp 10.0.10.0 0.0.0.255 host 10.0.20.20 eq 464
 permit udp 10.0.10.0 0.0.0.255 host 10.0.20.21 eq 464
 permit tcp 10.0.10.0 0.0.0.255 host 10.0.20.19 eq 464
 permit tcp 10.0.10.0 0.0.0.255 host 10.0.20.20 eq 464
 permit tcp 10.0.10.0 0.0.0.255 host 10.0.20.21 eq 464
 permit udp 10.0.10.0 0.0.0.255 host 10.0.20.19 eq isakmp
 permit udp 10.0.10.0 0.0.0.255 host 10.0.20.20 eq isakmp
 permit tcp 10.0.10.0 0.0.0.255 host 10.0.20.36 eq lpd
 permit tcp 10.0.10.0 0.0.0.255 any eq 593
 permit tcp 10.0.10.0 0.0.0.255 host 10.0.20.19 eq 636
 permit tcp 10.0.10.0 0.0.0.255 host 10.0.20.20 eq 636
 permit tcp 10.0.10.0 0.0.0.255 host 10.0.20.21 eq 636
 permit udp 10.0.10.0 0.0.0.255 host 10.0.20.19 eq 636
 permit udp 10.0.10.0 0.0.0.255 host 10.0.20.20 eq 636
 permit tcp 10.0.10.0 0.0.0.255 host 10.0.20.19 eq 9389
 permit tcp 10.0.10.0 0.0.0.255 host 10.0.20.20 eq 9389
 permit tcp 10.0.10.0 0.0.0.255 any eq 1433
 permit tcp 10.0.10.0 0.0.0.255 any eq 1434
 permit udp 10.0.10.0 0.0.0.255 host 10.0.20.37 eq 1645
 permit udp 10.0.10.0 0.0.0.255 host 10.0.20.37 eq 1646
 permit tcp 10.0.10.0 0.0.0.255 any eq 1801
 permit udp 10.0.10.0 0.0.0.255 any eq 1801
 permit udp 10.0.10.0 0.0.0.255 host 10.0.20.37 eq 1812
 permit udp 10.0.10.0 0.0.0.255 host 10.0.20.37 eq 1813
 permit udp 10.0.10.0 0.0.0.255 any eq 1900
 permit tcp 10.0.10.0 0.0.0.255 host 10.0.20.19 eq 2101
 permit tcp 10.0.10.0 0.0.0.255 host 10.0.20.20 eq 2101
 permit tcp 10.0.10.0 0.0.0.255 any eq 2103
 permit tcp 10.0.10.0 0.0.0.255 any eq 2105
 permit tcp 10.0.10.0 0.0.0.255 any eq 2107
 permit tcp 10.0.10.0 0.0.0.255 any eq 2393
 permit tcp 10.0.10.0 0.0.0.255 any eq 2394
 permit tcp 10.0.10.0 0.0.0.255 any eq 2725
 permit tcp 10.0.10.0 0.0.0.255 host 10.0.20.19 eq 3268
 permit tcp 10.0.10.0 0.0.0.255 host 10.0.20.20 eq 3268
 permit tcp 10.0.10.0 0.0.0.255 host 10.0.20.19 eq 3269
 permit tcp 10.0.10.0 0.0.0.255 host 10.0.20.20 eq 3269
 permit tcp 10.0.10.0 0.0.0.255 any eq 3343
 permit tcp 10.0.10.0 0.0.0.255 any eq 3389
 permit udp 10.0.10.0 0.0.0.255 any eq 3527
 permit tcp 10.0.10.0 0.0.0.255 any eq 5000
 permit tcp 10.0.10.0 0.0.0.255 any eq 5722
 permit tcp 10.0.10.0 0.0.0.255 any eq 5985
 permit tcp 10.0.10.0 0.0.0.255 any eq 5986
 permit tcp 10.0.10.0 0.0.0.255 host 10.0.20.21 eq 7389
 permit tcp 10.0.10.0 0.0.0.255 host 10.0.20.24 eq 12398
 permit tcp 10.0.10.0 0.0.0.255 host 10.0.20.30 eq 69
 permit tcp 10.0.10.0 0.0.0.255 any range 1024 65535
 remark END Ingress from Juniper
 remark BEGIN Ingress from Magenta
 permit tcp 10.0.30.0 0.0.1.255 any eq 22
 permit tcp 10.0.30.0 0.0.1.255 any eq telnet
 permit tcp 10.0.30.0 0.0.1.255 any eq 1200
 permit icmp 10.0.30.0 0.0.1.255 any echo-reply
 permit icmp 10.0.30.0 0.0.1.255 any echo
 permit tcp 10.0.30.0 0.0.1.255 host 10.0.20.19 eq domain
 permit tcp 10.0.30.0 0.0.1.255 host 10.0.20.20 eq domain
 permit udp 10.0.30.0 0.0.1.255 host 10.0.20.19 eq domain
 permit udp 10.0.30.0 0.0.1.255 host 10.0.20.20 eq domain
 permit tcp 10.0.30.0 0.0.1.255 host 10.0.20.19 eq 88
 permit tcp 10.0.30.0 0.0.1.255 host 10.0.20.20 eq 88
 permit tcp 10.0.30.0 0.0.1.255 host 10.0.20.21 eq 88
 permit udp 10.0.30.0 0.0.1.255 host 10.0.20.19 eq 88
 permit udp 10.0.30.0 0.0.1.255 host 10.0.20.20 eq 88
 permit udp 10.0.30.0 0.0.1.255 host 10.0.20.21 eq 88
 permit udp 10.0.30.0 0.0.1.255 host 10.0.20.19 eq ntp
 permit udp 10.0.30.0 0.0.1.255 host 10.0.20.20 eq ntp
 permit tcp 10.0.30.0 0.0.1.255 host 10.0.20.19 eq msrpc
 permit tcp 10.0.30.0 0.0.1.255 host 10.0.20.20 eq msrpc
 permit tcp 10.0.30.0 0.0.1.255 host 10.0.20.12 eq msrpc
 permit tcp 10.0.30.0 0.0.1.255 host 10.0.20.13 eq msrpc
 permit udp 10.0.30.0 0.0.1.255 host 10.0.20.19 eq netbios-ns
 permit udp 10.0.30.0 0.0.1.255 host 10.0.20.20 eq netbios-ns
 permit udp 10.0.30.0 0.0.1.255 host 10.0.20.19 eq netbios-dgm
 permit udp 10.0.30.0 0.0.1.255 host 10.0.20.20 eq netbios-dgm
 permit tcp 10.0.30.0 0.0.1.255 host 10.0.20.19 eq 139
 permit tcp 10.0.30.0 0.0.1.255 host 10.0.20.20 eq 139
 permit udp 10.0.30.0 0.0.1.255 host 10.0.20.35 eq snmp
 permit udp 10.0.30.0 0.0.1.255 host 10.0.20.35 eq snmptrap
 permit tcp 10.0.30.0 0.0.1.255 host 10.0.20.19 eq 389
 permit tcp 10.0.30.0 0.0.1.255 host 10.0.20.20 eq 389
 permit tcp 10.0.30.0 0.0.1.255 host 10.0.20.21 eq 389
 permit udp 10.0.30.0 0.0.1.255 host 10.0.20.19 eq 464
 permit udp 10.0.30.0 0.0.1.255 host 10.0.20.20 eq 464
 permit udp 10.0.30.0 0.0.1.255 host 10.0.20.21 eq 464
 permit tcp 10.0.30.0 0.0.1.255 host 10.0.20.19 eq 464
 permit tcp 10.0.30.0 0.0.1.255 host 10.0.20.20 eq 464
 permit tcp 10.0.30.0 0.0.1.255 host 10.0.20.21 eq 464
 permit udp 10.0.30.0 0.0.1.255 host 10.0.20.19 eq isakmp
 permit udp 10.0.30.0 0.0.1.255 host 10.0.20.20 eq isakmp
 permit tcp 10.0.30.0 0.0.1.255 host 10.0.20.36 eq lpd
 permit tcp 10.0.30.0 0.0.1.255 any eq 593
 permit tcp 10.0.30.0 0.0.1.255 host 10.0.20.19 eq 636
 permit tcp 10.0.30.0 0.0.1.255 host 10.0.20.20 eq 636
 permit tcp 10.0.30.0 0.0.1.255 host 10.0.20.21 eq 636
 permit udp 10.0.30.0 0.0.1.255 host 10.0.20.19 eq 636
 permit udp 10.0.30.0 0.0.1.255 host 10.0.20.20 eq 636
 permit tcp 10.0.30.0 0.0.1.255 host 10.0.20.19 eq 9389
 permit tcp 10.0.30.0 0.0.1.255 host 10.0.20.20 eq 9389
 permit tcp 10.0.30.0 0.0.1.255 any eq 1433
 permit tcp 10.0.30.0 0.0.1.255 any eq 1434
 permit udp 10.0.30.0 0.0.1.255 host 10.0.20.37 eq 1645
 permit udp 10.0.30.0 0.0.1.255 host 10.0.20.37 eq 1646
 permit tcp 10.0.30.0 0.0.1.255 any eq 1801
 permit udp 10.0.30.0 0.0.1.255 any eq 1801
 permit udp 10.0.30.0 0.0.1.255 host 10.0.20.37 eq 1812
 permit udp 10.0.30.0 0.0.1.255 host 10.0.20.37 eq 1813
 permit udp 10.0.30.0 0.0.1.255 any eq 1900
 permit tcp 10.0.30.0 0.0.1.255 host 10.0.20.19 eq 2101
 permit tcp 10.0.30.0 0.0.1.255 host 10.0.20.20 eq 2101
 permit tcp 10.0.30.0 0.0.1.255 any eq 2103
 permit tcp 10.0.30.0 0.0.1.255 any eq 2105
 permit tcp 10.0.30.0 0.0.1.255 any eq 2107
 permit tcp 10.0.30.0 0.0.1.255 any eq 2393
 permit tcp 10.0.30.0 0.0.1.255 any eq 2394
 permit tcp 10.0.30.0 0.0.1.255 any eq 2725
 permit tcp 10.0.30.0 0.0.1.255 host 10.0.20.19 eq 3268
 permit tcp 10.0.30.0 0.0.1.255 host 10.0.20.20 eq 3268
 permit tcp 10.0.30.0 0.0.1.255 host 10.0.20.19 eq 3269
 permit tcp 10.0.30.0 0.0.1.255 host 10.0.20.20 eq 3269
 permit tcp 10.0.30.0 0.0.1.255 any eq 3343
 permit tcp 10.0.30.0 0.0.1.255 any eq 3389
 permit udp 10.0.30.0 0.0.1.255 any eq 3527
 permit tcp 10.0.30.0 0.0.1.255 any eq 5000
 permit tcp 10.0.30.0 0.0.1.255 any eq 5722
 permit tcp 10.0.30.0 0.0.1.255 any eq 5985
 permit tcp 10.0.30.0 0.0.1.255 any eq 5986
 permit tcp 10.0.30.0 0.0.1.255 host 10.0.20.21 eq 7389
 permit tcp 10.0.30.0 0.0.1.255 host 10.0.20.24 eq 12398
 permit tcp 10.0.30.0 0.0.1.255 host 10.0.20.30 eq 69
 permit tcp 10.0.30.0 0.0.1.255 any range 1024 65535
 remark END Ingress from Magenta
 remark BEGIN Explicit deny for tracking
 deny   ip any any
ip access-list extended AZURE-OUT
 remark BEGIN Internal Egress
 permit tcp 10.0.20.0 0.0.0.255 10.0.20.0 0.0.0.255 eq 22
 permit tcp 10.0.20.0 0.0.0.255 10.0.20.0 0.0.0.255 eq telnet
 permit tcp 10.0.20.0 0.0.0.255 10.0.20.0 0.0.0.255 eq 1200
 permit tcp 10.0.20.0 0.0.0.255 10.0.20.0 0.0.0.255 eq 1203
 permit tcp 10.0.20.0 0.0.0.255 10.0.20.0 0.0.0.255 eq 12398
 permit icmp 10.0.20.0 0.0.0.255 10.0.20.0 0.0.0.255 echo-reply
 permit icmp 10.0.20.0 0.0.0.255 10.0.20.0 0.0.0.255 echo
 remark END Internal Egress
 remark BEGIN Egress to Juniper
 permit tcp any 10.0.10.0 0.0.0.255 eq 22
 permit tcp any 10.0.10.0 0.0.0.255 eq telnet
 permit tcp any 10.0.10.0 0.0.0.255 eq 1200
 permit icmp any 10.0.10.0 0.0.0.255 echo-reply
 permit icmp any 10.0.10.0 0.0.0.255 echo
 permit tcp host 10.0.20.19 10.0.10.0 0.0.0.255 eq domain
 permit tcp host 10.0.20.20 10.0.10.0 0.0.0.255 eq domain
 permit udp host 10.0.20.19 10.0.10.0 0.0.0.255 eq domain
 permit udp host 10.0.20.20 10.0.10.0 0.0.0.255 eq domain
 permit tcp host 10.0.20.19 10.0.10.0 0.0.0.255 eq 88
 permit tcp host 10.0.20.20 10.0.10.0 0.0.0.255 eq 88
 permit tcp host 10.0.20.21 10.0.10.0 0.0.0.255 eq 88
 permit udp host 10.0.20.19 10.0.10.0 0.0.0.255 eq 88
 permit udp host 10.0.20.20 10.0.10.0 0.0.0.255 eq 88
 permit udp host 10.0.20.21 10.0.10.0 0.0.0.255 eq 88
 permit udp host 10.0.20.19 10.0.10.0 0.0.0.255 eq ntp
 permit udp host 10.0.20.20 10.0.10.0 0.0.0.255 eq ntp
 permit tcp host 10.0.20.19 10.0.10.0 0.0.0.255 eq msrpc
 permit tcp host 10.0.20.20 10.0.10.0 0.0.0.255 eq msrpc
 permit tcp host 10.0.20.12 10.0.10.0 0.0.0.255 eq msrpc
 permit tcp host 10.0.20.13 10.0.10.0 0.0.0.255 eq msrpc
 permit udp host 10.0.20.19 10.0.10.0 0.0.0.255 eq netbios-ns
 permit udp host 10.0.20.20 10.0.10.0 0.0.0.255 eq netbios-ns
 permit udp host 10.0.20.19 10.0.10.0 0.0.0.255 eq netbios-dgm
 permit udp host 10.0.20.20 10.0.10.0 0.0.0.255 eq netbios-dgm
 permit tcp host 10.0.20.19 10.0.10.0 0.0.0.255 eq 139
 permit tcp host 10.0.20.20 10.0.10.0 0.0.0.255 eq 139
 permit udp host 10.0.20.35 10.0.10.0 0.0.0.255 eq snmp
 permit udp host 10.0.20.35 10.0.10.0 0.0.0.255 eq snmptrap
 permit tcp host 10.0.20.19 10.0.10.0 0.0.0.255 eq 389
 permit tcp host 10.0.20.20 10.0.10.0 0.0.0.255 eq 389
 permit tcp host 10.0.20.21 10.0.10.0 0.0.0.255 eq 389
 permit udp host 10.0.20.19 10.0.10.0 0.0.0.255 eq 464
 permit udp host 10.0.20.20 10.0.10.0 0.0.0.255 eq 464
 permit udp host 10.0.20.21 10.0.10.0 0.0.0.255 eq 464
 permit tcp host 10.0.20.19 10.0.10.0 0.0.0.255 eq 464
 permit tcp host 10.0.20.20 10.0.10.0 0.0.0.255 eq 464
 permit tcp host 10.0.20.21 10.0.10.0 0.0.0.255 eq 464
 permit udp host 10.0.20.19 10.0.10.0 0.0.0.255 eq isakmp
 permit udp host 10.0.20.20 10.0.10.0 0.0.0.255 eq isakmp
 permit tcp host 10.0.20.36 10.0.10.0 0.0.0.255 eq lpd
 permit tcp any 10.0.10.0 0.0.0.255 eq 593
 permit tcp host 10.0.20.19 10.0.10.0 0.0.0.255 eq 636
 permit tcp host 10.0.20.20 10.0.10.0 0.0.0.255 eq 636
 permit tcp host 10.0.20.21 10.0.10.0 0.0.0.255 eq 636
 permit udp host 10.0.20.19 10.0.10.0 0.0.0.255 eq 636
 permit udp host 10.0.20.20 10.0.10.0 0.0.0.255 eq 636
 permit tcp host 10.0.20.19 10.0.10.0 0.0.0.255 eq 9389
 permit tcp host 10.0.20.20 10.0.10.0 0.0.0.255 eq 9389
 permit tcp any 10.0.10.0 0.0.0.255 eq 1433
 permit tcp any 10.0.10.0 0.0.0.255 eq 1434
 permit udp host 10.0.20.37 10.0.10.0 0.0.0.255 eq 1645
 permit udp host 10.0.20.37 10.0.10.0 0.0.0.255 eq 1646
 permit tcp any 10.0.10.0 0.0.0.255 eq 1801
 permit udp any 10.0.10.0 0.0.0.255 eq 1801
 permit udp host 10.0.20.37 10.0.10.0 0.0.0.255 eq 1812
 permit udp host 10.0.20.37 10.0.10.0 0.0.0.255 eq 1813
 permit udp any 10.0.10.0 0.0.0.255 eq 1900
 permit tcp host 10.0.20.19 10.0.10.0 0.0.0.255 eq 2101
 permit tcp host 10.0.20.20 10.0.10.0 0.0.0.255 eq 2101
 permit tcp any 10.0.10.0 0.0.0.255 eq 2103
 permit tcp any 10.0.10.0 0.0.0.255 eq 2105
 permit tcp any 10.0.10.0 0.0.0.255 eq 2107
 permit tcp any 10.0.10.0 0.0.0.255 eq 2393
 permit tcp any 10.0.10.0 0.0.0.255 eq 2394
 permit tcp any 10.0.10.0 0.0.0.255 eq 2725
 permit tcp host 10.0.20.19 10.0.10.0 0.0.0.255 eq 3268
 permit tcp host 10.0.20.20 10.0.10.0 0.0.0.255 eq 3268
 permit tcp host 10.0.20.19 10.0.10.0 0.0.0.255 eq 3269
 permit tcp host 10.0.20.20 10.0.10.0 0.0.0.255 eq 3269
 permit tcp any 10.0.10.0 0.0.0.255 eq 3343
 permit tcp any 10.0.10.0 0.0.0.255 eq 3389
 permit udp any 10.0.10.0 0.0.0.255 eq 3527
 permit tcp any 10.0.10.0 0.0.0.255 eq 5000
 permit tcp any 10.0.10.0 0.0.0.255 eq 5722
 permit tcp any 10.0.10.0 0.0.0.255 eq 5985
 permit tcp any 10.0.10.0 0.0.0.255 eq 5986
 permit tcp host 10.0.20.21 10.0.10.0 0.0.0.255 eq 7389
 permit tcp host 10.0.20.24 10.0.10.0 0.0.0.255 eq 12398
 permit tcp host 10.0.20.30 10.0.10.0 0.0.0.255 eq 69
 permit tcp any 10.0.10.0 0.0.0.255 range 1024 65535
 remark END Egress to Juniper
 remark BEGIN Egress to Magenta
 permit tcp any 10.0.30.0 0.0.1.255 eq 22
 permit tcp any 10.0.30.0 0.0.1.255 eq telnet
 permit tcp any 10.0.30.0 0.0.1.255 eq 1200
 permit icmp any 10.0.30.0 0.0.1.255 echo-reply
 permit icmp any 10.0.30.0 0.0.1.255 echo
 permit tcp host 10.0.20.19 10.0.30.0 0.0.1.255 eq domain
 permit tcp host 10.0.20.20 10.0.30.0 0.0.1.255 eq domain
 permit udp host 10.0.20.19 10.0.30.0 0.0.1.255 eq domain
 permit udp host 10.0.20.20 10.0.30.0 0.0.1.255 eq domain
 permit tcp host 10.0.20.19 10.0.30.0 0.0.1.255 eq 88
 permit tcp host 10.0.20.20 10.0.30.0 0.0.1.255 eq 88
 permit tcp host 10.0.20.21 10.0.30.0 0.0.1.255 eq 88
 permit udp host 10.0.20.19 10.0.30.0 0.0.1.255 eq 88
 permit udp host 10.0.20.20 10.0.30.0 0.0.1.255 eq 88
 permit udp host 10.0.20.21 10.0.30.0 0.0.1.255 eq 88
 permit udp host 10.0.20.19 10.0.30.0 0.0.1.255 eq ntp
 permit udp host 10.0.20.20 10.0.30.0 0.0.1.255 eq ntp
 permit tcp host 10.0.20.19 10.0.30.0 0.0.1.255 eq msrpc
 permit tcp host 10.0.20.20 10.0.30.0 0.0.1.255 eq msrpc
 permit tcp host 10.0.20.12 10.0.30.0 0.0.1.255 eq msrpc
 permit tcp host 10.0.20.13 10.0.30.0 0.0.1.255 eq msrpc
 permit udp host 10.0.20.19 10.0.30.0 0.0.1.255 eq netbios-ns
 permit udp host 10.0.20.20 10.0.30.0 0.0.1.255 eq netbios-ns
 permit udp host 10.0.20.19 10.0.30.0 0.0.1.255 eq netbios-dgm
 permit udp host 10.0.20.20 10.0.30.0 0.0.1.255 eq netbios-dgm
 permit tcp host 10.0.20.19 10.0.30.0 0.0.1.255 eq 139
 permit tcp host 10.0.20.20 10.0.30.0 0.0.1.255 eq 139
 permit udp host 10.0.20.35 10.0.30.0 0.0.1.255 eq snmp
 permit udp host 10.0.20.35 10.0.30.0 0.0.1.255 eq snmptrap
 permit tcp host 10.0.20.19 10.0.30.0 0.0.1.255 eq 389
 permit tcp host 10.0.20.20 10.0.30.0 0.0.1.255 eq 389
 permit tcp host 10.0.20.21 10.0.30.0 0.0.1.255 eq 389
 permit udp host 10.0.20.19 10.0.30.0 0.0.1.255 eq 464
 permit udp host 10.0.20.20 10.0.30.0 0.0.1.255 eq 464
 permit udp host 10.0.20.21 10.0.30.0 0.0.1.255 eq 464
 permit tcp host 10.0.20.19 10.0.30.0 0.0.1.255 eq 464
 permit tcp host 10.0.20.20 10.0.30.0 0.0.1.255 eq 464
 permit tcp host 10.0.20.21 10.0.30.0 0.0.1.255 eq 464
 permit udp host 10.0.20.19 10.0.30.0 0.0.1.255 eq isakmp
 permit udp host 10.0.20.20 10.0.30.0 0.0.1.255 eq isakmp
 permit tcp host 10.0.20.36 10.0.30.0 0.0.1.255 eq lpd
 permit tcp any 10.0.30.0 0.0.1.255 eq 593
 permit tcp host 10.0.20.19 10.0.30.0 0.0.1.255 eq 636
 permit tcp host 10.0.20.20 10.0.30.0 0.0.1.255 eq 636
 permit tcp host 10.0.20.21 10.0.30.0 0.0.1.255 eq 636
 permit udp host 10.0.20.19 10.0.30.0 0.0.1.255 eq 636
 permit udp host 10.0.20.20 10.0.30.0 0.0.1.255 eq 636
 permit tcp host 10.0.20.19 10.0.30.0 0.0.1.255 eq 9389
 permit tcp host 10.0.20.20 10.0.30.0 0.0.1.255 eq 9389
 permit tcp any 10.0.30.0 0.0.1.255 eq 1433
 permit tcp any 10.0.30.0 0.0.1.255 eq 1434
 permit udp host 10.0.20.37 10.0.30.0 0.0.1.255 eq 1645
 permit udp host 10.0.20.37 10.0.30.0 0.0.1.255 eq 1646
 permit tcp any 10.0.30.0 0.0.1.255 eq 1801
 permit udp any 10.0.30.0 0.0.1.255 eq 1801
 permit udp host 10.0.20.37 10.0.30.0 0.0.1.255 eq 1812
 permit udp host 10.0.20.37 10.0.30.0 0.0.1.255 eq 1813
 permit udp any 10.0.30.0 0.0.1.255 eq 1900
 permit tcp host 10.0.20.19 10.0.30.0 0.0.1.255 eq 2101
 permit tcp host 10.0.20.20 10.0.30.0 0.0.1.255 eq 2101
 permit tcp any 10.0.30.0 0.0.1.255 eq 2103
 permit tcp any 10.0.30.0 0.0.1.255 eq 2105
 permit tcp any 10.0.30.0 0.0.1.255 eq 2107
 permit tcp any 10.0.30.0 0.0.1.255 eq 2393
 permit tcp any 10.0.30.0 0.0.1.255 eq 2394
 permit tcp any 10.0.30.0 0.0.1.255 eq 2725
 permit tcp host 10.0.20.19 10.0.30.0 0.0.1.255 eq 3268
 permit tcp host 10.0.20.20 10.0.30.0 0.0.1.255 eq 3268
 permit tcp host 10.0.20.19 10.0.30.0 0.0.1.255 eq 3269
 permit tcp host 10.0.20.20 10.0.30.0 0.0.1.255 eq 3269
 permit tcp any 10.0.30.0 0.0.1.255 eq 3343
 permit tcp any 10.0.30.0 0.0.1.255 eq 3389
 permit udp any 10.0.30.0 0.0.1.255 eq 3527
 permit tcp any 10.0.30.0 0.0.1.255 eq 5000
 permit tcp any 10.0.30.0 0.0.1.255 eq 5722
 permit tcp any 10.0.30.0 0.0.1.255 eq 5985
 permit tcp any 10.0.30.0 0.0.1.255 eq 5986
 permit tcp host 10.0.20.21 10.0.30.0 0.0.1.255 eq 7389
 permit tcp host 10.0.20.24 10.0.30.0 0.0.1.255 eq 12398
 permit tcp host 10.0.20.30 10.0.30.0 0.0.1.255 eq 69
 permit tcp any 10.0.30.0 0.0.1.255 range 1024 65535
 remark END Egress to Magenta
 remark BEGIN Explicit deny for tracking
 deny   ip any any
 remark END Explicit deny for tracking
ip access-list extended JUNIPER-IN
 remark BEGIN Internal Ingress
 permit tcp 10.0.10.0 0.0.0.255 10.0.10.0 0.0.0.255 eq 22
 permit tcp 10.0.10.0 0.0.0.255 10.0.10.0 0.0.0.255 eq telnet
 permit tcp 10.0.10.0 0.0.0.255 10.0.10.0 0.0.0.255 eq 1200
 permit icmp 10.0.10.0 0.0.0.255 10.0.10.0 0.0.0.255 echo-reply
 permit icmp 10.0.10.0 0.0.0.255 10.0.10.0 0.0.0.255 echo
 remark END Internal Ingress
 remark BEGIN Ingress from Azure
 permit tcp 10.0.20.0 0.0.0.255 any eq 22
 permit tcp 10.0.20.0 0.0.0.255 any eq telnet
 permit tcp 10.0.20.0 0.0.0.255 any eq 1200
 permit icmp 10.0.20.0 0.0.0.255 any echo-reply
 permit icmp 10.0.20.0 0.0.0.255 any echo
 permit tcp host 10.0.20.19 any eq domain
 permit tcp host 10.0.20.20 any eq domain
 permit udp host 10.0.20.19 any eq domain
 permit udp host 10.0.20.20 any eq domain
 permit tcp host 10.0.20.19 any eq 88
 permit tcp host 10.0.20.20 any eq 88
 permit tcp host 10.0.20.21 any eq 88
 permit udp host 10.0.20.19 any eq 88
 permit udp host 10.0.20.20 any eq 88
 permit udp host 10.0.20.21 any eq 88
 permit udp host 10.0.20.19 any eq ntp
 permit udp host 10.0.20.20 any eq ntp
 permit tcp host 10.0.20.19 any eq msrpc
 permit tcp host 10.0.20.20 any eq msrpc
 permit tcp host 10.0.20.12 any eq msrpc
 permit tcp host 10.0.20.13 any eq msrpc
 permit udp host 10.0.20.19 any eq netbios-ns
 permit udp host 10.0.20.20 any eq netbios-ns
 permit udp host 10.0.20.19 any eq netbios-dgm
 permit udp host 10.0.20.20 any eq netbios-dgm
 permit tcp host 10.0.20.19 any eq 139
 permit tcp host 10.0.20.20 any eq 139
 permit udp host 10.0.20.35 any eq snmp
 permit udp host 10.0.20.35 any eq snmptrap
 permit tcp host 10.0.20.19 any eq 389
 permit tcp host 10.0.20.20 any eq 389
 permit tcp host 10.0.20.21 any eq 389
 permit udp host 10.0.20.19 any eq 464
 permit udp host 10.0.20.20 any eq 464
 permit udp host 10.0.20.21 any eq 464
 permit tcp host 10.0.20.19 any eq 464
 permit tcp host 10.0.20.20 any eq 464
 permit tcp host 10.0.20.21 any eq 464
 permit udp host 10.0.20.19 any eq isakmp
 permit udp host 10.0.20.20 any eq isakmp
 permit tcp host 10.0.20.36 any eq lpd
 permit tcp 10.0.20.0 0.0.0.255 any eq 593
 permit tcp host 10.0.20.19 any eq 636
 permit tcp host 10.0.20.20 any eq 636
 permit tcp host 10.0.20.21 any eq 636
 permit udp host 10.0.20.19 any eq 636
 permit udp host 10.0.20.20 any eq 636
 permit tcp host 10.0.20.19 any eq 9389
 permit tcp host 10.0.20.20 any eq 9389
 permit tcp 10.0.20.0 0.0.0.255 any eq 1433
 permit tcp 10.0.20.0 0.0.0.255 any eq 1434
 permit udp host 10.0.20.37 any eq 1645
 permit udp host 10.0.20.37 any eq 1646
 permit tcp 10.0.20.0 0.0.0.255 any eq 1801
 permit udp 10.0.20.0 0.0.0.255 any eq 1801
 permit udp host 10.0.20.37 any eq 1812
 permit udp host 10.0.20.37 any eq 1813
 permit udp 10.0.20.0 0.0.0.255 any eq 1900
 permit tcp host 10.0.20.19 any eq 2101
 permit tcp host 10.0.20.20 any eq 2101
 permit tcp 10.0.20.0 0.0.0.255 any eq 2103
 permit tcp 10.0.20.0 0.0.0.255 any eq 2105
 permit tcp 10.0.20.0 0.0.0.255 any eq 2107
 permit tcp 10.0.20.0 0.0.0.255 any eq 2393
 permit tcp 10.0.20.0 0.0.0.255 any eq 2394
 permit tcp 10.0.20.0 0.0.0.255 any eq 2725
 permit tcp host 10.0.20.19 any eq 3268
 permit tcp host 10.0.20.20 any eq 3268
 permit tcp host 10.0.20.19 any eq 3269
 permit tcp host 10.0.20.20 any eq 3269
 permit tcp 10.0.20.0 0.0.0.255 any eq 3343
 permit tcp 10.0.20.0 0.0.0.255 any eq 3389
 permit udp 10.0.20.0 0.0.0.255 any eq 3527
 permit tcp 10.0.20.0 0.0.0.255 any eq 5000
 permit tcp 10.0.20.0 0.0.0.255 any eq 5722
 permit tcp 10.0.20.0 0.0.0.255 any eq 5985
 permit tcp 10.0.20.0 0.0.0.255 any eq 5986
 permit tcp host 10.0.20.21 any eq 7389
 permit tcp host 10.0.20.24 any eq 12398
 permit tcp host 10.0.20.30 any eq 69
 permit tcp 10.0.20.0 0.0.0.255 any range 1024 65535
 remark END Ingress from Azure
 remark BEGIN Explicit deny for tracking
 deny   ip any any
 remark END Explicit deny for tracking
ip access-list extended JUNIPER-OUT
 remark BEGIN Internal Egress
 permit tcp 10.0.10.0 0.0.0.255 10.0.10.0 0.0.0.255 eq 22
 permit tcp 10.0.10.0 0.0.0.255 10.0.10.0 0.0.0.255 eq telnet
 permit tcp 10.0.10.0 0.0.0.255 10.0.10.0 0.0.0.255 eq 1200
 permit icmp 10.0.10.0 0.0.0.255 10.0.10.0 0.0.0.255 echo-reply
 permit icmp 10.0.10.0 0.0.0.255 10.0.10.0 0.0.0.255 echo
 remark END Internal Egress
 remark BEGIN Egress to Azure
 permit tcp any 10.0.20.0 0.0.0.255 eq 22
 permit tcp any 10.0.20.0 0.0.0.255 eq telnet
 permit tcp any 10.0.20.0 0.0.0.255 eq 1200
 permit icmp any 10.0.20.0 0.0.0.255 echo-reply
 permit icmp any 10.0.20.0 0.0.0.255 echo
 permit tcp any host 10.0.20.19 eq domain
 permit tcp any host 10.0.20.20 eq domain
 permit udp any host 10.0.20.19 eq domain
 permit udp any host 10.0.20.20 eq domain
 permit tcp any host 10.0.20.19 eq 88
 permit tcp any host 10.0.20.20 eq 88
 permit tcp any host 10.0.20.21 eq 88
 permit udp any host 10.0.20.19 eq 88
 permit udp any host 10.0.20.20 eq 88
 permit udp any host 10.0.20.21 eq 88
 permit udp any host 10.0.20.19 eq ntp
 permit udp any host 10.0.20.20 eq ntp
 permit tcp any host 10.0.20.19 eq msrpc
 permit tcp any host 10.0.20.20 eq msrpc
 permit tcp any host 10.0.20.12 eq msrpc
 permit tcp any host 10.0.20.13 eq msrpc
 permit udp any host 10.0.20.19 eq netbios-ns
 permit udp any host 10.0.20.20 eq netbios-ns
 permit udp any host 10.0.20.19 eq netbios-dgm
 permit udp any host 10.0.20.20 eq netbios-dgm
 permit tcp any host 10.0.20.19 eq 139
 permit tcp any host 10.0.20.20 eq 139
 permit udp any host 10.0.20.35 eq snmp
 permit udp any host 10.0.20.35 eq snmptrap
 permit tcp any host 10.0.20.19 eq 389
 permit tcp any host 10.0.20.20 eq 389
 permit tcp any host 10.0.20.21 eq 389
 permit udp any host 10.0.20.19 eq 464
 permit udp any host 10.0.20.20 eq 464
 permit udp any host 10.0.20.21 eq 464
 permit tcp any host 10.0.20.19 eq 464
 permit tcp any host 10.0.20.20 eq 464
 permit tcp any host 10.0.20.21 eq 464
 permit udp any host 10.0.20.19 eq isakmp
 permit udp any host 10.0.20.20 eq isakmp
 permit tcp any host 10.0.20.36 eq lpd
 permit tcp any 10.0.20.0 0.0.0.255 eq 593
 permit tcp any host 10.0.20.19 eq 636
 permit tcp any host 10.0.20.20 eq 636
 permit tcp any host 10.0.20.21 eq 636
 permit udp any host 10.0.20.19 eq 636
 permit udp any host 10.0.20.20 eq 636
 permit tcp any host 10.0.20.19 eq 9389
 permit tcp any host 10.0.20.20 eq 9389
 permit tcp any 10.0.20.0 0.0.0.255 eq 1433
 permit tcp any 10.0.20.0 0.0.0.255 eq 1434
 permit udp any host 10.0.20.37 eq 1645
 permit udp any host 10.0.20.37 eq 1646
 permit tcp any 10.0.20.0 0.0.0.255 eq 1801
 permit udp any 10.0.20.0 0.0.0.255 eq 1801
 permit udp any host 10.0.20.37 eq 1812
 permit udp any host 10.0.20.37 eq 1813
 permit udp any 10.0.20.0 0.0.0.255 eq 1900
 permit tcp any host 10.0.20.19 eq 2101
 permit tcp any host 10.0.20.20 eq 2101
 permit tcp any 10.0.20.0 0.0.0.255 eq 2103
 permit tcp any 10.0.20.0 0.0.0.255 eq 2105
 permit tcp any 10.0.20.0 0.0.0.255 eq 2107
 permit tcp any 10.0.20.0 0.0.0.255 eq 2393
 permit tcp any 10.0.20.0 0.0.0.255 eq 2394
 permit tcp any 10.0.20.0 0.0.0.255 eq 2725
 permit tcp any host 10.0.20.19 eq 3268
 permit tcp any host 10.0.20.20 eq 3268
 permit tcp any host 10.0.20.19 eq 3269
 permit tcp any host 10.0.20.20 eq 3269
 permit tcp any 10.0.20.0 0.0.0.255 eq 3343
 permit tcp any 10.0.20.0 0.0.0.255 eq 3389
 permit udp any 10.0.20.0 0.0.0.255 eq 3527
 permit tcp any 10.0.20.0 0.0.0.255 eq 5000
 permit tcp any 10.0.20.0 0.0.0.255 eq 5722
 permit tcp any 10.0.20.0 0.0.0.255 eq 5985
 permit tcp any 10.0.20.0 0.0.0.255 eq 5986
 permit tcp any host 10.0.20.21 eq 7389
 permit tcp any host 10.0.20.24 eq 12398
 permit tcp any host 10.0.20.30 eq 69
 permit tcp any 10.0.20.0 0.0.0.255 range 1024 65535
 remark END Egress to Azure
 remark BEGIN Explicit deny for tracking
 deny   ip any any
 remark END Explicit deny for tracking
ip access-list extended MAGENTA-IN
 remark BEGIN Internal Ingress
 permit tcp 10.0.30.0 0.0.1.255 10.0.30.0 0.0.1.255 eq 22
 permit tcp 10.0.30.0 0.0.1.255 10.0.30.0 0.0.1.255 eq telnet
 permit tcp 10.0.30.0 0.0.1.255 10.0.30.0 0.0.1.255 eq 1200
 permit tcp 10.0.30.0 0.0.1.255 10.0.30.0 0.0.1.255 eq 1203
 permit icmp 10.0.30.0 0.0.1.255 10.0.30.0 0.0.1.255 echo-reply
 permit icmp 10.0.30.0 0.0.1.255 any echo-reply
 permit icmp 10.0.30.0 0.0.1.255 10.0.30.0 0.0.1.255 echo
 permit icmp 10.0.30.0 0.0.1.255 any echo
 remark END Internal Ingress
 remark BEGIN Ingress from Azure
 permit tcp 10.0.20.0 0.0.0.255 any eq 22
 permit tcp 10.0.20.0 0.0.0.255 any eq telnet
 permit tcp 10.0.20.0 0.0.0.255 any eq 1200
 permit icmp 10.0.20.0 0.0.0.255 any echo-reply
 permit icmp 10.0.20.0 0.0.0.255 any echo
 permit tcp host 10.0.20.19 any eq domain
 permit tcp host 10.0.20.20 any eq domain
 permit udp host 10.0.20.19 any eq domain
 permit udp host 10.0.20.20 any eq domain
 permit tcp host 10.0.20.19 any eq 88
 permit tcp host 10.0.20.20 any eq 88
 permit tcp host 10.0.20.21 any eq 88
 permit udp host 10.0.20.19 any eq 88
 permit udp host 10.0.20.20 any eq 88
 permit udp host 10.0.20.21 any eq 88
 permit udp host 10.0.20.19 any eq ntp
 permit udp host 10.0.20.20 any eq ntp
 permit tcp host 10.0.20.19 any eq msrpc
 permit tcp host 10.0.20.20 any eq msrpc
 permit tcp host 10.0.20.12 any eq msrpc
 permit tcp host 10.0.20.13 any eq msrpc
 permit udp host 10.0.20.19 any eq netbios-ns
 permit udp host 10.0.20.20 any eq netbios-ns
 permit udp host 10.0.20.19 any eq netbios-dgm
 permit udp host 10.0.20.20 any eq netbios-dgm
 permit tcp host 10.0.20.19 any eq 139
 permit tcp host 10.0.20.20 any eq 139
 permit udp host 10.0.20.35 any eq snmp
 permit udp host 10.0.20.35 any eq snmptrap
 permit tcp host 10.0.20.19 any eq 389
 permit tcp host 10.0.20.20 any eq 389
 permit tcp host 10.0.20.21 any eq 389
 permit udp host 10.0.20.19 any eq 464
 permit udp host 10.0.20.20 any eq 464
 permit udp host 10.0.20.21 any eq 464
 permit tcp host 10.0.20.19 any eq 464
 permit tcp host 10.0.20.20 any eq 464
 permit tcp host 10.0.20.21 any eq 464
 permit udp host 10.0.20.19 any eq isakmp
 permit udp host 10.0.20.20 any eq isakmp
 permit tcp host 10.0.20.36 any eq lpd
 permit tcp 10.0.20.0 0.0.0.255 any eq 593
 permit tcp host 10.0.20.19 any eq 636
 permit tcp host 10.0.20.20 any eq 636
 permit tcp host 10.0.20.21 any eq 636
 permit udp host 10.0.20.19 any eq 636
 permit udp host 10.0.20.20 any eq 636
 permit tcp host 10.0.20.19 any eq 9389
 permit tcp host 10.0.20.20 any eq 9389
 permit tcp 10.0.20.0 0.0.0.255 any eq 1433
 permit tcp 10.0.20.0 0.0.0.255 any eq 1434
 permit udp host 10.0.20.37 any eq 1645
 permit udp host 10.0.20.37 any eq 1646
 permit tcp 10.0.20.0 0.0.0.255 any eq 1801
 permit udp 10.0.20.0 0.0.0.255 any eq 1801
 permit udp host 10.0.20.37 any eq 1812
 permit udp host 10.0.20.37 any eq 1813
 permit udp 10.0.20.0 0.0.0.255 any eq 1900
 permit tcp host 10.0.20.19 any eq 2101
 permit tcp host 10.0.20.20 any eq 2101
 permit tcp 10.0.20.0 0.0.0.255 any eq 2103
 permit tcp 10.0.20.0 0.0.0.255 any eq 2105
 permit tcp 10.0.20.0 0.0.0.255 any eq 2107
 permit tcp 10.0.20.0 0.0.0.255 any eq 2393
 permit tcp 10.0.20.0 0.0.0.255 any eq 2394
 permit tcp 10.0.20.0 0.0.0.255 any eq 2725
 permit tcp host 10.0.20.19 any eq 3268
 permit tcp host 10.0.20.20 any eq 3268
 permit tcp host 10.0.20.19 any eq 3269
 permit tcp host 10.0.20.20 any eq 3269
 permit tcp 10.0.20.0 0.0.0.255 any eq 3343
 permit tcp 10.0.20.0 0.0.0.255 any eq 3389
 permit udp 10.0.20.0 0.0.0.255 any eq 3527
 permit tcp 10.0.20.0 0.0.0.255 any eq 5000
 permit tcp 10.0.20.0 0.0.0.255 any eq 5722
 permit tcp 10.0.20.0 0.0.0.255 any eq 5985
 permit tcp 10.0.20.0 0.0.0.255 any eq 5986
 permit tcp host 10.0.20.21 any eq 7389
 permit tcp host 10.0.20.24 any eq 12398
 permit tcp host 10.0.20.30 any eq 69
 permit tcp 10.0.20.0 0.0.0.255 any range 1024 65535
 permit tcp any any eq www
 permit tcp any any eq 443
 permit udp any any eq domain
 permit tcp any any eq domain
 permit tcp any eq domain any
 permit udp any eq domain any
 permit ip any any
 deny   ip any any
ip access-list extended MAGENTA-OUT
 remark BEGIN Internal Egress
 permit tcp 10.0.30.0 0.0.1.255 10.0.30.0 0.0.1.255 eq 22
 permit tcp 10.0.30.0 0.0.1.255 10.0.30.0 0.0.1.255 eq telnet
 permit tcp 10.0.30.0 0.0.1.255 10.0.30.0 0.0.1.255 eq 1200
 permit tcp 10.0.30.0 0.0.1.255 10.0.30.0 0.0.1.255 eq 1203
 permit icmp 10.0.30.0 0.0.1.255 10.0.30.0 0.0.1.255 echo-reply
 permit icmp 10.0.30.0 0.0.1.255 10.0.30.0 0.0.1.255 echo
 permit tcp any any eq domain
 permit tcp any eq domain any
 permit udp any any eq domain
 permit udp any eq domain any
 remark END Internal Egress
 deny   ip any any
ip access-list extended RUBY-IN
ip access-list extended RUBY-OUT
!
access-list 2000 permit udp 10.0.30.0 0.0.1.255 any
!
!
!
control-plane
 service-policy input system-cpp-policy
!
!
line con 0
 login local
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 login local
 transport input ssh
line vty 5 15
 login local
 transport input ssh
!
!
mac address-table notification mac-move
!
!
!
!
!
end

There are quite a few large unused ACLs here, but the only ones I'm currently interested in are the AMARANTH_X ones.

VIP Mentor

Re: Help with ACL Issue

Hello,

 

can your hosts in Vlan 100 actually ping their own default gateway ? Your Vlan 100 has room for only 5 hosts (10.0.100.2 - 10.0.100.6).

 

What is the purpose of the static route:

 

ip route 10.0.100.0 255.255.255.248 10.0.100.2

Highlighted
Beginner

Re: Help with ACL Issue

With the ACL applied, they cannot ping the GW. When the ACL is removed, they can ping it until the cows come home. The static route was a move of desperation that was removed after posting this. It didn't need to be there in hindsight.
Participant

Re: Help with ACL Issue

your direction is wrong. Looking specifically at the amarinth-in acl, which is applied inbound on the SVI for vlan 100. What that means is that any traffic on vlan 100 coming to the SVI. So your source hosts would have to be 10.0.100.x to see hits on the acl as you are expecting. What you are seeing now is the acl doing exactly what you told it to do.

this will sound corny, but to clarify how the direction works, imagine you are standing right at the vlan 100 SVI, facing the LAN for vlan 100. an acl applied inbound would be sourced on vlan 100. an acl applied outbound would be destined for valn 100.

Beginner

Re: Help with ACL Issue

That seems counter-intuitive, but perhaps I'm conceptualizing direction incorrectly. My assumption was that inbound in relation to the VLAN meant sourced outside the VLAN, destined to a target within the VLAN; outbound was sourced inside the VLAN, destined to a target outside the VLAN.
Participant

Re: Help with ACL Issue

yep, your conceptualization is backward. It's all from the perspective of the SVI. Inbound acl on the SVI means traffic sourced from vlan 100 destined for the network, and outbound acl on the SVI means traffic from the network destined for vlan 100. It can be a little counter intuitive at first but once you get it it's easy. 

Hall of Fame Expert

Re: Help with ACL Issue

Hello dctadmin,

think of an SVI layer3 interface as an host connected to the corresponding L2 broadcast domain and providing L3 routing services to other hosts in the Vlan:

the inbound direction is traffic sent to the default gateway by hosts in Vlan and destined to other subnets

the outbound direction is traffic coming from other networks and with a destination in the Vlan subnet.

 

At the beginning of multilayer switching on Catalyst 6500 or 5500 the routing card was added running a separate IOS image and the L2 supervisor was running CatOS.

The choice of direction meaning was made in those times when the MSFC was actually a separate device connected via internal trunk ports to the L2 switch.

 

Hope to help

Giuseppe

 

CreatePlease to create content
Content for Community-Ad
July's Community Spotlight Awards