02-05-2024 02:49 AM
Can anyone advise me as to where I have gone wrong with this config, please? I normally do ACLs on ASAs using ASDM, but for this I have to do the ACLs on the layer 3 switch using the CLI.
I am wanting to allow port 80 and ping between the PC and server and nothing else. But when I use telnet on the PC using port 443, it is still open.
interface GigabitEthernet1/0/1
switchport access vlan 10
switchport mode access
ip access-group vlan20_10 in
!
interface GigabitEthernet1/0/2
switchport access vlan 20
switchport mode access
ip access-group vlan10_20 in
!
interface GigabitEthernet1/0/3
!
interface GigabitEthernet1/0/4
!
interface GigabitEthernet1/0/5
!
interface GigabitEthernet1/0/6
!
interface GigabitEthernet1/0/7
!
interface GigabitEthernet1/0/8
!
interface GigabitEthernet1/0/9
!
interface GigabitEthernet1/0/10
!
interface GigabitEthernet1/0/11
!
interface GigabitEthernet1/0/12
!
interface GigabitEthernet1/0/13
!
interface GigabitEthernet1/0/14
!
interface GigabitEthernet1/0/15
!
interface GigabitEthernet1/0/16
!
interface GigabitEthernet1/0/17
!
interface GigabitEthernet1/0/18
!
interface GigabitEthernet1/0/19
!
interface GigabitEthernet1/0/20
!
interface GigabitEthernet1/0/21
!
interface GigabitEthernet1/0/22
!
interface GigabitEthernet1/0/23
!
interface GigabitEthernet1/0/24
switchport mode trunk
!
interface GigabitEthernet1/1/1
!
interface GigabitEthernet1/1/2
!
interface GigabitEthernet1/1/3
!
interface GigabitEthernet1/1/4
!
interface Vlan1
ip address 192.168.99.1 255.255.255.0
!
interface Vlan10
mac-address 0002.4a2d.ab01
ip address 192.168.10.254 255.255.255.0
!
interface Vlan20
mac-address 0002.4a2d.ab02
ip address 172.16.200.254 255.255.255.0
!
ip default-gateway 192.168.99.254
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.99.254
!
ip flow-export version 9
!
!
ip access-list extended vlan10_20
permit tcp 192.168.10.0 0.0.0.255 172.16.200.0 0.0.0.255 eq www
permit icmp 192.168.10.0 0.0.0.255 172.16.200.0 0.0.0.255
deny ip any any
ip access-list extended vlan20_10
permit tcp 172.16.200.0 0.0.0.255 192.168.10.0 0.0.0.255 eq www
permit icmp 172.16.200.0 0.0.0.255 192.168.10.0 0.0.0.255
deny ip any any
!
!
02-05-2024 03:03 AM
Hello @peat
You only need the ACL on Gi0/0/1 first.
interface GigabitEthernet1/0/1
switchport access vlan 10
switchport mode access
ip access-group vlan20_10 in
!
ip access-list extended vlan20_10
permit tcp 192.168.10.0 0.0.0.255 172.16.200.0 0.0.0.255 eq www
permit icmp 192.168.10.0 0.0.0.255 172.16.200.0 0.0.0.255
deny ip any any
02-05-2024 03:41 AM
Thanks, just tried that but 443 is still open.
!
!
!
!
interface GigabitEthernet1/0/1
switchport access vlan 10
switchport mode access
ip access-group vlan20_10 in
!
interface GigabitEthernet1/0/2
switchport access vlan 20
switchport mode access
!
interface GigabitEthernet1/0/3
!
interface GigabitEthernet1/0/4
!
interface GigabitEthernet1/0/5
!
!
interface GigabitEthernet1/0/24
switchport mode trunk
!
interface GigabitEthernet1/1/1
!
interface GigabitEthernet1/1/2
!
interface GigabitEthernet1/1/3
!
interface GigabitEthernet1/1/4
!
interface Vlan1
ip address 192.168.99.1 255.255.255.0
!
interface Vlan10
mac-address 0002.4a2d.ab01
ip address 192.168.10.254 255.255.255.0
!
interface Vlan20
mac-address 0002.4a2d.ab02
ip address 172.16.200.254 255.255.255.0
!
ip default-gateway 192.168.99.254
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.99.254
!
ip flow-export version 9
!
!
ip access-list extended vlan20_10
permit tcp 192.168.0.0 0.0.0.255 172.16.200.0 0.0.0.255 eq www
permit icmp 192.168.0.0 0.0.0.255 172.16.200.0 0.0.0.255
deny ip any any
!
!
!
!
02-05-2024 03:54 AM - edited 02-05-2024 03:54 AM
Sorry @peat
Apply ACL on SVI 10, not under interface Gi0/0/1
02-05-2024 06:33 AM
Sorry to be a pain, but that has blocked all traffic from 192.168.10.1 now.
!
!
interface GigabitEthernet1/0/1
switchport access vlan 10
switchport mode access
!
interface GigabitEthernet1/0/2
switchport access vlan 20
switchport mode access
!
interface GigabitEthernet1/0/3
!
interface GigabitEthernet1/0/4
!
interface GigabitEthernet1/0/5
!
!
interface GigabitEthernet1/0/24
switchport mode trunk
!
interface GigabitEthernet1/1/1
!
interface GigabitEthernet1/1/2
!
interface GigabitEthernet1/1/3
!
interface GigabitEthernet1/1/4
!
interface Vlan1
ip address 192.168.99.1 255.255.255.0
!
interface Vlan10
mac-address 0002.4a2d.ab01
ip address 192.168.10.254 255.255.255.0
ip access-group vlan20_10 in
!
interface Vlan20
mac-address 0002.4a2d.ab02
ip address 172.16.200.254 255.255.255.0
!
ip default-gateway 192.168.99.254
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.99.254
!
ip flow-export version 9
!
!
ip access-list extended vlan20_10
permit tcp 192.168.0.0 0.0.0.255 172.16.200.0 0.0.0.255 eq www
permit icmp 192.168.0.0 0.0.0.255 172.16.200.0 0.0.0.255
deny ip any any
!
!
!
!
02-05-2024 06:48 AM
Enter this ACL:
ip access-list extended vlan20_10
permit tcp 192.168.10.0 0.0.0.255 172.16.200.0 0.0.0.255 eq www
permit icmp 192.168.10.0 0.0.0.255 172.16.200.0 0.0.0.255
deny ip any any
Apply this on SVI 10
That should be OK now.
02-05-2024 06:56 AM
Arghghgh, typo! Silly me.
Thanks very much, that's sorted it.
02-05-2024 07:02 AM
You're very welcome @peat
02-05-2024 08:38 AM
BTW, although what M02@rt37 posted appears to be correct, its correctness depends on how thoroughly you want to limit traffic to/from those subnets and what specific traffic you want to limit.
For example, your OP notes "I am wanting to allow port 80 and ping between the Pc and Server and nothing else."
The ACE for ICMP allows any two-way ICMP, not just ping.
If you want to limit ICMP to ping, you can restrict it to allowing only the ping ICMPs.
Also, with ping, do you want to allow both networks to ping each other, or only one side initiate the ping and the other side respond?
Since you're only using an ingress ACL on the SVI, you're allowing any kind of traffic to enter this VLAN. As most traffic looks for two-way communication, blocking just one direction will curtail two-way communications, but the outside could send anything it wants to that VLAN. Is that okay? If not, you could also apply an egress ACL on the SVI.
Further BTW, if there's only the one subnet on VLAN 10, your ingress ACEs could use "any" for source.
As every ACL ends with an implicit deny everything, the last ACE isn't actually needed.
e.g.
rather than:
ip access-list extended vlan20_10 !BTW, believe from your OP this should be using ip access-list extended vlan10_20
permit tcp 192.168.10.0 0.0.0.255 172.16.200.0 0.0.0.255 eq www
permit icmp 192.168.10.0 0.0.0.255 172.16.200.0 0.0.0.255
deny ip any any
possibly:
ip access-list extended vlan10_20 !for VL10 SVI ingress
permit tcp any 172.16.200.0 0.0.0.255 eq www
permit icmp any 172.16.200.0 0.0.0.255 echo
permit icmp any 172.16.200.0 0.0.0.255 echo-reply
ip access-list extended vlan20_10 !for VL10 SVI egress
permit tcp 172.16.200.0 0.0.0.255 eq www any established
permit icmp 172.16.200.0 0.0.0.255 any echo
permit icmp 172.16.200.0 0.0.0.255 any echo-reply
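The three ACLs discussed in this thread (the accepted answer's list, the typo'd 192.168.0.0 version that blocked everything, and the tighter ingress/egress pair in the last post) can be checked offline before touching the switch. The script below is an added example, not code from the thread or from Cisco: it is a simplified model of IOS extended-ACL evaluation (first matching ACE wins, an unmatched packet hits the implicit deny, a wildcard bit of 0 means "must match", `established` is treated as "TCP ACK or RST bit set", and only the ACE syntax used on this page is parsed). The `Packet` class, the helper names and the test traffic between 192.168.10.1 and 172.16.200.1 are constructed for the example; "in" on the VLAN 10 SVI is modelled as packets sourced by VLAN 10 hosts.

```python
"""Offline model of Cisco IOS extended-ACL matching (added example, not from the thread)."""
from dataclasses import dataclass
from typing import Optional
import ipaddress

# Only the port names that appear on this page; extend as needed (assumption: IOS keyword -> number).
PORT_NAMES = {"www": 80, "https": 443, "telnet": 23, "ssh": 22}


@dataclass(frozen=True)
class Packet:
    proto: str                       # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None
    icmp_type: Optional[str] = None  # "echo", "echo-reply", "redirect", ...
    ack_or_rst: bool = False         # TCP segments with ACK or RST set are what 'established' matches


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """IOS wildcard semantics: compare only the bits where the wildcard mask is 0."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, network, wildcard))
    return (a | w) == (n | w)


def _parse_addr(tokens):
    """Consume 'any', 'host X' or 'X WILDCARD'; return ((network, wildcard), remaining tokens)."""
    if tokens[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    return (tokens[0], tokens[1]), tokens[2:]


def _parse_port(tokens):
    """Consume an optional 'eq <port>' qualifier; return (port or None, remaining tokens)."""
    if tokens and tokens[0] == "eq":
        p = tokens[1]
        return (int(p) if p.isdigit() else PORT_NAMES[p]), tokens[2:]
    return None, tokens


def parse_ace(line: str) -> dict:
    """Parse one ACE, e.g. 'permit tcp 192.168.10.0 0.0.0.255 172.16.200.0 0.0.0.255 eq www'."""
    tokens = line.split("!")[0].split()          # drop trailing '!' comments as written on the page
    action, proto = tokens[0], tokens[1]
    src, rest = _parse_addr(tokens[2:])
    sport, rest = _parse_port(rest)              # source port comes right after the source address
    dst, rest = _parse_addr(rest)
    dport, rest = _parse_port(rest)
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dst": dst, "dport": dport, "flags": set(rest)}   # 'established', 'echo', 'echo-reply'


def ace_matches(ace: dict, pkt: Packet) -> bool:
    if ace["proto"] not in ("ip", pkt.proto):
        return False
    if not (wildcard_match(pkt.src, *ace["src"]) and wildcard_match(pkt.dst, *ace["dst"])):
        return False
    if ace["sport"] is not None and pkt.sport != ace["sport"]:
        return False
    if ace["dport"] is not None and pkt.dport != ace["dport"]:
        return False
    if "established" in ace["flags"] and not pkt.ack_or_rst:
        return False
    icmp_types = ace["flags"] & {"echo", "echo-reply"}
    if icmp_types and pkt.icmp_type not in icmp_types:
        return False
    return True


def evaluate(acl: list, pkt: Packet) -> str:
    """Return 'permit' or 'deny': first match wins, implicit 'deny ip any any' at the end."""
    for line in acl:
        ace = parse_ace(line)
        if ace_matches(ace, pkt):
            return ace["action"]
    return "deny"


# Accepted answer's ACL, applied 'in' on the VLAN 10 SVI: it sees packets sourced by 192.168.10.x.
ACL_FIXED = [
    "permit tcp 192.168.10.0 0.0.0.255 172.16.200.0 0.0.0.255 eq www",
    "permit icmp 192.168.10.0 0.0.0.255 172.16.200.0 0.0.0.255",
    "deny ip any any",
]
# The typo from the thread: 192.168.0.0 0.0.0.255 covers 192.168.0.x only, never 192.168.10.x.
ACL_TYPO = [ace.replace("192.168.10.0", "192.168.0.0") for ace in ACL_FIXED]
# The tighter pair from the last post: ingress limited to echo/echo-reply, egress to HTTP replies + ping.
ACL_VL10_IN = [
    "permit tcp any 172.16.200.0 0.0.0.255 eq www",
    "permit icmp any 172.16.200.0 0.0.0.255 echo",
    "permit icmp any 172.16.200.0 0.0.0.255 echo-reply",
]
ACL_VL10_OUT = [
    "permit tcp 172.16.200.0 0.0.0.255 eq www any established",
    "permit icmp 172.16.200.0 0.0.0.255 any echo",
    "permit icmp 172.16.200.0 0.0.0.255 any echo-reply",
]

# Constructed test traffic: the PC at 192.168.10.1 talking to the server at 172.16.200.1.
PC, SERVER = "192.168.10.1", "172.16.200.1"
CASES = {
    "pc->server tcp/80":        Packet("tcp", PC, SERVER, sport=51000, dport=80),
    "pc->server tcp/443":       Packet("tcp", PC, SERVER, sport=51001, dport=443),
    "pc->server ping":          Packet("icmp", PC, SERVER, icmp_type="echo"),
    "pc->server icmp redirect": Packet("icmp", PC, SERVER, icmp_type="redirect"),
}

if __name__ == "__main__":
    for name, acl in (("fixed", ACL_FIXED), ("typo", ACL_TYPO), ("vl10-in", ACL_VL10_IN)):
        for label, pkt in CASES.items():
            print(f"{name:8} {label:26} {evaluate(acl, pkt)}")
    # Egress side: the HTTP reply (ACK set, source port 80) passes, a server-initiated SYN does not.
    print("vl10-out reply", evaluate(ACL_VL10_OUT, Packet("tcp", SERVER, PC, sport=80, dport=51000, ack_or_rst=True)))
    print("vl10-out syn  ", evaluate(ACL_VL10_OUT, Packet("tcp", SERVER, PC, sport=40000, dport=445)))
```

Running it reproduces the thread: with the fixed list, tcp/80 and ping are permitted and tcp/443 is denied; with the typo'd list nothing from 192.168.10.1 matches any permit, so the implicit deny drops it all, which is why the SVI went dark. The stricter ingress list also shows the last post's point that a plain `permit icmp` lets any ICMP type through (the redirect passes under ACL_FIXED but not under ACL_VL10_IN). The model says nothing about platform behaviour such as whether a given switch or simulator honours a port ACL on a layer 2 interface; it only checks the logic of the list itself.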