Outbound ACL

s.kanth
Level 1

Hi ,

An outbound ACL is applied on Gi0/0.40 and three different IP scopes are defined.

interface GigabitEthernet0/0.40
encapsulation dot1Q 10
ip address 192.168.0.254 255.255.255.0 secondary
ip address 192.168.1.254 255.255.255.0 secondary
ip address 10.60.15.252 255.255.255.0
ip access-group Test out

IP access list extended Test
10 permit ip 192.168.0.0 0.0.0.255 10.62.15.0 0.0.0.255
20 permit ip 192.168.1.0 0.0.0.255 10.62.15.0 0.0.0.255
30 permit ip 10.62.15.0 0.0.0.255 192.168.0.0 0.0.0.255
40 permit ip 10.62.15.0 0.0.0.255 192.168.1.0 0.0.0.255
50 deny ip any any log

Issue:

Whenever we try to RDP (3389) to 192.168.0.80 from 10.62.15.10,
we do not see any hits on the above ACLs, but blocks are seen in the syslog server.

Hence we explicitly added specific ACL entries in both directions... then it started working...

45 permit tcp 192.168.0.0 0.0.0.255 eq 3389 10.60.15.0 0.0.0.255
46 permit tcp 10.60.15.0 0.0.0.255 192.168.0.0 0.0.0.255 eq 7777

Do you have any idea? We had allowed the entire subnet and it did not work (subnet to subnet).

Thanks

Sri

1 Accepted Solution


Actually ACL number 30 will serve your solution.


8 Replies

Is the interface GigabitEthernet0/0.40 an inside-facing port or an outside-facing port?

You may try the command "ip access-group Test in" instead of out, so that it will match the source of the traffic.

Hi Bharat,

Thanks for your reply. The ACL is applied in the outbound direction.

Thanks

Sri

Okay,

The thing you were trying, RDP (3389) to 192.168.0.80 from 10.62.15.10, is what you also applied in your ACL. NOTE: your source IP is 10.62.15.10 and the destination is 192.168.0.80, which is OK per the ACL, but I guess you might have tried to verify port access to 192.168.0.80 from the router itself, which has source IP 10.60.15.252; that's why you might get a failure report in syslog, and once you added ACL entry 46 it started working.

In that case host 10.62.15.10 was working but the router was getting a failure. Please check that the subnet you provided, 10.62.15.0/24, is correct.

Thx!

No, we tried from the 10.60.15.10 system and saw deny logs in the syslog server. I am sure the subnet mask I have provided (10.62.15.0/24) is correct :-)

Thanks

Sri

Abzal
Level 7

Hi,

It didn't work because the return traffic coming from 192.168.0.0/24 wasn't allowed in the ACL. You don't have an inbound ACL, so traffic goes to 192.168.0.0/24 from 10.62.15.0/24 unfiltered. For the return traffic you added a few statements and now it's OK.

Hope it will help.

Sent from Cisco Technical Support iPhone App

Best regards,
Abzal

Dude,

If you were sourcing the traffic from 10.60.15.10, then your ACL statements should have been like below:

IP access list extended Test

10 permit ip 192.168.0.0 0.0.0.255 10.60.15.0 0.0.0.255

20 permit ip 192.168.1.0 0.0.0.255 10.60.15.0 0.0.0.255

30 permit ip 10.60.15.0 0.0.0.255 192.168.0.0 0.0.0.255

40 permit ip 10.60.15.0 0.0.0.255 192.168.1.0 0.0.0.255

Actually ACL number 30 will serve your solution.
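As an added illustration (not part of the thread or Cisco's own code), a small Python model of Cisco first-match ACL evaluation with wildcard masks, run against Sri's original ACL and Bharat's corrected one for the RDP flow in question. The tuple form of the entries and the port matching (destination `eq` only) are constructed simplifications.

```python
import ipaddress
from typing import Optional

# Constructed model of the thread's ACLs: (seq, action, proto, src, dst, dst_port).
# Cisco "address wildcard" form: wildcard bits set to 1 are "don't care".
ORIGINAL_ACL = [
    (10, "permit", "ip", "192.168.0.0 0.0.0.255", "10.62.15.0 0.0.0.255", None),
    (20, "permit", "ip", "192.168.1.0 0.0.0.255", "10.62.15.0 0.0.0.255", None),
    (30, "permit", "ip", "10.62.15.0 0.0.0.255", "192.168.0.0 0.0.0.255", None),
    (40, "permit", "ip", "10.62.15.0 0.0.0.255", "192.168.1.0 0.0.0.255", None),
    (50, "deny", "ip", "any", "any", None),
]
# Bharat's correction: the hosts actually live in 10.60.15.0/24, not 10.62.15.0/24.
CORRECTED_ACL = [
    (seq, act, proto, s.replace("10.62.", "10.60."), d.replace("10.62.", "10.60."), p)
    for seq, act, proto, s, d, p in ORIGINAL_ACL
]

def wildcard_match(addr: str, spec: str) -> bool:
    """True if addr matches 'network wildcard' (or 'any') under Cisco wildcard semantics."""
    if spec == "any":
        return True
    base, wild = spec.split()
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = int(ipaddress.IPv4Address(wild)) ^ 0xFFFFFFFF  # bits that must be equal
    return (a & care) == (b & care)

def evaluate(acl, proto: str, src: str, dst: str, dport: Optional[int] = None):
    """First-match evaluation of one packet; returns (seq, action).
    seq is None when only the implicit deny at the end of the list matches."""
    for seq, action, aproto, sspec, dspec, aport in acl:
        if aproto != "ip" and aproto != proto:
            continue
        if not (wildcard_match(src, sspec) and wildcard_match(dst, dspec)):
            continue
        if aport is not None and aport != dport:
            continue
        return seq, action
    return None, "deny"

if __name__ == "__main__":
    # The RDP flow from the thread: 10.60.15.10 -> 192.168.0.80:3389, leaving Gi0/0.40.
    print(evaluate(ORIGINAL_ACL, "tcp", "10.60.15.10", "192.168.0.80", 3389))   # (50, 'deny')
    print(evaluate(CORRECTED_ACL, "tcp", "10.60.15.10", "192.168.0.80", 3389))  # (30, 'permit')
```

With the original list the flow falls through every permit (no entry mentions 10.60.15.0/24) and lands on the explicit `deny ip any any log`, which is exactly the syslog entry Sri saw; with the corrected list it matches entry 30 on the way out and entry 10 on the way back.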

Bharat, you are right. It was my mistake :-(

I will update the ACL with 10.60.*.*.

Thanks again.

Sri
