Permit Host Extended ACL skipped?

davidmoreno69
Level 1

Hello Guys,

I want to control traffic reaching a server farm, in say VLAN 14. For this I applied a ACL to SVI 14 in the outbound direction.

VLAN 14 = 167.107.230.32 /27

I want to allow host 10.8.184.177 to reach host 167.107.230.37 on port 443, for such purpose I wrote the following ACE:

permit tcp host 10.8.184.177 host 167.107.230.37 eq 443

And the ACL looks like this:

Extended IP access list vl14
    120 permit tcp host 10.8.184.177 host 167.107.230.37 eq www
    130 permit tcp host 10.8.184.177 host 167.107.230.37 eq 443
    140 permit tcp host 10.8.184.178 host 167.107.230.37 eq www
    150 permit tcp host 10.8.184.178 host 167.107.230.37 eq 443
    160 permit tcp host 10.8.184.177 host 167.107.230.38 eq www
    170 permit tcp host 10.8.184.177 host 167.107.230.38 eq 443
    180 permit tcp host 10.8.184.178 host 167.107.230.38 eq www
    190 permit tcp host 10.8.184.178 host 167.107.230.38 eq 443
    200 permit icmp any host 167.107.230.37
    210 permit icmp any host 167.107.230.38
    220 deny ip 10.10.129.0 0.0.0.255 any log
    230 deny ip 10.8.184.96 0.0.0.15 any log
    240 deny ip 10.8.184.176 0.0.0.15 any log (7045 matches)
    250 deny ip 10.8.184.192 0.0.0.63 any log
    260 deny ip 167.107.230.0 0.0.0.255 any log
    270 deny ip 167.107.66.0 0.0.0.31 any log
    280 permit ip 205.174.35.0 0.0.0.255 any
    290 permit ip 205.174.39.0 0.0.0.255 any
    300 permit ip 205.174.43.0 0.0.0.255 any
    310 permit ip 205.174.44.0 0.0.0.255 any
    320 permit ip 192.168.0.0 0.0.255.255 any
    330 permit ip 167.107.0.0 0.0.255.255 any
    340 permit ip 10.0.0.0 0.255.255.255 any
    350 permit ip 172.30.0.0 0.0.255.255 any
    370 deny ip any any log (232 matches)

------------------------------------------------------------------------------------------------------------

The SVI is configured as follows:

interface Vlan14
 ip address 167.107.230.60 255.255.255.224
 ip access-group vl14 out
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 standby 1 ip 167.107.230.62
 standby 1 timers msec 250 msec 800
 standby 1 priority 110
 arp timeout 300
end

------------------------------------------------------------------------------------------------------------

I see the traffic being dropped:

%SEC-6-IPACCESSLOGP: list vl14 denied tcp 10.8.184.177(40322) -> 167.107.230.37(443), 2 packets

---------

You can see there is an ACE allowing ICMP to reach 167.107.230.x ... that works well. However, my explicit rule to reach 167.107.230.37 on 443 seems to be skipped.

Any ideas?

Thanks in advance!

8 Replies

Reza Sharifi
Hall of Fame

Hi,

Does the router also skip the 230.38 eq 443 or just 230.37 eq 443?

Can you try deleting the ACLs, reapply them and test again?

HTH

Hi Reza,

Both rules are affected.

After writing the ACEs yesterday and seeing them being skipped for no apparent reason, I thought the best move I could make was to remove the ACL and re-apply it; unfortunately the server admin that was helping me test had to leave and my change window expired.

Before removing and reapplying the ACL next Monday I wanted to check with the people in this board for any error in how my ACEs were written. It all looks good right?

All suggestions are welcome : ]

Thanks!

David

We are not in a position to tell you whether it all looks good or not since there are a number of entries in the ACL before entry 120. Since the ACL is processed in order it is quite possible that some entry before 120 is denying your host traffic. Post the entire ACL and we can tell you whether it all looks good or not.

HTH

Rick
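Rick's point is that IOS walks an ACL top to bottom and acts on the first ACE that matches. The following is an added example, not code from the thread, that replays that first-match walk over a constructed excerpt of the ACEs quoted above (the parser only handles the ACE shapes seen on this page: host/any/wildcard addresses and an optional "eq" port). With the posted ordering the 443 flow stops at sequence 130; placing the 10.8.184.176 0.0.0.15 deny above it is what would produce the logged drop.

```python
import ipaddress
import re

# Constructed excerpt of the ACEs quoted in the thread (sequence numbers kept);
# this is example data, not a dump from the poster's switch.
ACL_VL14 = """
120 permit tcp host 10.8.184.177 host 167.107.230.37 eq www
130 permit tcp host 10.8.184.177 host 167.107.230.37 eq 443
200 permit icmp any host 167.107.230.37
240 deny ip 10.8.184.176 0.0.0.15 any log
340 permit ip 10.0.0.0 0.255.255.255 any
370 deny ip any any log
"""
PORT_NAMES = {"www": 80}  # IOS prints well-known ports by name

def _addr(tokens):
    """Consume one IOS address spec: 'any', 'host A', or 'A WILDCARD'."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    # An IOS wildcard mask is the bitwise inverse of a subnet mask.
    netmask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(tokens[1])) ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{tokens[0]}/{netmask}", strict=False), tokens[2:]

def parse_acl(text):
    aces = []  # (seq, action, proto, src_net, dst_net, dst_port)
    for line in text.strip().splitlines():
        t = re.sub(r"\(\d+ matches\)", "", line).split()  # drop hit counters
        seq, action, proto = int(t[0]), t[1], t[2]
        src, rest = _addr(t[3:])
        dst, rest = _addr(rest)
        port = None
        if rest[:1] == ["eq"]:
            port = PORT_NAMES.get(rest[1]) or int(rest[1])
        aces.append((seq, action, proto, src, dst, port))
    return aces

def first_match(aces, proto, src, dst, dport=None):
    """Return (seq, action) of the first ACE that matches, as IOS evaluates it."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for seq, action, p, sn, dn, port in aces:
        if p not in ("ip", proto):
            continue
        if s not in sn or d not in dn:
            continue
        if port is not None and port != dport:
            continue
        return seq, action
    return None, "deny"  # the implicit deny at the end of every IOS ACL
```

Run the 10.8.184.177 to 167.107.230.37:443 flow through the ACL exactly as it is printed on the device; if the walk lands on 130 but the log still shows a deny, the listing you are looking at is not the one the packets are hitting.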

Thanks Richard, I made sure to only remove permits.


hi david,

why not put the 'log' key at the end of the said ACE and ask the server admin to do a 'telnet 167.107.230.37 443' from the 10.8.184.17 box to see any hits.

Thanks, John.

I will add the "log" keyword for troubleshooting on Monday when removing and re-applying the ACL.

Hello

SVI ACL VLAN 14

inbound = from host in VLAN 14
outbound = to host in VLAN 14

Regards,
Paul


Kind Regards
Paul

Hello Paul,

If you read my first post through, you will notice that traffic comes from another VLAN; therefore applying the ACL in the outbound direction is correct.

"ip access-group vl14 out

VLAN 14 = 167.107.230.32 /27

I want to allow host 10.8.184.177 to reach host 167.107.230.37 on port 443, for such purpose I wrote the following ACE:

permit tcp host 10.8.184.177 host 167.107.230.37 eq 443"

Thanks anyways.
