Problem regarding ACL configuration

Iseeyou
Level 1

Below, I am attaching a problem I have been trying to solve for a bit but haven't been able to completely resolve. In the network, the only thing that remains to be configured is the ACL (standard) that allows IT to ping all users in the LAN site as well as have access to the WAN site. If I apply an ACL to block access to the WAN site, allowing only the IT department at the LAN router, it does not fulfil the condition that IT should also be able to ping all the users from the other two departments.

Please help

14 Replies

Joseph W. Doherty
Hall of Fame

Sorry, but it's unclear, at least to me, what exactly is trying to be achieved.

The PT file notes: 

IT users must have accessibility to ping all users in the LAN,

as well as be allowed to access WAN.

- Use ACL (standard) to solve the above routing.

So is IT only to be allowed to ping the two other VLANs?  (Normally, by default, the IT VLAN should be able to meet those goals.)

Restrictions aren't noted for what the other VLANs are allowed to do.

Unclear how ACLs are to be used for "routing", unless "routing" is meant to convey being able to reach a destination?

Yes, the IT (VLAN 20) should be able to ping all other VLANs, as well as the WAN site. So basically, VLAN 20 should be able to access VLANs 10 and 30, but they should not be able to access it back.

Also, once I try applying an ACL to block FC (VLAN 10) and HR (VLAN 30) from accessing the WAN site servers (while allowing IT), the ping starts returning 'request timed out' when I try pinging the other two VLANs from IT (VLAN 20).

Seems like you could do this, but with an extended ACL, not a standard ACL. The reason is that you are trying to introduce source AND destination IPs along with the ICMP protocol, something only an extended ACL can match on. Otherwise you'd be blocking all traffic, not just ICMP. Is this an assignment requirement?

Ah, I was going to ask the same question, i.e. can we use extended ACLs?

I also wanted to ask, so the only off local network access allowed for VLANs 10 and 30 would be ping replies to VLAN 20?

Like David, at first glance, cannot see how to do this without using extended ACLs.  With extended ACLs, should be easy to accomplish.

Yes, extended ACL can be used.
Yes, the only network access for VLANs 20 and 30 is ping replies to VLAN 20. They cannot access other VLANs or the WAN site of the network with servers.

In that case, possibly all you need is an ACL applied on ingress on VLAN 10's and VLAN 30's gateway sub-interfaces, using one ACE permitting ICMP replies to VLAN 20's network.

Do you know how to do that?

I do understand this in principle now that you say it. But I am fairly new to Packet Tracer; could you please guide me through it?

In this case, PT should be configured just like the real devices that you're using in PT.

I assume this is some kind of learning exercise?  If so, I would like to help you figure out how to do this without just providing the answer. If that's okay, tell me how you think the "principle" might be done or what's the stumbling block.

You have the info, such as one extended ACL, needing only a single ACE, permitting ICMP ping replies, replying to the VLAN 20 network, applied for ingress on both VLANs 10 and 30 subinterfaces.

So, totally lost, or don't understand a particular ACL concept or concepts?


1. Yes, this is a learning exercise. Actually, the real question is on a much larger scale, but uses the same principles. I am just trying to learn how to solve these in principle.

2. Not completely lost, but I don't have an exact idea either as such. I have used standard ACLs, but using an extended one is a first for me. They have asked us to apply at least two variations of it. I am supposing one ACL blocks all VLANs from accessing the WAN side, except VLAN 20. But the traffic confirmation between VLANs 10 and 30 is confusing for me.

3. Also, they mention 'At LAN site, all departments are using separate network segments'.

In the light of the above statement, is the current configuration fine? Or should the networks differ, e.g. instead of 192.168.1.1/29 for FC (sub-int gig0/0/1.10) and 192.168.1.9/29 for IT (sub-int gig0/0/1.20), should it be 192.168.2.1/29 for IT (sub-int gig0/0/1.20)?

Edit: I tried doing the extended ACL implementation on my own, with no success, sadly.

At the moment, Cisco's forums isn't, at least for me, working normally, so unable to provide the reply, at this time, I intended.

Ah, forum working again, for me. . .

Extended ACLs aren't hugely different from standard ACLs, they just provide some additional (and very worthwhile) parameters.

Remember what we want to do with the ACL: block all outbound traffic from VLANs 10 or 30, except for ping replies.  Also, keep in mind, an ACL is going to be a major component of our solution.

If we look at PT ACL help first, we can use the access-list number to denote standard or extended (we can also use named ACLs, but I'll use numbered for this discussion):

Router(config)#access-list ?
  <1-99>     IP standard access list
  <100-199>  IP extended access list

If we look at the standard options:

Router(config)#access-list 1 ?
  deny    Specify packets to reject
  permit  Specify packets to forward
  remark  Access list entry comment
Router(config)#access-list 1 permit ?
  A.B.C.D  Address to match
  any      Any source host
  host     A single host address
Router(config)#access-list 1 permit any ?
  <cr>

We're lacking parameters for dealing with source or destination of packets and/or kind of traffic.

But the extended ACL seems to offer all the options we need.

So, what should the ACE look like?

Router(config)#access-list 100 ?
  deny    Specify packets to reject
  permit  Specify packets to forward
  remark  Access list entry comment
Router(config)#access-list 100 permit ?
  ahp    Authentication Header Protocol
  eigrp  Cisco's EIGRP routing protocol
  esp    Encapsulation Security Payload
  gre    Cisco's GRE tunneling
  icmp   Internet Control Message Protocol
  ip     Any Internet Protocol
  ospf   OSPF routing protocol
  tcp    Transmission Control Protocol
  udp    User Datagram Protocol
Router(config)#access-list 100 permit icmp ?
  A.B.C.D  Source address
  any      Any source host
  host     A single source host
Router(config)#access-list 100 permit icmp any ?
  A.B.C.D  Destination address
  any      Any destination host
  host     A single destination host
Router(config)#access-list 100 permit icmp any any ?
  <0-256>               type-num
  echo                  Echo (ping)
  echo-reply            Echo reply
  host-unreachable      Host unreachable
  net-unreachable       Net unreachable
  port-unreachable      Port unreachable
  protocol-unreachable  Protocol unreachable
  ttl-exceeded          TTL exceeded
  unreachable           All unreachables
  <cr>

What do you think this ACE should be?

Again, look at the above and remember we want the source to be VLANs 10 or 30, the destination to be VLAN 20, and to allow ping responses.  We also need to ensure all other traffic is blocked (two ACEs required?).

Once you have the necessary ACL, you need to decide where and how it should be deployed.  Of course, thinking about where and how the ACL should be deployed might impact the structure of the ACL.  Your thoughts?
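As an added worked example (not configuration posted in the thread), here is the ACL the discussion above is steering toward, written out for the addressing the poster gave: FC is 192.168.1.0/29 behind Gi0/0/1.10 and IT is 192.168.1.8/29 behind Gi0/0/1.20. The HR subnet 192.168.1.16/29 and its sub-interface Gi0/0/1.30 are assumptions, since the thread never states them. The ACL permits only ICMP echo replies addressed to the IT subnet and is applied inbound on the FC and HR gateway sub-interfaces; nothing is applied to VLAN 20, so IT's echo requests leave unfiltered and the replies are the only packets FC and HR hosts can get past the router. This is also why a standard ACL fails here: it matches on source only, so a deny on FC/HR sources placed inbound on those sub-interfaces drops the echo replies along with everything else, which produces exactly the "request timed out" the poster saw.

```cisco
! Added example, not from the thread. FC (VLAN 10) and IT (VLAN 20)
! addressing is the poster's; HR (VLAN 30) = 192.168.1.16/29 on
! Gi0/0/1.30 is assumed.
!
! One extended ACL: only ICMP echo-reply toward the IT subnet is
! permitted. Everything else sourced from FC/HR is dropped, which covers
! both "no WAN access" and "cannot reach the other VLANs".
ip access-list extended FC-HR-REPLIES-ONLY
 remark echo replies from FC 192.168.1.0/29 to IT 192.168.1.8/29
 permit icmp 192.168.1.0 0.0.0.7 192.168.1.8 0.0.0.7 echo-reply
 remark echo replies from HR 192.168.1.16/29 (assumed) to IT
 permit icmp 192.168.1.16 0.0.0.7 192.168.1.8 0.0.0.7 echo-reply
 remark explicit form of the implicit deny at the end of every ACL
 deny ip any any
!
! Apply inbound on the FC and HR gateway sub-interfaces only.
interface GigabitEthernet0/0/1.10
 encapsulation dot1Q 10
 ip address 192.168.1.1 255.255.255.248
 ip access-group FC-HR-REPLIES-ONLY in
!
interface GigabitEthernet0/0/1.30
 encapsulation dot1Q 30
 ip address 192.168.1.17 255.255.255.248
 ip access-group FC-HR-REPLIES-ONLY in
!
! VLAN 20 (IT) keeps no ACL, so IT can ping FC, HR and the WAN site.
interface GigabitEthernet0/0/1.20
 encapsulation dot1Q 20
 ip address 192.168.1.9 255.255.255.248
!
! Numbered equivalent of the two permit ACEs, using the access-list 100
! syntax walked through above (the implicit deny follows automatically):
! access-list 100 permit icmp 192.168.1.0 0.0.0.7 192.168.1.8 0.0.0.7 echo-reply
! access-list 100 permit icmp 192.168.1.16 0.0.0.7 192.168.1.8 0.0.0.7 echo-reply
```

To check it, ping an FC or HR PC from an IT PC (succeeds), then ping the IT PC from the FC PC and ping a WAN server from the FC PC (both fail), and watch the match counters in `show ip access-lists`: the permit lines increment on the first test, the deny line on the other two. Two caveats a practitioner would want to note: each sub-interface only ever sees its own VLAN's traffic, so a per-VLAN ACL with a single permit ACE would work just as well as this shared one; and because the deny covers all IP, FC and HR hosts also lose DHCP relay, DNS or any other service that sits beyond the router, so if those are in the topology they need their own permit ACEs ahead of the deny.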

I did try applying the extended ACL over and over, and I was able to block access to the WAN site, but the inter-VLAN conditions I just could not match, however much I tried. Could you please help and apply it for me? I literally can't wait to see what I am missing now. For your ease I am attaching the actual project I need to do it on. I have mentioned all the conditions that need to be met. I haven't been able to crack the inter-VLAN implementation of the extended ACL.

Yes, I think you are right. The use of extended ACLs (two or more variations thereof) is allowed in the scenario.

Hello,

You attached your packet capture but not any Packet Tracer file or configs, so we can see what it is that isn't working. Can you please provide more information, such as a diagram and configs?

EDIT: For some reason the file shows as a Wireshark invalid file. I opened it with PT and it opened fine. Agree with Joseph on unclear directions.

-David
