cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1004
Views
0
Helpful
2
Replies

Strange ACL Behaviour

eagletec1
Level 1
Level 1

Hi all,

Please help with an annoying ACL issue. I have the following extended ACL configured but for some I still can’t get web access when the time range is active.

The email and other ports work perfectly but when the time range shows active in the router still no web access is possible on the controlled vlans and networks, any ideas?

Thanks

Louise

QQQ_Control                                              

time-range periodic daily 21:00 to 23:59

MAIL-PORTS

tcp eq smtp

tcp eq pop3

tcp eq 995

tcp eq 993

tcp eq telnet

tcp eq ftp

tcp eq domain

tcp eq 5900

tcp eq ftp-data

tcp eq 3389

tcp eq 20410

udp lt rip

udp lt domain

udp lt ntp

udp lt tftp

QQQ_User_Group

range 192.168.0.26 192.168.0.199

192.168.2.0 255.255.255.0

192.168.3.0 255.255.255.0

192.168.6.0 255.255.255.0

QQQ_Management_Group                               

range 192.168.0.1 192.168.0.25           

range 192.168.0.200 192.168.0.254                 

192.168.1.0 255.255.255.0                         

192.168.4.0 255.255.255.0                         

192.168.5.0 255.255.255.0

192.168.7.0 255.255.255.0                         

192.168.8.0 255.255.255.0                         

192.168.9.0 255.255.255.0                         

192.168.10.0 255.255.255.0                           

10.1.0.0 255.255.0.0                                  

10.8.0.0 255.255.255.0

QQQ_ACL

5 permint ip host 203.xxx.xxx.xxx any

10 permit udp host 203.12.160.2 eq ntp any eq ntp

20 permit udp host 192.168.0.6 eq domain any

30 permit ip object-group QQQ_Management_Group any

40 permit object-group MAIL-PORTS object-group QQQ_User_Group any

50 permit icmp object-group QQQ_User_Group any

60 permit tcp 192.168.2.0 0.0.0.255 eq www 443 8080 5190 1863 any time-range QQQ_Control

70 permit tcp 192.168.3.0 0.0.0.255 eq www 443 8080 5190 1863 any time-range QQQ_Control

80 permit tcp 192.168.6.0 0.0.0.255 eq www 443 8080 5190 1863 any time-range QQQ_Control

90 permit tcp 192.168.0.0 0.0.0.255 eq www 443 8080 5190 1863 any time-range QQQ_Control

2 Replies 2

mahmoodmkl
Level 7
Level 7

Hi

I cannot see any where the http or https traffic is allowed in the ACL.

Please allow traffic to port 80 and try.

Hi

The web traffic (http, 80 and https, 443) are allowed in lines 60 to 90 per subnet which inturn is controlled by the time range QQQ_Control, the Cisco IOS changes port 80 to www when you type it into the ACL.

60 permit tcp 192.168.2.0 0.0.0.255 eq www 443 8080 5190 1863 any time-range QQQ_Control

70 permit tcp 192.168.3.0 0.0.0.255 eq www 443 8080 5190 1863 any time-range QQQ_Control

80 permit tcp 192.168.6.0 0.0.0.255 eq www 443 8080 5190 1863 any time-range QQQ_Control

90 permit tcp 192.168.0.0 0.0.0.255 eq www 443 8080 5190 1863 any time-range QQQ_Control

Louise

Review Cisco Networking for a $25 gift card