vACL - Allow all but 2 networks does not work

ratatosk_2
Level 1

Desired result: allow Internet for all devices on subnet 10.32.54.128/28.

Block access to all other internal networks using addresses from 10.0.0.0/8.

Hosts on network must reach resources on 172.18.24.0/24.

ACL is on VLAN (BVI) Interface, VLAN3 ingress.

This is my ACL that currently drops traffic to 172.18.24.0 and I don't understand why.

ip access-list extended externals
10 permit udp any any eq domain
20 permit icmp any any echo
30 permit icmp any any echo-reply
40 deny ip any 10.0.0.0 0.255.255.255
50 deny ip any 152.141.0.0 0.0.255.255
60 permit ip any any
70 deny ip any any log

interface BVI3
 ip access-group externals in

Help me understand why this does not work. Does traffic get filtered because the VLAN's own subnet is in 10.0.0.0/8? How would I write it otherwise?

Thanks!

12 Replies

Diana Karolina Rojas
Cisco Employee

Can you ping other networks or IP addresses outside the 10.0.0.0/8 and 172.18.24.0/24 ranges? Do you have any access-list applied on an interface? When you do a traceroute from a host in the 10.32.54.128/28 network to a 172.18.24.0 host, where is it lost?

Regards,

I will check that on Monday when I am back in the office. I will make a quick Visio of the setup and attach shortly so everyone can be clear on the exact setup.

Julio E. Moisa
VIP Alumni

Hi

Could you please provide more details or a basic topology? Is the network 10.32.54.128/28 on the same device?

Thank you 


>> Mark as helpful or answered if the reply resolved your question; this helps other community members with future queries. <<

The BVI3 is the default gateway for 10.32.54.128/28, it has IP .142.

Hi

Thank you. Not sure if it is the case, but since it is mentioned in the subject: VLAN ACLs (VACLs) are applied both ways because they are not stateful, so you should have something like:

ip access-list extended EXTERNAL-OUTBOUND
10 permit udp any any eq domain
20 permit icmp any any echo
30 permit icmp any any echo-reply
40 deny ip any 10.0.0.0 0.255.255.255
50 deny ip any 152.141.0.0 0.0.255.255
60 permit ip any any
70 deny ip any any log    <--- it can be removed because you have a permit ip any any above, so it will not be required

ip access-list extended EXTERNAL-INBOUND
10 permit udp any any eq domain
20 permit icmp any any echo
30 permit icmp any any echo-reply
40 deny ip 10.0.0.0 0.255.255.255 any
50 deny ip 152.141.0.0 0.0.255.255 any
60 permit ip any any
70 deny ip any any log    <--- it can be removed because you have a permit ip any any above, so it will not be required

ip access-list extended EXTERNAL-DENY
permit ip any any

vlan access-map EXTERNAL 5
match ip address EXTERNAL-OUTBOUND
action forward

vlan access-map EXTERNAL 10
match ip address EXTERNAL-INBOUND
action forward

vlan access-map EXTERNAL 100
match ip address EXTERNAL-DENY
action drop

vlan filter EXTERNAL vlan-list 10    <--- Applying to VLAN 10

VACLs are applied to a VLAN in order to provide protection; basically you can isolate a VLAN using this feature.

Hope it is useful

:-)


OK, but I only have an ACL inbound (from the VLAN) and no ACL at all on traffic to the VLAN. Since there is no ACL, the return traffic should be able to flow without creating an ACL for return traffic, no? The message I get in the logs is from the IN ACL and states:

list externals denied tcp 10.32.54.130(80) -> 172.18.24.25(49291), 3 packets

I just now attached a visio of the scenario for extra clarity.

Also, if I add

35 permit ip any 172.18.24.0 0.0.0.255

then it works.

Yeap, it should, but you also have the permit ip any any; please check the other proposal above.

:-)


Just a question: are you using any network in the 10.0.0.0/8 segment for the point-to-point links between devices or to interconnect routers?

Can you execute a: show ip access-list


Julio E. Moisa
VIP Alumni

Hi

You could apply the ACL under the interface connected to the ISP CPE router instead of the BVI3, in order to filter the traffic to the destination network 10.32.54.128/28.

If it is for the inbound traffic:

ip access-list extended EXTERNAL-INBOUND-TRAFFIC
10 permit udp any any eq domain
20 permit icmp any any echo
30 permit icmp any any echo-reply
40 deny ip 10.0.0.0 0.255.255.255 10.32.54.128 0.0.0.15
50 deny ip 152.141.0.0 0.0.255.255 10.32.54.128 0.0.0.15
60 permit ip any any

interface g0/0
 ip access-group EXTERNAL-INBOUND-TRAFFIC in

Note: check that you are not blocking the network used as the point-to-point link between the local router and the CPE router. It could affect the routing protocol adjacency.

*As good practice, the name of the ACL should be configured in uppercase.

Hope it is useful

:-)


I am going to try the above tomorrow; I spent the day setting up a lab for this. It seems that ipbasek9 does not support vlan access-maps, and I suppose setting the ACL on the GigE interface to the ISP router could do the trick if I define the source network (10.32.54.128/28) as well as the destination that I want to block (10.0.0.0/8). The link network between ISP and customer is from 172.16.0.0/16, so that should not be blocked.

ratatosk_2
Level 1

Thank you all for your solution suggestions, but I found the solution in another ACL employed by my company. The missing statement is:

permit tcp any any established
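An added example, not from this thread and not Cisco code: a small Python model of how IOS evaluates an extended ACL (first match wins, implicit deny at the end, wildcard masks, and the `established` keyword, which only tests the ACK/RST bits of a TCP segment). It replays the ingress ACL as posted in the question, the `permit tcp any any established` entry the asker reported as the fix (placed at an assumed sequence number 35, above the deny at 40), and a cut-down version of the destination-scoped ACL proposed for the ISP-facing interface, against constructed packets. The packets, the sequence number 35 and the port numbers are assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass

NAMED_PORTS = {"domain": 53}   # IOS port keyword used in the thread

@dataclass(frozen=True)
class Packet:
    proto: str            # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    ack: bool = False     # TCP ACK flag
    rst: bool = False     # TCP RST flag
    icmp_type: str = ""   # "echo" / "echo-reply"

def wildcard_match(addr, base, wildcard):
    """IOS wildcard mask: 0 bits must match, 1 bits are don't-care."""
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return int(ipaddress.IPv4Address(addr)) & care == int(ipaddress.IPv4Address(base)) & care

def _addr(tokens, i):
    """Consume 'any', 'host A' or 'A WILDCARD'; return ((base, wildcard), next index)."""
    if tokens[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    if tokens[i] == "host":
        return (tokens[i + 1], "0.0.0.0"), i + 2
    return (tokens[i], tokens[i + 1]), i + 2

def _port(tok):
    return NAMED_PORTS.get(tok) or int(tok)

def parse_ace(line):
    """Parse '[seq] permit|deny proto src dst [eq port] [icmp-type] [established] [log]'."""
    tokens = line.split()
    seq = int(tokens.pop(0)) if tokens[0].isdigit() else None
    ace = {"seq": seq, "action": tokens[0], "proto": tokens[1],
           "dport": None, "icmp_type": None, "established": False}
    ace["src"], i = _addr(tokens, 2)
    ace["dst"], i = _addr(tokens, i)
    while i < len(tokens):                     # trailing qualifiers
        tok = tokens[i]
        if tok == "eq":
            ace["dport"], i = _port(tokens[i + 1]), i + 2
        elif tok == "established":
            ace["established"], i = True, i + 1
        elif tok == "log":                     # logging does not change the match
            i += 1
        elif ace["proto"] == "icmp":
            ace["icmp_type"], i = tok, i + 1
        else:
            raise ValueError(f"unsupported keyword {tok!r} in: {line}")
    return ace

def parse_acl(text):
    return [parse_ace(l) for l in text.splitlines() if l.strip()]

def ace_matches(ace, pkt):
    if ace["proto"] != "ip" and ace["proto"] != pkt.proto:
        return False
    if not (wildcard_match(pkt.src, *ace["src"]) and wildcard_match(pkt.dst, *ace["dst"])):
        return False
    for key, val in (("dport", pkt.dport), ("icmp_type", pkt.icmp_type)):
        if ace[key] is not None and ace[key] != val:
            return False
    # 'established' is not stateful: it only checks that ACK or RST is set on the segment.
    return not ace["established"] or pkt.ack or pkt.rst

def evaluate(acl, pkt):
    """(action, seq) of the first matching ACE; ('deny', None) is the implicit deny at the end."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace["action"], ace["seq"]
    return "deny", None

# The ingress ACL exactly as posted in the question.
POSTED_ACL = parse_acl("""
10 permit udp any any eq domain
20 permit icmp any any echo
30 permit icmp any any echo-reply
40 deny ip any 10.0.0.0 0.255.255.255
50 deny ip any 152.141.0.0 0.0.255.255
60 permit ip any any
70 deny ip any any log
""")

# The entry the asker reported as the fix; IOS slots a new ACE by sequence number, and 35 is
# an assumed position (it has to precede the deny at 40 to have any effect).
FIXED_ACL = sorted(POSTED_ACL + parse_acl("35 permit tcp any any established"),
                   key=lambda a: a["seq"])

# The destination-scoped ACL proposed for the ISP-facing interface, cut down to two entries.
INBOUND_ACL = parse_acl("40 deny ip 10.0.0.0 0.255.255.255 10.32.54.128 0.0.0.15\n60 permit ip any any")

# Constructed packets. The first three enter BVI3 from the 10.32.54.128/28 VLAN.
NEW_TO_INTERNAL = Packet("tcp", "10.32.54.130", "10.1.1.1", 50000, 445)            # SYN, no ACK
REPLY_TO_INTERNAL = Packet("tcp", "10.32.54.130", "10.1.1.1", 80, 49291, ack=True)  # server reply
NEW_TO_INTERNET = Packet("tcp", "10.32.54.130", "203.0.113.10", 50001, 443)
FROM_LINK_NET = Packet("tcp", "172.16.0.1", "10.32.54.130", 179, 179)               # ISP p2p link
```

Calling `evaluate(POSTED_ACL, NEW_TO_INTERNAL)` returns the deny at sequence 40, while `evaluate(FIXED_ACL, REPLY_TO_INTERNAL)` returns the permit at 35 and the same SYN-only packet is still denied at 40, which is exactly the asymmetry the `established` entry buys you. The caveat is in the last line of `ace_matches`: any segment with ACK or RST set passes, whether or not a session exists, so this is a bit test rather than connection tracking; on IOS the stateful options are reflexive ACLs or the zone-based firewall.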