ACL Problem

bret
Level 3

I have created an ACL to allow one network to get to the listed servers, and I want to deny all other traffic. My problem is that when I apply my ACL to the interface, my handhelds do not get any IP addresses from the DHCP server, thus not allowing them to access any other servers. I have read as much information about ACLs as I can, but have yet to find my problem with my ACL. Is my problem that obvious, that gleaming, that I cannot find it? All hints and tips would be greatly appreciated.

permit udp 192.168.116.0 0.0.0.255 host 172.16.3.4

permit udp 192.168.116.0 0.0.0.255 host 192.168.7.6

permit tcp 192.168.116.0 0.0.0.255 host 172.16.15.25

permit tcp 192.168.116.0 0.0.0.255 host 172.18.155.20

permit tcp 192.168.116.0 0.0.0.255 host 172.18.155.21

permit tcp 192.168.116.0 0.0.0.255 host 172.16.26.85

permit tcp 192.168.116.0 0.0.0.255 host 172.16.26.86

permit udp 192.168.116.0 0.0.0.255 host 172.18.155.20

permit udp 192.168.116.0 0.0.0.255 host 172.18.155.21

permit udp 192.168.116.0 0.0.0.255 host 172.16.26.85

permit udp 192.168.116.0 0.0.0.255 host 172.16.26.86

permit udp 192.168.116.0 0.0.0.255 host 172.16.1.122

permit tcp 192.168.116.0 0.0.0.255 host 172.18.156.20

permit tcp 192.168.116.0 0.0.0.255 host 172.16.26.87

permit tcp 192.168.116.0 0.0.0.255 host 172.25.15.17

permit udp 192.168.116.0 0.0.0.255 host 172.25.15.17

permit tcp 192.168.116.0 0.0.0.255 host 172.25.15.25

permit udp 192.168.116.0 0.0.0.255 host 172.25.15.25

permit icmp any any

deny ip any any log

On my vlan 116 I am applying the following line.

ip access-group WirelessClients in

Thanks in advance for your help.

12 Replies

Collin Clark
VIP Alumni

Do you have a helper for the DHCP server on the VLAN interface?

ip helper-address DHCP SERVER IP

Yes the line below is on my vlan 116 interface.

ip helper-address 192.168.7.6

Just checking, try changing your ACL to out

ip access-group WirelessClients out

No, that is a good catch for the helper address. I will try the out, but other than that, does the ACL look OK? I've been told that there is a problem with it, but I cannot find the answer after all my ACL digging.

The format looks correct.

Hi,

Are you seeing anything in your logs, since you are logging the denies at the end of the ACL? Have you tried adding a line in your ACL to permit UDP any any to make sure it's not denying the UDP broadcasts?

HTH

I am seeing several hits on the deny ip any any log, 6249 to be exact.

I will give this a try later in the day when traffic allows me to apply it.

permit udp any any

Hi,

If you do a "show log", can you see what's getting denied? You may need to turn "logging on" if you don't see anything in the logs, but since you're logging the denies you should see them.

HTH

Yes, my UDP packets are getting denied. Should I put something like this in?

I see the packets being denied to 192.168.7.6 and to 224.0.0.2. Should I put the following lines in?

permit udp any any

or

permit udp 192.168.116.0 0.0.0.255 host 224.0.0.2

michael.leblanc
Level 4

Add the following entry to accommodate the DHCP clients:

permit udp any eq bootpc any eq bootps

The client is "broadcasting" to any DHCP server. Therefore the destination IP is 255.255.255.255, and will not match any of your IP-specific ACEs.

The client packets will be using a source address of 0.0.0.0 prior to obtaining a lease on an IP address, therefore you will need to use the keyword "any" as the source in the ACE also.

Keep in mind that you need to provision the return path for the server responses (i.e.: use inspection, or provision ACLs in the return path).
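To see why the broadcast DHCP request never matches the host-specific entries in the poster's ACL, here is an added Python model of IOS-style first-match ACL evaluation with wildcard masks. It is not part of this thread and not Cisco code; the ACL is trimmed to a few of the poster's lines, and the packets (a DHCP discover from 0.0.0.0:68 to 255.255.255.255:67, a unicast UDP flow, and a packet to 224.0.0.2 like the ones in the poster's deny log) are constructed for the demonstration.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# The poster's ACL, trimmed to a few entries (constructed from the thread).
ORIGINAL_ACL = [
    "permit udp 192.168.116.0 0.0.0.255 host 172.16.3.4",
    "permit udp 192.168.116.0 0.0.0.255 host 192.168.7.6",
    "permit tcp 192.168.116.0 0.0.0.255 host 172.16.15.25",
    "permit icmp any any",
    "deny ip any any log",
]

# The entry suggested above for DHCP clients.
DHCP_ACE = "permit udp any eq bootpc any eq bootps"

# IOS well-known port names used on this page.
PORT_NAMES = {"bootps": 67, "bootpc": 68}


@dataclass
class Ace:
    action: str
    proto: str
    src: int
    src_wild: int
    src_port: Optional[int]
    dst: int
    dst_wild: int
    dst_port: Optional[int]
    log: bool
    text: str


@dataclass
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def _addr(t: List[str], i: int) -> Tuple[int, int, int]:
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D wildcard'; return (addr, wildcard, next index)."""
    if t[i] == "any":
        return 0, 0xFFFFFFFF, i + 1
    if t[i] == "host":
        return int(ipaddress.IPv4Address(t[i + 1])), 0, i + 2
    return int(ipaddress.IPv4Address(t[i])), int(ipaddress.IPv4Address(t[i + 1])), i + 2


def _port(t: List[str], i: int) -> Tuple[Optional[int], int]:
    """Parse an optional 'eq <port>' qualifier; return (port or None, next index)."""
    if i < len(t) and t[i] == "eq":
        name = t[i + 1]
        return (PORT_NAMES[name] if name in PORT_NAMES else int(name)), i + 2
    return None, i


def parse_ace(line: str) -> Ace:
    t = line.split()
    src, src_wild, i = _addr(t, 2)
    src_port, i = _port(t, i)
    dst, dst_wild, i = _addr(t, i)
    dst_port, i = _port(t, i)
    return Ace(t[0], t[1], src, src_wild, src_port, dst, dst_wild, dst_port, "log" in t[i:], line)


def _wild_match(addr: int, base: int, wild: int) -> bool:
    # Wildcard bits set to 1 are "don't care"; every other bit must equal the base address.
    return ((addr ^ base) & ~wild & 0xFFFFFFFF) == 0


def matches(ace: Ace, pkt: Packet) -> bool:
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if not _wild_match(int(ipaddress.IPv4Address(pkt.src)), ace.src, ace.src_wild):
        return False
    if not _wild_match(int(ipaddress.IPv4Address(pkt.dst)), ace.dst, ace.dst_wild):
        return False
    if ace.src_port is not None and ace.src_port != pkt.sport:
        return False
    return ace.dst_port is None or ace.dst_port == pkt.dport


def evaluate(acl: List[str], pkt: Packet) -> Tuple[str, str]:
    """First matching entry wins; a packet matching nothing hits the implicit deny."""
    for line in acl:
        ace = parse_ace(line)
        if matches(ace, pkt):
            return ace.action, ace.text
    return "deny", "<implicit deny>"


def fixed_acl() -> List[str]:
    """The DHCP entry must sit before the final deny, or it is never reached."""
    return ORIGINAL_ACL[:-1] + [DHCP_ACE] + ORIGINAL_ACL[-1:]


# Constructed sample packets.
DHCP_DISCOVER = Packet("udp", "0.0.0.0", 68, "255.255.255.255", 67)
UNICAST = Packet("udp", "192.168.116.10", 50000, "172.16.3.4", 514)
MULTICAST = Packet("udp", "192.168.116.10", 1985, "224.0.0.2", 1985)

if __name__ == "__main__":
    for name, pkt in [("DHCP discover", DHCP_DISCOVER), ("unicast", UNICAST), ("224.0.0.2", MULTICAST)]:
        print(f"{name:14} original: {evaluate(ORIGINAL_ACL, pkt)}  fixed: {evaluate(fixed_acl(), pkt)}")
```

The model shows the point made above: the source 0.0.0.0 fails the 192.168.116.0/0.0.0.255 wildcard test on every host-specific line, so the discover falls through to the logged deny, which is exactly where the poster saw the hits. Only an entry with `any` as source (and destination) matches it, and that entry has to appear before the final deny.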

Thanks Michael. You said "Keep in mind that you need to provision the return path for the server responses (i.e.: use inspection, or provision ACLs in the return path)." Does this mean I need to add the following line?

permit udp host 192.168.7.6 192.168.116.0 0.0.0.255

I appreciate all the great help and great ideas; this is definitely going to help me get closer to an answer.

In your situation (using a helper address), you would be concerned with the exchange between the router and the DHCP server (specifically, the packets returning from the DHCP server).

Unfortunately, I've never used a sniffer to examine one of these exchanges (I don't use the helper address function). Presumably, the DHCP server could be several hops away. If it were, then the packets would use unicast addresses for sure.

Depending on whether you have an ACL on the router interface facing the DHCP server (and the ACEs it contains), you may not have a provisioning issue for the return traffic from the DHCP server.

Add the previously indicated ACE to allow the DHCP clients to reach the router, and leverage the help of the router (via the helper address), and then determine whether an issue still exists with router-to-DHCP-server communications.
