ACL help

Unanswered Question
Jun 24th, 2008

I am trying to apply two ACLs to one of the VLANs, but it seems that the "in" option is denying incoming packets, because when users from inside my network initiate a connection to the other LAN, they open a random port and that is the port that the other server is trying to establish a session back to my LAN on. I mean, if I launch a connection to port 25, my workstation opens a random port (i.e. 4447) and the server tries to connect back to my workstation on that port, but my ACL denies it because it is a random port that is not in the ACL.

workstation netstat:

TCP 10.33.64.104:4447 10.18.128.4:25 SYN_SENT

switch log:

%SEC-6-IPACCESSLOGP: list CHI-IN denied tcp 10.18.128.4(25) -> 10.33.64.104(4447), 1 packet

How do I restrict what the other LAN can access and still allow my LAN to access only some ports that are allowed on the other side?

Jon Marshall Tue, 06/24/2008 - 13:29

Etienne

I'm not entirely sure what you mean. Are you applying the ACL both inbound and outbound on the vlan interface?

ACLs are not stateful, unlike firewalls, but you can use the "established" keyword in your ACL, which allows traffic back through.

Could you give some more details as to the ACLs and the direction on the vlan interface.

Jon

Tshi M Tue, 06/24/2008 - 15:21

Hi Jon,

Here is the scenario:

The other LAN is allowing us to access port 25 and 80. Our LAN is allowing them to access port 25, 1494, and 1604.

So I tried the following ACL:

ip access-list extended CHI-IN

permit eigrp any host 224.0.0.10

permit tcp host 10.17.14.13 host 10.33.66.204 eq 1494 log

permit tcp host 10.17.14.13 host 10.33.66.204 eq 1604 log

permit tcp host 10.18.200.5 host 10.33.66.205 eq smtp log

deny ip any any log

int vlan 15

ip access-group CHI-IN in

From this I can see why the incoming traffic generated by the random ports of our workstations is being denied. How do I solve this problem and still allow only some traffic?

Jon Marshall Tue, 06/24/2008 - 15:28

Etienne

An inbound access-list applied to vlan interface is for traffic generated FROM hosts on that vlan.

An outbound access-list applied to a vlan interface is for traffic going TO hosts on that vlan.

The above access-list allows 25, 1494 & 1860 from hosts on vlan 15 to 10.33.66.x servers and no other traffic (apart from the EIGRP). Is this what you want? What subnet is on vlan 15?

Jon

Tshi M Tue, 06/24/2008 - 16:33

Hi Jon,

I did try both in and out on the interface before posting. The VLAN is on the 10.33.x.x subnet.

I want to limit the 10.17.x.x and 10.18.x.x subnets to only a few hosts and ports on the 10.33.x.x, while still allowing 10.33.x.x to access 10.17.x.x and 10.18.x.x on the ports that are allowed on these subnets.

Edison Ortiz Tue, 06/24/2008 - 15:51

Your ACL has the incorrect direction and your ACL Log explained the problem.

As the servers are coming into Vlan 15, they are the source and the devices sitting behind Vlan 15 are the destination.

Your ACL should look like this:

ip access-list extended CHI-IN

permit tcp host 10.33.66.204 eq 1494 host 10.17.14.13

permit tcp host 10.33.66.204 eq 1604 host 10.17.14.13

permit tcp host 10.33.66.205 eq smtp host 10.18.200.5

You don't need to add a deny ip any any; it is implicit without it. Routing protocols aren't blocked by this ACL either, as it's traffic that is locally generated, unless you have EIGRP devices sitting in Vlan 15.

HTH,

__

Edison.

Please rate helpful posts

Edison Ortiz Tue, 06/24/2008 - 16:47

In another post you mentioned the subnet is 10.33.x.x, so the servers are 10.17.x.x.

Your ACL should be like this:

ip access-list extended CHI-IN

permit tcp host 10.17.14.13 eq 1494 host 10.33.66.204

permit tcp host 10.17.14.13 eq 1604 host 10.33.66.204

permit tcp host 10.18.200.5 eq smtp host 10.33.66.205

Tshi M Tue, 06/24/2008 - 17:02

Hi Edison,

No dice. I tried to have it "in" or "out".

102466: Jun 24 20:55:27.122 EST: %SEC-6-IPACCESSLOGP: list CHI-IN denied tcp 10.33.64.104(1112) -> 10.18.128.4(25), 1 packet

102469: Jun 24 20:56:29.779 EST: %SEC-6-IPACCESSLOGP: list CHI-IN denied tcp 10.18.128.4(25) -> 10.33.64.104(1115), 1 packet

Edison Ortiz Tue, 06/24/2008 - 19:56

I keep seeing this device as the server "10.18.128.4(25)" but you never had that server listed in your ACL.

You also don't have the host 10.33.64.104 in the ACL.

Allow this server 10.18.128.4 eq smtp while using the 'in', as well as adding the host devices that need access to smtp. You seem to be excluding plenty of devices.

__

Edison.

Jon Marshall Wed, 06/25/2008 - 01:11

Etienne

Using a simple example.

Vlan 15 = 10.33.66.x

Remote vlan = 10.17.14.x

You want to allow access from the remote vlan to vlan 15 on ports 25, 1494 & 1604

access-list 101 permit tcp 10.17.14.0 0.0.0.255 10.33.66.0 0.0.0.255 eq 25

access-list 101 permit tcp 10.17.14.0 0.0.0.255 10.33.66.0 0.0.0.255 eq 1494

access-list 101 permit tcp 10.17.14.0 0.0.0.255 10.33.66.0 0.0.0.255 eq 1604

access-list 101 permit tcp 10.17.14.0 0.0.0.255 10.33.66.0 0.0.0.255 established

access-list 101 deny ip 10.17.14.0 0.0.0.255 10.33.66.0 0.0.0.255

This access-list is not host specific but you can make it so. You need the "established" line to stop return traffic being blocked.

The above access-list is for controlling traffic going to the devices on vlan 15, so it needs to be applied to the vlan 15 interface in an outbound direction, i.e.

int vlan 15

ip access-group 101 out

For traffic from vlan 15 to the remote server vlan on ports 25, 80:

access-list 102 permit tcp 10.33.66.0 0.0.0.255 10.17.14.0 0.0.0.255 eq 25

access-list 102 permit tcp 10.33.66.0 0.0.0.255 10.17.14.0 0.0.0.255 eq 1494

access-list 102 permit tcp 10.33.66.0 0.0.0.255 10.17.14.0 0.0.0.255 eq 1604

access-list 102 permit tcp 10.33.66.0 0.0.0.255 10.17.14.0 0.0.0.255 established

access-list 102 deny ip 10.33.66.0 0.0.0.255 10.17.14.0 0.0.0.255

This access-list is for traffic coming from devices on vlan 15 to the remote vlan

int vlan 15

ip access-group 102 in

Now you need to modify the above to match your requirements.

The other way to do it is to not use the established keyword and write them as such. Note this is just a small example; you need to extrapolate.

access-list 101 permit tcp 10.17.14.0 0.0.0.255 10.33.66.0 0.0.0.255 eq 25

access-list 101 permit tcp 10.17.14.0 0.0.0.255 eq 25 10.33.66.0 0.0.0.255

access-list 101 would still be applied in the outbound direction on vlan 15. What it does is allow 10.17.14.0/24 to talk to 10.33.66.0/24 on port 25.

Because you also want 10.33.66.0/24 to talk to 10.17.14.0/24 on port 25 you need to allow return traffic from 10.17.14.0/24 with a SOURCE port of 25. Remember this acl is being applied outbound on vlan 15.

Which way you choose to do it is up to you. Using the established keyword will make your acl shorter.

Does this make sense?

Jon

Tshi M Wed, 06/25/2008 - 05:29

Hi Jon,

What you said makes perfect sense, but it is not working. I actually don't need an ACL that controls my LAN to the other LAN. I only need to limit what ports the other LAN can see on my side.

I tried all combination of in/out without much luck. This seems to only work when I use IP rather than ports in the ACL.

Tshi M Wed, 06/25/2008 - 05:30

I mean using permit ip instead of using permit tcp...

Tshi M Wed, 08/06/2008 - 02:34

I just wanted to let the people who replied to my posting know that I solved the problem using a reflexive access-list.
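To make the two mechanisms discussed in this thread concrete (Jon's "established" keyword for stateless return traffic, and the reflexive access-list the original poster settled on), here is a small Python model of extended-ACL evaluation. It is an added example, not anything from the thread or from Cisco IOS: the addresses and ports are the ones from the posted log lines, the `Entry`/`Packet` classes and the `reflect`/`evaluate` fields are a constructed approximation of IOS behaviour, and the reflexive state never ages out, which real reflexive entries do. It shows why the original CHI-IN style list drops the server's SYN-ACK on the workstation's random port, why `established` lets it through (while still dropping an unsolicited SYN), and why a reflexive list is tighter, since it only admits the exact mirrored flow of a session the inside host opened.

```python
"""Toy model of Cisco-style extended ACL evaluation (constructed example, not IOS code)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    ack: bool = False  # True when ACK or RST is set; 'established' matches on this


@dataclass
class Entry:
    action: str = "permit"
    src: str = "0.0.0.0/0"          # CIDR instead of IOS wildcard mask, for brevity
    dst: str = "0.0.0.0/0"
    sport: Optional[int] = None      # 'eq N' on the source side
    dport: Optional[int] = None      # 'eq N' on the destination side
    established: bool = False        # IOS 'established' keyword: flag check only
    reflect: Optional[str] = None    # 'reflect NAME': mirror the permitted flow into NAME
    evaluate: Optional[str] = None   # 'evaluate NAME': consult the mirrored entries

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and (self.sport is None or self.sport == p.sport)
                and (self.dport is None or self.dport == p.dport)
                and (not self.established or p.ack))


# Reflexive state: list name -> temporary entries created by 'reflect' (assumed model, no timeout)
ReflexState = dict


def evaluate(acl: list, p: Packet, state: ReflexState) -> str:
    """Top-down, first match wins; anything unmatched hits the implicit deny."""
    for e in acl:
        if e.evaluate is not None:
            if any(t.matches(p) for t in state.get(e.evaluate, [])):
                return "permit"
            continue
        if e.matches(p):
            if e.reflect is not None and e.action == "permit":
                # Mirror of the permitted flow: swap addresses and ports, pin both ports
                state.setdefault(e.reflect, []).append(
                    Entry(src=p.dst + "/32", dst=p.src + "/32", sport=p.dport, dport=p.sport))
            return e.action
    return "deny"


# Constructed flows using the thread's addresses: workstation 10.33.64.104 -> mail server 10.18.128.4:25
SYN = Packet("10.33.64.104", 4447, "10.18.128.4", 25)
SYN_ACK = Packet("10.18.128.4", 25, "10.33.64.104", 4447, ack=True)


def stateless_return_path(with_established: bool) -> str:
    """List filtering traffic that enters vlan 15 from the remote LAN, with/without 'established'."""
    acl = [Entry(src="10.18.128.0/24", dst="10.33.64.0/24", dport=25)]
    if with_established:
        acl.append(Entry(src="10.18.128.0/24", dst="10.33.64.0/24", established=True))
    return evaluate(acl, SYN_ACK, {})


def established_blocks_unsolicited_syn() -> str:
    """'established' only passes packets with ACK/RST set, so a fresh SYN from outside is dropped."""
    acl = [Entry(src="10.18.128.0/24", dst="10.33.64.0/24", established=True)]
    return evaluate(acl, Packet("10.18.128.4", 25, "10.33.64.104", 4447), {})


def reflexive_pair() -> tuple:
    """Outbound list reflects permitted sessions; inbound list only admits their mirrors."""
    state: ReflexState = {}
    outbound = [Entry(src="10.33.64.0/24", dst="10.18.128.0/24", dport=25, reflect="TCPTRAFFIC")]
    inbound = [Entry(evaluate="TCPTRAFFIC")]
    before = evaluate(inbound, SYN_ACK, state)        # no session yet: deny
    evaluate(outbound, SYN, state)                    # workstation opens the session
    after = evaluate(inbound, SYN_ACK, state)         # mirrored entry exists: permit
    stray = evaluate(inbound, Packet("10.18.128.4", 25, "10.33.64.104", 5000, ack=True), state)
    return before, after, stray                       # stray ACK to another port: deny


if __name__ == "__main__":
    print("no established:", stateless_return_path(False))
    print("with established:", stateless_return_path(True))
    print("unsolicited SYN:", established_blocks_unsolicited_syn())
    print("reflexive (before, after, stray):", reflexive_pair())
```

The difference worth noticing is in the last function: `established` is a per-packet flag check, so any packet from the permitted range with ACK set is admitted regardless of port, whereas the reflexive entry is keyed to the exact source/destination addresses and ports of the session the inside host opened, which is why a stray ACK to port 5000 is still denied.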
