Access-List between Vlans

Unanswered Question
Aug 14th, 2008

Hi Guys,

I'm having trouble with an access list applied to a single sub-interface.

With no access-list applied, traffic works both ways, no problems.

With it applied to the "in" direction, it permits traffic in one direction.

With it applied to the "out" direction, it permits traffic in the other direction.

With it applied in both directions, neither direction works apart from ICMP.


OUT
!
access-list 102 remark Allowed ports from VLAN1-VLAN200
access-list 102 permit icmp any any echo
access-list 102 permit icmp any any echo-reply
access-list 102 permit tcp any any eq 80
access-list 102 permit tcp any any eq 443
access-list 102 permit tcp any any eq 444
access-list 102 permit tcp any any eq 446
access-list 102 permit tcp any any eq 2598
access-list 102 permit tcp any any eq 3389
access-list 102 permit tcp any any eq 9100
access-list 102 permit tcp any any eq 1494
access-list 102 permit udp any any eq 1604
access-list 102 permit tcp any any eq 5060
access-list 102 permit udp any any eq 5060
!

IN
!
access-list 101 remark Allowed ports from VLAN200-VLAN1
access-list 101 permit icmp any any echo
access-list 101 permit icmp any any echo-reply
access-list 101 permit tcp any any eq 80
access-list 101 permit tcp any any eq 443
access-list 101 permit tcp any any eq 444
access-list 101 permit tcp any any eq 446
access-list 101 permit tcp any any eq 2598
access-list 101 permit tcp any any eq 3389
access-list 101 permit tcp any any eq 9100
access-list 101 permit tcp any any eq 1494
access-list 101 permit udp any any eq 1604
access-list 101 permit tcp any any eq 5060
access-list 101 permit udp any any eq 5060
!


cdusio Fri, 08/15/2008 - 04:01

So you don't explain which platform you are using, which might be part of the issue, but from your post and description here's what I think the issue is.

Your ACLs are just that. If you apply one, it allows traffic (in 101) from 200 to VLAN 1, right? But you never allow the return traffic on the other ACL, so when both are applied the only thing that works is ICMP, because you specifically allow echo and echo-reply on both ACLs.

The switch is not a firewall, so it doesn't build stateful connections. Taking one line as an example:

access-list 101 permit tcp any any eq 80
access-list 102 permit tcp any eq 80 any

You can get more granular, like:

access-list 102 permit tcp any eq 80 (vlan 102) subnet or something as well.

HTH

Chris


acomiskey Fri, 08/15/2008 - 05:59

You could also try the established keyword.


access-list 101 permit tcp any any established

stephenponsford Fri, 08/15/2008 - 15:29

Thanks for helping me out.

I would have thought, given I have an "any any" in both the inbound and outbound directions, this would have allowed the return traffic to and from the sub-interface.

i.e.

access-list 101 permit tcp any any eq 3389
access-list 102 permit tcp any any eq 3389


acomiskey Wed, 08/20/2008 - 09:38

The destination port on the "in" ACL will be 3389.

But it would not be the destination port on the way back in your "out" ACL; it would be the source port.

access-list 102 permit tcp any eq 3389 any
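
The point made in this thread can be checked with a small stateless ACL evaluator. This is an added illustration, not code from the thread or from Cisco: it replays one RDP (3389) handshake through the ACL pair as posted and then through the two fixes suggested in the replies (the source-port match and the established keyword). The packets are constructed, and the parser only understands the "any" address form the thread uses.

```python
def parse_ace(line):
    """Parse 'access-list <n> permit|deny <proto> any [eq P] any [eq P] [established|<icmp-type>]'.
    Assumption: only the 'any' address form used in the thread is modelled."""
    t = line.split()
    if len(t) < 5 or t[0] != "access-list" or t[2] == "remark":
        return None                      # remark lines never match traffic
    ace = {"action": t[2], "proto": t[3], "sport": None, "dport": None,
           "established": False, "icmp_type": None}
    rest = t[4:]
    for key in ("sport", "dport"):       # source, then destination, each optionally 'eq port'
        if rest.pop(0) != "any":
            raise ValueError("only 'any' addresses are modelled")
        if rest and rest[0] == "eq":
            rest.pop(0)
            ace[key] = int(rest.pop(0))
    if rest and rest[0] == "established":
        ace["established"] = True        # matches only packets with ACK or RST set
    elif rest and ace["proto"] == "icmp":
        ace["icmp_type"] = rest[0]
    return ace

def matches(ace, pkt):
    """A packet matches an ACE only if every field the ACE constrains agrees."""
    if ace["proto"] not in ("ip", pkt["proto"]):
        return False
    if ace["sport"] is not None and pkt.get("sport") != ace["sport"]:
        return False
    if ace["dport"] is not None and pkt.get("dport") != ace["dport"]:
        return False
    if ace["established"] and not pkt.get("ack", False):
        return False
    if ace["icmp_type"] is not None and pkt.get("icmp_type") != ace["icmp_type"]:
        return False
    return True

def evaluate(acl, pkt):
    """First matching ACE decides; an IOS ACL ends with an implicit deny."""
    for line in acl:
        ace = parse_ace(line)
        if ace and matches(ace, pkt):
            return ace["action"]
    return "deny"

# Constructed packets: one RDP session from a VLAN200 client to a VLAN1 server.
SYN     = {"proto": "tcp", "sport": 51234, "dport": 3389, "ack": False}  # inbound request
SYN_ACK = {"proto": "tcp", "sport": 3389, "dport": 51234, "ack": True}   # outbound reply

# The thread's ACL pair reduced to the RDP line, then the two corrections proposed.
IN_ACL          = ["access-list 101 permit tcp any any eq 3389"]
OUT_AS_POSTED   = ["access-list 102 permit tcp any any eq 3389"]   # reply's dport is ephemeral: denied
OUT_SOURCE_PORT = ["access-list 102 permit tcp any eq 3389 any"]   # match the reply by source port
OUT_ESTABLISHED = ["access-list 102 permit tcp any any established"]
```

Running the four lists against SYN and SYN_ACK shows the posted outbound ACL dropping the reply, while both fixes pass it; the established form still drops a fresh SYN from VLAN1, which is the behaviour the thread is after.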
