08-14-2008 09:05 PM - edited 02-20-2020 09:40 PM
Hi Guys,
I'm having trouble with an access list applied to a single sub-interface.
With no access-list applied traffic works both ways no problems.
With it applied to the "in" direction it permits traffic in one direction.
With it applied to the "out" direction it permits traffic in the other direction.
With it applied to both directions neither direction works, apart from ICMP.
OUT
!
access-list 102 remark Allowed ports from VLAN1-VLAN200
access-list 102 permit icmp any any echo
access-list 102 permit icmp any any echo-reply
access-list 102 permit tcp any any eq 80
access-list 102 permit tcp any any eq 443
access-list 102 permit tcp any any eq 444
access-list 102 permit tcp any any eq 446
access-list 102 permit tcp any any eq 2598
access-list 102 permit tcp any any eq 3389
access-list 102 permit tcp any any eq 9100
access-list 102 permit tcp any any eq 1494
access-list 102 permit udp any any eq 1604
access-list 102 permit tcp any any eq 5060
access-list 102 permit udp any any eq 5060
!
IN
!
access-list 101 remark Allowed ports from VLAN200-VLAN1
access-list 101 permit icmp any any echo
access-list 101 permit icmp any any echo-reply
access-list 101 permit tcp any any eq 80
access-list 101 permit tcp any any eq 443
access-list 101 permit tcp any any eq 444
access-list 101 permit tcp any any eq 446
access-list 101 permit tcp any any eq 2598
access-list 101 permit tcp any any eq 3389
access-list 101 permit tcp any any eq 9100
access-list 101 permit tcp any any eq 1494
access-list 101 permit udp any any eq 1604
access-list 101 permit tcp any any eq 5060
access-list 101 permit udp any any eq 5060
!
08-15-2008 04:01 AM
You don't explain which platform you are using, which might be part of the issue, but from your post and description here's what I think the issue is.
Your ACLs are just that. If you apply one, it allows traffic (in 101) from VLAN 200 to VLAN 1, right? But you never allow the return traffic on the other ACL, so when both are applied the only thing that works is ICMP, because you specifically allow echo and echo-reply on both ACLs.
The switch is not a firewall, so it doesn't build stateful connections. For example, taking one line:
access-list 101 permit tcp any any eq 80
access-list 102 permit tcp any eq 80 any
You can get more granular, like:
access-list 102 permit tcp any eq 80 (vlan 102) subnet, or something along those lines.
HTH
Chris
08-15-2008 05:59 AM
You could also try the established keyword.
access-list 101 permit tcp any any established
08-15-2008 07:54 AM
Except that won't work for UDP.
08-15-2008 08:11 AM
Correct, that's why I only listed an example of tcp.
08-15-2008 03:29 PM
Thanks for helping me out.
I would have thought, given I have an "any any" on both the inward and outward directions, this would have allowed the return traffic to and from the sub-interface.
i.e.
access-list 101 permit tcp any any eq 3389
access-list 102 permit tcp any any eq 3389
08-20-2008 09:38 AM
The destination port on the "in" ACL will be 3389.
But it would not be the destination port on the way back in your "out" ACL; it would be the source port.
access-list 102 permit tcp any eq 3389 any
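The stateless matching the replies above describe, as an added example that is not code from the thread or from Cisco: a small Python model of the IOS extended-ACL entries used in the thread, which checks the first packet of a session against ACL 101 "in" and the first reply against three versions of ACL 102 "out" (as posted, the source-port form Chris suggested, and the established keyword). The ephemeral client port 51000, the packet flows and the trimmed ACLs are constructed test data, and only "any" addresses are modelled.

```python
"""Stateless ACL walk-through (added example, not code from the thread)."""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional


@dataclass(frozen=True)
class Packet:
    proto: str                                  # "tcp", "udp" or "icmp"
    src_port: int = 0
    dst_port: int = 0
    tcp_flags: FrozenSet[str] = frozenset()     # e.g. {"SYN"} or {"SYN", "ACK"}
    icmp_type: str = ""                         # "echo" or "echo-reply"


@dataclass(frozen=True)
class Rule:
    action: str                                 # "permit" or "deny"
    proto: str
    src_port: Optional[int]                     # None means "any"
    dst_port: Optional[int]
    established: bool = False
    icmp_type: Optional[str] = None


def parse_rule(line: str) -> Optional[Rule]:
    """Parse 'access-list N permit tcp any [eq P] any [eq P] [established]'.
    Assumption: only 'any' addresses are supported; remarks are skipped."""
    toks = line.split()
    if len(toks) < 5 or toks[0] != "access-list" or toks[2] == "remark":
        return None
    action, proto, rest = toks[2], toks[3], toks[4:]
    ports: List[Optional[int]] = []
    for _ in ("source", "destination"):
        if not rest or rest[0] != "any":
            raise ValueError("only 'any' addresses are modelled: " + line)
        rest = rest[1:]
        if rest[:1] == ["eq"]:
            ports.append(int(rest[1]))
            rest = rest[2:]
        else:
            ports.append(None)
    icmp_type = rest[0] if proto == "icmp" and rest else None
    return Rule(action, proto, ports[0], ports[1], "established" in rest, icmp_type)


def load_acl(lines: List[str]) -> List[Rule]:
    return [r for r in map(parse_rule, lines) if r is not None]


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto != pkt.proto:
        return False
    if rule.proto == "icmp":
        return rule.icmp_type in (None, pkt.icmp_type)
    if rule.src_port is not None and rule.src_port != pkt.src_port:
        return False
    if rule.dst_port is not None and rule.dst_port != pkt.dst_port:
        return False
    # 'established' matches only segments with ACK or RST set, so it never
    # matches the first SYN of a connection started from the far side.
    if rule.established and not (pkt.tcp_flags & {"ACK", "RST"}):
        return False
    return True


def evaluate(acl: List[Rule], pkt: Packet) -> bool:
    """First matching entry wins; anything unmatched hits the implicit deny."""
    for rule in acl:
        if matches(rule, pkt):
            return rule.action == "permit"
    return False


def session_allowed(acl_in: List[Rule], acl_out: List[Rule],
                    forward: Packet, reverse: Packet) -> bool:
    """Each packet is judged on its own: the request must pass the 'in' list
    and the reply must pass the 'out' list. Nothing remembers the request."""
    return evaluate(acl_in, forward) and evaluate(acl_out, reverse)


# Constructed ACLs, trimmed to the ports exercised below.
ICMP_LINES = ["access-list 102 permit icmp any any echo",
              "access-list 102 permit icmp any any echo-reply"]
ACL_101 = load_acl(["access-list 101 remark Allowed ports from VLAN200-VLAN1",
                    "access-list 101 permit icmp any any echo",
                    "access-list 101 permit icmp any any echo-reply",
                    "access-list 101 permit tcp any any eq 3389",
                    "access-list 101 permit udp any any eq 1604"])
# As posted: destination-port entries, which a reply never matches.
ACL_102_AS_POSTED = load_acl(ICMP_LINES + ["access-list 102 permit tcp any any eq 3389",
                                           "access-list 102 permit udp any any eq 1604"])
# Source-port form suggested in the thread: works for TCP and UDP.
ACL_102_SOURCE_PORT = load_acl(ICMP_LINES + ["access-list 102 permit tcp any eq 3389 any",
                                             "access-list 102 permit udp any eq 1604 any"])
# 'established' form: covers TCP replies only.
ACL_102_ESTABLISHED = load_acl(ICMP_LINES + ["access-list 102 permit tcp any any established"])

CLIENT_PORT = 51000  # constructed ephemeral port on the VLAN 200 host
RDP_SYN = Packet("tcp", CLIENT_PORT, 3389, frozenset({"SYN"}))
RDP_SYN_ACK = Packet("tcp", 3389, CLIENT_PORT, frozenset({"SYN", "ACK"}))
UDP1604_REQ = Packet("udp", CLIENT_PORT, 1604)
UDP1604_REPLY = Packet("udp", 1604, CLIENT_PORT)
PING = Packet("icmp", icmp_type="echo")
PONG = Packet("icmp", icmp_type="echo-reply")

if __name__ == "__main__":
    for name, out in [("as posted", ACL_102_AS_POSTED), ("source port", ACL_102_SOURCE_PORT),
                      ("established", ACL_102_ESTABLISHED)]:
        print(f"ACL 102 {name:12} RDP={session_allowed(ACL_101, out, RDP_SYN, RDP_SYN_ACK)} "
              f"UDP1604={session_allowed(ACL_101, out, UDP1604_REQ, UDP1604_REPLY)} "
              f"ping={session_allowed(ACL_101, out, PING, PONG)}")
```

Running it shows the thread's symptom (only ping survives with the lists as posted), that matching the reply by source port restores both RDP and UDP 1604, and that `established` restores RDP only, while also refusing a fresh SYN from the VLAN 1 side, which the source-port form does not.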