ACL help on simple 2 router OSPF Lab

Unanswered Question
Apr 13th, 2009

Hello,

I'm trying to practise with some ACL's in my small 2 router lab. On Router0 I want to be able to deny and log access from 192.168.100.192/27 (Router1 LAN) to 192.168.100.97/27 (Loopback0 LAN).

As you can see on Router0 I have created an Extended ACL and bound this to the destination interface which is the loopback0 in the "outbound" direction to the LAN. This is how I have been taught to do it anyway, set the ACL on the destination interface and to outbound to the LAN of the interface.

Router0#sh run
!
interface Loopback0
 ip address 192.168.100.97 255.255.255.224
 ip access-group inbound out
!
interface FastEthernet0/0
 ip address 192.168.100.129 255.255.255.252
 duplex auto
 speed auto
!
interface Serial0/0
 description WAN link to RouterA
 ip address 10.10.10.13 255.255.255.252
 no fair-queue
!
interface Serial0/1
 no ip address
!
router ospf 1
 log-adjacency-changes
 network 10.10.10.12 0.0.0.3 area 0
 network 192.168.100.96 0.0.0.31 area 0
 network 192.168.100.128 0.0.0.3 area 0
!
ip http server
no ip http secure-server
ip classless
!
!
!
ip access-list extended inbound
 deny ip 192.168.100.192 0.0.0.31 any log
 permit ip any any log
!

----------------------------------------------------------------

Router1#sh run
!
ip dhcp pool client
 network 192.168.100.192 255.255.255.224
 default-router 10.10.10.14
!
!
interface FastEthernet0/0
 ip address 192.168.100.193 255.255.255.224
 ip nat inside
 duplex auto
 speed auto
!
interface Serial0/0
 ip address 10.10.10.14 255.255.255.252
 ip nat outside
 no fair-queue
 clock rate 4000000
!
interface Serial0/1
 no ip address
 shutdown
!
router ospf 1
 log-adjacency-changes
 network 10.10.10.12 0.0.0.3 area 0
 network 192.168.100.192 0.0.0.31 area 0
!

Thanks

Jon Marshall Mon, 04/13/2009 - 11:52

You need to apply the acl inbound. Outbound is traffic leaving the loopback interface. Inbound is traffic arriving on the loopback interface.

Jon

whiteford Mon, 04/13/2009 - 12:10

I changed it to inbound and the LAN in question still didn't get blocked, I can ping the LAN and telnet to 192.168.100.97 still.

thotsaphon Mon, 04/13/2009 - 12:44

Andy,

It will not work in either outbound or inbound. Because the traffic going to the loopback ip address will not be forwarded out of the interface. So Outbound or Inbound ACL will not work in this case.

In case you want to see log from that acl. You can do things as follows:

Router0
!
int loop 0
 ip ospf net point-to-point
 ip access-group inbound out
 no ip route-cache
!

R1#ping 192.168.100.98
!

Those packets will be forwarded out of the loopback interface. You should see the logs.

But you can ping/telnet to 192.168.100.97 anyway.

HTH,

Toshi

whiteford Mon, 04/13/2009 - 13:17

Hello, so basically if I use the fastethernet interface instead this will work? I just need a device to bring up the interface.

thotsaphon Mon, 04/13/2009 - 13:28

Andy,

You are trying to access Router0 via Router1. Think about the direction of traffic. Traffic goes out from Router1 to Router0, so Serial0/0 of Router0 is the first place that traffic comes in. You can apply the ACL there in the inbound direction.

HTH,

Toshi

whiteford Mon, 04/13/2009 - 21:49

Thanks, do you find extended are more widely used in the industry?

whiteford Mon, 04/13/2009 - 22:08

I will try this as soon as I get to work.

It makes sense to me to use extended as it stops unnecessary traffic using bandwidth before getting denied.

Although standard could be used for a simple ACL on the destination?

whiteford Tue, 04/14/2009 - 07:27

Hi,

I have just created the setup below with one Extended access list close to the source and outbound in the direction of the remote network:

C1841#sh run
!
ip dhcp pool scope
 network 10.20.20.0 255.255.255.0
 dns-server 192.168.21.100
 default-router 10.20.20.1
 lease 0 2
!
!
ip domain name gb.vo.local
!
interface FastEthernet0/0
 description WAN Port
 ip address 192.168.60.245 255.255.255.0
 ip access-group MYACL1 out
 duplex auto
 speed auto
!
interface FastEthernet0/1
 description LAN Port
 ip address 10.20.20.1 255.255.255.0
 duplex auto
 speed auto
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 192.168.60.254
!
!
ip access-list extended MYACL1
 permit ip 10.20.20.0 0.0.0.255 192.168.28.0 0.0.0.255 log
 permit ip 10.20.20.0 0.0.0.255 192.168.21.0 0.0.0.255 log
 permit ip 10.20.20.0 0.0.0.255 192.168.20.0 0.0.0.255 log
 deny ip any any log
!

What I'm finding is a host IP of 10.20.20.2 can access resources on 192.168.20.x, 192.168.21.x and 192.168.28.x, but these 3 subnets can also access 10.20.20.2.

My (simple) understanding of the ACL I have added is this should be one direction only: from 10.20.20.x towards (outbound) the 3 subnets only, what is allowing these 3 subnets full access to host 10.20.20.2 as I haven't specified this (Or have I)?

Is my outbound rule both directions?

thotsaphon Tue, 04/14/2009 - 07:36

Andy,

10.20.20.X will do ARP to access 10.20.20.2. No matter what direction of ACL you applied.

EDIT: They will not go to the gateway, 10.20.20.1, to reach 10.20.20.2. They just do ARP for that.

HTH,

Toshi

whiteford Tue, 04/14/2009 - 07:41

Hello,

Not sure I understand. I allowed 10.20.20.x access outbound to the remote subnets. Coming backwards from the 3 subnets I don't see an access list to allow say for example 192.168.21.x to access \\10.20.20.2\c$

thotsaphon Tue, 04/14/2009 - 07:44

Andy,

Assuming that I am 192.168.21.x. I'm trying to access \\10.20.20.2\c$. Probably file-sharing. Let's think about when the packet is routed back to the host.

Source-Address : 10.20.20.2

Destination-Address : 192.168.21.X

Am I allowed to pass these ACLs?

ip access-list extended MYACL1
 permit ip 10.20.20.0 0.0.0.255 192.168.28.0 0.0.0.255 log
 permit ip 10.20.20.0 0.0.0.255 192.168.21.0 0.0.0.255 log
 permit ip 10.20.20.0 0.0.0.255 192.168.20.0 0.0.0.255 log
 deny ip any any log

HTH,

Toshi

whiteford Tue, 04/14/2009 - 07:48

I think it's the way I look at it:

I see it as, I'm 192.168.21.x (the source) so:

Source-Address : 192.168.21.x (server)

Destination-Address : 10.20.20.2 (PC)

And permit ip 10.20.20.0 0.0.0.255 192.168.21.0 0.0.0.255 log doesn't fit.

:S

thotsaphon Tue, 04/14/2009 - 07:51

Andy,

What do you mean that log doesn't fit?

10.20.20.0 0.0.0.255 should be hosts 10.20.20.1-10.20.20.254.

I now have a bit of a headache. (Grin)

Toshi

whiteford Tue, 04/14/2009 - 07:54

Sorry (my London lingo)

And permit ip 10.20.20.0 0.0.0.255 192.168.21.0 0.0.0.255 log.

I mean I would expect this to say:

permit ip 192.168.21.0 0.0.0.255 10.20.20.0 0.0.0.255 log

I see as I'm the source (192.168.21.x) so permit 192.168.21.x to 10.20.20.x

thotsaphon Tue, 04/14/2009 - 07:59

Andy,

You applied the ACL as outbound direction.

!
interface FastEthernet0/0
 ip access-group MYACL1 out
!

It means the traffic going out of the router via FastEthernet0/0 then hits the ACL. So it's not possible to see the source as 192.168.21.X. The source would be your LAN, 10.20.20.x.

HTH,

Toshi

whiteford Tue, 04/14/2009 - 08:45

That is the part I understand, I wanted to allow 10.20.20.x outbound access only to those 3 subnets and that works, but what gives the 3 remote subnets access backwards to the 10.20.20.x?

Is it because I don't have an access inbound to the 10.20.20.x network all is allowed?

thotsaphon Tue, 04/14/2009 - 08:50

Andy,

ACL is state-less. It's not a FIREWALL. You have to think about the direction you apply. Yes, 3 remote subnets can access 10.20.20.x, because you didn't have an inbound ACL to block them. What happens if you do that? Connecting from 10.20.20.x to the 192.168.X.y network may not work when packets are routed back from the 3 remote subnets.

My 2 cents

Toshi

whiteford Tue, 04/14/2009 - 09:13

This makes a lot more sense. I've tested and all 3 subnets can access this, however a new subnet 192.168.90.x can't?

Also, if I was to restrict access, would I simply add a new access list to fa0/1 inbound?

thotsaphon Tue, 04/14/2009 - 09:23

Andy,

New remote subnet 192.168.90.x added? Well, let's modify the ACL to allow them.

You want to restrict accessing by using inbound ACL. Well, let's test it out. You will see what's going on.

Toshi

whiteford Tue, 04/14/2009 - 09:31

What I mean is before adding the inbound acl 192.168.90.x should have access to 10.20.20.x as there are no acl's inbound to stop this? Well it can't, but the 3 subnets can.

thotsaphon Tue, 04/14/2009 - 09:37

Andy,

We are now on page number 2 for this thread. (grin) What I told you is that you have assigned the outbound ACL. Let's modify things as follows:

!
ip access-list extended MYACL1
 permit ip 10.20.20.0 0.0.0.255 192.168.28.0 0.0.0.255 log
 permit ip 10.20.20.0 0.0.0.255 192.168.21.0 0.0.0.255 log
 permit ip 10.20.20.0 0.0.0.255 192.168.20.0 0.0.0.255 log
 permit ip 10.20.20.0 0.0.0.255 192.168.90.0 0.0.0.255 log
 deny ip any any log
!

Like I said, It's not a firewall. Just think about how the packets go back and forth.

Toshi
