04-13-2009 11:46 AM - edited 03-06-2019 05:08 AM
Hello,
I'm trying to practise with some ACLs in my small 2 router lab. On Router0 I want to be able to deny and log access from 192.168.100.192/27 (Router1 LAN) to 192.168.100.97/27 (Loopback0 LAN).
As you can see on Router0 I have created an Extended ACL and bound it to the destination interface, which is the loopback0, in the "outbound" direction to the LAN. This is how I have been taught to do it anyway: set the ACL on the destination interface, outbound to the LAN of the interface.
Router0#sh run
!
interface Loopback0
ip address 192.168.100.97 255.255.255.224
ip access-group inbound out
!
interface FastEthernet0/0
ip address 192.168.100.129 255.255.255.252
duplex auto
speed auto
!
interface Serial0/0
description WAN link to RouterA
ip address 10.10.10.13 255.255.255.252
no fair-queue
!
interface Serial0/1
no ip address
!
router ospf 1
log-adjacency-changes
network 10.10.10.12 0.0.0.3 area 0
network 192.168.100.96 0.0.0.31 area 0
network 192.168.100.128 0.0.0.3 area 0
!
ip http server
no ip http secure-server
ip classless
!
!
!
ip access-list extended inbound
deny ip 192.168.100.192 0.0.0.31 any log
permit ip any any log
!
----------------------------------------------------------------
Router1#sh run
!
ip dhcp pool client
network 192.168.100.192 255.255.255.224
default-router 10.10.10.14
!
!
interface FastEthernet0/0
ip address 192.168.100.193 255.255.255.224
ip nat inside
duplex auto
speed auto
!
interface Serial0/0
ip address 10.10.10.14 255.255.255.252
ip nat outside
no fair-queue
clock rate 4000000
!
interface Serial0/1
no ip address
shutdown
!
router ospf 1
log-adjacency-changes
network 10.10.10.12 0.0.0.3 area 0
network 192.168.100.192 0.0.0.31 area 0
!
Thanks
04-13-2009 11:52 AM
You need to apply the acl inbound. Outbound is traffic leaving the loopback interface. Inbound is traffic arriving on the loopback interface.
Jon
04-13-2009 12:10 PM
I changed it to inbound and the LAN in question still didn't get blocked, I can ping the LAN and telnet to 192.168.100.97 still.
04-13-2009 12:44 PM
Andy,
It will not work in either outbound or inbound, because the traffic going to the loopback IP address will not be forwarded out of the interface. So an outbound or inbound ACL will not work in this case.
In case you want to see log from that acl. You can do things as follows:
Router0
!
int loop 0
ip ospf net point-to-point
ip access-group inbound out
no ip route-cache
!
R1#ping 192.168.100.98
!
Those packets will be forwarded out of the loopback interface. You should see the logs.
But you can ping/telnet to 192.168.100.97 anyway.
HTH,
Toshi
04-13-2009 01:17 PM
Hello, so basically if I use the fastethernet interface instead this will work? I just need a device to bring up the interface.
04-13-2009 01:28 PM
Andy,
You are trying to access Router0 via Router1. Think about the direction of traffic. Traffic is going out from Router1 to Router0. So Serial0/0 of Router0 is the first place that traffic is coming in. You can apply the ACL there in the inbound direction.
HTH,
Toshi
04-13-2009 09:13 PM
Hi
A little thing that I want to say about ACLs is that
* You should apply a Standard ACL near to the destination
* You should apply an Extended ACL near to the Source
In your case you are using an Extended ACL, so you should apply your ACL near the source; in your case it is the ROUTER1 LAN.
By doing this you are dropping the traffic before it goes to the other router and uses your WAN bandwidth.
H2H
Bhargav
04-13-2009 09:49 PM
Thanks, do you find extended are more widely used in the industry?
04-13-2009 09:58 PM
Yes they are
But the whole thing comes down to the different network and its needs.
Have you tried the solution in your test environment?
H2H
Bhargav
04-13-2009 10:08 PM
I will try this as soon as I get to work.
It makes sense to me to use extended as it stops unnecessary traffic using bandwidth before getting denied.
Although standard could be used for a simple ACL on the destination?
04-13-2009 10:50 PM
Yes standard ACL should be more appropriate to apply near the Destination.
As standard ACLs deal with the source address only, it is better to apply them near the destination, because if you apply a standard ACL near the source it will block all the traffic, which you don't want.
H2H
Bhargav
04-14-2009 07:27 AM
Hi,
I have just created the setup below with one Extended access list close to the source and outbound in the direction of the remote network:
C1841#sh run
!
ip dhcp pool scope
network 10.20.20.0 255.255.255.0
dns-server 192.168.21.100
default-router 10.20.20.1
lease 0 2
!
!
ip domain name gb.vo.local
!
interface FastEthernet0/0
description WAN Port
ip address 192.168.60.245 255.255.255.0
ip access-group MYACL1 out
duplex auto
speed auto
!
interface FastEthernet0/1
description LAN Port
ip address 10.20.20.1 255.255.255.0
duplex auto
speed auto
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 192.168.60.254
!
!
ip access-list extended MYACL1
permit ip 10.20.20.0 0.0.0.255 192.168.28.0 0.0.0.255 log
permit ip 10.20.20.0 0.0.0.255 192.168.21.0 0.0.0.255 log
permit ip 10.20.20.0 0.0.0.255 192.168.20.0 0.0.0.255 log
deny ip any any log
!
What I'm finding is that a host IP of 10.20.20.2 can access resources on 192.168.20.x, 192.168.21.x and 192.168.28.x, but these 3 subnets can also access 10.20.20.2.
My (simple) understanding of the ACL I have added is that this should be one direction only: from 10.20.20.x towards (outbound) the 3 subnets only. What is allowing these 3 subnets full access to host 10.20.20.2, as I haven't specified this (or have I)?
Is my outbound rule both directions?
04-14-2009 07:36 AM
Andy,
10.20.20.X will do ARP to access 10.20.20.2, no matter what direction of ACL you applied.
EDIT: They will not go to the gateway, 10.20.20.1, to reach 10.20.20.2. They just do ARP for that.
HTH,
Toshi
04-14-2009 07:41 AM
Hello,
Not sure I understand. I allowed 10.20.20.x access outbound to the remote subnets. Coming backwards from the 3 subnets I don't see an access list to allow say for example 192.168.21.x to access \\10.20.20.2\c$
04-14-2009 07:44 AM
Andy,
Assuming that I am 192.168.21.x, I'm trying to access \\10.20.20.2\c$. Probably file sharing. Let's think about when the packet is routed back to the host.
Source-Address : 10.20.20.2
Destination-Address : 192.168.21.X
Am I allowed to pass these ACLs?
ip access-list extended MYACL1
permit ip 10.20.20.0 0.0.0.255 192.168.28.0 0.0.0.255 log
permit ip 10.20.20.0 0.0.0.255 192.168.21.0 0.0.0.255 log
permit ip 10.20.20.0 0.0.0.255 192.168.20.0 0.0.0.255 log
deny ip any any log
HTH,
Toshi
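Added example (not from the thread or Cisco's code): a small Python model of IOS extended ACL matching, used to walk through Toshi's point above and Bhargav's placement advice. It loads MYACL1 exactly as posted, applies it only where the C1841 config binds it (Fa0/0 out), and checks both the request from 192.168.21.x to 10.20.20.2 and its reply; the router model, interface names and sample host addresses are assumptions for illustration.

```python
# Minimal Cisco-style extended ACL evaluator (added example, not IOS code).
# IOS ACLs are stateless: every packet is matched on its own, first match wins,
# and an unmatched packet hits the implicit "deny ip any any" at the end.
import ipaddress

def wildcard_match(addr, network, wildcard):
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w) == (n & ~w)

def acl_permits(acl, src, dst):
    """Evaluate (action, src_net, src_wc, dst_net, dst_wc) entries in order."""
    for action, s_net, s_wc, d_net, d_wc in acl:
        if wildcard_match(src, s_net, s_wc) and wildcard_match(dst, d_net, d_wc):
            return action == "permit"
    return False  # implicit deny

ANY = ("0.0.0.0", "255.255.255.255")  # 'any' keyword as a wildcard pair
MYACL1 = [  # entries as posted in the thread
    ("permit", "10.20.20.0", "0.0.0.255", "192.168.28.0", "0.0.0.255"),
    ("permit", "10.20.20.0", "0.0.0.255", "192.168.21.0", "0.0.0.255"),
    ("permit", "10.20.20.0", "0.0.0.255", "192.168.20.0", "0.0.0.255"),
    ("deny", *ANY, *ANY),
]

# Assumed C1841 model: LAN-to-WAN packets enter Fa0/1 and leave Fa0/0,
# WAN-to-LAN packets enter Fa0/0 and leave Fa0/1. The posted config binds an
# ACL only to Fa0/0 outbound; every other (interface, direction) has none.
LAN = ipaddress.IPv4Network("10.20.20.0/24")
BINDINGS = {("Fa0/0", "out"): MYACL1}

def forwarded(src, dst, bindings=BINDINGS):
    """True if the packet passes every ACL bound along its path through the router."""
    if ipaddress.IPv4Address(src) in LAN:
        path = [("Fa0/1", "in"), ("Fa0/0", "out")]
    else:
        path = [("Fa0/0", "in"), ("Fa0/1", "out")]
    for point in path:
        acl = bindings.get(point)
        if acl is not None and not acl_permits(acl, src, dst):
            return False
    return True

def share_access_from_remote(remote="192.168.21.50", host="10.20.20.2"):
    """(request permitted?, reply permitted?) for the file-share case above.
    The request never meets an ACL; the reply matches MYACL1's second permit."""
    return forwarded(remote, host), forwarded(host, remote)
```

Because only the outbound WAN binding exists, the remote subnet's request is never inspected at all, and the reply is explicitly permitted by the source/destination pair in MYACL1; blocking the remote subnets would need an inbound ACL on Fa0/0 with those subnets as the source.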