ACL preventing HTTP from going out

Unanswered Question
Jul 24th, 2009

I have a 3550 running IOS Version 12.1(14)EA1a

With this ACL on, none of my workstations on the 10.90.80.0 segment can get out via HTTP. It looks open to me. Any suggestions would be appreciated. I'm looking to permit HTTP traffic outbound with this ACL.

permit udp any any range bootps bootpc
permit ip 10.90.80.0 0.0.0.255 host 10.90.200.65
permit ip 10.90.80.0 0.0.0.255 host 10.90.202.65
permit ip 10.90.80.0 0.0.0.255 host 10.90.204.43
permit ip 10.90.80.0 0.0.0.255 host 10.90.204.44
permit ip 10.90.80.0 0.0.0.255 host 10.90.204.41
permit ip 10.90.80.0 0.0.0.255 host 10.90.204.42
permit ip 10.90.80.0 0.0.0.255 host 10.90.202.42
permit ip host 10.90.204.43 10.90.80.0 0.0.0.255
permit ip host 10.90.204.44 10.90.80.0 0.0.0.255
permit ip host 10.90.200.65 10.90.80.0 0.0.0.255
permit ip host 10.90.202.65 10.90.80.0 0.0.0.255
permit ip host 10.90.204.42 10.90.80.0 0.0.0.255
permit ip host 10.90.204.41 10.90.80.0 0.0.0.255
permit ip host 10.90.202.42 10.90.80.0 0.0.0.255
permit ip host 10.90.1.99 10.90.80.0 0.0.0.255
permit ip 10.90.80.0 0.0.0.255 host 10.90.1.99
permit ip host 10.90.44.140 10.90.80.0 0.0.0.255
permit ip 10.90.80.0 0.0.0.255 host 10.90.44.140
permit ip host 10.90.44.122 10.90.80.0 0.0.0.255
permit ip 10.90.80.0 0.0.0.255 host 10.90.44.122
permit ip 10.90.80.0 0.0.0.255 10.90.80.0 0.0.0.255
permit tcp 10.90.80.0 0.0.0.255 10.90.0.0 0.0.255.255 eq 80
permit tcp 10.90.0.0 0.0.255.255 10.90.80.0 0.0.0.255 eq 80
permit ip 10.90.80.0 0.0.0.255 host 10.90.37.132
permit ip host 10.90.37.132 10.90.80.0 0.0.0.255
permit ip 10.90.80.0 0.0.0.255 host 10.90.44.139
permit ip host 10.90.44.139 10.90.80.0 0.0.0.255
permit icmp any any echo
permit icmp any any echo-reply
permit icmp any any unreachable
permit icmp any any time-exceeded
deny tcp any any

John Blakley Fri, 07/24/2009 - 06:38

What direction do you have this acl applied in? Try putting:

permit tcp any any established

before the deny tcp any any line and see if that helps. The return traffic may be getting blocked.

HTH,

John

rshum Fri, 07/24/2009 - 06:48

I have it as

vlan access-map Phillips-ACCESS-ACL 10
 action forward
 match ip address Phillips-ACCESS-ACL
vlan filter Phillips-ACCESS-ACL vlan-list 80

Peter Paluch Fri, 07/24/2009 - 07:22

Hi,

I think that using VLAN ACLs is the problem here. If you use the "vlan filter" as you have indicated, all the traffic that either enters or leaves the VLAN 80 is subject to filtering through your ACL - both inbound and outbound traffic. Clearly, your ACL is made so that the clients in your network can access HTTP servers in other networks but the ACL does not accept HTTP replies when they get back to the VLAN80.

Do you have any special need to use the ACL in this way? Wouldn't it be sufficient for you to place it on your interface VLAN80? If you want to leave it this way, you will need to extend your ACL with additional lines allowing bidirectional communication for your services.

Best regards,

Peter

rshum Fri, 07/24/2009 - 07:24

It was put in a long time ago by people who are now long gone. I don't know the reason they did it that way initially. However, my core routers are too unstable for me to make any changes currently. Yes, plans are in the works to swap them out, but this is how it's got to be until then.

Peter Paluch Fri, 07/24/2009 - 12:33

Hi,

While I believe that removing that VACL and converting it instead to a classical ACL applied on a VLAN interface should be relatively harmless, you certainly know your network better, so the decision is up to you. I still think that there is no need to apply this ACL as a VACL ("vlan filter"), but I don't want to push you into a particular solution.

If you decide just to tweak your access list, you have to correct a mistake in it: the two lines regarding the HTTP should correctly read as:

permit tcp 10.90.80.0 0.0.0.255 10.90.0.0 0.0.255.255 eq 80
permit tcp 10.90.0.0 0.0.255.255 eq 80 10.90.80.0 0.0.0.255

Note that the second line has the "eq 80" moved into the source specification part, as it references the HTTP replies, which are indeed sent from port 80.

Best regards,

Peter
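To make Peter's two points concrete (a "vlan filter" VACL evaluates both legs of the connection, and "eq 80" on the reply line must qualify the source address), here is an added example that is not from the thread: a small Python evaluator for ACL lines of the shape used above, run against an HTTP request and its reply with the original and corrected HTTP lines plus the OP's deny tcp any any. The client and server addresses and the ephemeral port are constructed sample values.

```python
import ipaddress

# Added example, not from the thread: minimal evaluator for IOS extended ACL lines
# of the shape used above ('any' | 'host A' | 'A WILDCARD', optional 'eq PORT'
# after either address; contiguous wildcards only). Sample IPs/ports are constructed.

def _parse_addr(tok, i):
    """Parse one address (+ optional 'eq PORT') at tok[i]; return ((net, port), next_i)."""
    if tok[i] == "any":
        net, i = ipaddress.ip_network("0.0.0.0/0"), i + 1
    elif tok[i] == "host":
        net, i = ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    else:  # wildcard is an inverted netmask: 0.0.0.255 -> /24, 0.0.255.255 -> /16
        wild = int(ipaddress.ip_address(tok[i + 1]))
        net, i = ipaddress.ip_network((tok[i], 32 - wild.bit_length()), strict=False), i + 2
    port = None
    if i < len(tok) and tok[i] == "eq":
        port, i = int(tok[i + 1]), i + 2
    return (net, port), i

def parse_acl(text):
    rules = []
    for line in text.strip().splitlines():
        tok = line.split()                 # action proto src [eq p] dst [eq p]
        src, i = _parse_addr(tok, 2)
        dst, _ = _parse_addr(tok, i)
        rules.append((tok[0], tok[1], src, dst))
    return rules

def evaluate(rules, proto, src_ip, sport, dst_ip, dport):
    """First matching line wins; falling off the end is the implicit deny, as on IOS."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, p, (snet, sp), (dnet, dp) in rules:
        if (p in (proto, "ip") and s in snet and d in dnet
                and sp in (None, sport) and dp in (None, dport)):
            return action
    return "deny"

ORIGINAL = """permit tcp 10.90.80.0 0.0.0.255 10.90.0.0 0.0.255.255 eq 80
permit tcp 10.90.0.0 0.0.255.255 10.90.80.0 0.0.0.255 eq 80
deny tcp any any"""
CORRECTED = """permit tcp 10.90.80.0 0.0.0.255 10.90.0.0 0.0.255.255 eq 80
permit tcp 10.90.0.0 0.0.255.255 eq 80 10.90.80.0 0.0.0.255
deny tcp any any"""

def http_round_trip(acl_text, client="10.90.80.25", server="10.90.200.10", eph=51234):
    """A 'vlan filter' VACL sees both legs; return (request verdict, reply verdict)."""
    r = parse_acl(acl_text)
    return (evaluate(r, "tcp", client, eph, server, 80),  # client:eph -> server:80
            evaluate(r, "tcp", server, 80, client, eph))  # server:80 -> client:eph
```

With the original lines the request is permitted but the reply, arriving from port 80 to an ephemeral port, falls through to deny tcp any any; with the corrected second line both legs are permitted.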
