ACL not working

Answered Question
Sep 16th, 2009

Greetings:

Following on our router:

access-list 150 permit ip 10.XXX.0.0 0.0.0.255 host 172.16.0.73
access-list 150 permit ip 10.XXX.0.0 0.0.0.255 host 172.16.5.30
access-list 150 permit ip 10.XXX.0.0 0.0.0.255 host 10.1.7.136
access-list 150 permit ip 10.XXX.0.0 0.0.0.255 host 10.1.7.137
access-list 150 permit ip 10.XXX.0.0 0.0.0.255 host 10.1.7.139
access-list 150 permit ip 10.XXX.0.0 0.0.0.255 host 10.1.4.43
access-list 150 permit ip 10.XXX.0.0 0.0.0.255 host 172.28.0.7
access-list 150 permit ip 10.XXX.0.0 0.0.0.255 host 172.28.0.75
access-list 150 permit ip 10.XXX.0.0 0.0.0.255 host 172.28.0.110
access-list 150 permit ip 10.XXX.0.0 0.0.0.255 host 172.28.0.111
access-list 150 permit ip 10.XXX.0.0 0.0.0.255 host 172.16.5.143
access-list 150 permit ip 10.XXX.0.0 0.0.0.255 host 172.16.5.142
access-list 150 permit ip 10.XXX.0.0 0.0.0.255 host 172.16.5.147
access-list 150 deny ip any any

interface FastEthernet4
 ip address 10.XXX.0.7 255.255.255.0
 ip access-group 150 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip virtual-reassembly
 duplex auto
 speed auto

When I source-ping the target IPs in the ACL using the FastEthernet4 IP, I get full replies. The problem is I also get replies from hosts outside the ACL range.

Did I miss something?

Jon Marshall Wed, 09/16/2009 - 07:35

No you didn't miss something, it's just a misunderstanding about how acl directions work.

If you apply the acl inbound on fa4 then that will filter traffic coming from clients on the 10.xxx.0.0/24 network.

So you ping 172.28.0.7 as an example. An ICMP echo request with the source address of 10.x.0.7 is routed out to 172.28.0.7. The reply does not come back in on fa4; it comes back in on the interface that is used to get to 172.28.0.7.

If you want to block icmp then apply your acl outbound on fa4. This will allow IP from your 10.x.0.0/24 network to the hosts you have in your acl but then deny all other IP.

Jon

iholdings Wed, 09/16/2009 - 07:46

Hi Jon,

Made the following change: from in to out on Fa4.

interface FastEthernet4
 description $FW_OUTSIDE$$ES_WAN$
 ip address 10.223.0.7 255.255.255.0
 ip access-group 150 out
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip virtual-reassembly
 duplex auto
 speed auto

Ran another source ping - and was still able to ping IPs outside the ACL.

iholdings Wed, 09/16/2009 - 09:04

Here's the IP I pinged, outside the ACL:

ping ip
Target IP address: 10.1.6.9
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 10.223.0.7
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.6.9, timeout is 2 seconds:
Packet sent with a source address of 10.223.0.7
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

Correct Answer
Jon Marshall Wed, 09/16/2009 - 08:28

Oops, my mistake.

An ACL outbound on an interface does not stop traffic sourced from that interface - sorry about that.

In fact, if you were only pinging from devices on the 10.x.0.0/24 network your original config would work, i.e. the ACL applied inbound.

The problem is you are sourcing the pings from the fa4 interface. So you would have to apply your ACL on all the other interfaces inbound, i.e. the interfaces that are used to get to the hosts in your ACL.

That would be complicated. If all you are trying to do is allow certain traffic from 10.x.0.0/24 clients to certain hosts, then go with your original config but don't test by using the fa4 interface as the source.

Apologies for the original confusing information.

Jon

iholdings Wed, 09/16/2009 - 09:12

Hi Jon,

My intent is to restrict all clients on the 10.x.0.0/24 network to the specific hosts on the inside network(s) listed in the ACL - and no others.

Richard Burts Wed, 09/16/2009 - 09:22

As Jon indicated your access list as originally applied inbound on the interface should be effective in limiting the hosts to which the clients could ping.

You cannot test the effectiveness of the access list by pinging from the router. The access list applied inbound will check and control traffic coming into the interface. But when you ping from the router interface, that traffic is not coming into the interface and is not subject to the controls of the access list. To test this access list you really need to be on a client connected to the interface.

HTH

Rick
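Jon's correction and Rick's explanation both come down to where in the forwarding path an ACL is evaluated. The Python model below is an added example, not code from the thread or from Cisco; it replays the scenario with the posted ACL and interface address. It assumes a client at 10.223.0.5 on the vendor side and an inside-facing interface called fa0 (both invented for the walk-through), and fills the anonymised "10.XXX" with 10.223 because the poster's later extended ping shows fa4 as 10.223.0.7.

```python
"""Model of IOS ACL direction semantics for the fa4 scenario (added example)."""
import ipaddress


def _to_int(addr):
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(addr, base, wildcard):
    """IOS wildcard-mask semantics: a 1 bit in the wildcard means 'don't care'."""
    care = ~_to_int(wildcard) & 0xFFFFFFFF
    return (_to_int(addr) & care) == (_to_int(base) & care)


# access-list 150 as posted: (action, src, src-wildcard, dst, dst-wildcard).
# "10.XXX" is filled in as 10.223, matching the poster's fa4 address 10.223.0.7.
ACL_150 = [("permit", "10.223.0.0", "0.0.0.255", h, "0.0.0.0") for h in (
    "172.16.0.73", "172.16.5.30", "10.1.7.136", "10.1.7.137", "10.1.7.139",
    "10.1.4.43", "172.28.0.7", "172.28.0.75", "172.28.0.110", "172.28.0.111",
    "172.16.5.143", "172.16.5.142", "172.16.5.147")]
ACL_150.append(("deny", "0.0.0.0", "255.255.255.255", "0.0.0.0", "255.255.255.255"))


def acl_lookup(acl, src, dst):
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for action, sb, sw, db, dw in acl:
        if wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw):
            return action
    return "deny"


# Assumed topology: fa4 faces the vendor's 10.223.0.0/24; everything else is
# reached through an inside interface named fa0 (name is an assumption).
ROUTER_ADDRS = {"fa4": "10.223.0.7"}


def egress_for(dst):
    return "fa4" if wildcard_match(dst, "10.223.0.0", "0.0.0.255") else "fa0"


def forward(src, dst, ingress, acls):
    """Return 'permit' or 'deny' for one packet.

    ingress is the interface the packet arrived on, or None when the router
    generated it itself (an extended ping sourced from fa4's address).
    acls maps (interface, 'in' | 'out') to an ACL.
    """
    if ingress is not None:
        inbound = acls.get((ingress, "in"))
        if inbound and acl_lookup(inbound, src, dst) == "deny":
            return "deny"
    if dst in ROUTER_ADDRS.values():
        return "permit"  # delivered to the router itself; no outbound ACL involved
    outbound = acls.get((egress_for(dst), "out"))
    # IOS does not run locally generated packets through outbound ACLs,
    # so a router-sourced ping is never filtered at this step either.
    if ingress is not None and outbound and acl_lookup(outbound, src, dst) == "deny":
        return "deny"
    return "permit"


def client_round_trip(dst, direction):
    """Echo request from an assumed vendor-side client 10.223.0.5 plus its reply."""
    acls = {("fa4", direction): ACL_150}
    client = "10.223.0.5"
    if forward(client, dst, ingress="fa4", acls=acls) == "deny":
        return "request denied"
    if forward(dst, client, ingress=egress_for(dst), acls=acls) == "deny":
        return "reply denied"
    return "success"


def router_round_trip(dst, direction):
    """The poster's test: extended ping sourced from fa4's own address."""
    acls = {("fa4", direction): ACL_150}
    src = ROUTER_ADDRS["fa4"]
    if forward(src, dst, ingress=None, acls=acls) == "deny":
        return "request denied"
    if forward(dst, src, ingress=egress_for(dst), acls=acls) == "deny":
        return "reply denied"
    return "success"
```

Calling these functions reproduces the thread: a client ping to a listed host succeeds with the ACL inbound on fa4, a client ping to 10.1.6.9 is dropped at the inbound check, and a ping sourced from fa4's own address succeeds whichever direction the ACL is applied, because a router-generated packet never enters fa4 and is not matched against outbound ACLs. The model also shows why the interim "out" suggestion would have hurt the permitted hosts as well: with the ACL outbound on fa4, the echo replies carry an inside source address that matches nothing but the final deny. On the real router, the per-entry match counters in `show ip access-lists 150` are the closest available substitute for a client-side test when, as here, nobody can log in from the vendor network.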

iholdings Wed, 09/16/2009 - 09:30

Jon/Rick,

So ... I can only assume that the ACL will be effective, since I cannot test as a client attached to the interface, as this is a vendor network I cannot access. Is there anything else I could do to be sure they can only get to the IPs in the ACL? Thanks for all of your help.

Richard Burts Wed, 09/16/2009 - 09:38

I cannot think of any way to test the access list other than to be in the subnet connected to the interface. From visual inspection of the access list I am confident that it will restrict the clients connected on that interface to the hosts listed in the access list. I appreciate that you would like some way to evaluate and validate the access list, but I cannot think of any other alternative.

HTH

Rick

iholdings Wed, 09/16/2009 - 09:45

Thanks for all your help guys. I changed the direction back to inbound on fa4.

Take care.
