09-16-2009 07:25 AM - edited 03-04-2019 06:04 AM
Greetings:
Following on our router:
access-list 150 permit ip 10.XXX.0.0 0.0.0.255 host 172.16.0.73
access-list 150 permit ip 10.XXX.0.0 0.0.0.255 host 172.16.5.30
access-list 150 permit ip 10.XXX.0.0 0.0.0.255 host 10.1.7.136
access-list 150 permit ip 10.XXX.0.0 0.0.0.255 host 10.1.7.137
access-list 150 permit ip 10.XXX.0.0 0.0.0.255 host 10.1.7.139
access-list 150 permit ip 10.XXX.0.0 0.0.0.255 host 10.1.4.43
access-list 150 permit ip 10.XXX.0.0 0.0.0.255 host 172.28.0.7
access-list 150 permit ip 10.XXX.0.0 0.0.0.255 host 172.28.0.75
access-list 150 permit ip 10.XXX.0.0 0.0.0.255 host 172.28.0.110
access-list 150 permit ip 10.XXX.0.0 0.0.0.255 host 172.28.0.111
access-list 150 permit ip 10.XXX.0.0 0.0.0.255 host 172.16.5.143
access-list 150 permit ip 10.XXX.0.0 0.0.0.255 host 172.16.5.142
access-list 150 permit ip 10.XXX.0.0 0.0.0.255 host 172.16.5.147
access-list 150 deny ip any any
interface FastEthernet4
ip address 10.XXX.0.7 255.255.255.0
ip access-group 150 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip virtual-reassembly
duplex auto
speed auto
When I source-ping the target IPs in the ACL using the FastEthernet4 IP, I get full replies. The problem is I also get replies from hosts outside the ACL range.
Did I miss something?
09-16-2009 08:28 AM
Oops, my mistake.
An acl outbound on an interface does not stop traffic sourced from that interface - sorry about that.
In fact, if you were only pinging from devices on the 10.x.0.0/24 network your original config would work, i.e. the acl applied inbound.
The problem is you are sourcing the pings from the fa4 interface. So you would have to apply your acl on all the other interfaces inbound, i.e. the interfaces that are used to get to the hosts in your acl.
That would be complicated. If all you are trying to do is allow certain traffic from 10.x.0.0/24 clients to certain hosts then go with your original config but don't test by using the fa4 interface as the source.
Apologies for the original confusing information.
Jon
09-16-2009 07:35 AM
No you didn't miss something, it's just a misunderstanding about how acl directions work.
If you apply the acl inbound on fa4 then that will filter traffic coming from clients on the 10.xxx.0.0/24 network.
So you ping 172.28.0.7 as an example. An icmp echo request with the source address of 10.x.0.7 is routed out to 172.28.0.7. The reply does not come back in on fa4, it comes back in on the interface that is used to get to 172.28.0.7.
If you want to block icmp then apply your acl outbound on fa4. This will allow IP from your 10.x.0.0/24 network to the hosts you have in your acl but then deny all other IP.
Jon
09-16-2009 07:46 AM
Hi Jon,
Made the following change - from in to out on Fa4
interface FastEthernet4
description $FW_OUTSIDE$$ES_WAN$
ip address 10.223.0.7 255.255.255.0
ip access-group 150 out
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip virtual-reassembly
duplex auto
speed auto
Ran another source ping - and was still able to ping IPs outside the ACL.
09-16-2009 08:03 AM
Hi, could you copy your ping statement here
thanks
09-16-2009 09:04 AM
Here's the IP I pinged - outside the ACL:
ping ip
Target IP address: 10.1.6.9
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 10.223.0.7
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.6.9, timeout is 2 seconds:
Packet sent with a source address of 10.223.0.7
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
09-16-2009 09:12 AM
Hi Jon,
My intent is to restrict all clients on the 10.x.0.0/24 network to the specific hosts on the inside network(s) listed in the ACL - and no others.
09-16-2009 09:22 AM
As Jon indicated, your access list as originally applied inbound on the interface should be effective in limiting the hosts the clients could ping.
You cannot test the effectiveness of the access list by pinging from the router. The access list applied inbound will check and control traffic coming into the interface. But when you ping from the router interface then that traffic is not coming into the interface and is not subject to the controls of the access list. To test this access list you really need to be on a client connected to the interface.
HTH
Rick
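The direction semantics Jon and Rick describe can be modelled directly. The block below is an added example and is not code from the thread: it parses ACL 150 into wildcard-mask entries, applies it either "in" or "out" on FastEthernet4, and shows why a router-sourced ping (the test the original poster ran) is never filtered while a client on the subnet is. Assumptions not stated by the posters: the client subnet is taken to be 10.223.0.0/24 from the interface address posted later in the thread, the routing table is constructed for the example, and only three of the permitted hosts are included to keep the model short.

```python
"""Model of Cisco IOS access-list direction semantics (added example, not from the thread)."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard mask: a 1 bit means 'do not care', so compare only the 0 bits."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)


@dataclass(frozen=True)
class AclEntry:
    action: str      # "permit" or "deny"
    src: str
    src_wc: str
    dst: str
    dst_wc: str


def _parse_target(tokens: List[str], i: int) -> Tuple[str, str, int]:
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' starting at tokens[i]."""
    if tokens[i] == "any":
        return "0.0.0.0", "255.255.255.255", i + 1
    if tokens[i] == "host":
        return tokens[i + 1], "0.0.0.0", i + 2
    return tokens[i], tokens[i + 1], i + 2


def parse_acl(config: str) -> List[AclEntry]:
    """Parse 'access-list N permit|deny ip <src> <dst>' lines into ordered entries."""
    entries = []
    for line in config.strip().splitlines():
        t = line.split()
        if len(t) < 4 or t[0] != "access-list" or t[3] != "ip":
            continue
        src, src_wc, i = _parse_target(t, 4)
        dst, dst_wc, _ = _parse_target(t, i)
        entries.append(AclEntry(t[2], src, src_wc, dst, dst_wc))
    return entries


def acl_decision(acl: List[AclEntry], src: str, dst: str) -> str:
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for e in acl:
        if wildcard_match(src, e.src, e.src_wc) and wildcard_match(dst, e.dst, e.dst_wc):
            return e.action
    return "deny"


@dataclass
class Router:
    routes: Dict[str, str]              # prefix -> egress interface (constructed table)
    acl_in: Dict[str, List[AclEntry]]   # interface -> ACL applied 'in'
    acl_out: Dict[str, List[AclEntry]]  # interface -> ACL applied 'out'

    def egress_for(self, dst: str) -> str:
        """Longest-prefix match over the constructed routing table."""
        ip = ipaddress.ip_address(dst)
        best = max((p for p in self.routes if ip in ipaddress.ip_network(p)),
                   key=lambda p: ipaddress.ip_network(p).prefixlen)
        return self.routes[best]

    def forward(self, src: str, dst: str, ingress: Optional[str]) -> str:
        """ingress=None means the router generated the packet itself.

        Router-originated traffic never enters an interface, so no inbound ACL
        applies, and IOS does not run outbound ACLs on traffic the router sources.
        Transit traffic is checked inbound on the ingress interface and outbound
        on whatever interface the route lookup selects.
        """
        if ingress is None:
            return "permit: router-sourced, no ACL consulted"
        if ingress in self.acl_in and acl_decision(self.acl_in[ingress], src, dst) == "deny":
            return f"deny: inbound ACL on {ingress}"
        egress = self.egress_for(dst)
        if egress in self.acl_out and acl_decision(self.acl_out[egress], src, dst) == "deny":
            return f"deny: outbound ACL on {egress}"
        return f"permit: forwarded out {egress}"


# Subset of the thread's ACL; 10.223.0.0/24 is assumed from the posted interface address.
ACL_150 = """
access-list 150 permit ip 10.223.0.0 0.0.0.255 host 172.16.0.73
access-list 150 permit ip 10.223.0.0 0.0.0.255 host 10.1.7.136
access-list 150 permit ip 10.223.0.0 0.0.0.255 host 172.28.0.7
access-list 150 deny ip any any
"""

ROUTES = {  # constructed for the example; interface names other than Fa4 are invented
    "10.223.0.0/24": "FastEthernet4",
    "172.16.0.0/16": "FastEthernet0",
    "10.1.0.0/16": "FastEthernet1",
    "172.28.0.0/16": "FastEthernet2",
    "0.0.0.0/0": "FastEthernet0",
}


def build_router(direction: str) -> Router:
    """Apply ACL 150 on FastEthernet4 in the given direction ('in' or 'out')."""
    acl = parse_acl(ACL_150)
    if direction == "in":
        return Router(ROUTES, {"FastEthernet4": acl}, {})
    return Router(ROUTES, {}, {"FastEthernet4": acl})


if __name__ == "__main__":
    for d in ("in", "out"):
        r = build_router(d)
        print(d, "router ping 10.1.6.9:", r.forward("10.223.0.7", "10.1.6.9", None))
        print(d, "client -> 10.1.6.9:", r.forward("10.223.0.50", "10.1.6.9", "FastEthernet4"))
        print(d, "client -> 172.16.0.73:", r.forward("10.223.0.50", "172.16.0.73", "FastEthernet4"))
        print(d, "reply from 172.16.0.73:", r.forward("172.16.0.73", "10.223.0.50", "FastEthernet0"))
```

Running it reproduces the thread: the router-sourced ping to 10.1.6.9 is permitted whichever direction the ACL is applied, so it says nothing about the ACL. A client on the subnet pinging 10.1.6.9 is dropped only when the ACL is inbound on Fa4; with the ACL outbound on Fa4 the packet leaves via another interface and is not checked at all, and the echo replies coming back to the clients are dropped instead, because their source is not in 10.223.0.0/24. That is why the inbound placement is the right one, and why Rick's advice to test from a client behind Fa4 is the only real verification.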
09-16-2009 09:30 AM
Jon/Rick,
So ... I can only assume that the ACL will be effective, since I cannot test as a client attached to the interface as this is a vendor network I cannot access. Is there anything else I could do to be sure they can only get the IPs in the ACL? Thanks for all of your help.
09-16-2009 09:38 AM
I cannot think of any way to test the access list other than to be in the subnet connected to the interface. From visual inspection of the access list I am confident that it will restrict the clients connected on that interface to the hosts listed in the access list. I appreciate that you would like some way to evaluate and validate the access list. But I cannot think of any other alternative.
HTH
Rick
09-16-2009 09:45 AM
Thanks for all your help guys. I changed the direction back to inbound on fa4.
Take care.