Using an ACL to restrict access to a server

Unanswered Question
Sep 22nd, 2009
User Badges:

We're trying to restrict access to a server by only allowing a limited number of hosts to access the server. It seems like it would be a pretty simple ACL, something like this (assuming the server is 10.10.10.100):


permit ip host 10.10.10.1 host 10.10.10.100


But where should we apply it? We'd planned to apply it on the interface that directly connects to the server, but it appears we can only apply it inbound on that interface (i.e. it would apply to traffic sourced from the server, inbound into the switch). So do we have to apply it to the VLAN on which the server resides, using it with a "permit ip any any" at the end to allow other traffic to flow freely over the VLAN?

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
Jon Marshall Tue, 09/22/2009 - 07:56
User Badges:
  • Super Blue, 32500 points or more
  • Hall of Fame,

    Founding Member

  • Cisco Designated VIP,

    2017 LAN, WAN

Patrick


You should apply it outbound on the vlan interface that is the server vlan ie. -


access-list 101 permit ip host 10.10.10.1 host 10.10.10.100

access-list 101 permit ip host 10.10.10.20 host 10.10.10.100

access-list 101 deny ip any host 10.10.10.100

access-list 101 permit ip any any


int vlan 10

ip access-group 101 out


the above will allow hosts 10.10.10.1 & 20 to talk to the server 10.10.10.100

then all other traffic to the server is denied

then all other traffic is allowed to the server vlan


Jon

pweinhold Tue, 09/22/2009 - 08:37
User Badges:

Thanks very much, Jon. That was exactly the answer we were looking for.

Jon Marshall Tue, 09/22/2009 - 08:40
User Badges:
  • Super Blue, 32500 points or more
  • Hall of Fame,

    Founding Member

  • Cisco Designated VIP,

    2017 LAN, WAN

Glad to have helped.

ekuvinka Wed, 08/08/2012 - 11:22
User Badges:

I used to work with the original poster and I need to add another host to the above acl. I simply added the extra lines:


access-list 101 permit ip host 10.10.10.1 host 10.10.10.200

access-list 101 permit ip host 10.10.10.20 host 10.10.10.200

access-list 101 deny ip any host 10.10.10.200

access-list 101 permit ip any any


But I can't get it to work and can't seem to find an answer online anywhere that makes sense to me.

Richard Burts Wed, 08/08/2012 - 12:11
User Badges:
  • Super Silver, 17500 points or more
  • Hall of Fame,

    Founding Member

  • Cisco Designated VIP,

    2017 LAN, WAN

We do not have very much to work with here. When you say that you added extra lines does that mean that you went into config mode and input the lines shown in your post? If so than probably the issue is that IOS adds additional lines to an existing access list at the bottom of the existing access list. And since the existing access list ended with permit ip any any, then any lines that you add below that will have no effect.


If that does not seem to explain your issue then I suggest that you post the relevant parts of the configuration as it exists. And a better explanation of what is not working would also help. Is the issue that no one can get to host 10.10.10.200? Or is the issue that everyone can get to that host? Or what is not working as you expect it to?


HTH


Rick

rahulmukherjee Wed, 08/08/2012 - 12:16
User Badges:

Hi,


The sequence of the access-list statements is important.


Could you please show the sequence of the statements?


Regards, Rahul.

ekuvinka Wed, 08/08/2012 - 12:38
User Badges:

I deleted the existing acl and added this:


access-list 101 permit ip host 10.10.10.1 host 10.10.10.100

access-list 101 permit ip host 10.10.10.1 host 10.10.10.200

access-list 101 permit ip host 10.10.10.20 host 10.10.10.100

access-list 101 permit ip host 10.10.10.20 host 10.10.10.200

access-list 101 deny ip any host 10.10.10.100

access-list 101 deny ip any host 10.10.10.200

access-list 101 permit ip any any



int vlan 10 (10.10.10.0/24)

ip access-group 101 out


I was able to reach 10.10.10.100 from a restricted IP but not 10.10.10.200

Richard Burts Wed, 08/08/2012 - 12:53
User Badges:
  • Super Silver, 17500 points or more
  • Hall of Fame,

    Founding Member

  • Cisco Designated VIP,

    2017 LAN, WAN

Thanks for the additional information. Deleting the existing access list and then creating it again with the added statements is the correct way to change it. From a syntax perspective I would say that your access list is correct. So my next question is which restricted IP are you testing from? And is your test using the same restricted IP to access both of the servers?


The overall approach of Jon's access list is certainly correct. You want to permit the specific hosts that can access the server, then you need to deny all other access to the server, and then you need to permit everything else. But there is a significant flaw in its detailed implementation.  The source addresses are in subnet 10.10.10 and the server destination is also in subnet 10.10.10. This means that the sources and the destinations are all locally connected. And we do not have any capability to restrict connections within the local subnet..


The approach that Jon suggests works well if the source addresses are in remote subnets and are attempting to access the server through the VLAN interface where the access list is applied. This access we can control very well with the access list. So my question to you now becomes are you testing from a device that is outside of the 10.10.10 subnet or from a device that is in the 10.10.10 subnet?


HTH


Rick

Actions

This Discussion