Using an ACL to restrict access to a server

Unanswered Question
Sep 22nd, 2009

We're trying to restrict access to a server by only allowing a limited number of hosts to access the server. It seems like it would be a pretty simple ACL, something like this (assuming the server is 10.10.10.100):

permit ip host 10.10.10.1 host 10.10.10.100

But where should we apply it? We'd planned to apply it on the interface that directly connects to the server, but it appears we can only apply it inbound on that interface (i.e. it would apply to traffic sourced from the server, inbound into the switch). So do we have to apply it to the VLAN on which the server resides, using it with a "permit ip any any" at the end to allow other traffic to flow freely over the VLAN?

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
Jon Marshall Tue, 09/22/2009 - 07:56

Patrick

You should apply it outbound on the vlan interface that is the server vlan ie. -

access-list 101 permit ip host 10.10.10.1 host 10.10.10.100

access-list 101 permit ip host 10.10.10.20 host 10.10.10.100

access-list 101 deny ip any host 10.10.10.100

access-list 101 permit ip any any

int vlan 10

ip access-group 101 out

the above will allow hosts 10.10.10.1 & 20 to talk to the server 10.10.10.100

then all other traffic to the server is denied

then all other traffic is allowed to the server vlan

Jon

pweinhold Tue, 09/22/2009 - 08:37

Thanks very much, Jon. That was exactly the answer we were looking for.

ekuvinka Wed, 08/08/2012 - 11:22

I used to work with the original poster and I need to add another host to the above acl. I simply added the extra lines:

access-list 101 permit ip host 10.10.10.1 host 10.10.10.200

access-list 101 permit ip host 10.10.10.20 host 10.10.10.200

access-list 101 deny ip any host 10.10.10.200

access-list 101 permit ip any any

But I can't get it to work and can't seem to find an answer online anywhere that makes sense to me.

Richard Burts Wed, 08/08/2012 - 12:11

We do not have very much to work with here. When you say that you added extra lines does that mean that you went into config mode and input the lines shown in your post? If so than probably the issue is that IOS adds additional lines to an existing access list at the bottom of the existing access list. And since the existing access list ended with permit ip any any, then any lines that you add below that will have no effect.

If that does not seem to explain your issue then I suggest that you post the relevant parts of the configuration as it exists. And a better explanation of what is not working would also help. Is the issue that no one can get to host 10.10.10.200? Or is the issue that everyone can get to that host? Or what is not working as you expect it to?

HTH

Rick

rahulmukherjee Wed, 08/08/2012 - 12:16

Hi,

The sequence of the access-list statements is important.

Could you please show the sequence of the statements?

Regards, Rahul.

ekuvinka Wed, 08/08/2012 - 12:38

I deleted the existing acl and added this:

access-list 101 permit ip host 10.10.10.1 host 10.10.10.100

access-list 101 permit ip host 10.10.10.1 host 10.10.10.200

access-list 101 permit ip host 10.10.10.20 host 10.10.10.100

access-list 101 permit ip host 10.10.10.20 host 10.10.10.200

access-list 101 deny ip any host 10.10.10.100

access-list 101 deny ip any host 10.10.10.200

access-list 101 permit ip any any

int vlan 10 (10.10.10.0/24)

ip access-group 101 out

I was able to reach 10.10.10.100 from a restricted IP but not 10.10.10.200

Richard Burts Wed, 08/08/2012 - 12:53

Thanks for the additional information. Deleting the existing access list and then creating it again with the added statements is the correct way to change it. From a syntax perspective I would say that your access list is correct. So my next question is which restricted IP are you testing from? And is your test using the same restricted IP to access both of the servers?

The overall approach of Jon's access list is certainly correct. You want to permit the specific hosts that can access the server, then you need to deny all other access to the server, and then you need to permit everything else. But there is a significant flaw in its detailed implementation.  The source addresses are in subnet 10.10.10 and the server destination is also in subnet 10.10.10. This means that the sources and the destinations are all locally connected. And we do not have any capability to restrict connections within the local subnet..

The approach that Jon suggests works well if the source addresses are in remote subnets and are attempting to access the server through the VLAN interface where the access list is applied. This access we can control very well with the access list. So my question to you now becomes are you testing from a device that is outside of the 10.10.10 subnet or from a device that is in the 10.10.10 subnet?

HTH

Rick

Actions

This Discussion