Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
828
Views
3
Helpful
3
Replies

ACL issue

h-kholghi
Level 1
Level 1

‎10-01-2009 04:02 PM - edited ‎03-06-2019 07:58 AM

Hello,

I have applied the following extended ACL to one of our Vlans but it does not seem to be working. I am able to access the 192.168.2.3 web site and telnet successfully to the host 192.168.2.1.

ip access-list extended ExternalVlan

permit tcp 192.168.12.0 0.0.3.255 host 192.168.2.36 eq 510

permit tcp 192.168.12.0 0.0.3.255 host 192.168.2.36 eq smtp

permit tcp 192.168.12.0 0.0.3.255 host 192.168.2.36 eq www

permit tcp 192.168.12.0 0.0.3.255 host 192.168.2.36 eq pop3

permit tcp 192.168.12.0 0.0.3.255 any eq www

permit tcp 192.168.12.0 0.0.3.255 any eq 443

permit tcp 192.168.12.0 0.0.3.255 any eq ftp

deny tcp 192.168.12.0 0.0.3.255 host 192.168.2.3 eq www

deny tcp 192.168.12.0 0.0.3.255 host 192.168.2.1 eq telnet

The host 192.168.2.1 is a Cisco 3550 layer 3 switch (IOS: 12.1)that does the inter-Vlan routing. The network 192.168.12.0/22 has a Dhcp server that is functioning properly. The host 192.168.2.3 is the Firewall and the gateway to the Internet. What seems to be the problem with this ACL?

Thanks.

Labels:
0 Helpful
3 Replies 3

pompeychimes
Level 4
Level 4

‎10-01-2009 06:30 PM

This line, specifically the "any" statement, is permitting your port 80 traffic...

permit tcp 192.168.12.0 0.0.3.255 any eq www

The telnet traffic is permitted because this ACL applies to traffic passing through the Switch and not to traffic terminating on the Switch.

James

0 Helpful

h-kholghi
Level 1
Level 1
In response to pompeychimes

‎10-02-2009 04:30 AM

James,

Thank you so much for your reply. How can I add these deny statements to the ACL list and make them work?

Would something like following work?

Deny tcp 192.168.12.0 0.0.3.255 host 192.168.2.3 eq www

Permit tcp 192.168.12.0 0.0.3.255 any eq www

What would be the best way to block telnet session to the Cisco switch (host 192.168.2.1) from subnet 192.168.12.0/22?

Thanks again,

Hossein Kholghi

0 Helpful

pompeychimes
Level 4
Level 4
In response to h-kholghi

‎10-02-2009 05:41 AM

"Deny tcp 192.168.12.0 0.0.3.255 host 192.168.2.3 eq www

Permit tcp 192.168.12.0 0.0.3.255 any eq www"

Correct. Put your specific denies above your general permits.

For telnet do something like this...

!

ip access-list standard TELNET

deny 192.168.12.0 0.0.3.255

permit ?.?.?.? ?.?.?.? (Define what addresses can telnet to the device)

!

line vty 0 4

access-class TELNET in

!

Now be careful you don't lock yourself out when applying hte access class to the vty lines. Make sure your computer is in the permit statement.

James

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card