04-06-2010 02:15 PM - edited 03-06-2019 10:29 AM
I have a 3750 catalyst (12.2(46)SE) with eigrp routing turned on and three L3 vlan interfaces created. I need to limit the IP access to/from a particular host in one of the vlans to just TCP port 80. So I created an extended ACL and applied it to the vlan interface such as:
int vlan 54
ip address 10.1.1.1 255.255.255.0
ip access-group Block_PC_to_WWW_only in
ip helper-address 10.3.1.25
ip access-list extended Block_PC_to_WWW_only
permit tcp host 10.1.1.50 eq 80 any
permit tcp any host 10.1.1.50 eq 80
permit tcp host 10.1.1.50 any eq 80
permit tcp any eq 80 host 10.1.1.50
deny ip any host 10.1.1.50
deny ip host 10.1.1.50 any
permit ip any any
When I apply the ACL to the vlan, not only can I access the web from 10.1.1.50, but I can telnet to other devices outside of vlan 54. As can be seen from the ACL counters, nothing is hitting the permit statements except the permit at the end.
VoIP-MDF-3750-54-1#sh access-list Block_PC_to_WWW_only
Extended IP access list Block_PC_to_WWW_only
10 permit tcp host 10.1.1.50 eq 80 any
20 permit tcp any host 10.1.1.50 eq 80
30 permit tcp host 10.1.1.50 any eq 80
40 permit tcp any eq 80 host 10.1.1.50
50 deny ip any host host 10.1.1.50
60 deny ip host host 10.1.1.50 any (104 matches)
70 permit ip any any (259 matches)
Am I doing this wrong?
04-06-2010 02:22 PM
Hi,
Everything is working because of the last permit ip any any statement.
If you attempt a connection to 10.1.1.50 on port 80, it should match the first permit statements.
The question is, is the www traffic that you're testing in fact entering int vlan 54?
Federico.
04-06-2010 02:29 PM
Also, don't hold the hit counts as gospel.
http://www.cisco.com/web/about/security/intelligence/acl-logging.html
If you really want it to log you should permit a deny tcp/udp equal to 0, then add your permits and add log at the end of each permit (that should be temporary or you could get very large logs). As Federico mentioned, the permit ip any any is allowing everything through.
04-06-2010 02:32 PM
Edit - just ignore me
04-06-2010 02:26 PM
jkeeffe wrote:
I have a 3750 catalyst (12.2(46)SE) with eigrp routing turned on and three L3 vlan interfaces created. I need to limit the IP access to/from a particular host in one of the vlans to just TCP port 80. So I created an extended ACL and applied it to the vlan interface such as:
int vlan 54
ip address 10.1.1.1 255.255.255.0
ip access-group Block_PC_traffic_to_WWW_only in
ip helper-address 10.3.1.25
ip access-list extended Block_PC_to_WWW_only
permit tcp host 10.1.1.50 eq 80 any
permit tcp any host 10.1.1.50 eq 80
permit tcp host 10.1.1.50 any eq 80
permit tcp any eq 80 host 10.1.1.50
deny ip any host 10.1.1.50
deny ip host 10.1.1.50 any
permit ip any any
When I apply the ACL to the vlan, not only can I access the web from 10.1.1.50, but I can telnet to other devices outside of vlan 54. As can be seen from the ACL counters, nothing is hitting the permit statements except the permit at the end.
Your problem is that the ACL is applied inbound, so it won't affect traffic from host 10.1.1.50 outbound to any destinations not on that vlan, e.g.
permit tcp host 10.1.1.50 eq 80 any
this line will never be hit because the source is 10.1.1.50 and inbound traffic to vlan 54 will never have a source IP of 10.1.1.50.
However it's not as simple as just applying an acl outbound as well because this would block return http traffic from 10.1.1.50 to clients that had initiated a connection.
So you need to use the established keyword or look at reflexive access-lists. However, on the 3750 I don't think reflexive ACLs are supported, so you could try the established keyword.
What exactly do you want to do with host 10.1.1.50? i.e. you only want to allow http connections to it from outside, but what about from that host?
Jon
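The posted ACL worked through as an added example (this is not code from the thread or from IOS): a small first-match evaluator in Python that reports which sequence number a given packet hits, plus an `established` variant of the kind Jon mentions. It models entry matching only, not the 3750's hardware forwarding or its counters; the port numbers and any addresses other than 10.1.1.50 and 10.3.1.25 used with it are constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
@dataclass
class Pkt:                 # one packet as the ACL sees it
    proto: str             # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    ack: bool = False      # TCP ACK or RST bit set, which is what `established` tests
def ace(action, proto, src, dst, sport=None, dport=None, established=False):
    """One entry. src/dst: "any", "host 10.1.1.50" or a prefix; None = no port test."""
    return (action, proto, src, dst, sport, dport, established)
def addr_match(spec, addr):
    if spec == "any":
        return True
    if spec.startswith("host "):
        return ip_address(addr) == ip_address(spec[5:])
    return ip_address(addr) in ip_network(spec)
def evaluate(acl, pkt):
    """First match wins; returns (action, IOS sequence number), else the implicit deny."""
    for i, (action, proto, src, dst, sport, dport, est) in enumerate(acl, start=1):
        if proto not in ("ip", pkt.proto):
            continue
        if not (addr_match(src, pkt.src) and addr_match(dst, pkt.dst)):
            continue
        if (sport is not None and sport != pkt.sport) or (dport is not None and dport != pkt.dport):
            continue
        if est and not pkt.ack:
            continue
        return action, 10 * i
    return "deny", None    # the implicit deny at the end of every IOS ACL
HOST = "host 10.1.1.50"
POSTED = [                 # the ACL from the question, entries in the order shown
    ace("permit", "tcp", HOST, "any", sport=80),
    ace("permit", "tcp", "any", HOST, dport=80),
    ace("permit", "tcp", HOST, "any", dport=80),
    ace("permit", "tcp", "any", HOST, sport=80),
    ace("deny", "ip", "any", HOST),
    ace("deny", "ip", HOST, "any"),
    ace("permit", "ip", "any", "any"),
]
ESTABLISHED = [            # variant Jon alludes to: port-80 replies pass only with ACK/RST set
    ace("permit", "tcp", "any", HOST, sport=80, established=True),
    ace("permit", "tcp", "any", HOST, dport=80),
    ace("deny", "ip", "any", HOST),
    ace("permit", "ip", "any", "any"),
]
```

Feeding `evaluate(POSTED, Pkt("tcp", "10.1.1.50", "10.3.1.25", 40000, 23))` returns `("deny", 60)`, while a reply segment from port 80 lands on entry 40 in the posted list but is dropped by the `established` variant unless its ACK or RST bit is set.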