Access-lists Help

Unanswered Question
Jul 20th, 2010

Hello,

I'm learning as I go with configuring Cisco routers so please excuse my very basic questions.

I have two networks (172.16.0.0 and 172.17.0.0). I need to be able to have the traffic from the 172.16 network access systems on the 172.17 network, but the 172.17 network should NOT be able to get to anything on the 172.16 network except for 1 server on one specific port. Please see my access-lists:

access-list 120 permit tcp 172.17.0.0 0.0.0.255 host 172.16.1.7 eq 15871
access-list 120 deny   ip 172.17.0.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 120 deny   ip 172.17.0.0 0.0.0.255 172.16.0.0 0.15.255.255
access-list 120 deny   ip 172.17.0.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 120 permit ip any any

My feeling is the third deny statement is causing the problem.

So my first question is, are the statements bi-directional?

Someone else configured this router. Should each ACL have a different #? I ask because when I issue a NO ACCESS-LIST 120 deny   ip 172.17.0.0 0.0.0.255 172.16.0.0 0.15.255.255 it removes all of the 120 ACLs.

Any help or suggestions on what the ACLs should be would be HUGELY appreciated!

Nick Jax

Edison Ortiz Tue, 07/20/2010 - 08:07

So my first question is, are the statements bi-directional?

No, they are not bidirectional. You apply the access-group under the interface in or out.

Per your syntax, you need to apply this ACL in the out direction towards the 172.16.x.x network.

Or in direction from the 172.17.x.x network.

Should each ACL have a different #? I ask because when I issue a NO ACCESS-LIST 120 deny   ip 172.17.0.0 0.0.0.255 172.16.0.0 0.15.255.255 it removes all of the 120 ACLs

No, you don't need to create an ACL number for each entry since you are only allowed to enter one access-group command per interface.

If you want to modify an entry, type show ip access-list

Write down the sequence number of the entry you want to remove, then proceed with the command ip access-list extended 120

then remove the entry with a no followed by the sequence number.

For instance:

Rack1R1#sh ip access-list 120
Extended IP access list 120
    10 permit tcp 172.17.0.0 0.0.0.255 host 172.16.1.7 eq 15871
    20 deny ip 172.17.0.0 0.0.0.255 10.0.0.0 0.255.255.255
    30 deny ip 172.17.0.0 0.0.0.255 172.16.0.0 0.15.255.255
    40 deny ip 172.17.0.0 0.0.0.255 192.168.0.0 0.0.255.255
    50 permit ip any any

Rack1R1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Rack1R1(config)#ip access-list exten 120

Rack1R1(config-ext-nacl)#$no 30 deny ip 172.17.0.0 0.0.0.255 172.16.0.0 0.15.255.255

Rack1R1(config-ext-nacl)#do show ip access-list

Extended IP access list 120
    10 permit tcp 172.17.0.0 0.0.0.255 host 172.16.1.7 eq 15871
    20 deny ip 172.17.0.0 0.0.0.255 10.0.0.0 0.255.255.255
    40 deny ip 172.17.0.0 0.0.0.255 192.168.0.0 0.0.255.255
    50 permit ip any any
Rack1R1(config-ext-nacl)#

Regards

Edison

Richard Burts Tue, 07/20/2010 - 08:13

Nick

Access lists are very useful but can become quite complex and confusing. Good luck to you as you work your way to a better understanding of how they work.

The question of whether access lists are bi-directional is an interesting question. Basically the answer is that no, they are not bi-directional. An extended access list is coded to permit or deny certain source addresses and/or certain destination addresses, and the access list is applied to an interface specifying a direction (in or out). So the access list is really uni-directional. But to work effectively with access lists you frequently need to think bi-directionally. For example, your requirement that 172.17 not be able to get to anything on 172.16 seems straightforward. But it gets more complex when you think that if 172.16 gets to 172.17 then 172.17 needs to send responses. So how do you allow responses but not allow 172.17 to initiate traffic? (And the answer is that for TCP permitting responses is pretty easy - you permit "established" - but for UDP it is a bit more complex and you frequently wind up specifying source and destination ports - for example for TFTP you allow port 69 as the destination port on traffic from 172.16 to 172.17 and allow as the source port for traffic from 172.17 to 172.16 and deny port 69 in the reverse directions.)

I do not understand the third deny - it specifies 192.168.0.0 but you have not told us anything about how that network relates to your environment. And in fact there is not anything in your post that explains what problem you are encountering. So it is hard to give good advice about that particular access list.

As to the question about numbering the access list: a numbered access list may have a single statement or may have multiple statements (multiple statements in the access list are much more common). It is one of the behaviors of numbered access lists that if you attempt to remove a single line it will remove the entire access list. In recent versions of IOS they have used the concept of sequence numbers, which can make editing the access list a bit easier.

HTH

Rick

TheJax2009 Tue, 07/20/2010 - 09:22

Thank you Rick/Edison,

Rick - sorry for not being specific. Here is my issue (for reference I am posting my ACL again and interface info):

interface Ethernet0
ip address 172.16.1.1 255.255.255.0
no ip directed-broadcast
media-type 10BaseT


interface Ethernet1
ip address 172.17.0.1 255.255.255.0
ip access-group 120 in
no ip directed-broadcast
media-type 10BaseT

access-list 120 permit tcp 172.17.0.0 0.0.0.255 host 172.16.1.7 eq 15871
access-list 120 deny   ip 172.17.0.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 120 deny   ip 172.17.0.0 0.0.0.255 172.16.0.0 0.15.255.255
access-list 120 deny   ip 172.17.0.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 120 permit ip any any

172.17.0.0 - Company 1 network

172.16.0.0 - Company 2 network

192.168.0.0 - DMZ

My tech team needs to be able to support users on the Company 1 network. Users in Company 1 should NOT be able to see Company 2 servers/workstations or other networked resources, with the exception of the device listed on the first ACL. I want my team to have full access to the 172.17 network.

I have another question too: I noticed the "ip access-group 120 in" statement on the Ethernet1 interface. If I am reading this right, it is saying to apply ACL 120 for inbound traffic. The first ACL reads permit traffic from the 172.17 network to host 172.16.1.7. Isn't that OUTBOUND from the interface instead of IN? By the way, I have no issue with the way the current ACLs are working, I'm just confused about the "in" and "out" (and I want to be able to add the ability of 172.16 accessing the 172.17 network).

Thank you again for your time.

Richard Burts Tue, 07/20/2010 - 09:44

Nick

One of the (several) potentially confusing things about access lists is the issue of direction. So your confusion is understandable. The in and out of the access list is from the perspective of the router interface.  Ethernet1 is in subnet 172.17.0.0 and traffic coming IN to the interface from hosts in that subnet will have 172.17.0.x as the source address. And traffic going OUT of that interface will have 172.17.0.x as the destination.

HTH

Rick
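The two points Rick makes above (the list is evaluated only in one direction from the interface's point of view, and TCP replies from 172.17 back to 172.16 need their own permit, e.g. "established") are easier to see by stepping packets through the list. The following is an added example, not code from the thread or from Cisco: a small Python model of IOS numbered extended ACL evaluation (first match wins, implicit deny at the end, wildcard-mask bits are "don't care", "established" means ACK or RST set). It parses the access-list 120 lines Nick posted as-is; the list numbered 121 is a hypothetical variant built for this example with an "established" permit inserted ahead of the denies, and all sample packets are constructed. Named ports, port ranges and other keywords are not modelled.

```python
"""Toy model of Cisco IOS numbered extended ACL evaluation (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Access-list 120 exactly as posted in the thread.
ACL_120 = """
access-list 120 permit tcp 172.17.0.0 0.0.0.255 host 172.16.1.7 eq 15871
access-list 120 deny   ip 172.17.0.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 120 deny   ip 172.17.0.0 0.0.0.255 172.16.0.0 0.15.255.255
access-list 120 deny   ip 172.17.0.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 120 permit ip any any
"""

# Hypothetical variant (not from the thread): a TCP "established" permit for
# replies to 172.16 placed before the deny statements.
ACL_121 = """
access-list 121 permit tcp 172.17.0.0 0.0.0.255 host 172.16.1.7 eq 15871
access-list 121 permit tcp 172.17.0.0 0.0.0.255 172.16.0.0 0.0.255.255 established
access-list 121 deny   ip 172.17.0.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 121 deny   ip 172.17.0.0 0.0.0.255 172.16.0.0 0.15.255.255
access-list 121 deny   ip 172.17.0.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 121 permit ip any any
"""

ETHERNET1 = ipaddress.ip_network("172.17.0.0/24")  # subnet on Ethernet1 per posted config


@dataclass
class AddrSpec:
    network: int   # base address as a 32-bit integer
    wildcard: int  # wildcard mask: 1 bits are "don't care"

    def matches(self, addr: str) -> bool:
        a = int(ipaddress.ip_address(addr))
        return (a & ~self.wildcard) == (self.network & ~self.wildcard)


@dataclass
class Entry:
    seq: int               # IOS-style sequence number (10, 20, ...)
    action: str            # "permit" or "deny"
    proto: str             # "ip", "tcp" or "udp"
    src: AddrSpec
    dst: AddrSpec
    dst_port: Optional[int] = None
    established: bool = False


@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    dst_port: Optional[int] = None
    ack: bool = False      # TCP ACK/RST set, i.e. part of an established session


def _parse_addr(tok: List[str]) -> Tuple[AddrSpec, List[str]]:
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W'; return spec and the rest."""
    if tok[0] == "any":
        return AddrSpec(0, 0xFFFFFFFF), tok[1:]
    if tok[0] == "host":
        return AddrSpec(int(ipaddress.ip_address(tok[1])), 0), tok[2:]
    return AddrSpec(int(ipaddress.ip_address(tok[0])), int(ipaddress.ip_address(tok[1]))), tok[2:]


def parse_acl(text: str) -> List[Entry]:
    """Parse 'access-list N <action> <proto> <src> <dst> [eq PORT] [established]' lines."""
    entries: List[Entry] = []
    for line in text.strip().splitlines():
        tok = line.split()
        if tok[:1] != ["access-list"]:
            continue
        action, proto = tok[2], tok[3]
        src, rest = _parse_addr(tok[4:])
        dst, rest = _parse_addr(rest)
        dst_port, established = None, False
        while rest:
            if rest[0] == "eq":
                dst_port, rest = int(rest[1]), rest[2:]
            elif rest[0] == "established":
                established, rest = True, rest[1:]
            else:
                raise ValueError(f"unsupported keyword {rest[0]!r} in: {line}")
        entries.append(Entry(10 * (len(entries) + 1), action, proto, src, dst, dst_port, established))
    return entries


def _matches(e: Entry, p: Packet) -> bool:
    if e.proto != "ip" and e.proto != p.proto:
        return False
    if not (e.src.matches(p.src) and e.dst.matches(p.dst)):
        return False
    if e.dst_port is not None and p.dst_port != e.dst_port:
        return False
    return not e.established or p.ack


def evaluate(entries: List[Entry], p: Packet) -> Tuple[str, Optional[int]]:
    """First matching entry decides; falling off the end is the implicit deny (seq None)."""
    for e in entries:
        if _matches(e, p):
            return e.action, e.seq
    return "deny", None


def on_ethernet1_inbound(entries: List[Entry], p: Packet) -> Tuple[str, Optional[int]]:
    """Model 'ip access-group N in' on Ethernet1: only packets arriving from the
    172.17.0.0/24 side are inbound there; a packet from 172.16 leaves via this
    interface and an inbound list never sees it."""
    if ipaddress.ip_address(p.src) not in ETHERNET1:
        return "not evaluated (outbound on Ethernet1)", None
    return evaluate(entries, p)


if __name__ == "__main__":
    acl120, acl121 = parse_acl(ACL_120), parse_acl(ACL_121)
    samples = [  # constructed packets
        Packet("172.17.0.5", "172.16.1.7", "tcp", 15871),            # the one permitted server/port
        Packet("172.17.0.5", "172.16.1.7", "tcp", 22),               # same host, another port
        Packet("172.17.0.5", "172.20.3.3", "udp", 53),               # 0.15.255.255 covers 172.16-172.31
        Packet("172.16.1.20", "172.17.0.5", "tcp", 80),              # Company 2 -> Company 1 request
        Packet("172.17.0.5", "172.16.1.20", "tcp", 51000, ack=True),  # the TCP reply to it
    ]
    for p in samples:
        print(p, "-> 120:", on_ethernet1_inbound(acl120, p), "| 121:", on_ethernet1_inbound(acl121, p))
```

Running it shows the request from 172.16.1.20 is never checked by the inbound list on Ethernet1, while its TCP reply is dropped by sequence 30 of the posted list and only passes once an "established" permit precedes that deny. It also makes the wildcard arithmetic visible: 172.16.0.0 with 0.15.255.255 matches 172.16.0.0 through 172.31.255.255, not just 172.16.x.x.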
