ACL direction

Unanswered Question
Jul 26th, 2011

Hi,

I have applied the following ACL to interface vlan 10 in the inbound direction.

access-list 121 deny ip 10.86.60.0 0.0.0.127 any log

interface vlan 10

ip access-group 121 in

I tried to open google.com from 10.86.60.5, but it is denied.

Here I have denied traffic from the internet to my LAN, so how come it is denying traffic from the LAN to the internet?

naiduccnp Tue, 07/26/2011 - 03:18

Hi Vishal,

The rule you defined is wrong.

And coming to your issue, when you applied "ip access-group 121 in" it means that when the packet is entering inside from the interface it will be denied as per the above defined rule.

So when you try to open Google the packet goes out, but the reverse packet (reverse route/traffic) won't come, as per the above rule.

So instead of that rule you need something like....

access-list 121 permit ip 10.86.60.0 0.0.0.127 any log


Please rate the helpful posts.
Regards,
Naidu.

vishalpatil86 Tue, 07/26/2011 - 03:26

So when you try to open Google the packet goes out, but the reverse packet (reverse route/traffic) won't come, as per the above rule.

The reverse packet will come, since the source will be Google and the destination will be 10.86.60.5 for packets coming into vlan 10. Out traffic is permitted.

Jon Marshall Tue, 07/26/2011 - 03:30

Vishal

Is vlan 10 using the subnet 10.86.0.0/25 ?

If so, traffic will never get out of that vlan with your ACL, because you have denied it with your ACL.

Jon

Jon Marshall Tue, 07/26/2011 - 03:20

Vishal

An ACL applied inbound on a vlan interface filters traffic from clients in that vlan.

An ACL applied outbound on a vlan interface filters traffic to clients on that vlan.

So your ACL is blocking the traffic from 10.86.60.0/25 clients to the internet.

But even if you applied an outbound acl ie.

access-list 101 deny ip any 10.86.0.0 0.0.0.127

int vlan 10

ip access-group 101 out

This still wouldn't work, because then the return traffic from Google would be blocked.

Basically, to do what you want you need a firewall (or reflexive ACLs). Do you not have a firewall?

Jon

naiduccnp Tue, 07/26/2011 - 03:35

Hi Vishal,

The in/out directions will filter the packets within the vlan from its clients.
As I said, you need to permit instead of deny to get internet from the clients.


Please rate the helpful posts.
Regards,
Naidu.

vishalpatil86 Tue, 07/26/2011 - 03:46

no access-list 111

access-list 111 permit icmp 10.86.60.16 0.0.0.15 10.86.60.0 0.0.0.15

access-list 111 permit icmp 10.86.60.64 0.0.0.31 10.86.60.0 0.0.0.15

access-list 111 permit icmp 10.86.60.128 0.0.0.31 10.86.60.0 0.0.0.15

access-list 111 permit tcp 10.86.60.64 0.0.0.31 eq 53 10.86.60.0 0.0.0.15

access-list 111 permit udp 10.86.60.64 0.0.0.31 eq 53 10.86.60.0 0.0.0.15

access-list 111 permit udp 10.86.60.16 0.0.0.15 eq 161 10.86.60.0 0.0.0.15

access-list 111 permit udp 10.86.60.64 0.0.0.31 eq 161 10.86.60.0 0.0.0.15

access-list 111 permit udp 10.86.60.128 0.0.0.31 eq 161 10.86.60.0 0.0.0.15

access-list 111 permit udp 10.86.60.16 0.0.0.15 10.86.60.0 0.0.0.15 eq 161

access-list 111 permit udp 10.86.60.64 0.0.0.31 10.86.60.0 0.0.0.15 eq 161

access-list 111 permit udp 10.86.60.128 0.0.0.31 10.86.60.0 0.0.0.15 eq 161

access-list 111 permit tcp 10.86.60.64 0.0.0.31 eq 389 10.86.60.0 0.0.0.15

access-list 111 permit udp 10.86.60.64 0.0.0.31 eq 389 10.86.60.0 0.0.0.15

access-list 111 permit tcp 10.86.60.16 0.0.0.15 10.86.60.0 0.0.0.15 eq 445

access-list 111 permit tcp 10.86.60.64 0.0.0.31 10.86.60.0 0.0.0.15 eq 445

access-list 111 permit tcp 10.86.60.128 0.0.0.31 10.86.60.0 0.0.0.15 eq 445

access-list 111 permit tcp 10.86.60.16 0.0.0.15 eq 445 10.86.60.0 0.0.0.15

access-list 111 permit tcp 10.86.60.64 0.0.0.31 eq 445 10.86.60.0 0.0.0.15

access-list 111 permit tcp 10.86.60.128 0.0.0.31 eq 445 10.86.60.0 0.0.0.15

access-list 111 permit tcp 10.86.60.16 0.0.0.15 eq 443 10.86.60.0 0.0.0.15

access-list 111 permit tcp 10.86.60.64 0.0.0.31 eq 443 10.86.60.0 0.0.0.15

access-list 111 permit tcp 10.86.60.128 0.0.0.31 eq 443 10.86.60.0 0.0.0.15

access-list 111 permit udp 10.86.60.16 0.0.0.15 eq 500 10.86.60.0 0.0.0.15

access-list 111 permit udp 10.86.60.64 0.0.0.31 eq 500 10.86.60.0 0.0.0.15

access-list 111 permit udp 10.86.60.128 0.0.0.31 eq 500 10.86.60.0 0.0.0.15

access-list 111 permit tcp 10.86.60.16 0.0.0.15 eq 1026 10.86.60.0 0.0.0.15

access-list 111 permit tcp 10.86.60.64 0.0.0.31 eq 1026 10.86.60.0 0.0.0.15

access-list 111 permit tcp 10.86.60.128 0.0.0.31 eq 1026 10.86.60.0 0.0.0.15

access-list 111 permit tcp 10.86.60.64 0.0.0.31 10.86.60.0 0.0.0.15 eq 1521

access-list 111 permit tcp 10.86.60.16 0.0.0.15 eq 3268 10.86.60.0 0.0.0.15

access-list 111 permit udp 10.86.60.191 0.0.0.63 10.86.60.0 0.0.0.15 eq 7301

access-list 111 permit udp 10.86.61.0 0.0.0.127 10.86.60.0 0.0.0.15 eq 7301

access-list 111 permit tcp 10.86.60.191 0.0.0.63 eq 9100 10.86.60.0 0.0.0.15

access-list 111 permit tcp 10.86.61.0 0.0.0.127 eq 9100 10.86.60.0 0.0.0.15

access-list 111 permit udp 10.86.60.191 0.0.0.63 eq 10004 10.86.60.0 0.0.0.15

access-list 111 permit udp 10.86.61.0 0.0.0.127 eq 10004 10.86.60.0 0.0.0.15

access-list 111 permit tcp 10.86.60.191 0.0.0.63 10.86.60.0 0.0.0.15 range 1024 65535

access-list 111 permit tcp 10.86.61.0 0.0.0.127 10.86.60.0 0.0.0.15 range 1024 65535

access-list 111 permit tcp 10.86.63.0 0.0.0.255 10.86.60.0 0.0.0.15 range 1024 65535

access-list 111 permit icmp 140.95.0.0 0.0.255.255 10.86.60.0 0.0.0.15

access-list 111 permit tcp 140.95.0.0 0.0.255.255 eq 80 10.86.60.0 0.0.0.15

access-list 111 permit tcp 140.95.0.0 0.0.255.255 eq 443 10.86.60.0 0.0.0.15

access-list 111 permit tcp 140.95.0.0 0.0.255.255 10.86.60.0 0.0.0.15 eq 80

access-list 111 permit tcp 140.95.0.0 0.0.255.255 10.86.60.0 0.0.0.15 eq 443

access-list 111 permit tcp 140.95.0.0 0.0.255.255 10.86.60.0 0.0.0.15 eq 1521

access-list 111 permit tcp 140.95.0.0 0.0.255.255 10.86.60.0 0.0.0.15 eq 9001

access-list 111 permit tcp 208.89.43.0 0.0.0.255 eq 3995 10.86.60.0 0.0.0.15

access-list 111 permit tcp 172.16.0.0 0.0.0.255 eq 2463 10.86.60.0 0.0.0.15

access-list 111 permit tcp host 192.168.89.33 10.86.60.0 0.0.0.15 eq 80

access-list 111 permit tcp host 192.168.89.33 10.86.60.0 0.0.0.15 eq 3389

access-list 111 deny ip any 10.86.60.0 0.0.0.15 log

no access-list 121

access-list 121 permit ip 10.86.60.0 0.0.0.15 10.86.60.16 0.0.0.15

access-list 121 permit ip 10.86.60.0 0.0.0.15 10.86.60.64 0.0.0.31

access-list 121 permit ip 10.86.60.0 0.0.0.15 10.86.60.128 0.0.0.31

access-list 121 permit ip 10.86.60.0 0.0.0.15 10.86.60.191 0.0.0.63

access-list 121 permit ip 10.86.60.0 0.0.0.15 10.86.61.0 0.0.0.127

access-list 121 permit ip 10.86.60.0 0.0.0.15 10.86.63.0 0.0.0.255

access-list 121 permit tcp 10.86.60.0 0.0.0.15 140.95.0.0 0.0.255.255 eq 80

access-list 121 permit tcp 10.86.60.0 0.0.0.15 140.95.0.0 0.0.255.255 eq 443

access-list 121 permit tcp 10.86.60.0 0.0.0.15 eq 80 140.95.0.0 0.0.255.255

access-list 121 permit tcp 10.86.60.0 0.0.0.15 eq 1521 140.95.0.0 0.0.255.255

access-list 121 permit tcp 10.86.60.0 0.0.0.15 172.16.0.0 0.0.0.255 eq 2463

access-list 121 permit icmp 10.86.60.0 0.0.0.15 any

access-list 121 deny ip 10.86.60.0 0.0.0.15 any log

interface vlan 10

ip access-group 111 out

ip access-group 121 in

That's the access list I have configured.

I didn't understand the above explanation.

Jon Marshall Tue, 07/26/2011 - 03:51

Vishal

What is the subnet used with vlan 10 ie. what is the IP address + subnet mask assigned to vlan 10 interface ?

As i said before -

inbound acl - this will filter traffic coming from clients in that vlan. So if you apply acl 121 inbound on vlan 10 then it will filter traffic from clients in vlan 10

outbound acl - if you apply acl 111 outbound on vlan 10 then it will filter traffic going to clients in vlan 10.

Jon

naiduccnp Tue, 07/26/2011 - 03:56

Hi Vishal,

ip access-group 111 in..
Applied when packet coming to the clients in that vlan

ip access-group 111 in..
Applied when packet going out from the clients in that vlan


Coming to your access-list rules, there are a lot of unnecessary rules defined.
Tell us clearly what subnet you gave for vlan 10 and what needs to be permitted and what not.


Please rate the helpful posts.
Regards,
Naidu.

naiduccnp Tue, 07/26/2011 - 04:08

Hi Vishal,

According to your IP and subnet mask of vlan 10, try to configure like below to get internet access.

ip access-list extended 121
permit ip 10.86.60.0 0.0.0.15 any


interface vlan 10
ip access-group 121 in


Please rate the helpful posts.
Regards,
Naidu.

Jon Marshall Tue, 07/26/2011 - 04:08

Well, your acls will deny internet traffic anyway because nowhere do you allow an "any" except to deny it at the end.

Please read what has been posted about direction of traffic. If you have both an in and an out acl and you want to allow internet or http traffic you would need before the last line of your acls -

access-list 111 permit tcp any 10.86.0.0 0.0.0.15 eq http

access-list 121 permit tcp 10.86.0.0 0.0.0.15 any eq http

Jon
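To make the direction rules in Jon's posts concrete, here is an added example that is not from the thread or from Cisco: a small Python evaluator for extended numbered ACLs of the form used above. It parses `access-list` lines with wildcard masks, applies first-match semantics with the implicit deny, and runs a client's HTTP session through the `in` ACL (the request from the vlan client) and the `out` ACL (the server's reply back to the client). Assumptions of mine: vlan 10 is 10.86.60.0/28 (the 0.0.0.15 wildcard in the later ACLs), 203.0.113.10 is a constructed stand-in for a public web server, and in the return-leg ACE the port 80 keyword is written after the source address, because the reply carries 80 as its source port.

```python
"""Added example (not from the thread): evaluator for Cisco-style extended
numbered ACLs, showing which leg of a client's web session each direction of
'ip access-group' on interface vlan 10 filters.  Assumes vlan 10 = 10.86.60.0/28;
203.0.113.10 is a constructed public web server address."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

PORT_NAMES = {"http": 80, "https": 443, "domain": 53}  # a few IOS port keywords


def _ip(s: str) -> int:
    return int(ipaddress.IPv4Address(s))


@dataclass(frozen=True)
class Packet:
    proto: str
    src: int
    sport: Optional[int]
    dst: int
    dport: Optional[int]


def packet(proto, src, sport, dst, dport) -> Packet:
    return Packet(proto, _ip(src), sport, _ip(dst), dport)


def reply(p: Packet) -> Packet:
    """The return leg of a flow: addresses and ports swapped."""
    return Packet(p.proto, p.dst, p.dport, p.src, p.sport)


@dataclass(frozen=True)
class Ace:
    action: str
    proto: str
    src: int
    swild: int
    sport: Optional[int]
    dst: int
    dwild: int
    dport: Optional[int]


def _parse_addr(t, i):
    """Parse 'any' | 'host A.B.C.D' | 'A.B.C.D W.W.W.W' starting at t[i]."""
    if t[i] == "any":
        return 0, 0xFFFFFFFF, i + 1
    if t[i] == "host":
        return _ip(t[i + 1]), 0, i + 2
    return _ip(t[i]), _ip(t[i + 1]), i + 2


def _parse_port(t, i):
    """Parse an optional 'eq <port>' (number or keyword) at t[i]."""
    if i < len(t) and t[i] == "eq":
        p = t[i + 1]
        return (PORT_NAMES[p] if p in PORT_NAMES else int(p)), i + 2
    return None, i


def parse_ace(line: str) -> Ace:
    """access-list <n> <permit|deny> <proto> <src> [eq p] <dst> [eq p] [log]"""
    t = line.split()
    action, proto = t[2], t[3]
    src, swild, i = _parse_addr(t, 4)
    sport, i = _parse_port(t, i)
    dst, dwild, i = _parse_addr(t, i)
    dport, i = _parse_port(t, i)
    return Ace(action, proto, src, swild, sport, dst, dwild, dport)


def _addr_match(ip, net, wild):
    # Wildcard mask: a 1 bit means "don't care", so compare only the 0 bits.
    care = ~wild & 0xFFFFFFFF
    return ip & care == net & care


def ace_matches(a: Ace, p: Packet) -> bool:
    return ((a.proto == "ip" or a.proto == p.proto)
            and _addr_match(p.src, a.src, a.swild)
            and _addr_match(p.dst, a.dst, a.dwild)
            and (a.sport is None or a.sport == p.sport)
            and (a.dport is None or a.dport == p.dport))


def evaluate(acl, p: Packet) -> str:
    """First matching ACE wins; every ACL ends with an implicit 'deny ip any any'."""
    for a in acl:
        if ace_matches(a, p):
            return a.action
    return "deny"


def flow_verdict(in_acl, out_acl, request: Packet):
    """'in' ACL sees the client's request leaving the vlan; if it passes, the
    'out' ACL sees the server's reply heading back to the client.  None = no ACL."""
    req = "permit" if in_acl is None else evaluate(in_acl, request)
    if req == "deny":
        return req, "not reached"
    rep = "permit" if out_acl is None else evaluate(out_acl, reply(request))
    return req, rep


def load(*lines):
    return [parse_ace(l) for l in lines]


# Client 10.86.60.5 opening HTTP to the (constructed) web server 203.0.113.10.
WEB = packet("tcp", "10.86.60.5", 51000, "203.0.113.10", 80)
# 1. The original ACL 121 applied 'in': the client's own request is dropped.
ACL_ORIG = load("access-list 121 deny ip 10.86.60.0 0.0.0.127 any log")
# 2. A deny applied 'out' instead: the request leaves, but the reply is dropped.
ACL_OUT_DENY = load("access-list 101 deny ip any 10.86.60.0 0.0.0.127")
# 3. Explicit permits before each final deny; the reply's port 80 is its source port.
ACL_121 = load("access-list 121 permit tcp 10.86.60.0 0.0.0.15 any eq http",
               "access-list 121 deny ip 10.86.60.0 0.0.0.15 any log")
ACL_111 = load("access-list 111 permit tcp any eq http 10.86.60.0 0.0.0.15",
               "access-list 111 deny ip any 10.86.60.0 0.0.0.15 log")

if __name__ == "__main__":
    print("original 121 in :", flow_verdict(ACL_ORIG, None, WEB))
    print("deny 'out' only :", flow_verdict(None, ACL_OUT_DENY, WEB))
    print("permit both legs:", flow_verdict(ACL_121, ACL_111, WEB))
```

The three scenarios reproduce the thread: the original `deny ... in` blocks the client's request, a `deny ... out` blocks the reply, and only a permit in each ACL (placed above the final deny) lets both legs through. The same `evaluate` function can be fed the full ACL 111/121 pair posted above to check any flow; the pair of 443 entries for 140.95.0.0/16 already follows this request/reply pattern, while a web server outside the listed networks falls through to the final deny in both directions.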

gazillion_dwolfe Tue, 07/26/2011 - 08:29

Something great I found on a Cisco forum somewhere that has always helped me determine which direction is correct.

The "in" ACL has a source on a segment of the interface to which it is applied and a destination off of any other interface. The "out" ACL has a source on a segment of any interface other than the interface to which it is applied and a destination off of the interface to which it is applied.

Maybe that will help someone else.

netengdj

Marwan ALshawi Tue, 07/26/2011 - 21:26

Hi Doug Wolfe

Just about your statement about ACLs: it is not correct, because you might have a LAN interface connected to a routed network, and you can source the ACL from any L3 IP, with or without an L4 port, for packet filtering.

In other words, it does not have to be the same as the source interface IP, as with L3 the IP address is preserved when it passes through any routed network unless it gets NATed.

HTH

Posted July 26, 2011 at 3:02 AM