
ACL problems

mchance
Level 1

I have an ASR 1002x with 2 GIGe pipes setup bgp. Both ports have the ip access-list extended WAN_TO_LAN added as "in".

I would like to add to that acl to block all traffic from the internet to those ports except for eq 443. The IP I want to control is a public ip.

permit tcp xxx.49.xxx.8 0.0.0.255 any eq 443 does not work.

What am I missing?

4 Replies

Nagendra Kumar Nainar
Cisco Employee

Hi,

"permit tcp xxx.49.xxx.8 0.0.0.255 any eq 443" will permit any incoming traffic (assuming the ACL is applied inbound) with source as xxx.49.xxx.0/24 and destination as any address with TCP destination port as 443 (and source port as any). Is it what you want to permit?

I only want to allow traffic on 443 to that IP. When I add that rule to the ACL that is applied as in and do a port scan, there are still a ton of ports open.

Can you share the full config? From where are you doing the port scan?

I did the port scan from outside the network. I remoted into a computer at my house and did the port scan from there.

interface GigabitEthernet0/0/1
 description ***blah***
 ip address xx.164.248.34 255.255.255.252
 no ip proxy-arp
 ip nat outside
 ip access-group WAN_TO_LAN in
 negotiation auto

interface TenGigabitEthernet0/2/0
 description ***blah***
 ip address xx.85.243.82 255.255.255.252
 ip nat outside
 ip access-group WAN_TO_LAN in

ip access-list extended WAN_TO_LAN
 permit ip host xx.85.254.162 any
 remark **** blah ****
 permit ip xx.60.160.0 0.0.1.255 any
 remark **** blah ****
 permit ip xx.60.162.192 0.0.0.63 any
 permit tcp xxx.49.xxx.8 0.0.0.255 any eq 443

The other rules in the ACL work. Just not the last one.

To recap:

I only want to allow traffic to IP xx.49.178.x (our email server) on port 443.
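Nagendra's point above is that the entry as written matches on the source network, not on the mail server as destination. The following is an added Python illustration of IOS wildcard-mask ACL evaluation, not code from the thread; the addresses are constructed RFC 5737 documentation addresses standing in for the masked ones, and the "corrected" entry is an assumption about what the intended rule would look like.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    keep = ~w & 0xFFFFFFFF          # the 0 bits of the wildcard must match exactly
    return (a & keep) == (b & keep)


@dataclass
class Ace:
    action: str
    proto: str
    src: str
    src_wc: str
    dst: str
    dst_wc: str
    dport: Optional[int] = None     # only a trailing 'eq <port>' (destination) is handled


def _addr(tokens, i):
    """Consume one address spec (any | host A | A WILDCARD) -> (base, wildcard, next)."""
    if tokens[i] == "any":
        return "0.0.0.0", "255.255.255.255", i + 1
    if tokens[i] == "host":
        return tokens[i + 1], "0.0.0.0", i + 2
    return tokens[i], tokens[i + 1], i + 2


def parse_ace(line: str) -> Ace:
    t = line.split()
    src, src_wc, i = _addr(t, 2)
    dst, dst_wc, i = _addr(t, i)
    dport = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None
    return Ace(t[0], t[1], src, src_wc, dst, dst_wc, dport)


def evaluate(acl_lines, proto, src, dst, dport) -> str:
    """First-match evaluation with the implicit 'deny' every IOS ACL ends with."""
    for ace in (parse_ace(l) for l in acl_lines if not l.lstrip().startswith("remark")):
        if ace.proto not in ("ip", proto):
            continue
        if not (wildcard_match(src, ace.src, ace.src_wc) and wildcard_match(dst, ace.dst, ace.dst_wc)):
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action
    return "deny"


# Constructed stand-ins: 198.51.100.10 plays the mail server, 203.0.113.5 an Internet host.
AS_POSTED = ["permit tcp 198.51.100.8 0.0.0.255 any eq 443"]   # matches by SOURCE /24
CORRECTED = ["permit tcp any host 198.51.100.10 eq 443"]       # assumed intent: by DESTINATION
```

Running `evaluate(AS_POSTED, "tcp", "203.0.113.5", "198.51.100.10", 443)` falls through to the implicit deny, while the same packet is permitted by CORRECTED and port 25 to the mail server is not.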
