Router ignoring ACL applied to external interface

dunnoyet42
Level 1

I have a router with an ACL configured on the external interface. I restrict access so only specific hosts can connect to it; there is a deny statement at the end of the ACL which it never seems to reach. I am able to SSH to the router from any host even though the ACL denies access. I have an identical router set up in the same way which seems to be working fine. Config below:

interface GigabitEthernet0/0
 description Outside Interface
 ip address A.B.C.D 255.255.254.0
 ip access-group CSM_FW_ACL_GigabitEthernet0/0 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip virtual-reassembly in
 duplex auto
 speed auto
!

Extended IP access list CSM_FW_ACL_GigabitEthernet0/0
    11 permit icmp any any echo-reply
    21 permit icmp any any time-exceeded (71 matches)
    31 permit icmp any any unreachable (80 matches)
    41 permit ip host x.147.110.244 any
    51 permit ip host x.147.110.245 any (3443 matches)
    61 permit ip host x.169.152.249 any (114 matches)
    71 permit ip host x.169.152.251 any
    81 permit ip host x.169.153.86 any
    91 permit ip host x.169.152.116 any
    101 permit ip host x.147.110.17 any
    111 permit ip host x.196.60.102 any
    121 permit ip host x.196.60.50 any
    131 permit ip host x.97.169.18 any
    141 permit udp any any eq bootps
    151 permit udp any any eq bootpc
    161 permit gre any any
    171 permit esp any any (47057911 matches)
    181 permit udp any any eq isakmp (15751 matches)
    182 permit object-group udp-4500 any any (12210 matches)
    183 permit object-group udp-848 any any
    211 permit udp object-group ext-hst-140.142.16.34 any eq ntp
    221 permit udp object-group ext-hst-129.6.15.29 any eq ntp
    231 permit udp object-group ext-hst-198.123.30.132 any eq ntp
    241 permit icmp any any echo
    251 permit tcp any any established
    252 permit object-group HSRP any object-group hst-int-224.0.0.2
    271 deny ip any any log-input

6 Replies

Richard Burts
Hall of Fame

I see that there are multiple object groups configured and wonder about the possibility that some object group has a more broad permit than the names suggest.

Perhaps one way to get some insight into the issue would be to issue the show access list command, note all the counters. Then do the SSH from an outside host. Then do show access list again and look for statements where the counter has increased.

HTH

Rick


dfeurt1969
Level 1

Hello Ian,
Check the vty configuration for an access class statement. The ACL controls traffic through the router, not traffic connecting to the router on a vty line.

Sent from Cisco Technical Support iPad App

David

You raise an interesting point that for SSH access to be successful it must be permitted by the access-class on the vty - if an access-class is configured. But you are a bit off the mark in saying that ACL controls traffic through the router, not traffic connecting to the router. Traffic to the router must be permitted by the interface inbound ACL as well as by the access-class. If the SSH request is really coming through the interface Gig0/0 then the interface ACL must permit it or else the SSH request would fail.

So perhaps there are several possibilities to check on. As I suggested in my previous response, I wonder if there is some statement which permits more traffic than its name suggests. And the possibility that the SSH request is not getting to the router through interface Gig0/0.

HTH

Rick


There is no access list specified on the vty lines; access to or through the router is controlled by the access list, and logon access is controlled through AAA.

The two object groups in the ACL are for services only; however, hits seem to stop at line 182. I have an identical router, but a different model, with the same config which works fine.

!
object-group service udp-4500
 udp eq non500-isakmp
!
object-group service udp-848
 udp eq 848
!

I am going to upgrade the IOS tomorrow evening and see if that resolves the issue.

Current IOS:

Cisco IOS Software, C3900e Software (C3900e-UNIVERSALK9-M), Version 15.1(3)T1, RELEASE SOFTWARE (fc2)

Rejohn Cuares
Level 4

Can you remove this line

  251 permit tcp any any established

and retest.

Please rate replies and mark question as "answered" if applicable.

Hi,

if this line is removed then all inside to outside TCP sessions won't work as return traffic will be blocked by the explicit deny all at the end.

Regards

Alain

Don't forget to rate helpful posts.
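The exchange above (remove sequence 251 and retest, versus the reply that return traffic would then hit the final deny) can be traced packet by packet. The evaluator below is an added example, not code from the thread or from Cisco: a first-match evaluator for only the subset of IOS extended-ACL syntax that appears on the page (ip/tcp/udp, "any" or "host" addresses, a numeric or named "eq" destination port, and "established"). The ACL, sequence numbers and packets it runs against are constructed, using RFC 5737 documentation addresses, and the names Packet, lookup and without are this example's own.

```python
"""Trace which ACE an inbound packet on the outside interface hits.

Added example, not from the thread. Supports only the subset of IOS extended
ACL syntax used on the page: ip/tcp/udp, 'any' or 'host A.B.C.D' for source
and destination, 'eq <port>' on the destination, and 'established'. IOS
evaluates top-down, first match wins, then the implicit deny. The ACL and
packets below are constructed (RFC 5737 addresses, invented sequence numbers).
"""
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# Named ports IOS accepts that appear in the ACL on the page.
PORT_NAMES = {"bootps": 67, "bootpc": 68, "ntp": 123, "isakmp": 500, "ssh": 22}


@dataclass
class Packet:
    proto: str          # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: int = 0
    ack: bool = False   # IOS 'established' matches segments with ACK or RST set
    rst: bool = False


# (sequence, action, criteria) in the order IOS evaluates them.
ACL: List[Tuple[int, str, str]] = [
    (41,  "permit", "ip host 203.0.113.244 any"),
    (181, "permit", "udp any any eq isakmp"),
    (251, "permit", "tcp any any established"),
    (271, "deny",   "ip any any"),
]


def _addr(tokens: List[str], i: int) -> Tuple[Callable[[str], bool], int]:
    """Consume 'any' or 'host X' at tokens[i]; return (matcher, next index)."""
    if tokens[i] == "any":
        return (lambda a: True), i + 1
    if tokens[i] == "host":
        want = tokens[i + 1]
        return (lambda a, w=want: a == w), i + 2
    raise ValueError(f"unsupported address form: {tokens[i]}")


def _port(token: str) -> int:
    return PORT_NAMES[token] if token in PORT_NAMES else int(token)


def ace_matches(criteria: str, pkt: Packet) -> bool:
    """True if one ACE's criteria match the packet."""
    tokens = criteria.split()
    if tokens[0] != "ip" and tokens[0] != pkt.proto:
        return False
    src_ok, i = _addr(tokens, 1)
    dst_ok, i = _addr(tokens, i)
    if not (src_ok(pkt.src) and dst_ok(pkt.dst)):
        return False
    while i < len(tokens):
        if tokens[i] == "eq":                   # destination port only
            if pkt.dport != _port(tokens[i + 1]):
                return False
            i += 2
        elif tokens[i] == "established":        # stateless: ACK or RST bit set
            if not (pkt.ack or pkt.rst):
                return False
            i += 1
        else:
            raise ValueError(f"unsupported qualifier: {tokens[i]}")
    return True


def lookup(acl, pkt: Packet) -> Tuple[Optional[int], str]:
    """First-match lookup: (sequence, action); (None, 'deny') is the implicit deny."""
    for seq, action, criteria in acl:
        if ace_matches(criteria, pkt):
            return seq, action
    return None, "deny"


def without(acl, seq: int):
    """The same ACL with one sequence number removed (the retest suggested above)."""
    return [e for e in acl if e[0] != seq]


if __name__ == "__main__":
    ssh_syn = Packet("tcp", "198.51.100.7", "192.0.2.1", dport=22)
    return_synack = Packet("tcp", "198.51.100.7", "10.0.0.5", dport=51234, ack=True)
    print("SSH SYN from unlisted host  :", lookup(ACL, ssh_syn))
    print("return SYN/ACK, with 251    :", lookup(ACL, return_synack))
    print("return SYN/ACK, without 251 :", lookup(without(ACL, 251), return_synack))
```

Running it shows the SYN of an SSH attempt from an unlisted outside host stopping at sequence 271 whether or not 251 is present, while a SYN/ACK coming back to an inside host matches 251 and, once 251 is removed, falls through to 271, which is the breakage Alain describes. The caveat is in the "established" branch: it is stateless, so any inbound segment with ACK or RST set matches it whether or not a session exists. That lets ACK probes reach the router, but it cannot let a new TCP connection complete, because the initial SYN carries neither bit and is still judged by the lines below it.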