ACL doesn't seem to work

zak_falingepark
Level 1

Hello,

Please see the attached diagram. The people who own our building have a few VLANs on our switches. The VLANs in the circles belong to them. I have set up some ACLs so that any devices in these VLANs can communicate with each other, e.g. a device in VLAN 120 can communicate with a device in VLAN 121, but they cannot communicate with devices outside these three VLANs. They can't communicate with VLAN 110, and devices in VLAN 110 cannot communicate with the circled VLANs. Basically, separating the left (of the switch) and the right from talking with each other. These ACLs work a treat.

I would like it so any device in VLAN 110 can reach port 80 on 172.32.3.2 (VLAN 123). But the IP access list called BMS-WEB to allow this doesn't seem to work, even though it is showing matches on the rule.

Below are my rules

Extended IP access list CCTV-SEC
    10 permit ip 172.32.1.0 0.0.0.255 172.32.2.0 0.0.0.255 (12 match(es))
    20 permit ip 172.32.1.0 0.0.0.255 172.32.3.0 0.0.0.255 (12 match(es))
Extended IP access list ACC-CTRL
    10 permit ip 172.32.2.0 0.0.0.255 172.32.1.0 0.0.0.255 (11 match(es))
    20 permit ip 172.32.2.0 0.0.0.255 172.32.3.0 0.0.0.255 (13 match(es))
Extended IP access list BMS-NEW
    10 permit ip 172.32.3.0 0.0.0.255 172.32.1.0 0.0.0.255 (8 match(es))
    20 permit ip 172.32.3.0 0.0.0.255 172.32.2.0 0.0.0.255 (11 match(es))
Extended IP access list BMS-WEB
    10 permit tcp 172.16.1.0 0.0.0.255 host 172.32.3.2 eq www (36 match(es))

Below is my VLAN config

interface Vlan110
 ip address 172.16.1.254 255.255.255.0
!
interface Vlan120
 description CCTV Security
 ip address 172.32.1.254 255.255.255.0
 ip access-group CCTV-SEC in
!
interface Vlan121
 description Access CRTL
 ip address 172.32.2.254 255.255.255.0
 ip access-group ACC-CTRL in
!
interface Vlan123
 description BMS
 ip address 172.32.3.254 255.255.255.0
 ip access-group BMS-NEW in
 ip access-group BMS-WEB out

Thanks for the help.

12 Replies

Jon Marshall
Hall of Fame

Zak

You need to allow the return traffic from vlan 123. Add this line to your BMS-NEW acl -

permit tcp host 172.32.3.2 eq www 172.16.1.0 0.0.0.255

Jon

John Blakley
VIP Alumni

Zak,

You'll need to allow the return traffic in your BMS-NEW acl:

Extended IP access list BMS-NEW
    10 permit ip 172.32.3.0 0.0.0.255 172.32.1.0 0.0.0.255 (8 match(es))
    20 permit ip 172.32.3.0 0.0.0.255 172.32.2.0 0.0.0.255 (11 match(es))
    30 permit tcp host 172.32.3.2 eq www 172.16.1.0 0.0.0.255

HTH,

John

*** Please rate all useful posts ***

Thanks Jon & John, I should have known that, much appreciated!

In production we have a pair of 4500X switches. Am I right in thinking that these bigger switches have a special type of ACL function that will allow the traffic one way? What I mean is, in my example with the ACL, devices in VLAN 123 can access port 80 on devices in VLAN 110. Is there a special ACL that will only allow the return traffic to flow to VLAN 110 from 123, but not allow the traffic to be initiated from VLAN 123?

I read about this a while back; is there something like this, please?

Thanks

Yes, reflexive acls will do it:

http://www.cisco.com/en/US/docs/ios/12_2/security/configuration/guide/scfreflx.html

HTH,
John


Thanks for that, shame I don't have anything to test this on.

One last question. On the ACL you posted, why is the eq www not at the end, please? On my test I can't get port 80 to the hosts in VLAN 110 from 123. So it's acting like a one-way mirror. I assume these are linked?

Thanks for the help.

Zak

On the ACL you posted why is the eq www not at the end please?

Because it is return traffic. So the traffic to the web server has a random src port and a dst port of 80. But when the web server sends the traffic back the src port is now 80 and the dst port is the random src port.

By the way, I don't think reflexive ACLs are supported on the 4500X, although John may know otherwise. I believe they are only supported on the 6500 (and maybe the new 6800; I haven't checked).

If they are not supported, the best you can do is use the "established" keyword in your ACL, which works with TCP connections. I'm assuming that is supported, but like you I don't have a switch to test with.

Jon

Jon,

You're 100% correct, and I didn't think to look at the supported feature for the switch. It's not supported for the 4500-X series.

HTH,
John


Thanks chaps.

I'm not worried too much; I have a firewall that can handle the DMZ.

For my scenario, it's working like a reflexive ACL. It's only working one way, that's great. If I have understood it, it's the random src port that is doing that?

Thanks for the help, it's much appreciated.

Hi guys,

Just put this in, I can't ping the default gateway (IP of the VLAN) from machines that belong to that same VLAN. For example, the devices in the CCTV Security VLAN cannot ping the CCTV Security DG.

Why is this, please?

Thanks

Zak

If the acl is applied inbound on the SVI for that vlan then if you want to ping the SVI IP address from devices in that vlan you need to explicitly allow it in your acl.

Note that it will not stop traffic going between VLANs, because the destination IP is never the SVI IP address unless you are actually trying to ping it, as you are.

Jon

OK, so what rule do I put in, please?

Thanks

Zak

permit icmp 172.32.1.0 0.0.0.255 host 172.30.1.x echo  <--- where 172.30.1.x is the SVI IP

the above just allows ICMP echo requests to the SVI IP. 

Jon
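The following is an added example, not part of the thread and not Cisco's code: a small Python model of how a stateless IOS extended ACL evaluates packets, written to make Jon's and John's answers above checkable. It covers the two points the thread turns on: the return SYN/ACK from the web server being dropped by the implicit deny at the end of BMS-NEW until rule 30 (`permit tcp host 172.32.3.2 eq www 172.16.1.0 0.0.0.255`) is added, and Jon's later point that an inbound ACL on an SVI also filters pings to that SVI, fixed with the `permit icmp ... echo` ACE. It also answers Zak's "random src port" question: rule 30 matches on source port 80 only, so a host in VLAN 123 that deliberately opens a new connection from source port 80 is still permitted; Jon's `established` keyword (matches only segments with ACK or RST set) refuses that fresh SYN while still passing the SYN/ACK. The ACL lines and addresses are taken from Zak's config; the client hosts 172.16.1.10 and 172.32.1.10, the ephemeral port 51515, and the ACL names ending in -RULE30, -ESTABLISHED and -PING are constructed for this example. The parser handles only the IOS subset the thread uses (permit/deny, ip/tcp/icmp, host/any/wildcard, eq, established, echo).

```python
import ipaddress
from dataclasses import dataclass

PORT_NAMES = {"www": 80}          # only the port keyword the thread uses
ICMP_TYPES = {"echo": 8, "echo-reply": 0}

# Constructed sample: the thread's ACLs plus the amended variants the replies discuss.
ACLS = {
    "BMS-WEB": ["10 permit tcp 172.16.1.0 0.0.0.255 host 172.32.3.2 eq www"],
    "BMS-NEW": ["10 permit ip 172.32.3.0 0.0.0.255 172.32.1.0 0.0.0.255",
                "20 permit ip 172.32.3.0 0.0.0.255 172.32.2.0 0.0.0.255"],
    "CCTV-SEC": ["10 permit ip 172.32.1.0 0.0.0.255 172.32.2.0 0.0.0.255",
                 "20 permit ip 172.32.1.0 0.0.0.255 172.32.3.0 0.0.0.255"],
}
RETURN_ACE = "30 permit tcp host 172.32.3.2 eq www 172.16.1.0 0.0.0.255"   # Jon's/John's fix
ACLS["BMS-NEW-RULE30"] = ACLS["BMS-NEW"] + [RETURN_ACE]                      # names below are ours
ACLS["BMS-NEW-ESTABLISHED"] = ACLS["BMS-NEW"] + [RETURN_ACE + " established"]
ACLS["CCTV-SEC-PING"] = ["5 permit icmp 172.32.1.0 0.0.0.255 host 172.32.1.254 echo"] + ACLS["CCTV-SEC"]

@dataclass(frozen=True)
class Packet:
    proto: str                        # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    tcp_flags: frozenset = frozenset()  # e.g. {"SYN"} or {"SYN", "ACK"}
    icmp_type: int = -1

def _wildcard_match(addr, net, wild):
    """Cisco wildcard mask: 0 bits must match, 1 bits are don't-care."""
    care = ~int(ipaddress.IPv4Address(wild)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(net)) & care)

def _parse_addr(tokens, i):  # any | host A | A WILDCARD  ->  (matcher, next index)
    if tokens[i] == "any":
        return (lambda a: True), i + 1
    if tokens[i] == "host":
        host = tokens[i + 1]
        return (lambda a: a == host), i + 2
    net, wild = tokens[i], tokens[i + 1]
    return (lambda a: _wildcard_match(a, net, wild)), i + 2

def _parse_port(tokens, i):  # optional 'eq <port>' after an address  ->  (port or None, next index)
    if i < len(tokens) and tokens[i] == "eq":
        name = tokens[i + 1]
        return PORT_NAMES.get(name) or int(name), i + 2
    return None, i

def parse_ace(line):
    """Parse one ACE of the IOS subset used here into (action, predicate)."""
    tokens = line.split()
    if tokens[0].isdigit():           # sequence number, as 'show access-lists' prints it
        tokens = tokens[1:]
    action, proto = tokens[0], tokens[1]
    src_ok, i = _parse_addr(tokens, 2)
    sport, i = _parse_port(tokens, i)
    dst_ok, i = _parse_addr(tokens, i)
    dport, i = _parse_port(tokens, i)
    opts = set(tokens[i:])
    icmp_type = next((ICMP_TYPES[o] for o in opts if o in ICMP_TYPES), None)
    def matches(p):
        if proto != "ip" and p.proto != proto:
            return False
        if not (src_ok(p.src) and dst_ok(p.dst)):
            return False
        if (sport is not None and p.sport != sport) or (dport is not None and p.dport != dport):
            return False
        # 'established' only matches segments with ACK or RST set, so never a fresh SYN
        if "established" in opts and not (p.tcp_flags & {"ACK", "RST"}):
            return False
        return icmp_type is None or p.icmp_type == icmp_type
    return action, matches

def evaluate(acl_lines, packet):
    """First matching ACE wins; an ACL that matches nothing ends in the implicit deny."""
    for line in acl_lines:
        action, matches = parse_ace(line)
        if matches(packet):
            return action
    return "deny"

def run_thread_scenarios():
    """The packets the thread discusses, against the original and the amended ACLs (hosts/ports made up)."""
    syn = Packet("tcp", "172.16.1.10", "172.32.3.2", 51515, 80, frozenset({"SYN"}))
    syn_ack = Packet("tcp", "172.32.3.2", "172.16.1.10", 80, 51515, frozenset({"SYN", "ACK"}))
    # a VLAN 123 host opening a NEW connection towards VLAN 110 from source port 80 on purpose
    rogue_syn = Packet("tcp", "172.32.3.2", "172.16.1.10", 80, 22, frozenset({"SYN"}))
    ping_svi = Packet("icmp", "172.32.1.10", "172.32.1.254", icmp_type=8)
    return {
        "client_syn_out_vlan123": evaluate(ACLS["BMS-WEB"], syn),                     # permit
        "syn_ack_in_original": evaluate(ACLS["BMS-NEW"], syn_ack),                    # deny (implicit)
        "syn_ack_in_rule30": evaluate(ACLS["BMS-NEW-RULE30"], syn_ack),               # permit
        "rogue_syn_in_rule30": evaluate(ACLS["BMS-NEW-RULE30"], rogue_syn),           # permit: only src port checked
        "rogue_syn_in_established": evaluate(ACLS["BMS-NEW-ESTABLISHED"], rogue_syn), # deny
        "syn_ack_in_established": evaluate(ACLS["BMS-NEW-ESTABLISHED"], syn_ack),     # permit
        "ping_svi_original": evaluate(ACLS["CCTV-SEC"], ping_svi),                    # deny
        "ping_svi_with_echo_ace": evaluate(ACLS["CCTV-SEC-PING"], ping_svi),          # permit
    }
```

Calling `run_thread_scenarios()` returns the verdict for each packet. The model deliberately stops where a stateless ACL stops: it has no connection table, so the only way to tell "return traffic" from "new traffic" is the `established` flag check, which is exactly why reflexive ACLs (or the firewall Zak mentions) are the right tool when the platform supports them. The ICMP echo reply the SVI sends back is router-originated and not subject to the inbound ACL, so it is not modelled.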
