Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
646
Views
5
Helpful
2
Replies

ACL problem on 3750e

tffmaguire
Level 1
Level 1

‎03-12-2010 09:28 AM - edited ‎03-06-2019 10:06 AM

Our Pix 525 gig port just went belly up.

While awaiting spare part, I connected our Internet connection directly to a 3750e gig port instead of the PIX.

Everything works great.

I then want to apply the same ACL I used on the firewall to the 3750e's  port.

Brief example of ACl:

! lots of ACE's

.

.

.

access-list 103 permit tcp any host 155.x.x.32 eq 80
access-list 103 permit tcp any host 155.x.x.33 eq 80
access-list 103 permit tcp any host 155.x.x.33 eq 4063
access-list 103 permit tcp any host 155.x.x.33 eq 4064
access-list 103 permit tcp any host 155.x.x.40 eq 4063
access-list 103 permit tcp any host 155.x.x.40 eq 4064
access-list 103 permit udp any host 155.x.x.40 eq 31335
access-list 103 deny ip any any

When I apply this to my interface, it works as advertised on the inbound side.   However, nobody can get to the Internet via outbound.

see below.

int gi1/0/25

no switchport

ip address xxx.xxx.xxx.98 255.255.255.252

ip access-group 103 in

speed nonegotiate

I create the following ACL and applied that to the above interface as "ip access-group 101 out"

access-list 101 permit ip any any

Any help or guidance would be greatly appreciated.

Thanks,

Tom

Labels:
0 Helpful
2 Replies 2

Jon Marshall
Hall of Fame
Hall of Fame

‎03-12-2010 09:34 AM

Tom

The pix is a stateful firewall and your 3750 is not. So when you allow traffic out through the pix from your clients to the internet the return traffic is automatically allowed back in because your firewall is keeping track of the connections.

But on your acl applied to the 3750 the last line is -

access-list 103 deny ip any any

this stops all return traffic from the internet being allowed in to your clients because the 3750 is not stateful. And there really isn't a way to make it stateful. You can -

1) use the "established" keyword for TCP connections which would allow tcp packets back in.

2) use reflexive access-lists which would also cater for ICMP and UDP but i don't think the 3750 will support reflexive acls.

To be honest you probably should just wait for your pix to be replaced because to allow your internal clients internet access would mean compromising the security of your network.

Jon

tffmaguire
Level 1
Level 1
In response to Jon Marshall

‎03-12-2010 10:24 AM

Thanks Jon.   Your answer was quite helpful.

Tom

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card