ACLs acting strange

bkaren1278
Level 1

I've pasted my VLAN and ACL config. Here's what's strange: from VLAN 2 I can ping the VLAN 1 interface. Shouldn't the ACLs prevent this?

interface Vlan1
 ip address 10.0.0.171 255.0.0.0
!
interface Vlan2
 description DMZ_192.168.1.0
 ip address 192.168.1.5 255.255.255.0
 ip access-group 101 in
 ip access-group 101 out
!
interface Vlan3
 description Public_Wireless_192.168.2.0
 ip address 192.168.2.10 255.255.255.0
 ip access-group 102 in
 ip access-group 102 out
 shutdown
!
ip classless
no ip http server
!
!
access-list 101 remark regulate traffic for dmz_192.168.1.x
access-list 101 permit tcp host 192.168.1.21 245.255.255.105 10.0.0.150 eq smtp
access-list 101 permit tcp host 192.168.1.21 245.255.255.73 10.0.0.36 eq 389
access-list 101 permit tcp host 192.168.1.21 245.255.255.73 10.0.0.36 eq 636
access-list 101 permit tcp host 192.168.1.21 245.255.255.73 10.0.0.36 eq 3268
access-list 101 permit tcp host 192.168.1.21 245.255.255.73 10.0.0.36 eq 3269
access-list 101 permit tcp any any eq www
access-list 101 permit tcp any any eq 443
access-list 101 permit tcp any any eq smtp
access-list 101 permit tcp any any eq ftp
access-list 101 deny ip any any
access-list 102 remark regulate traffic for public_wireless_192.168.2.x
access-list 102 permit tcp any any eq www
access-list 102 permit tcp any any eq 443
access-list 102 permit tcp any any eq smtp
access-list 102 permit tcp any any eq ftp
access-list 102 deny ip any any

6 Replies

lgijssel
Level 9

The upper lines of ACL 101 are really "special".

I find it hard to imagine that you were able to enter them as they are shown. If they are entered as shown, I cannot even guess what the IOS will do with them. Please rewrite your ACL 101. I think it should look like:

access-list 101 permit tcp host 192.168.1.21 eq smtp host 10.0.0.150 eq smtp, and so on.

For the rest, are you perhaps pinging from the interface Vlan2? This is not affected by the ACL.

It is also not a good configuration habit to apply the same ACL both in and out. You are permitting a source on VLAN 2 (192.168.1.x), hence the access list should be applied ingress. This should be sufficient to block the traffic.

Regards,

Leo

I pinged from a workstation at 192.168.1.200 to the VLAN interface.

Brook

I agree with Leo that what you posted may be what you pasted into the router. But the syntax of access list 101 is highly irregular and I doubt that the router interpreted it the way that you think. It would be helpful if you post the output of the command show access-list from this router so we can see what the router is really using.

Another aspect to keep in mind, if you are pinging an interface on the router instead of pinging through the router to some connected address, is that outbound access lists on a router do not filter packets generated by the router itself. So if you ping a router interface and the router generates a response, an outbound access list on any interface will not be able to stop the response.

HTH

Rick

(Quick FYI, not sure that it matters, but it's a Catalyst 4507 switch.)

OK, so I corrected the ACL to use this:

access-list 101 permit tcp host 192.168.1.21 eq smtp host 10.0.0.150 eq smtp

and took out:

access-list 101 permit tcp any any eq www

access-list 101 permit tcp any any eq 443

access-list 101 permit tcp any any eq smtp

access-list 101 permit tcp any any eq ftp

I also reconfigured the ACL so it's only ingress.

All of my previous problems have resolved except:

192.168.21.1 cannot reach 10.0.0.150 for smtp.

Any suggestions?

That one calls for basic troubleshooting:

Step one: remove the ACL and try again.

Step two: test end-to-end IP connectivity with and without the ACL.

If that is not sufficient, you might as well hire a professional to do the job.

Regards,

Leo

Some of us do like to learn while we have the luxury of a test environment.

I have this revised plan. The goals of these ACLs are to prevent 192.168.1.x from reaching the 10.0.x.x network except for the pinholes listed; also, I do not wish for 192.186.2.x to hit the 10.0.0.0 network at all. What do you guys think?

access-list 100 remark regulate outbound traffic for dmz_192.168.1.x
access-list 100 permit tcp host 192.168.1.21 eq 389 host 10.0.0.36 eq 389
access-list 100 permit tcp host 192.168.1.21 eq 636 host 10.0.0.36 eq 636
access-list 100 permit tcp host 192.168.1.21 eq 3268 host 10.0.0.36 eq 3268
access-list 100 permit tcp host 192.168.1.21 eq 3269 host 10.0.0.36 eq 3269
access-list 100 permit tcp any any eq www
access-list 100 permit tcp any any eq 443
access-list 100 permit tcp any any eq smtp
access-list 100 permit tcp any any eq ftp
access-list 100 deny ip any any
access-list 101 remark regulate inbound traffic for dmz_192.168.1.x
access-list 101 permit tcp host 10.0.0.150 eq smtp host 192.168.1.21 eq smtp
access-list 101 permit tcp host 10.0.0.36 eq 389 host 192.168.1.21 eq 389
access-list 101 permit tcp host 10.0.0.36 eq 636 host 192.168.1.21 eq 636
access-list 101 permit tcp host 10.0.0.36 eq 3268 host 192.168.1.21 eq 3268
access-list 101 permit tcp host 10.0.0.36 eq 3269 host 192.168.1.21 eq 3269
access-list 101 deny ip any any
access-list 102 remark regulate outbound traffic for public_wireless_192.168.2.x
access-list 102 permit tcp any any eq www
access-list 102 permit tcp any any eq 443
access-list 102 permit tcp any any eq smtp
access-list 102 permit tcp any any eq ftp
access-list 102 deny ip any any
access-list 103 remark regulate inbound traffic for production_network_10.0.x.x
access-list 103 permit tcp host 192.168.1.21 eq 389 host 10.0.0.36 eq 389
access-list 103 permit tcp host 192.168.1.21 eq 636 host 10.0.0.36 eq 636
access-list 103 permit tcp host 192.168.1.21 eq 3268 host 10.0.0.36 eq 3268
access-list 103 permit tcp host 192.168.1.21 eq 3269 host 10.0.0.36 eq 3269
access-list 103 deny ip 192.168.0.0 0.0.255.255 any
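Added example, not part of the thread: a small Python model of how IOS evaluates a numbered extended ACL (top down, first match wins, implicit deny at the end), used to check the revised plan above against its stated goal, and to act on Rick's earlier point that you should confirm what the switch actually does rather than what you think the lines say. The addresses and ports come from the thread; the client source ports, the production host 10.0.0.50, the Internet host 203.0.113.10 and the rewritten lists are assumptions made for this example.

```python
import ipaddress
from collections import namedtuple

PORT_NAMES = {"www": 80, "smtp": 25, "ftp": 21}
Ace = namedtuple("Ace", "action proto src sport dst dport established")
# ack=True for every TCP segment after the initial SYN (what 'established' keys on)
Packet = namedtuple("Packet", "proto src sport dst dport ack", defaults=(False,))


def _take_addr(toks):
    """Consume 'any' | 'host A' | 'A WILDCARD' (contiguous wildcard masks only)."""
    t = toks.pop(0)
    if t == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if t == "host":
        return ipaddress.ip_network(toks.pop(0) + "/32")
    wild = int(ipaddress.IPv4Address(toks.pop(0)))
    netmask = ipaddress.IPv4Address(0xFFFFFFFF ^ wild)  # IOS wildcard -> netmask
    return ipaddress.ip_network(f"{t}/{netmask}", strict=False)


def _take_port(toks):
    """Consume an optional 'eq PORT'; None means any port."""
    if toks[:1] != ["eq"]:
        return None
    toks.pop(0)
    name = toks.pop(0)
    return PORT_NAMES.get(name) or int(name)


def parse_acl(text):
    """Parse 'access-list N permit|deny PROTO SRC [eq P] DST [eq P] [established]'."""
    acls = {}
    for line in text.strip().splitlines():
        toks = line.split()
        if len(toks) < 4 or toks[0] != "access-list" or toks[2] == "remark":
            continue
        num, action, proto, rest = toks[1], toks[2], toks[3], toks[4:]
        src, sport = _take_addr(rest), _take_port(rest)
        dst, dport = _take_addr(rest), _take_port(rest)
        acls.setdefault(num, []).append(
            Ace(action, proto, src, sport, dst, dport, rest[:1] == ["established"]))
    return acls


def evaluate(aces, pkt):
    """IOS semantics: top-down, first match wins, implicit 'deny ip any any'."""
    s, d = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    for a in aces:
        if a.proto not in ("ip", pkt.proto) or s not in a.src or d not in a.dst:
            continue
        if a.sport not in (None, pkt.sport) or a.dport not in (None, pkt.dport):
            continue
        if a.established and not pkt.ack:  # 'established' needs ACK (or RST) set
            continue
        return a.action
    return "deny"


# Representative entries from the post's ACL 100 (DMZ -> production, applied
# "in" on Vlan2) and ACL 101 (replies back to the DMZ).
PROPOSED = """
access-list 100 permit tcp host 192.168.1.21 eq 389 host 10.0.0.36 eq 389
access-list 100 permit tcp any any eq www
access-list 100 permit tcp any any eq 443
access-list 100 deny ip any any
access-list 101 permit tcp host 10.0.0.36 eq 389 host 192.168.1.21 eq 389
access-list 101 deny ip any any
"""

# Assumed rewrite (not from the thread): clients use ephemeral source ports, so
# match only the destination port; deny the whole production range right after
# the pinholes, before the general web permits; admit replies with 'established'.
CORRECTED = """
access-list 100 permit tcp host 192.168.1.21 host 10.0.0.150 eq smtp
access-list 100 permit tcp host 192.168.1.21 host 10.0.0.36 eq 389
access-list 100 deny ip 192.168.1.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 100 permit tcp 192.168.1.0 0.0.0.255 any eq www
access-list 100 permit tcp 192.168.1.0 0.0.0.255 any eq 443
access-list 100 deny ip any any
access-list 101 permit tcp 10.0.0.0 0.255.255.255 host 192.168.1.21 established
access-list 101 deny ip any any
"""


def check(acl_text):
    """Permit/deny verdicts for the flows the thread's goals hinge on."""
    acls = parse_acl(acl_text)
    cases = {  # (list number, packet); hosts 10.0.0.50 and 203.0.113.10 are made up
        "ldap_pinhole": ("100", Packet("tcp", "192.168.1.21", 51234, "10.0.0.36", 389)),
        "ldap_reply": ("101", Packet("tcp", "10.0.0.36", 389, "192.168.1.21", 51234, ack=True)),
        "dmz_to_prod_web": ("100", Packet("tcp", "192.168.1.200", 40000, "10.0.0.50", 80)),
        "dmz_to_internet": ("100", Packet("tcp", "192.168.1.200", 40001, "203.0.113.10", 443)),
    }
    return {name: evaluate(acls[num], pkt) for name, (num, pkt) in cases.items()}


if __name__ == "__main__":
    for label, text in (("proposed", PROPOSED), ("corrected", CORRECTED)):
        print(label, check(text))
```

Running it shows the two problems in the revised plan: the proposed ACL 100 denies the LDAP pinhole, because `eq 389` on the source side never matches a client's ephemeral port, while `permit tcp any any eq www` lets any DMZ host reach any production web server; the proposed ACL 101 drops every reply for the same source-port reason. The rewrite matches only the destination port, puts an explicit deny for 10.0.0.0/8 ahead of the general permits, and admits replies with `established`. Two caveats: `established` only tests the ACK/RST bits, so a crafted ACK from the production side passes it (reflexive ACLs or a stateful firewall are the stronger choice at a DMZ edge), and the model assumes contiguous wildcard masks. On the switch itself, `show access-lists` shows what IOS actually accepted, plus per-line hit counters, and, as Rick noted, an outbound ACL on an SVI does not filter traffic the switch generates, so test with a host behind the switch rather than by pinging the SVI.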
