11-09-2005 11:05 AM - edited 03-03-2019 12:44 AM
I've pasted my VLAN and ACL config. Here's what's strange: from VLAN 2 I can ping the VLAN 1 interface. Shouldn't the ACLs prevent this?
interface Vlan1
ip address 10.0.0.171 255.0.0.0
!
interface Vlan2
description DMZ_192.168.1.0
ip address 192.168.1.5 255.255.255.0
ip access-group 101 in
ip access-group 101 out
!
interface Vlan3
description Public_Wireless_192.168.2.0
ip address 192.168.2.10 255.255.255.0
ip access-group 102 in
ip access-group 102 out
shutdown
!
ip classless
no ip http server
!
!
access-list 101 remark regulate traffic for dmz_192.168.1.x
access-list 101 permit tcp host 192.168.1.21 245.255.255.105 10.0.0.150 eq smtp
access-list 101 permit tcp host 192.168.1.21 245.255.255.73 10.0.0.36 eq 389
access-list 101 permit tcp host 192.168.1.21 245.255.255.73 10.0.0.36 eq 636
access-list 101 permit tcp host 192.168.1.21 245.255.255.73 10.0.0.36 eq 3268
access-list 101 permit tcp host 192.168.1.21 245.255.255.73 10.0.0.36 eq 3269
access-list 101 permit tcp any any eq www
access-list 101 permit tcp any any eq 443
access-list 101 permit tcp any any eq smtp
access-list 101 permit tcp any any eq ftp
access-list 101 deny ip any any
access-list 102 remark regulate traffic for public_wireless_192.168.2.x
access-list 102 permit tcp any any eq www
access-list 102 permit tcp any any eq 443
access-list 102 permit tcp any any eq smtp
access-list 102 permit tcp any any eq ftp
access-list 102 deny ip any any
11-09-2005 01:23 PM
The upper lines of acl 101 are really "special"
I find it hard to imagine that you were able to enter them as they are shown. If they are entered as shown, I cannot even guess what the IOS will do with them. Please rewrite your ACL 101. I think it should look like:
access-list 101 permit tcp host 192.168.1.21 eq smtp host 10.0.0.150 eq smtp and so on.
For the rest, are you perhaps pinging from the interface vlan2? This is not affected by the acl.
It is also not a good configuration habit to apply the same ACL both in and out. You are permitting a source on vlan2 (192.168.1.X), hence the access-list should be applied ingress. This should be sufficient to block the traffic.
Regards,
Leo
11-09-2005 02:03 PM
I pinged from a workstation of 192.168.1.200 to the vlan int.
11-09-2005 02:48 PM
Brook
I agree with Leo that what you posted may be what you pasted into the router. But the syntax of access list 101 is highly irregular and I doubt that the router interpreted it the way that you think. It would be helpful if you post the output of the command show access-list from this router so we can see what the router is really using.
Another aspect to keep in mind, if you are pinging to an interface on the router instead of pinging through the router to some connected address, is that outbound access lists on a router do not filter packets generated by the router itself. So if you ping to a router interface and the router generates a response, then an outbound access list on any interface will not be able to stop the response.
HTH
Rick
11-10-2005 05:56 AM
(Quick FYI, not sure that it matters, but it's a Catalyst 4507 switch.)
OK, so I corrected the ACL to use this:
access-list 101 permit tcp host 192.168.1.21 eq smtp host 10.0.0.150 eq smtp
and took out:
access-list 101 permit tcp any any eq www
access-list 101 permit tcp any any eq 443
access-list 101 permit tcp any any eq smtp
access-list 101 permit tcp any any eq ftp
I also reconfigured the ACL so it's only ingress.
All of my previous problems have resolved except:
192.168.21.1 cannot reach 10.0.0.150 for smtp.
Any suggestions?
11-10-2005 06:20 AM
That one is for basic troubleshooting:
Step one: Remove the ACL and try again.
Step two: Test end-to-end IP connectivity with and without the ACL.
If that is not sufficient, you might as well hire some professional to do the job.
Regards,
Leo
11-10-2005 06:32 AM
Some of us do like to learn while we have the luxury of a test environment.
I have this revised plan. The goals of these ACLs are to prevent 192.168.1.x from reaching the 10.0.x.x network except for the pinholes listed; also, I do not wish for 192.186.2.x to hit the 10.0.0.0 network at all. What do you guys think?
access-list 100 remark regulate outbound traffic for dmz_192.168.1.x
access-list 100 permit tcp host 192.168.1.21 eq 389 host 10.0.0.36 eq 389
access-list 100 permit tcp host 192.168.1.21 eq 636 host 10.0.0.36 eq 636
access-list 100 permit tcp host 192.168.1.21 eq 3268 host 10.0.0.36 eq 3268
access-list 100 permit tcp host 192.168.1.21 eq 3269 host 10.0.0.36 eq 3269
access-list 100 permit tcp any any eq www
access-list 100 permit tcp any any eq 443
access-list 100 permit tcp any any eq smtp
access-list 100 permit tcp any any eq ftp
access-list 100 deny ip any any
access-list 101 remark regulate inbound traffic for dmz_192.168.1.x
access-list 101 permit tcp host 10.0.0.150 eq smtp host 192.168.1.21 eq smtp
access-list 101 permit tcp host 10.0.0.36 eq 389 host 192.168.1.21 eq 389
access-list 101 permit tcp host 10.0.0.36 eq 636 host 192.168.1.21 eq 636
access-list 101 permit tcp host 10.0.0.36 eq 3268 host 192.168.1.21 eq 3268
access-list 101 permit tcp host 10.0.0.36 eq 3269 host 192.168.1.21 eq 3269
access-list 101 deny ip any any
access-list 102 remark regulate outbound traffic for public_wireless_192.168.2.x
access-list 102 permit tcp any any eq www
access-list 102 permit tcp any any eq 443
access-list 102 permit tcp any any eq smtp
access-list 102 permit tcp any any eq ftp
access-list 102 deny ip any any
access-list 103 remark regulate inbound traffic for production_network_10.0.x.x
access-list 103 permit tcp host 192.168.1.21 eq 389 host 10.0.0.36 eq 389
access-list 103 permit tcp host 192.168.1.21 eq 636 host 10.0.0.36 eq 636
access-list 103 permit tcp host 192.168.1.21 eq 3268 host 10.0.0.36 eq 3268
access-list 103 permit tcp host 192.168.1.21 eq 3269 host 10.0.0.36 eq 3269
access-list 103 deny ip 192.168.0.0 255.255.0.0 any
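As an added illustration (not code from this thread), here is a small Python model of how IOS walks the extended ACL lines discussed above: first match wins, the list ends in an implicit deny, and the first `eq` after the source address is a source-port match, so a line like `permit tcp host 192.168.1.21 eq smtp host 10.0.0.150 eq smtp` only matches a client that also sends from port 25, which a normal SMTP client does not. The ACL lines and packets below are constructed sample input; `ACL_101_FIXED` is an assumed variant that permits the client-to-server flow.

```python
import ipaddress

# Constructed sample input: ACL 101 as corrected in the thread, and an assumed
# variant that matches only the destination port (what a client-to-server SMTP flow looks like).
ACL_101_AS_POSTED = [
    "access-list 101 remark regulate traffic for dmz_192.168.1.x",
    "access-list 101 permit tcp host 192.168.1.21 eq smtp host 10.0.0.150 eq smtp",
    "access-list 101 deny ip any any",
]
ACL_101_FIXED = [
    "access-list 101 permit tcp host 192.168.1.21 host 10.0.0.150 eq smtp",
    "access-list 101 deny ip any any",
]
PORT_NAMES = {"smtp": 25, "www": 80, "ftp": 21, "domain": 53}

def _take_addr(tok):
    """Consume one IOS address spec plus optional 'eq <port>' from the token list.
    Returns ((base, wildcard), port, remaining_tokens); wildcard 1-bits are 'don't care'."""
    if tok[0] == "any":
        base, wild, tok = 0, 0xFFFFFFFF, tok[1:]
    elif tok[0] == "host":
        base, wild, tok = int(ipaddress.IPv4Address(tok[1])), 0, tok[2:]
    else:  # "<address> <wildcard-mask>" form; non-contiguous wildcards work too
        base, wild = int(ipaddress.IPv4Address(tok[0])), int(ipaddress.IPv4Address(tok[1]))
        tok = tok[2:]
    port = None
    if tok and tok[0] == "eq":
        port, tok = PORT_NAMES.get(tok[1]) or int(tok[1]), tok[2:]
    return (base & ~wild & 0xFFFFFFFF, wild), port, tok

def _matches(spec, ip):
    base, wild = spec
    return (int(ipaddress.IPv4Address(ip)) & ~wild & 0xFFFFFFFF) == base

def parse_ace(line):
    """Return (action, proto, src, sport, dst, dport) for one ACE, or None for a remark."""
    tok = line.split()
    if len(tok) < 4 or tok[0] != "access-list" or tok[2] == "remark":
        return None
    src, sport, rest = _take_addr(tok[4:])
    dst, dport, _ = _take_addr(rest)
    return tok[2], tok[3], src, sport, dst, dport

def evaluate(acl, proto, src, dst, sport=None, dport=None):
    """First-match evaluation; an unmatched packet hits the implicit deny."""
    for ace in filter(None, map(parse_ace, acl)):
        action, aproto, asrc, asport, adst, adport = ace
        if aproto not in ("ip", proto) or not _matches(asrc, src) or not _matches(adst, dst):
            continue
        if asport is not None and asport != sport:  # first 'eq' = SOURCE port
            continue
        if adport is not None and adport != dport:  # second 'eq' = destination port
            continue
        return action
    return "deny"
```

Run against ACL_101_AS_POSTED, an ICMP echo from 192.168.1.200 to 10.0.0.171 is denied, and so is SMTP from 192.168.1.21 using an ephemeral source port; only ACL_101_FIXED permits that client flow.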