Re: MAJOR VLAN/ACL ISSUE!!! NEED HELP!!!

jlamotte · ‎06-14-2006

We have a router with 4 switches connected via fiber in this situation. Each port has its own VLAN and ACL. In some instances we have people that want us to strictly provide a feed and make them wide open. Before, we just moved their public IP address to the top of the ACL and permit any. We also mapped static public to private. They would be able to be wide open that way. Now, we can not figure out how to get the user wide open. Take 0/0.47 for instance. Their router is 10.0.11.130 and we gave it a static IP. We can not get them wide open on that IP address while still maintaining security horizontally. I have attached our config. Please help...

leighharrison · ‎06-15-2006

Hi there,

I'm not 100% sure what you're asking. But if you wanted to add 10.0.11.130 into the acl, then you would simply add them to the top of the acl for that interface. i.e.:

access-list 2147 permit ip any host 10.0.11.130

access-list 2147 permit ip any 10.0.0.0 0.0.0.63

access-list 2147 permit ip any 10.0.11.128 0.0.0.63

access-list 2147 deny ip any 10.0.0.0 0.0.255.255

access-list 2147 permit ip any any

Although - this would be covered by the 10.0.11.128 0.0.0.63 line.

Could you explain a little more?

LH

jlamotte · ‎06-15-2006

LH,

I will give that a try...But in the meantime...

We used to have the same setup with a different configuration. We had Access-List 101 and it defined all of the open ports and what not. We had it defined on the main interface and every VLAN used that same Access-List. So, if we opened port 995 for one person, the whole complex had that port open. So, we tried it a different route by setting up each VLAN with their own access-list. We want them to not be able to see horizontally but be able to get to the internet which is what the access-list is allowing right now for each VLAN.

The problem is that we have had a few people ask us to give them a wide open feed. Before, we would map a static private to a public address and use

access-list 101 permit ip and host xx.xx.xx.xx (Public IP Address). We would put that at the top of the ACL. Now, when we put that it makes no difference. Nothing opens up differently. Fo ex.

access-list 2147 permit ip any host xxx.xx.xx.xx (Public IP Address). I will try using the private like you did there and see if it proves to work (I PRAY!)

Let me know what you think...I will update you if this works though.

jlamotte · ‎06-15-2006

I moved the private to the top of the ACL as you suggested but still can not do anything across the VPN.

leighharrison · ‎06-15-2006

Hey there,

My next step would be to debug the acl's and see what is being hit. As this looks lik a pretty hefty production box, you should specify the interface in the debug too.

Which way is the traffic flowing? That address should have been allowed to pass through the access-list, so it must be being stopped somewhere else. What other steps are there along the way?

Also, at the bottom of the access-list, it may be worth putting "deny ip any any" - I know that it is already there, but if you type it in, then you will be able to see hits against it.

This is a fixable problem - it just may take a few goes ;)

Regards,

LH

Please rate all posts

jlamotte · ‎06-19-2006

How do you want me to debug the ACL?

leighharrison · ‎06-20-2006

Hey,

if you type "debug interface fas 0/0.47" to specify only that interface, then "debug ip access-list" make sure you're logging to buffer (or a syslog server), set the buffer to at least 16384 so you get some good info and if it's not already set, set the time and use the command "service sequence-numbers" so that we can see when these things occur.

The acl that is on the interface should already be letting the address through, so it would suggest that something else is stopping it. Can you post a quick diagram too? So that I can see the nodes in the path?

Regards,

LH

Please rate all posts