Cisco Support Community
Access List question

Hello

I've been fighting with a C1700 for many hours and can't seem to figure out where the problem with my access lists lies. Hopefully someone here can please help me out as I'm getting a little desperate!

Configuration:

C1700 with WIC 4ESW

IOS ver 12.3(3.5)T

FE0 172.17.0.0/24

FE1 192.168.200.0/24 (VLAN200)

FE4 192.168.100.0/24 (VLAN100)

I've got the router and VLAN configuration correct as it works fine until I apply access lists.

Desired results:

(1) All hosts on 172.17.0.0 can access TCP 1494 and UDP 1604 on host 192.168.200.58

(2) Only hosts 172.17.0.0-63 can access WWW and DNS anywhere

(3) All other outbound requests on 172.17.0.0 are blocked

(4) All hosts on 192.168.100.0 and 200.0 can access WWW and TCP 3389 on host 172.17.0.29

(5) All hosts on 192.168.100.0 and 200.0 have unrestricted access to each other

List entries:

access-list 100 permit tcp 172.17.0.0 0.0.0.63 any eq www

access-list 100 permit tcp any host 192.168.200.58 eq 1494

access-list 100 permit udp any host 192.168.200.58 eq 1604

access-list 100 permit tcp 172.17.0.0 0.0.0.63 any eq domain

access-list 100 permit udp 172.17.0.0 0.0.0.63 any eq domain

access-list 150 permit tcp any host 172.17.0.29 eq www

access-list 150 permit tcp any host 172.17.0.29 eq 3389

Results (all on FE0):

ip access-group 100 in
-> works fine

ip access-group 150 out
-> works fine

ip access-group 100 in
ip access-group 150 out
-> no routing happens from 172.17.0.0 network

Thanks in advance

Scott


Re: Access List question

Based on the info above, I would argue that:

"ip access-group 150 out

works fine"

does not work fine. You have to remember that there is an implicit deny at the end of every ACL. What is happening here is that you are not accounting for return traffic in your ACLs. For instance, let's say that a host on the 172.17.0.0 network initiates a TCP/1494 connection to the 192.168.200.58 host. If both ACL 100 and 150 are in place as shown above, the reply from the 192.168.200.58 host will be blocked by ACL 150 due to the implicit 'deny ip any any' at the end of the ACL.

This is a common frustration with creating ACLs such as you are trying to do. To alleviate this, we created a feature known as CBAC (Context Based Access Control). This feature allows the router to "watch" traffic as it passes and dynamically create an ACL entry to allow the return traffic back in. You can get some more information on this feature here:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/120newft/120t/120t5/iosfw2/iosfw2_2.htm

One other less effective way to accomplish the desired result is to use the 'established' keyword in your ACL. You can find some info on this option out on CCO as well.

Let me know if there is anything I can clarify.

Scott
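The return-traffic problem the reply describes, and the "both lists applied, nothing routes" result in the original question, can be walked through with a small stateless evaluator of IOS-style numbered ACLs. This is an added example, not code from the thread or from Cisco: it parses the poster's exact access-list lines (plus the 'established' keyword the reply mentions), applies Cisco wildcard-mask matching and the implicit deny, and runs the TCP/1494 session through ACL 100 inbound and ACL 150 outbound on FE0. The client address 172.17.0.10, the ephemeral ports, the forged-ACK source 192.168.200.99 and the ESTABLISHED_FIX line are assumptions chosen for illustration.

```python
"""Stateless IOS-style extended ACL evaluator (added example, not from the thread).
Parses numbered 'access-list' lines as the poster wrote them, with 'established',
and shows why the SYN/ACK reply dies on the implicit deny of the outbound ACL."""
import ipaddress
from dataclasses import dataclass

PORT_NAMES = {"www": 80, "domain": 53}  # named ports used in the thread

@dataclass
class Packet:
    proto: str          # "tcp" or "udp"
    src: str
    dst: str
    dport: int
    ack: bool = False   # TCP ACK/RST bit; the only thing 'established' checks

def _match_addr(base, wildcard, addr):
    """Cisco wildcard match: bits set in the wildcard are 'don't care'."""
    mask = int(ipaddress.IPv4Address(wildcard))
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    return (a & ~mask) == (b & ~mask)

def _take_addr(t, i):
    """Consume 'any' | 'host A' | 'A WILDCARD' at t[i]; return (base, wc, next_i)."""
    if t[i] == "any":
        return "0.0.0.0", "255.255.255.255", i + 1
    if t[i] == "host":
        return t[i + 1], "0.0.0.0", i + 2
    return t[i], t[i + 1], i + 2

def parse_acl(lines):
    """Return {acl_number: [entry, ...]} from numbered 'access-list' lines."""
    acls = {}
    for line in lines:
        t = line.split()
        if len(t) < 5 or t[0] != "access-list":
            continue
        num, action, proto = t[1], t[2], t[3]
        src_base, src_wc, i = _take_addr(t, 4)
        dst_base, dst_wc, i = _take_addr(t, i)
        port, established = None, False
        while i < len(t):
            if t[i] == "eq":
                port = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
                i += 2
            elif t[i] == "established":
                established, i = True, i + 1
            else:
                i += 1  # keywords this toy parser does not model (log, range, ...)
        acls.setdefault(num, []).append(
            (action, proto, (src_base, src_wc), (dst_base, dst_wc), port, established))
    return acls

def evaluate(entries, pkt):
    """First matching entry wins; no match means the implicit 'deny ip any any'."""
    for action, proto, src, dst, port, established in entries:
        if proto not in ("ip", pkt.proto):
            continue
        if not _match_addr(*src, pkt.src) or not _match_addr(*dst, pkt.dst):
            continue
        if port is not None and port != pkt.dport:
            continue
        if established and not pkt.ack:
            continue
        return action == "permit"
    return False

# The poster's entries, verbatim.
ORIGINAL = [
    "access-list 100 permit tcp 172.17.0.0 0.0.0.63 any eq www",
    "access-list 100 permit tcp any host 192.168.200.58 eq 1494",
    "access-list 100 permit udp any host 192.168.200.58 eq 1604",
    "access-list 100 permit tcp 172.17.0.0 0.0.0.63 any eq domain",
    "access-list 100 permit udp 172.17.0.0 0.0.0.63 any eq domain",
    "access-list 150 permit tcp any host 172.17.0.29 eq www",
    "access-list 150 permit tcp any host 172.17.0.29 eq 3389",
]
# Hypothetical 'established' entry for ACL 150 (an assumption, not from the thread).
ESTABLISHED_FIX = "access-list 150 permit tcp any 172.17.0.0 0.0.0.255 established"

def citrix_session(acl_lines):
    """Request enters FE0 via ACL 100; the SYN/ACK reply leaves FE0 via ACL 150."""
    acls = parse_acl(acl_lines)
    syn = Packet("tcp", "172.17.0.10", "192.168.200.58", 1494)          # assumed client
    syn_ack = Packet("tcp", "192.168.200.58", "172.17.0.10", 49152, ack=True)
    return {"request_in": evaluate(acls["100"], syn),
            "reply_out": evaluate(acls["150"], syn_ack)}

def established_gaps(acl_lines):
    """Why 'established' is weaker than CBAC: a forged bare ACK from the VLAN to any
    inside port passes it, while the UDP/1604 reply is still dropped (TCP only)."""
    acls = parse_acl(acl_lines)
    forged_ack = Packet("tcp", "192.168.200.99", "172.17.0.10", 445, ack=True)
    udp_reply = Packet("udp", "192.168.200.58", "172.17.0.10", 49153)
    return evaluate(acls["150"], forged_ack), evaluate(acls["150"], udp_reply)
```

With the lists as posted, citrix_session returns request_in True and reply_out False: the SYN is permitted inbound, the SYN/ACK hits the implicit deny on the way back out, which is the "no routing happens" symptom. Appending ESTABLISHED_FIX turns reply_out True, but established_gaps shows the cost the reply alludes to: any packet with the ACK bit set from the VLAN side is let through to any inside port, and the UDP 1604 reply is still blocked because 'established' applies to TCP only; a stateful mechanism such as CBAC is what tracks both.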
