SG300 - ACL problem

VWDerf1234
Level 1

I'm trying to set up an ACL on my SG300-20 to enable FTP and a few other protocols to a server, but I'm running data that returns on different ports (i.e. active FTP).

Below is a sample:

-------------------------------------------

Extended IP access list Protocol_Restriction

    permit  tcp  any ftp any any

-------------------------------------------

Now that works great to allow a connection, but with active ftp when the data tries to come back on a different port (I assume) it is just hung up as all other ports are denied.

I even tried allowing all ports to come back from the server:

-------------------------------------------

Extended IP access list Protocol_Restriction

    permit  tcp  any ftp any any

    permit  ip any host 192.168.0.100

-------------------------------------------

But that also didn't seem to work.

I've played around with this in layer 2 and layer 3 to no avail. I've also seen many tips on applying in and out to the various interfaces, but that doesn't seem to work. Is that something that is only available on higher-end switches/firewalls?

Can anyone assist with this?

Thanks,

1 Reply

David Hornstein
Level 7

Hi

There are a few rules to getting ACLs working.

  • An ACL is made up of a number of ACE entries

  • ACE entries use REVERSE MASKING

  • There is an implicit (invisible) deny at the end of the ACE entries, so if you want to include all other traffic at the bottom of an ACE list you have to state with an ACE entry a permit all any any, like I did in the example below. I think you got trapped on this rule.

  • ACE entries are ordered in priority from low number to high number. The ACE entries are executed in descending order starting from a lower number and down the list as you see it on the GUI.

  • ACLs need to be bound to a switch interface.

  • ACLs listen for pattern matches on ingress of packets into a physical switch port, not on egress.

So imagine that an ACL is like an ear listening to packets coming into the switch from some other device or IP host.

A scenario to restrict the FTP access of one host to one FTP server:

I wish to restrict one IP host (192.168.10.106) on switch port 8 from accessing an FTP server which is at IP address 192.168.10.101.

I created an ACE list below as part of an ACL. (I really didn't need the priority 20 entry.)

The restricted host is on switch port 8, so I would bind the ACL to switch port 8 to listen for pattern matches within my ACE list.

Here is the CLI it created, if you are interested:

ip access-list extended Restrict_FTP

deny tcp 192.168.10.106 0.0.0.0 any 192.168.10.101 0.0.0.0 20-21

permit tcp 192.168.10.0 0.0.0.255 any 192.168.10.101 0.0.0.0 20-21

permit ip any any

exit

interface gigabitethernet8

service-acl input Restrict_FTP

exit

Remember to save any changes.

Hope this helps, but if not check the following community post.

https://supportforums.cisco.com/thread/2061080

Regards, Dave
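To make the rules in the reply concrete (reverse masking, top-down first match, the implicit deny at the end, and ingress-only evaluation), here is an added worked example that is not part of the thread and not Cisco's code: a small stateless evaluator for the subset of the SG300 ACE syntax both posts use. It parses the reply's Restrict_FTP list and the question's single-ACE Protocol_Restriction list verbatim, then runs constructed sample packets through each. The hosts, ports and packets are hypothetical, and the "active FTP data" packet models the server-initiated connection from port 20 that the question describes.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Keyword tables for the small subset of the SG300 ACE syntax used in the thread.
PROTO_NUM = {"ip": None, "tcp": 6, "udp": 17}   # None = any IP protocol
PORT_NAMES = {"ftp": 21, "ftp-data": 20}

Addr = Optional[Tuple[int, int]]    # (address, wildcard) or None for "any"
Ports = Optional[Tuple[int, int]]   # (low, high) or None for "any"


@dataclass
class Packet:
    proto: int
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class Ace:
    action: str
    proto: Optional[int]
    src: Addr
    sport: Ports
    dst: Addr
    dport: Ports
    text: str


def _ip(s: str) -> int:
    return int(ipaddress.IPv4Address(s))


def _parse_addr(tokens: List[str], i: int) -> Tuple[Addr, int]:
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' (wildcard = reverse mask)."""
    if tokens[i] == "any":
        return None, i + 1
    if tokens[i] == "host":
        return (_ip(tokens[i + 1]), 0), i + 2
    return (_ip(tokens[i]), _ip(tokens[i + 1])), i + 2


def _parse_ports(tokens: List[str], i: int) -> Tuple[Ports, int]:
    """Consume 'any', a service name, a single port, or a 'lo-hi' range."""
    tok = tokens[i]
    if tok == "any":
        return None, i + 1
    if tok in PORT_NAMES:
        return (PORT_NAMES[tok], PORT_NAMES[tok]), i + 1
    lo, _, hi = tok.partition("-")
    return (int(lo), int(hi or lo)), i + 1


def parse_ace(line: str) -> Ace:
    """Parse 'action proto src [sport] dst [dport]'; port fields exist only for tcp/udp."""
    t = line.split()
    action, proto = t[0], t[1]
    has_ports = proto != "ip"
    src, i = _parse_addr(t, 2)
    sport, i = _parse_ports(t, i) if has_ports else (None, i)
    dst, i = _parse_addr(t, i)
    dport, i = _parse_ports(t, i) if has_ports else (None, i)
    return Ace(action, PROTO_NUM[proto], src, sport, dst, dport, line.strip())


def _addr_match(rule: Addr, addr: str) -> bool:
    """Reverse (wildcard) mask: a 0 bit must match exactly, a 1 bit is 'don't care'."""
    if rule is None:
        return True
    network, wildcard = rule
    return (_ip(addr) ^ network) & (~wildcard & 0xFFFFFFFF) == 0


def _port_match(rule: Ports, port: int) -> bool:
    return rule is None or rule[0] <= port <= rule[1]


def evaluate(acl: List[Ace], pkt: Packet) -> Tuple[str, str]:
    """Top-down first match on an ingress packet; no match falls to the implicit deny."""
    for ace in acl:
        if ace.proto is not None and ace.proto != pkt.proto:
            continue
        if (_addr_match(ace.src, pkt.src) and _port_match(ace.sport, pkt.sport)
                and _addr_match(ace.dst, pkt.dst) and _port_match(ace.dport, pkt.dport)):
            return ace.action, ace.text
    return "deny", "implicit deny"


# The reply's ACL, as posted.
RESTRICT_FTP = [parse_ace(l) for l in (
    "deny tcp 192.168.10.106 0.0.0.0 any 192.168.10.101 0.0.0.0 20-21",
    "permit tcp 192.168.10.0 0.0.0.255 any 192.168.10.101 0.0.0.0 20-21",
    "permit ip any any",
)]
# The question's first ACL: one ACE with nothing after it, so the implicit deny catches the rest.
PROTOCOL_RESTRICTION = [parse_ace("permit tcp any ftp any any")]

# Constructed sample packets (hypothetical client ports; hosts borrowed from the reply's scenario).
FTP_FROM_RESTRICTED = Packet(6, "192.168.10.106", 51000, "192.168.10.101", 21)
FTP_FROM_OTHER = Packet(6, "192.168.10.50", 51000, "192.168.10.101", 21)
WEB_FROM_RESTRICTED = Packet(6, "192.168.10.106", 51001, "192.168.10.101", 80)
CONTROL_REPLY = Packet(6, "192.168.10.101", 21, "192.168.10.106", 51000)
ACTIVE_DATA = Packet(6, "192.168.10.101", 20, "192.168.10.106", 51002)  # server-initiated data channel

if __name__ == "__main__":
    for name, acl in (("Restrict_FTP", RESTRICT_FTP), ("Protocol_Restriction", PROTOCOL_RESTRICTION)):
        print(name)
        for pkt in (FTP_FROM_RESTRICTED, FTP_FROM_OTHER, WEB_FROM_RESTRICTED, CONTROL_REPLY, ACTIVE_DATA):
            action, why = evaluate(acl, pkt)
            print(f"  {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}  {action:6} ({why})")
```

Running it shows the two points the reply makes: under Restrict_FTP the restricted host's FTP attempt hits the first deny, everything else (including the server's port-20 data connection) falls through to the trailing permit ip any any, while under the single-ACE Protocol_Restriction only packets with source port 21 match and every other packet, the active FTP data channel included, lands on the implicit deny. Because the evaluator is stateless, exactly like the switch ACL, a permit for the control connection never implies a permit for the separate data connection; it has to be matched by its own ACE or by a final catch-all.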