Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

ACL not working

Greetings:

Following on our router:

access-list 150 permit ip 10.XXX.0.0 0.0.0.255 host 172.16.0.73

access-list 150 permit ip 10.XXX.0.0 0.0.0.255 host 172.16.5.30

access-list 150 permit ip 10.XXX.0.0 0.0.0.255 host 10.1.7.136

access-list 150 permit ip 10.XXX.0.0 0.0.0.255 host 10.1.7.137

access-list 150 permit ip 10.XXX.0.0 0.0.0.255 host 10.1.7.139

access-list 150 permit ip 10.XXX.0.0 0.0.0.255 host 10.1.4.43

access-list 150 permit ip 10.XXX.0.0 0.0.0.255 host 172.28.0.7

access-list 150 permit ip 10.XXX.0.0 0.0.0.255 host 172.28.0.75

access-list 150 permit ip 10.XXX.0.0 0.0.0.255 host 172.28.0.110

access-list 150 permit ip 10.XXX.0.0 0.0.0.255 host 172.28.0.111

access-list 150 permit ip 10.XXX.0.0 0.0.0.255 host 172.16.5.143

access-list 150 permit ip 10.XXX.0.0 0.0.0.255 host 172.16.5.142

access-list 150 permit ip 10.XXX.0.0 0.0.0.255 host 172.16.5.147

access-list 150 deny ip any any

interface FastEthernet4

ip address 10.XXX.0.7 255.255.255.0

ip access-group 150 in

no ip redirects

no ip unreachables

no ip proxy-arp

ip flow ingress

ip virtual-reassembly

duplex auto

speed auto

When I source ping the target IPs in the ACL using the FastEthernet4 IP I get fully replies. The problem is I also get replies from hosts outside the ACL range.

Did I miss something?

1 ACCEPTED SOLUTION

Accepted Solutions
Hall of Fame Super Blue

Re: ACL not working

Oops, my mistake.

An acl outbound on an interface does not stop traffic sourced from that interface - sorry about that.

In fact, if you were only pinging from devices on the 10.x.0.0/24 network your original config would work ie. the acl applied inbound.

The problem is your are sourcing the pings from the fa4 interface. So you would have to apply your acl on all the other interfaces inbound ie. the interfaces that are used to get to the hosts in your acl.

That would be complicated. If all you are trying to do is allow certain traffic from 10.x.0.0/24 clients to certain hosts then go with your original config but don't test by using the fa4 interface as the source.

Apologies for the original confusing information.

Jon

10 REPLIES
Hall of Fame Super Blue

Re: ACL not working

No you didn't miss something, it's just a misunderstanding about how acl directions work.

If you apply the acl inbound on fa4 then that will filter traffic coming from clients on the 10.xxx.0.0/24 network.

So you ping 172.28.0.7 as an example. An icmp echo request with the source address of 10.x.0.7 is routed out to 172.28.0.7. The reply does not come back in on fa4, it comes back in on the interface that is used to get to 172.28.0.7.

If you want to block icmp then apply your acl outbound on fa4. This will allow IP from your 10.x.0.0/24 network to the hosts you have in your acl but then deny all other IP.

Jon

New Member

Re: ACL not working

Hi Jon,

Made the following change - from in to out on Fa4

interface FastEthernet4

description $FW_OUTSIDE$$ES_WAN$

ip address 10.223.0.7 255.255.255.0

ip access-group 150 out

no ip redirects

no ip unreachables

no ip proxy-arp

ip flow ingress

ip virtual-reassembly

duplex auto

speed auto

Ran another source ping - and was still able to ping IPs outside the ACL.

New Member

Re: ACL not working

Hi, could you copy your ping statement here

thanks

New Member

Re: ACL not working

Here's the IP I pinged - outside the ACL:

ping ip

Target IP address: 10.1.6.9

Repeat count [5]:

Datagram size [100]:

Timeout in seconds [2]:

Extended commands [n]: y

Source address or interface: 10.223.0.7

Type of service [0]:

Set DF bit in IP header? [no]:

Validate reply data? [no]:

Data pattern [0xABCD]:

Loose, Strict, Record, Timestamp, Verbose[none]:

Sweep range of sizes [n]:

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 10.1.6.9, timeout is 2 seconds:

Packet sent with a source address of 10.223.0.7

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

Hall of Fame Super Blue

Re: ACL not working

Oops, my mistake.

An acl outbound on an interface does not stop traffic sourced from that interface - sorry about that.

In fact, if you were only pinging from devices on the 10.x.0.0/24 network your original config would work ie. the acl applied inbound.

The problem is your are sourcing the pings from the fa4 interface. So you would have to apply your acl on all the other interfaces inbound ie. the interfaces that are used to get to the hosts in your acl.

That would be complicated. If all you are trying to do is allow certain traffic from 10.x.0.0/24 clients to certain hosts then go with your original config but don't test by using the fa4 interface as the source.

Apologies for the original confusing information.

Jon

New Member

Re: ACL not working

Hi Jon,

My intent is to restrict all clients on the 10.x.0.0/24 network to the specific hosts on the inside network(s)listed in the ACL - and no others.

Hall of Fame Super Silver

Re: ACL not working

As Jon indicated your access list as originally applied inbound on the interface should be effective in limiting the hosts to which the clients could ping.

You can not test the effectiveness of the access list by pinging from the router. The access list applied inbound will check and control traffic coming into the interface. But when you ping from the router interface then that traffic is not coming into the interface and is not subject to the controls of the access list. To test this access list you really need to be on a client connected to the interface.

HTH

Rick

New Member

Re: ACL not working

Jon/Rick,

So ... I can only assume that the ACL will be effective since I cannot test as a client attached to the interface as this is a vendor network I cannot access. Is there anything else I could do to be sure they can only get the IPs in the ACL? Thanks for all of you help.

Hall of Fame Super Silver

Re: ACL not working

I can not think of any way to test the access list other than to be in the subnet connected to the interface. From visual inspection of the access list I am confident that it will restrict the clients connected on that interface to the hosts listed in the access list. I appreciate that you would like some way to evaluate and validate the access list. But I can not think of any other alternative.

HTH

Rick

New Member

Re: ACL not working

Thanks for all your help guys. I changed the direction back to inbound on fa4.

Take care.

137
Views
3
Helpful
10
Replies