Community Member

Correctly applying ACLs

Greetings:

Confused. When I created the following ACL:

access-list 150 permit ip 10.233.0.0 0.0.0.255 host 172.16.5.30
access-list 150 permit ip 10.233.0.0 0.0.0.255 host 10.1.7.136
access-list 150 permit ip 10.233.0.0 0.0.0.255 host 10.1.7.137
access-list 150 permit ip 10.233.0.0 0.0.0.255 host 10.1.7.139
access-list 150 permit ip 10.233.0.0 0.0.0.255 host 10.1.4.43
access-list 150 permit ip 10.233.0.0 0.0.0.255 host 172.28.0.7
access-list 150 permit ip 10.233.0.0 0.0.0.255 host 172.28.0.75
access-list 150 permit ip 10.233.0.0 0.0.0.255 host 172.28.0.110
access-list 150 permit ip 10.233.0.0 0.0.0.255 host 172.28.0.111
access-list 150 permit ip 10.233.0.0 0.0.0.255 host 172.16.5.143
access-list 150 permit ip 10.233.0.0 0.0.0.255 host 172.16.5.142
access-list 150 permit ip 10.233.0.0 0.0.0.255 host 172.16.5.147
access-list 150 deny ip any any

and apply it to the WAN interface as:

ip access-group 150 in

I cannot ping the 10.233.x.x network and they can't ping the router's WAN ip (10.223.0.7)

As soon as I remove the ACL - normal connectivity resumes - but no protection using acl-150.

What am I missing? Thanks


10 REPLIES
Silver

Re: Correctly applying ACLs

This ingress ACL applied to the WAN interface will allow source addresses in the 10.223.0.0 range to get to destinations of 172.16.5.x and 10.1.7.x hosts.

Perhaps you want to flip those around so that the sources are the 172.16.5.x and 10.1.7.x hosts and the destinations are 10.223.0.0 subnets.

Community Member

Re: Correctly applying ACLs

The intent is to allow 10.223.x.x hosts restricted access to only those hosts listed under acl-150. Hosts on the LAN segment will never initiate connections to 10.233.x.x. When I apply access-group 150 in on the WAN (10.233.0.7) interface, acl-150 as defined blocks all traffic in either direction, even if I source ping 10.233.x.x from the WAN (10.233.x.x) interface. When I remove the access-group, traffic flows in both directions, but obviously there are no restrictions in place per acl-150. Thanks for your help.

Silver

Re: Correctly applying ACLs

Sorry, I thought maybe your 10.223.0.0/24 subnet was the source subnet.

The access list entries are exclusively allowing source subnet 10.223.0.0/24, which means any other subnet mask would not be allowed. Is the subnet mask on the router a /24?

Silver

Re: Correctly applying ACLs

Sorry again, I thought 10.233.0.0 might be the DESTINATION subnet, not the source subnet. However, I am still wondering about the subnet mask. Are you possibly expecting the 10.233.0.0/16 to be allowed through?

Community Member

Re: Correctly applying ACLs

No. 10.223.x.x/24 is the source subnet; that won't change. I just need to restrict their access to only the IPs listed in acl-150 and block all other access. But when I apply the 'access-group 150 in' on the source interface (10.223.0.7), traffic is blocked in both directions. Either acl-150 is defined incorrectly or it's being applied on the wrong interface or wrong direction, or a combination of the above. Thanks.

Silver

Re: Correctly applying ACLs

The access list is specifying that you have devices with host addresses in the 10.233.0.0/24 range that are on the WAN side of your router. They need access to the destination hosts specified in your access list. The traffic originates on the side of the WAN interface, comes through the WAN interface on the router to those specific destination hosts, which I assume are on internal LANs.

Do you have a diagram of your setup and/or a sanitized configuration of the router?

Community Member

Re: Correctly applying ACLs

Thanks for all of your help. I just needed to add either of the two rules below:

access-list 150 permit ip 10.233.0.0 0.0.0.255 host 10.233.0.7

or, to restrict it down to icmp only:

access-list 150 permit icmp any any

just before the access-list 150 deny any any

works like a charm. Thanks again.

Silver

Re: Correctly applying ACLs

The first additional rule allows your clients on 10.233.0.0/24 to reach the WAN interface on your router, which you had indicated was not reachable.

The second rule accomplishes the same objective, allowing pings to your router's WAN interface.

For what it's worth, you may want to consider not using the ICMP filter since it opens up your internal network to all types of ICMP traffic from any source, which could have security ramifications. If you don't need to ping anything except the specific internal hosts and your router's WAN interface I would just add the first rule.
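To make the first-match and implicit-deny behaviour discussed in this thread concrete, here is an added Python model of IOS numbered-ACL matching (example code written for this page, not from the thread or from Cisco). It uses two of the twelve permit lines from acl-150; the client address 10.233.0.50 and the outside address 198.51.100.9 are constructed.

```python
import ipaddress

def _addr(tok):
    """Consume one address spec (any | host A.B.C.D | NET WILDCARD) and return (net, wildcard, rest)."""
    if tok[0] == "any":
        return 0, 0xFFFFFFFF, tok[1:]
    if tok[0] == "host":
        return int(ipaddress.IPv4Address(tok[1])), 0, tok[2:]
    return int(ipaddress.IPv4Address(tok[0])), int(ipaddress.IPv4Address(tok[1])), tok[2:]

def parse_ace(line):
    """Parse 'access-list N permit|deny PROTO SRC DST' into (action, proto, src, src_wild, dst, dst_wild)."""
    tok = line.split()
    src, src_wild, rest = _addr(tok[4:])
    dst, dst_wild, _ = _addr(rest)
    return tok[2], tok[3], src, src_wild, dst, dst_wild

def matches(ace, proto, src, dst):
    """Wildcard match: a 1 bit in the wildcard means 'don't care'; proto 'ip' matches every protocol."""
    action, aproto, anet, awild, dnet, dwild = ace
    s, d = int(ipaddress.IPv4Address(src)), int(ipaddress.IPv4Address(dst))
    return (aproto in ("ip", proto)
            and (s | awild) == (anet | awild)
            and (d | dwild) == (dnet | dwild))

def evaluate(acl, proto, src, dst):
    """First matching entry wins; an IOS ACL ends with an implicit 'deny ip any any'."""
    for ace in acl:
        if matches(ace, proto, src, dst):
            return ace[0]
    return "deny"

def build(text):
    return [parse_ace(ln) for ln in text.strip().splitlines()]

# Shortened acl-150 from the thread (two of its twelve permits) and the two fixes discussed.
ORIGINAL = build("""
access-list 150 permit ip 10.233.0.0 0.0.0.255 host 172.16.5.30
access-list 150 permit ip 10.233.0.0 0.0.0.255 host 10.1.7.136
access-list 150 deny ip any any
""")
WITH_ROUTER_PERMIT = ORIGINAL[:-1] + build("access-list 150 permit ip 10.233.0.0 0.0.0.255 host 10.233.0.7") + ORIGINAL[-1:]
WITH_ICMP_ANY = ORIGINAL[:-1] + build("access-list 150 permit icmp any any") + ORIGINAL[-1:]

if __name__ == "__main__":
    # 10.233.0.50 is a constructed client; 10.233.0.7 is the router's WAN address from the thread.
    # A router-sourced ping fails the same way: the echo reply arrives inbound with this src/dst pair.
    print(evaluate(ORIGINAL, "icmp", "10.233.0.50", "10.233.0.7"))           # deny
    print(evaluate(WITH_ROUTER_PERMIT, "icmp", "10.233.0.50", "10.233.0.7")) # permit
    print(evaluate(WITH_ICMP_ANY, "icmp", "198.51.100.9", "172.16.5.30"))    # permit from any source
```

The last case is the point of the warning above: 'permit icmp any any' placed before the final deny matches ICMP from every source to every destination, not just from the 10.233.0.0/24 clients.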

Community Member

Re: Correctly applying ACLs

I removed the icmp rule and added back the first rule. Thanks for all your help.

Silver

Re: Correctly applying ACLs

Thanks. Please consider rating my response if it helped you.
