Confused. When I created the following ACL:
access-list 150 permit ip 10.233.0.0 0.0.0.255 host 172.16.5.30
access-list 150 permit ip 10.233.0.0 0.0.0.255 host 10.1.7.136
access-list 150 permit ip 10.233.0.0 0.0.0.255 host 10.1.7.137
access-list 150 permit ip 10.233.0.0 0.0.0.255 host 10.1.7.139
access-list 150 permit ip 10.233.0.0 0.0.0.255 host 10.1.4.43
access-list 150 permit ip 10.233.0.0 0.0.0.255 host 172.28.0.7
access-list 150 permit ip 10.233.0.0 0.0.0.255 host 172.28.0.75
access-list 150 permit ip 10.233.0.0 0.0.0.255 host 172.28.0.110
access-list 150 permit ip 10.233.0.0 0.0.0.255 host 172.28.0.111
access-list 150 permit ip 10.233.0.0 0.0.0.255 host 172.16.5.143
access-list 150 permit ip 10.233.0.0 0.0.0.255 host 172.16.5.142
access-list 150 permit ip 10.233.0.0 0.0.0.255 host 172.16.5.147
access-list 150 deny ip any any
and apply it to the WAN interface as:
ip access-group 150 in
I cannot ping the 10.233.x.x network and they can't ping the router's WAN ip (10.223.0.7)
As soon as I remove the ACL - normal connectivity resumes - but no protection using acl-150.
What am I missing? Thanks
Solved! Go to Solution.
This ingress ACL applied to the WAN interface will allow source addresses in the 10.223.0.0 range to get to destnations of 172.16.5.x and 10.1.7.x hosts.
Perhaps you want to flip those around so that the the sources are the 172.16.5.x and 10.1.7.x hosts and the destinations are 10.223.0.0 subnets.
The intent is to allow 10.223.x.x hosts restrited access to only those hosts listed under acl-150. Hosts on th LAN segment will never initiate connections to 10.233.x.x. When I apply access-group 150 in on the WAN (10.233.0.7) interface - acl-150 as defined blocks all traffic in either direction - even if I source ping 10.233.x.x from the WAN (10.233.x.x) interface. When I remove the access-group - traffic flows in both dirctions, but obviously there are no rstrictions in place per acl-150. Thanks for your help.
Sorry, I thought maybe your 10.223.0.0/24 subnet was the source subnet.
The access list entries are exclusively allowing source subnet 10.223.0.0/24, which means any other subnet mask would not be allowed. Is the subnet mask on the router a /24?
Sorry again, I thought 10.233.0.0 might be the DESTINATION subnet, not the source subnet. However, I am still wondering about the subnet mask. Are you possibly expecting the 10.233.0.0/16 to be allowed through?
No. 10.223.x.x/24 is the source subnet - that won't change. I just need to restrict their access to only the IPs listed in acl-150 - block all other access. but when I apply the 'access-group 150 in' on the source interface (10.223.0.7) traffic is blocked in both directions. Either acl-150 is defined incorrectly or it's being applied on the wrong interface or wrong dirction - or a combination of the above. Thanks.
The access list is specifying that you have devices with host addresses in the 10.233.0.0/24 range that are on the WAN side of your router. They need access to the destination hosts specified in your access list. The traffic originates on the side of the WAN interface, comes through the WAN interface on the router to those specific destination hosts, which I assume are on internal LANs.
Do you have a diagram of your setup and/or a sanitized configuration of the router?
Thanks for all of your help. I just needed to add either of the two rules below:
access-list 150 permit ip 10.233.0.0 0.0.0.255 host 10.233.0.7
or two restrict it down to icmp only:
access-list 150 permit icmp any any
just before the access-list 150 deny any any
works like a charm. Thanks again.
The first additional rule allows your clients on 10.233.0.0/24 to reach the WAN interface on your router, which you had indicated was not reachable.
The second rule accomplishes the same objective, allowing pings to your router's WAN interface.
For what it's worth, you may want to consider not using the ICMP filter since it opens up your internal network to all types of ICMP traffic from any source, which could have security ramifications. If you don't need to ping anything except the specific internal hosts and your router's WAN interface I would just add the first rule.