11-28-2006 08:49 AM - edited 03-03-2019 02:50 PM
I have tried to set up an extended access-list entry to deny traffic on port 8080 from being sent out of the router, but it is not working, although the matches on the rule do go up when I try to communicate on the port. Here is what I have entered:
ip access-list extended 102
deny tcp any any eq 8080
interface serial0/0
ip access-group 107 out
Can somebody please tell me if I need to do anything else or how I can check if it is set up OK?
Many Thanks
Colin
11-28-2006 09:11 AM
Colin,
Unless you have a typo, the ACL on S0/0 should be
ip access-group 102 out
not
ip access-group 107 out
11-28-2006 09:12 AM
Hi Colin,
As per your config, you have the access-list configured as 102 and you have bound it to the interface using access-group 107. Is that a typo?
Please check it. Please send your router config and "show access-list".
HTH,
-amit singh
11-28-2006 09:55 AM
Colin
The previous posts indicating a mismatch between the number in the access list and in the access group raise a good point. From your comment that you see the hit count in the access list go up I am assuming that it was indeed a typo in your posting.
But I believe that there is another issue with what you have posted. The access list that you show has a single line which denies tcp any any eq 8080. If that is really the entire access list then you are denying ALL traffic since anything that does not match your configured entry will match the implicit deny any any at the bottom of the access list. Either there is more to the access list that you have shown us or I do not understand how any traffic is getting through. Perhaps you can provide some more detail about your configuration.
HTH
Rick
11-28-2006 11:32 AM
First of all, I'm guessing that you have a typo in your post; the access-list reads 102, and the access-group reads 107. If this is not a typo, then ensure the numbers match.
The last entry in your access-list should look something like "permit ip any any", otherwise the implicit deny all will filter all traffic.
11-28-2006 11:58 AM
save time
11-28-2006 07:51 PM
Hi Friend,
As Rick posted earlier, the problem seems to be with your access-list statement, which is denying all traffic.
Modify your access-list in the following way:
ip access-list extended 102
deny tcp any any eq 8080
permit ip any any
interface serial0/0
ip access-group 102 out
It would make sense to apply the access-list inbound on the correct interface.
HTH, rate if it does
Narayan
11-29-2006 12:21 AM
Thanks everybody for your replies.
As you all suggest, the last line was a typo and I have actually entered ip access-group 102 out.
I have not put permit ip any any into access-list 102 but have not had any other adverse effects.
If I add this will it help? Should the traffic on port 8080 not still be filtered out?
Thanks
Colin
11-29-2006 12:24 AM
As requested, here is the output from show ip access-lists on my router:
star-derby#show ip access-lists
Extended IP access list 102
    permit udp any any range 16384 32767 (92 matches)
    permit udp any any precedence critical (27004015 matches)
    permit udp any any dscp ef
    deny tcp any any eq 8080 (122 matches)
Extended IP access list 103
    permit tcp any eq 1720 any (13958 matches)
    permit tcp any any eq 1720 (26400 matches)
Extended IP access list 104
    permit tcp any any eq 1494 (95464127 matches)
Extended IP access list 105
    permit tcp any any eq domain (8820 matches)
    permit udp any any eq domain (61712 matches)
Extended IP access list 106
    permit udp any any eq 88 (20135 matches)
    permit udp any any eq 135
    permit udp any any eq netbios-ns (367768 matches)
    permit udp any any eq netbios-dgm (3254561 matches)
    permit tcp any any eq 139 (1498258 matches)
    permit udp any any eq 389 (10695 matches)
    permit udp any any eq 445
I am new to all of this but it is worth pointing out the routers were setup by a Cisco Engineer.
Thanks
Colin
11-29-2006 12:52 AM
A little bit more information for everybody.
I put the line permit tcp any any into access-list 102 and as soon as I did this it caused problems connecting to any device beyond the router.
Once I removed it I could connect again without any problems.
Thanks again
Colin
P.S. Here is the full router config:
Current configuration : 2921 bytes
!
version 12.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname star-derby
!
enable secret xxxx
enable password **********
!
memory-size iomem 15
ip subnet-zero
!
!
!
ip flow-cache timeout inactive 10
ip flow-cache timeout active 6
!
class-map match-any citrix
 match access-group 104
 match access-group 105
class-map match-all voice-signaling
 match access-group 103
class-map match-all voice-traffic
 match access-group 102
class-map match-all voice
 match ip precedence 4
class-map match-any windows
 match access-group 106
!
!
policy-map VOICE-POLICY
 class voice-traffic
  priority percent 10
  police cir 86000
   conform-action set-prec-transmit 4
   exceed-action drop
 class voice-signaling
  bandwidth remaining percent 2
 class citrix
  bandwidth remaining percent 60
 class windows
  bandwidth remaining percent 20
 class class-default
  fair-queue
!
!
!
voice call carrier capacity active
!
!
!
!
!
!
!
!
!
mta receive maximum-recipients 0
!
!
!
interface FastEthernet0/0
 ip address 172.16.2.1 255.255.255.0
 ip helper-address 172.16.1.8
 ip helper-address 172.16.1.9
 ip helper-address 172.16.1.10
 ip helper-address 172.16.1.11
 ip helper-address 172.16.1.12
 ip route-cache flow
 no keepalive
 speed auto
!
interface Serial0/0
 bandwidth 512
 no ip address
 encapsulation frame-relay IETF
 ip route-cache flow
 frame-relay traffic-shaping
 frame-relay lmi-type ansi
!
interface Serial0/0.101 point-to-point
 ip unnumbered FastEthernet0/0
 frame-relay interface-dlci 101
  class voice-traffic
!
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/0.101
no ip http server
ip flow-export version 5
ip flow-export destination 172.16.1.107 2053
!
!
!
map-class frame-relay voice-traffic
 frame-relay cir 512000
 frame-relay mincir 512000
 service-policy output VOICE-POLICY
 frame-relay fragment 400
access-list 102 permit udp any any range 16384 32767
access-list 102 permit udp any any precedence critical
access-list 102 permit udp any any dscp ef
access-list 102 deny tcp any any eq 8080
access-list 103 permit tcp any eq 1720 any
access-list 103 permit tcp any any eq 1720
access-list 104 permit tcp any any eq 1494
access-list 105 permit tcp any any eq domain
access-list 105 permit udp any any eq domain
access-list 106 permit udp any any eq 88
access-list 106 permit udp any any eq 135
access-list 106 permit udp any any eq netbios-ns
access-list 106 permit udp any any eq netbios-dgm
access-list 106 permit tcp any any eq 139
access-list 106 permit udp any any eq 389
access-list 106 permit udp any any eq 445
!
snmp-server community public RO
snmp-server enable traps tty
call rsvp-sync
!
!
mgcp profile default
!
dial-peer cor custom
!
!
!
!
line con 0
line aux 0
line vty 0 4
11-29-2006 02:27 AM
Hi Colin,
Seeing your posts now, it is clear that the access-list is actually referring to a QoS configured for VoIP.
The access-list need not be applied to the interface. It is actually referenced when you configure the service policy command on the Interface.
So in your case you do not need the permit tcp any any command.
In fact you don't even need the access-list 102 deny tcp any any eq 8080.
If a match is not found in your access-list then that particular traffic is not going to be prioritised.
HTH, rate if it does
Narayan
11-29-2006 03:10 AM
Thanks Narayan for your reply.
From what you have said I have added the deny entry to the wrong place.
I want to block traffic on port 8080 from leaving the router and thought adding it to an access-list was the correct way to do it.
Can you suggest the correct way to achieve this please?
Many Thanks
Colin
11-29-2006 03:41 AM
Colin
Your original post led the discussion in a different direction when it included this:
interface serial0/0
ip access-group 107 out
As Narayan correctly points out, the router config that you posted is using that access list as part of configuring Quality of Service, not as an access-group on an interface.
If you want to deny tcp traffic to port 8080 I would suggest something like this:
access-list 110 deny tcp any any eq 8080
access-list 110 permit ip any any
interface ser0/0.101
ip access-group 110 out
Note that the access-group is applied on the subinterface where the IP address is configured and not on the main physical interface.
HTH
Rick
11-29-2006 04:24 AM
Rick
Thanks for that - I have applied this and it has achieved what I wanted.
Thanks everybody for their help and apologies for leading you down the garden path, as it were!
If anybody wishes to take the time to explain the difference between what I had on the extended interface and what I now have, which is on the subinterface, and what the two access-lists are used for, that would be great - I will go and do some research now.
Thanks again
Colin
11-29-2006 06:54 AM
Colin
It can seem confusing when you have a main physical interface and also have a subinterface on the physical interface. But I believe that we can clear up the confusion. The main physical interface provides physical connectivity. This is where the signaling takes place. But for some media, and Frame Relay is a prime example, we may configure subinterfaces under the main physical interface. In your configuration there is no IP address on the physical interface (as is typical) and the IP address is assigned on the subinterface. If you think about it that means that there is no IP processing on the main physical interface and the IP processing takes place on the subinterface. When you think about it that way it should make better sense that you would not apply the ip access-group on the main physical interface (where there is no IP processing) and would use ip access-group on the subinterface (where there is IP processing).
HTH
Rick
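An added example (mine, not code from the thread) for Narayan's point that ACL 102 is only a QoS classifier and Rick's point that a filtering ACL needs a permit at the end: a small Python evaluator that applies the posted access lists under both sets of semantics. It assumes only protocol and destination port matter; the precedence, dscp and source-port entries from the thread are not modelled.

```python
# Added example, not from the thread: a first-match evaluator for the IOS
# access lists posted above. It shows why ACL 102 behaves differently as a
# QoS classifier (class-map "match access-group") than it would as a packet
# filter (ip access-group), and why a filter ACL needs a trailing
# "permit ip any any". Only protocol and destination port are modelled;
# the precedence/dscp and source-port ACEs from the thread are left out.
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    proto: str  # "tcp" or "udp"
    dport: int

# An ACE is (action, proto, low_port, high_port); proto "ip" matches any
# protocol and a low_port of None matches any destination port.
def ace_matches(ace, pkt):
    _, proto, lo, hi = ace
    return proto in ("ip", pkt.proto) and (lo is None or lo <= pkt.dport <= hi)

def first_match(acl, pkt):
    """Action of the first matching ACE, or None when nothing matches."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace[0]
    return None

def access_group_permits(acl, pkt):
    """ip access-group semantics: a packet matching no ACE hits the implicit deny."""
    return first_match(acl, pkt) == "permit"

def classify(policy, pkt):
    """policy-map semantics: the packet goes into the first class whose ACL
    permits it, else into class-default. Classification never drops."""
    for class_name, acl in policy:
        if first_match(acl, pkt) == "permit":
            return class_name
    return "class-default"

ACL_102 = [("permit", "udp", 16384, 32767), ("deny", "tcp", 8080, 8080)]
ACL_104 = [("permit", "tcp", 1494, 1494)]  # citrix
ACL_110 = [("deny", "tcp", 8080, 8080), ("permit", "ip", None, None)]  # Rick's
# VOICE-POLICY class order as posted (voice-signaling and windows omitted)
VOICE_POLICY = [("voice-traffic", ACL_102), ("citrix", ACL_104)]

if __name__ == "__main__":
    print(classify(VOICE_POLICY, Packet("tcp", 8080)))         # class-default
    print(access_group_permits(ACL_102, Packet("tcp", 1494)))  # False
```

Appending Colin's permit tcp any any to ACL 102 in this model moves Citrix traffic on tcp/1494 into the voice-traffic class ahead of the citrix class; given the police cir 86000 exceed-action drop in that class, that is a plausible explanation for the connectivity problems he reported, though the thread itself does not state it.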