
Access List problem


hammarj

Technical User
Feb 4, 2002
Hi,

I am not overly experienced with Cisco configurations although I have done about a dozen basic configs to Qwest and Worldcomm. The current problem has me a bit baffled. We are setting up a router with two Ethernet interfaces between two local area networks, call them A and B. LAN A has very sensitive data on it, and thus must block traffic from LAN B except for database ports 1583, 3351 and 3352 (Pervasive SQL). LAN A can access anything from LAN B and beyond. So I started looking at access lists. LAN A uses access list 100 while LAN B uses 101. For the purposes of this discussion there is one machine on the LAN A side at 192.168.15.10. For testing purposes, I run a continuous ping from the LAN B to the LAN A machine, while testing various combinations of access lists. BTW, the router is a 2504. Without access lists, the LAN A machine can see LAN B and the internet beyond, and LAN B can ping the machine on LAN A.

Start of test - run ping from LAN B which reaches .10 machine

access-list 100 permit ip any any
no access-list 101
Result - traffic flows both ways

access-list 101 deny 192.168.15.9 0.0.0.0 any
Result - traffic stops both ways (note diff ip addr)
In fact, any combination including specifying ports kills any traffic

access-list 100 deny 192.168.15.10 any
Result - traffic continues normally

This seems to contradict what I have read so far. Any insight would be greatly appreciated.

Regards,

John
 
Just remember, if there are no matches in an access-list, then the packet will be denied. So your statement access-list 101 deny 192.168.15.9 0.0.0.0 any will deny any packet from 192.168.15.9, and then deny everything else thereafter. To overcome this you must put a permit ip any any at the end.
 
ACLs flow top down (first hit).

So if you have that permit statement in ACL 100 before that deny statement, that deny statement is useless. Also, there is an implicit (invisible) deny statement at the end of each ACL you create. So ACL 101 is deny everything. Do what inikis said regarding a permit statement.
 
Thanks for the reply. Okay, I must be thick. I removed the deny, accepting the implicit action. NO problem. Now, starting from the beginning...

no access-list 101
access-list 101 permit ip 192.168.15.10 any

This blocks all traffic in and out. Why? No clue.

I add...

access-list 101 permit ip any any

Works great except now everything flows to all addresses. Is the mask wrong?

All I am looking to do is permit everything to .10 and block all other addresses. Any help would alleviate a growing headache. Thanks in advance.

Regards,

John
 
Erase your access lists and start over, this is what you are looking for:
Router(config)#access-list 101 permit ip 192.168.15.10 0.0.0.0 any
Let's break that down. "access-list 101 permit ip" I'm sure you know what that is all about; then the IP address; after the IP address you have the lovely source wildcard bits (it's like a backwards subnet mask, easiest explanation): 0.0.0.0 tells it to match each bit, aka look for 192.168.15.10; then the ANY at the end covers the host side, say any host is acceptable.

(If you feel like you need to look at it, though you don't need to, this is already there in the implicit deny everyone is talking about, or what someone called the invisible deny statement. But I put it here if you just feel better seeing it.)

Router(config)#access-list 101 deny ip any any

I am assuming you already know how to apply the acl to an interface. Hope that helps you understand the access list a little bit.
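As an added illustration (not code from the thread or from Cisco), the following small Python model implements the three rules the replies rely on: wildcard bits where 0 means "must match", top-down first-hit evaluation, and the implicit deny at the end of every list. It runs John's ACL 101 as posted and the policy from the first post (only the Pervasive SQL ports from LAN B to the .10 host) against a constructed LAN B address, 192.168.16.20, which the thread never names.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Ace:
    """One access-list entry. Addresses are 'any' or address + wildcard mask;
    a 0.0.0.0 wildcard means 'this exact host'."""
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches every protocol, else "tcp"/"udp"/"icmp"
    src: str
    src_wild: str = "0.0.0.0"
    dst: str = "any"
    dst_wild: str = "0.0.0.0"
    dport: Optional[int] = None  # destination port (eq); None = any port

def wild_match(addr: str, base: str, wild: str) -> bool:
    """Cisco wildcard bits: 0 = bit must match, 1 = don't care (inverse of a netmask)."""
    if base == "any":
        return True
    care = ~int(ipaddress.IPv4Address(wild)) & 0xFFFFFFFF
    return int(ipaddress.IPv4Address(addr)) & care == int(ipaddress.IPv4Address(base)) & care

def evaluate(acl, proto, src, dst, dport=None):
    """Walk the list top down and stop at the first matching entry (first hit).
    Falling off the end is the implicit 'deny ip any any' IOS appends to every list."""
    for n, ace in enumerate(acl, 1):
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if not wild_match(src, ace.src, ace.src_wild):
            continue
        if not wild_match(dst, ace.dst, ace.dst_wild):
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action, n          # n = 1-based line that matched
    return "deny", None               # None = the implicit deny, not a configured line

# ACL 101 as John posted it: only packets whose *source* is 192.168.15.10 are permitted.
acl_as_posted = [Ace("permit", "ip", "192.168.15.10", "0.0.0.0", "any")]

# ACL 100 as first tested: the permit comes first, so the later deny is never reached.
acl_100 = [Ace("permit", "ip", "any"), Ace("deny", "ip", "192.168.15.10")]

# The policy the first post describes: LAN B may reach the .10 host only on the
# Pervasive SQL ports; everything else from LAN B falls through to the implicit deny.
acl_intended = [Ace("permit", "tcp", "any", "0.0.0.0", "192.168.15.10", "0.0.0.0", p)
                for p in (1583, 3351, 3352)]

LAN_B_HOST = "192.168.16.20"   # constructed address for a machine on LAN B
```

Running `evaluate(acl_as_posted, "icmp", LAN_B_HOST, "192.168.15.10")` returns the implicit deny, which is why the ping from LAN B stopped, while `evaluate(acl_intended, "tcp", LAN_B_HOST, "192.168.15.10", 1583)` returns a permit on line 1.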
 