
My ACLs are not working like I think they should, can anyone take a look?


hidalgo1716 (Technical User), May 10, 2014
Hello everyone,
I am the noob here. I did a Google search for my problem and found this site, which explained quite a bit, and I thought that I understood what was going on, until I entered my ACLs into the router and, well, not what I expected. I am trying to restrict all Internet access to a certain number of IP addresses within my network, but it's not going well.

First ACL was this:

access-list 101 deny ip 192.168.1.12 0.0.0.0 any
access-list 101 permit ip 192.168.1.0 0.0.0.255 any

This completely restricted internet access to all hosts when I was only trying to restrict access to 192.168.1.12

Next I tried:

access-list 101 deny ip 192.168.1.12 0.0.0.0 any
access-list 101 permit ip any any

This apparently did nothing, as everyone had unrestricted access.
This ACL is being applied to my VLAN1 outbound.

I am not sure what I am doing wrong; it seems pretty straightforward, unless my wildcards are backwards?

Please if anyone can help it will be greatly appreciated :)
 
Where did you apply this ACL, and in which direction?


The masks are correct; however, for readability, use the host keyword when specifying one host:

access-list 101 deny ip host 192.168.1.12 any


We must go always forward, not backward
always up, not down and always twirling twirling towards infinity.
 
Hello iambadatthi,

I applied this ACL outbound to my VLAN1 interface; apparently it was the only interface which allowed an ACL. I originally wanted to apply it inbound on my BVI1 interface, which is my connection to the Internet.

Something else I found was that if I apply the ACL inbound on my VLAN1, everything gets blocked and I even lose my connection to the router via PuTTY. The router in question is a Cisco 877W, which I found out was a pain in the behind to configure, simply because I never had any experience configuring an ADSL connection before; quite the learning experience, which I am finding out is still ongoing.

Any thoughts???
Thanks.
 
Either post your config, or explain a bit more.


How are you connected?

Dialer0 (Internet)
BVI1 (bridged with VLAN 1?)
VLAN 1 (the switchports on the back of the 877W)?

The 877 allows for multiple VLANs and multiple SSIDs, so post your config and scrub it.

As for ACLs, they need to be correctly applied. If you are allowing your internal addresses to go OUT but apply it in the wrong direction, of course all access is blocked.



We must go always forward, not backward
always up, not down and always twirling twirling towards infinity.
 
Ok, you're right, here is the config:

bridge irb
!
!
interface ATM0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0.1 point-to-point
description $ES_WAN$
pvc 8/35
encapsulation aal5snap
!
bridge-group 1
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Virtual-Template1 type tunnel
ip unnumbered Vlan1
tunnel mode ipsec ipv4
tunnel protection ipsec profile SDM_Profile1
!

interface Dot11Radio0
ip address 192.168.2.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
ip route-cache flow
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
ip address 192.168.1.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
ip route-cache flow
ip tcp adjust-mss 1452
!
interface BVI1
ip address 65.41.121.48 255.255.255.192
ip nat outside
ip virtual-reassembly
!
ip local pool SDM_POOL 192.168.3.36 192.168.3.40
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 65.41.121.1
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 1 interface BVI1 overload
ip nat inside source list 90 interface BVI1 overload
ip nat inside source list 120 interface BVI1 overload
!
logging trap debugging
access-list 1 deny 192.168.3.0 0.0.0.255
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.2.0 0.0.0.255
access-list 10 permit 0.0.0.0 255.255.255.0
access-list 90 permit any
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip 65.41.121.0 0.0.0.63 any
access-list 120 deny ip 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 120 deny ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 120 permit ip 192.168.1.0 0.0.0.255 any
access-list 120 permit ip 192.168.2.0 0.0.0.255 any
access-list 130 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
no cdp run
!

I left the bit about the NAT in because I thought it might somehow be interfering with the ACL, but I don't believe so now. ACLs are applied before NAT.

Now, the ACL I was trying to apply was:

access-list 101 deny tcp host 192.168.1.12 any eq 80
access-list 101 permit tcp any any

I applied this to VLAN1 inbound and outbound, but obtained the same result.
The way I understand it, you apply the ACL closest to the source you are filtering out, in my case the 192.168.1.0 network, which is in VLAN1, and I should apply this INBOUND, right?

I also tried applying it to my BVI1 interface, both inbound and outbound, but still no joy.

Any ideas?



 
On VLAN 1:
apply the ACL outbound
**going off memory here** ip access-group 101 out

I notice you are only allowing TCP traffic, though, so DNS and ping won't work. That might be why you think you don't have Internet access, since you can't resolve DNS.

You can try having the second line as IP:

access-list 101 deny IP host 192.168.1.12 any eq 80
access-list 101 permit IP any any


Or be a bit more secure and allow specifics out for everything else, such as:
allow UDP 53 out
allow ICMP out (for testing) but not in.

Remember there is an implicit deny at the end of all access-lists, so allowing only TCP blocks everything else.



We must go always forward, not backward
always up, not down and always twirling twirling towards infinity.
 
***correction:
access-list 101 deny tcp host 192.168.1.12 any eq 80
access-list 101 permit IP any any



We must go always forward, not backward
always up, not down and always twirling twirling towards infinity.
 
Thank you very much for the help, imbadatthis.
I thought it might have something to do with DNS, but I thought it was a conflict between NAT and my ACLs. I remembered the implicit deny-all statement at the end, but it just didn't click how it worked until you mentioned the permit IP. Now it does. By having an ACL activated on my interface, all packets now get looked at, and you were right: it would let all TCP packets for port 80 go through, but anything to do with DNS would be blocked because of the deny-all statement.
I added my permit addresses first, denied TCP access to what I wanted, then allowed tcp any any and ip any any. Now everything is happy.

On a somewhat related note...
I am using ACLs to block tcp eq 80 (access-list 101 deny tcp any any eq 80) on most of my network, but here's a glitch: on computers that are denied Internet access, if I am using a newer version of IE or Firefox and their homepage is Google, traffic gets through!
I can access the Google homepage, I can access Gmail, I can even search on Google and get results, but when I click on the search result links the traffic gets blocked.
So... does Google use port numbers other than 80?
Is it because I am only blocking TCP port 80 and Google uses a different port for its connection?
And is Gmail using SMTP ports?
 
It's probably HTTPS (TCP/443).

On a side note (and do not do this if you have a lot of traffic), you can add the 'log' keyword at the end of the ACL entry.
It will then show you on the terminal (with terminal monitor enabled) or console what packets are being permitted.

So it helps and allows you to configure things.

Gmail is HTTPS as well, so that is why they work.

Cheerio.

And you can give me stars, although I don't know what they are used for.


We must go always forward, not backward
always up, not down and always twirling twirling towards infinity.
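Two things in this thread are easy to confirm offline: imbadatthis's point that an extended ACL which only permits TCP drops DNS (UDP/53) and ping (ICMP) at the implicit deny, and the later observation that a list which only denies TCP/80 still lets HTTPS (TCP/443) through, which is why Google and Gmail kept working. The Python below is an added example written for this page, not code from the thread or from Cisco. It re-implements the first-match rules for the extended-ACL syntax used above (`permit|deny PROTO SRC DST [eq PORT]`, `host`, `any`, wildcard masks, trailing `log`, `remark` lines skipped) and runs the lists posted in the thread against constructed packets. It models nothing about interface direction, NAT or connection state; the 192.168.1.x addresses are the LAN from the thread, and the outside addresses are TEST-NET documentation values chosen for the example.

```python
"""Added example: first-match evaluator for Cisco IOS extended numbered ACLs."""
import ipaddress
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    """Constructed packet: protocol, source, destination, destination port (tcp/udp)."""
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard mask: a 0 bit must match the base, a 1 bit is don't-care.
    'host A' is therefore identical to 'A 0.0.0.0'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)


def _parse_addr(tok: List[str], i: int) -> Tuple[Callable[[str], bool], int]:
    """Parse 'any' | 'host A' | 'A WILDCARD' starting at tok[i]; return (matcher, next index)."""
    if tok[i] == "any":
        return (lambda ip: True), i + 1
    if tok[i] == "host":
        host = tok[i + 1]
        return (lambda ip: wildcard_match(ip, host, "0.0.0.0")), i + 2
    base, wild = tok[i], tok[i + 1]
    return (lambda ip: wildcard_match(ip, base, wild)), i + 2


def parse_ace(line: str):
    """Parse 'access-list N permit|deny PROTO SRC [eq PORT] DST [eq PORT] [log]'.
    Returns (action, proto, src_matcher, dst_matcher, dst_port)."""
    tok = line.split()
    action, proto = tok[2], tok[3].lower()
    src_ok, i = _parse_addr(tok, 4)
    if i < len(tok) and tok[i] == "eq":   # source port: accepted, not filtered on here
        i += 2
    dst_ok, i = _parse_addr(tok, i)
    dport = int(tok[i + 1]) if i < len(tok) and tok[i] == "eq" else None
    return action, proto, src_ok, dst_ok, dport


def evaluate(acl: List[str], pkt: Packet) -> Tuple[str, str]:
    """First matching entry wins; a packet matching no entry hits the implicit deny."""
    for line in acl:
        if " remark " in line:
            continue
        action, proto, src_ok, dst_ok, dport = parse_ace(line)
        if proto != "ip" and proto != pkt.proto:
            continue
        if not (src_ok(pkt.src) and dst_ok(pkt.dst)):
            continue
        if dport is not None and pkt.dport != dport:
            continue
        return action, line
    return "deny", "<implicit deny>"


# The lists posted in the thread.
ACL_FIRST = [            # OP's first attempt: the 0.0.0.0 wildcard is the same as 'host'
    "access-list 101 deny ip 192.168.1.12 0.0.0.0 any",
    "access-list 101 permit ip 192.168.1.0 0.0.0.255 any",
]
ACL_TCP_ONLY = [         # permits TCP only, so DNS and ICMP fall through to the implicit deny
    "access-list 101 deny tcp host 192.168.1.12 any eq 80",
    "access-list 101 permit tcp any any",
]
ACL_FIXED = [            # the corrected version
    "access-list 101 deny tcp host 192.168.1.12 any eq 80",
    "access-list 101 permit ip any any",
]
ACL_BLOCK_80 = [         # later list: blocks TCP/80 only, so TCP/443 (HTTPS) still passes
    "access-list 101 deny tcp any any eq 80",
    "access-list 101 permit ip any any",
]

# Constructed traffic (outside addresses are TEST-NET documentation values).
TRAFFIC = {
    "dns_from_20":   Packet("udp",  "192.168.1.20", "198.51.100.53", 53),
    "ping_from_20":  Packet("icmp", "192.168.1.20", "198.51.100.53"),
    "http_from_12":  Packet("tcp",  "192.168.1.12", "192.0.2.80", 80),
    "http_from_20":  Packet("tcp",  "192.168.1.20", "192.0.2.80", 80),
    "https_from_12": Packet("tcp",  "192.168.1.12", "192.0.2.80", 443),
}


def verdicts(acl: List[str]) -> dict:
    """Map each sample flow name to the list's permit/deny decision."""
    return {name: evaluate(acl, pkt)[0] for name, pkt in TRAFFIC.items()}


if __name__ == "__main__":
    for name, acl in [("first", ACL_FIRST), ("tcp_only", ACL_TCP_ONLY),
                      ("fixed", ACL_FIXED), ("block_80", ACL_BLOCK_80)]:
        print(name, verdicts(acl))
```

Running it shows `ACL_TCP_ONLY` denying the DNS query and the ping at the implicit deny while permitting the other host's HTTP, `ACL_FIXED` permitting both, and `ACL_BLOCK_80` still permitting TCP/443 from the host that is supposed to be cut off. Two points the evaluator deliberately leaves out but that matter on the router: the entries above match on the LAN host as the source address, so they can only match where packets from that host are seen, which is the inbound direction on Vlan1; and an inbound ACL on Vlan1 also applies to packets addressed to the router's own 192.168.1.1, which is why a list with no entry for management traffic drops the PuTTY session along with everything else.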
 