ACL help

Stevo
20-Mar-2014, 23:29
Need some assistance, apparently I'm an idiot with acls anymore. We
have a vlan we need to allow basically only to the internet. A couple
internal servers (for anti-virus updates, dns responses, etc) need to be
able to get to this vlan without the communication initiated from this
particular vlan, but nothing else.

I have this acl set up, and everything seems to work properly except a
machine on this vlan cannot get to any web page, internal or external,
but email & messaging software work fine. What am I missing?

192.168.10.98 and 10.5.10.98 are our dns servers
192.168.10.39 & 40 are a couple different a/v servers.

ip access-list extended blah_vlan_Out
permit udp host 192.168.10.98 any eq domain
permit udp host 10.5.10.98 any eq domain
permit tcp host 192.168.10.40 any eq 8192
permit tcp host 192.168.10.40 any eq 8193
permit tcp host 192.168.10.40 any eq 8194
permit tcp host 192.168.10.40 any eq 4460
permit tcp host 192.168.10.39 any eq 80
permit tcp host 192.168.10.39 any eq 443
permit tcp host 192.168.10.39 any eq 8081
permit tcp host 192.168.10.39 any eq 8082
permit tcp host 192.168.10.39 any eq 8443
permit tcp host 192.168.10.39 any eq 8444
permit tcp any any established
deny ip any any

--
Stevo

ab
21-Mar-2014, 04:23
These all look like rules that allow your servers (DNS and antivirus) to
do whatever they want out from themselves, right? Where's the rule
allowing anything else to get to the outside world to port 80? Maybe this
is an obvious oversight on my part, but I've never done Cisco ACLs so if
so feel free to laugh at me.

http://www.cisco.com/c/en/us/support/docs/security/ios-firewall/23602-confaccesslists.html

By my guessing:

> permit udp host 192.168.10.98 any eq domain
> permit udp host 10.5.10.98 any eq domain

These allow these machines to access UDP 53 anywhere.

> permit tcp host 192.168.10.40 any eq 8192
> permit tcp host 192.168.10.40 any eq 8193
> permit tcp host 192.168.10.40 any eq 8194
> permit tcp host 192.168.10.40 any eq 4460

These allow this machine to access these four TCP ports anywhere.

> permit tcp host 192.168.10.39 any eq 80
> permit tcp host 192.168.10.39 any eq 443
> permit tcp host 192.168.10.39 any eq 8081
> permit tcp host 192.168.10.39 any eq 8082
> permit tcp host 192.168.10.39 any eq 8443
> permit tcp host 192.168.10.39 any eq 8444

These allow this machine to access these six ports anywhere.

> permit tcp any any established

Allow any established connection to continue.

> deny ip any any

Block the rest.

--
Good luck.

If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below...

Simon Flood
21-Mar-2014, 14:00
On 20/03/2014 22:29, Stevo wrote:

> Need some assistance, apparently I'm an idiot with acls anymore. We
> have a vlan we need to allow basically only to the internet. A couple
> internal servers (for anti-virus updates, dns responses, etc) need to be
> able to get to this vlan without the communication initiated from this
> particular vlan, but nothing else.
>
> I have this acl set up, and everything seems to work properly except a
> machine on this vlan cannot get to any web page, internal or external,
> but email & messaging software work fine. What am I missing?
>
> 192.168.10.98 and 10.5.10.98 are our dns servers
> 192.168.10.39 & 40 are a couple different a/v servers.
>
> ip access-list extended blah_vlan_Out
> permit udp host 192.168.10.98 any eq domain
> permit udp host 10.5.10.98 any eq domain

> permit tcp host 192.168.10.40 any eq 8192
> permit tcp host 192.168.10.40 any eq 8193
> permit tcp host 192.168.10.40 any eq 8194

The above three lines can be replaced with the following single rule

permit tcp host 192.168.10.40 any range 8192 8194

> permit tcp host 192.168.10.40 any eq 4460
> permit tcp host 192.168.10.39 any eq 80
> permit tcp host 192.168.10.39 any eq 443

> permit tcp host 192.168.10.39 any eq 8081
> permit tcp host 192.168.10.39 any eq 8082

Similarly the above two lines can be replaced with

permit tcp host 192.168.10.39 any range 8081 8082

> permit tcp host 192.168.10.39 any eq 8443
> permit tcp host 192.168.10.39 any eq 8444

and the above two with

permit tcp host 192.168.10.39 any range 8443 8444

> permit tcp any any established
> deny ip any any

The above line isn't required since everything is implicitly denied
unless otherwise permitted

Is the problem machine on the same VLAN as the two DNS and two A/V
servers referenced above? All connected via the same switch/router port
to which the ACL is applied?

Are other ACLs in effect?

HTH.
--
Simon
Novell Knowledge Partner

------------------------------------------------------------------------
If you find this post helpful and are logged into the web interface,
please show your appreciation and click on the star below. Thanks.
------------------------------------------------------------------------
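The two replies above reason about the posted ACL by hand: ab walks through what each line permits and notes that nothing permits an ordinary VLAN host to open a new connection, and Simon shows how adjacent single-port lines collapse into `range` lines and that the trailing `deny ip any any` duplicates the implicit deny. The Python script below is an added example, not code from the thread or from Cisco: it parses the posted ACL, evaluates a few constructed sample packets with first-match semantics, and performs the range consolidation. The addresses 10.20.30.40 (a host on the restricted VLAN) and 192.0.2.10 (an external web server) are assumptions, and the script does not model which interface or direction the ACL is applied to, which the thread leaves open.

```python
import ipaddress
from collections import namedtuple

# The ACL as posted in the thread, copied verbatim.
ACL_TEXT = """
ip access-list extended blah_vlan_Out
permit udp host 192.168.10.98 any eq domain
permit udp host 10.5.10.98 any eq domain
permit tcp host 192.168.10.40 any eq 8192
permit tcp host 192.168.10.40 any eq 8193
permit tcp host 192.168.10.40 any eq 8194
permit tcp host 192.168.10.40 any eq 4460
permit tcp host 192.168.10.39 any eq 80
permit tcp host 192.168.10.39 any eq 443
permit tcp host 192.168.10.39 any eq 8081
permit tcp host 192.168.10.39 any eq 8082
permit tcp host 192.168.10.39 any eq 8443
permit tcp host 192.168.10.39 any eq 8444
permit tcp any any established
deny ip any any
"""
PORT_NAMES = {"domain": 53}  # IOS port keyword used in the posted ACL

# dports is (low, high) or None for "any port"; text is the original line.
Rule = namedtuple("Rule", "action proto src dst dports established text")
# ack models the TCP ACK/RST bit, which is all that 'established' inspects.
Packet = namedtuple("Packet", "proto src dst dport ack", defaults=(0, False))

def _addr(tokens):
    """Consume 'any' or 'host A' (the only address forms in the posted ACL)."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    assert tok == "host", "wildcard-mask addresses are not modelled in this example"
    return ipaddress.IPv4Network(tokens.pop(0) + "/32")

def _fmt(net):
    return "any" if net.prefixlen == 0 else f"host {net.network_address}"

def parse_acl(text):
    """Parse the lines of an 'ip access-list extended' block into Rule objects."""
    rules = []
    for raw in text.strip().splitlines():
        tokens = raw.split()
        if not tokens or tokens[0] == "ip":  # skip the 'ip access-list' header line
            continue
        action, proto, rest = tokens[0], tokens[1], tokens[2:]
        src, dst = _addr(rest), _addr(rest)
        established = "established" in rest
        if established:
            rest.remove("established")
        dports = None
        if rest and rest[0] == "eq":
            port = int(PORT_NAMES.get(rest[1], rest[1]))
            dports = (port, port)
        elif rest and rest[0] == "range":
            dports = (int(rest[1]), int(rest[2]))
        rules.append(Rule(action, proto, src, dst, dports, established, " ".join(tokens)))
    return rules

def matches(rule, pkt):
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if ipaddress.IPv4Address(pkt.src) not in rule.src or ipaddress.IPv4Address(pkt.dst) not in rule.dst:
        return False
    if rule.dports and not rule.dports[0] <= pkt.dport <= rule.dports[1]:
        return False
    if rule.established and not (pkt.proto == "tcp" and pkt.ack):
        return False
    return True

def evaluate(rules, pkt):
    """First matching line wins; no match falls through to the implicit deny."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action, rule.text
    return "deny", "<implicit deny>"

def consolidate(rules):
    """Merge adjacent lines that differ only by a contiguous destination port into one
    'range' line. Only adjacent lines with identical action, protocol and addresses are
    merged, so first-match order is unchanged."""
    out, i = [], 0
    while i < len(rules):
        r, j = rules[i], i
        while (j + 1 < len(rules) and r.dports and rules[j + 1].dports
               and (rules[j + 1].action, rules[j + 1].proto, rules[j + 1].src,
                    rules[j + 1].dst, rules[j + 1].established)
               == (r.action, r.proto, r.src, r.dst, r.established)
               and rules[j + 1].dports[0] == rules[j].dports[1] + 1):
            j += 1
        out.append(f"{r.action} {r.proto} {_fmt(r.src)} {_fmt(r.dst)} "
                   f"range {r.dports[0]} {rules[j].dports[1]}" if j > i else r.text)
        i = j + 1
    return out

RULES = parse_acl(ACL_TEXT)

if __name__ == "__main__":
    # Constructed sample packets: 10.20.30.40 is an assumed host on the restricted
    # VLAN, 192.0.2.10 an assumed external web server.
    for p in (Packet("tcp", "10.20.30.40", "192.0.2.10", 80),               # new web connection, SYN only
              Packet("tcp", "192.0.2.10", "10.20.30.40", 51234, ack=True),  # reply on an existing connection
              Packet("udp", "192.168.10.98", "10.20.30.40", 53)):           # DNS server towards the VLAN
        print(p, "->", evaluate(RULES, p))
    print(*consolidate(RULES), sep="\n")
```

Running it shows the SYN from the VLAN host to port 80 falling through to `deny ip any any`, the ACK-bearing reply matching `permit tcp any any established`, and the DNS server's packet matching its own line; evaluating `RULES[:-1]` gives the same verdict for the SYN via the implicit deny, which is Simon's point about the last line. `established` in IOS only tests the ACK or RST bit of a TCP header, it keeps no connection state, and there is no UDP equivalent, so the explicit UDP lines are what let the DNS servers through.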

Simon Flood
21-Mar-2014, 14:01
On 21/03/2014 03:23, ab wrote:

> These all look like rules that allow your servers (DNS and antivirus) to
> do whatever they want out from themselves, right? Where's the rule
> allowing anything else to get to the outside world to port 80? Maybe this
> is an obvious oversight on my part, but I've never done Cisco ACLs so if
> so feel free to laugh at me.

Ha ha! Or perhaps I should say "lucky sod" ... ? ;-)
--
Simon
Novell Knowledge Partner

Stevo
21-Mar-2014, 19:02
Simon Flood sounds like they 'said':

> Is the problem machine on the same VLAN as the two DNS and two A/V
> servers referenced above? All connected via the same switch/router
> port to which the ACL is applied?
>
> Are other ACLs in effect?

So my response to Simon's comment is...

No, problem machine is on a different vlan.

Problem machine connected to the switch on the port where the acl is
applied, the servers are on different ports.

--
Stevo