ACL help

Need some assistance, apparently I’m an idiot with acls anymore. We
have a vlan we need to allow basically only to the internet. A couple
internal servers (for anti-virus updates, dns responses, etc) need to be
able to get to this vlan without the communication initiated from this
particular vlan, but nothing else.

I have this acl set up, and everything seems to work properly except a
machine on this vlan cannot get to any web page, internal or external,
but email & messaging software work fine. What am I missing?

192.168.10.98 and 10.5.10.98 are our dns servers
192.168.10.39 & 40 are a couple different a/v servers.

ip access-list extended blah_vlan_Out
permit udp host 192.168.10.98 any eq domain
permit udp host 10.5.10.98 any eq domain
permit tcp host 192.168.10.40 any eq 8192
permit tcp host 192.168.10.40 any eq 8193
permit tcp host 192.168.10.40 any eq 8194
permit tcp host 192.168.10.40 any eq 4460
permit tcp host 192.168.10.39 any eq 80
permit tcp host 192.168.10.39 any eq 443
permit tcp host 192.168.10.39 any eq 8081
permit tcp host 192.168.10.39 any eq 8082
permit tcp host 192.168.10.39 any eq 8443
permit tcp host 192.168.10.39 any eq 8444
permit tcp any any established
deny ip any any


Stevo

These all look like rules that allow your servers (DNS and antivirus) to
do whatever they want out from themselves, right? Where’s the rule
allowing anything else to get to the outside world to port 80? Maybe this
is an obvious oversight on my part, but I’ve never done Cisco ACLs so if
so feel free to laugh at me.

http://www.cisco.com/c/en/us/support/docs/security/ios-firewall/23602-confaccesslists.html

By my guessing:
[color=blue]

permit udp host 192.168.10.98 any eq domain
permit udp host 10.5.10.98 any eq domain[/color]

These allow these machines to access UDP 53 anywhere.
[color=blue]

permit tcp host 192.168.10.40 any eq 8192
permit tcp host 192.168.10.40 any eq 8193
permit tcp host 192.168.10.40 any eq 8194
permit tcp host 192.168.10.40 any eq 4460[/color]

These allow this machine to access these four TCP ports anywhere.
[color=blue]

permit tcp host 192.168.10.39 any eq 80
permit tcp host 192.168.10.39 any eq 443
permit tcp host 192.168.10.39 any eq 8081
permit tcp host 192.168.10.39 any eq 8082
permit tcp host 192.168.10.39 any eq 8443
permit tcp host 192.168.10.39 any eq 8444[/color]

These allow this machine to access these six ports anywhere.
[color=blue]

permit tcp any any established[/color]

Allow any established connection to continue.
[color=blue]

deny ip any any[/color]

Block the rest.


Good luck.

If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below…

On 20/03/2014 22:29, Stevo wrote:
[color=blue]

Need some assistance, apparently I’m an idiot with acls anymore. We
have a vlan we need to allow basically only to the internet. A couple
internal servers (for anti-virus updates, dns responses, etc) need to be
able to get to this vlan without the communication initiated from this
particular vlan, but nothing else.

I have this acl set up, and everything seems to work properly except a
machine on this vlan cannot get to any web page, internal or external,
but email & messaging software work fine. What am I missing?

192.168.10.98 and 10.5.10.98 are our dns servers
192.168.10.39 & 40 are a couple different a/v servers.

ip access-list extended blah_vlan_Out
permit udp host 192.168.10.98 any eq domain
permit udp host 10.5.10.98 any eq domain[/color]
[color=blue]
permit tcp host 192.168.10.40 any eq 8192
permit tcp host 192.168.10.40 any eq 8193
permit tcp host 192.168.10.40 any eq 8194[/color]

The above three lines can be replaced with the following single rule

permit tcp host 192.168.10.40 any range 8192 8194
[color=blue]

permit tcp host 192.168.10.40 any eq 4460
permit tcp host 192.168.10.39 any eq 80
permit tcp host 192.168.10.39 any eq 443[/color]
[color=blue]
permit tcp host 192.168.10.39 any eq 8081
permit tcp host 192.168.10.39 any eq 8082[/color]

Similarly the above two lines can be replaced with

permit tcp host 192.168.10.39 any range 8081 8082
[color=blue]

permit tcp host 192.168.10.39 any eq 8443
permit tcp host 192.168.10.39 any eq 8444[/color]

and the above two with

permit tcp host 192.168.10.39 any range 8443 8444
[color=blue]

permit tcp any any established
deny ip any any[/color]

The above line isn’t required since everything is implicitly denied
unless otherwise permitted

Is the problem machine on the same VLAN as the two DNS and two A/V
servers referenced above? All connected via the same switch/router port
to which the ACL is applied?

Are other ACLs in effect?

HTH.

Simon
Novell Knowledge Partner


If you find this post helpful and are logged into the web interface,
please show your appreciation and click on the star below. Thanks.
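To make the two replies above concrete (ab's line-by-line reading of what each rule permits, and Simon's point that `eq` runs collapse into `range` and that the trailing `deny ip any any` only restates the implicit deny), here is a small first-match evaluator for the subset of Cisco extended-ACL syntax used in the thread. It is an added illustration, not code from the thread, from Novell or from Cisco. It feeds Stevo's ACL and Simon's consolidated form a handful of constructed packets (the workstation address 192.168.20.50 and the outside address 203.0.113.10 are made up for the example) and reports which rule, if any, each packet hits. `established` is modelled the way IOS defines it: the rule matches only when the TCP ACK or RST flag is set, so a fresh SYN from a host on the VLAN never matches it.

```python
"""Toy first-match evaluator for the Cisco extended-ACL subset used in the thread.
Added example, not the thread's, Novell's or Cisco's code.  Supports permit/deny,
ip/tcp/udp, 'host A.B.C.D' or 'any' for source and destination, an optional
destination port ('eq N' or 'range N M', numeric or the names domain/www),
and 'established' (matches when the TCP ACK or RST flag is set)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

PORT_NAMES = {"domain": 53, "www": 80}   # keyword ports IOS accepts in place of numbers


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp" or "udp"
    src: str
    dst: str
    dport: int
    ack: bool = False   # TCP ACK flag
    rst: bool = False   # TCP RST flag


@dataclass(frozen=True)
class Rule:
    action: str
    proto: str                # "ip" matches any protocol
    src: Optional[str]        # None means 'any'
    dst: Optional[str]
    port_lo: Optional[int]    # None means no destination-port qualifier
    port_hi: Optional[int]
    established: bool


def _port(tok: str) -> int:
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)


def parse_acl(text: str) -> List[Rule]:
    rules = []
    for line in text.strip().splitlines():
        toks = line.split()
        if not toks or toks[0] == "ip":   # skip the 'ip access-list extended NAME' header
            continue
        action, proto, i = toks[0], toks[1], 2

        def addr(k: int) -> Tuple[Optional[str], int]:
            if toks[k] == "any":
                return None, k + 1
            if toks[k] == "host":
                return toks[k + 1], k + 2
            raise ValueError("only 'any' and 'host X' are modelled: " + line)

        src, i = addr(i)
        dst, i = addr(i)
        lo = hi = None
        est = False
        while i < len(toks):
            if toks[i] == "eq":
                lo = hi = _port(toks[i + 1])
                i += 2
            elif toks[i] == "range":
                lo, hi = _port(toks[i + 1]), _port(toks[i + 2])
                i += 3
            elif toks[i] == "established":
                est = True
                i += 1
            else:
                raise ValueError("unsupported keyword: " + toks[i])
        rules.append(Rule(action, proto, src, dst, lo, hi, est))
    return rules


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if rule.src is not None and rule.src != pkt.src:
        return False
    if rule.dst is not None and rule.dst != pkt.dst:
        return False
    if rule.port_lo is not None and not (rule.port_lo <= pkt.dport <= rule.port_hi):
        return False
    if rule.established and not (pkt.ack or pkt.rst):
        return False
    return True


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """First matching rule wins; ('deny', None) is the implicit deny at the end."""
    for idx, rule in enumerate(rules):
        if matches(rule, pkt):
            return rule.action, idx
    return "deny", None


# Stevo's list, exactly as posted.
ORIGINAL_ACL = """
ip access-list extended blah_vlan_Out
permit udp host 192.168.10.98 any eq domain
permit udp host 10.5.10.98 any eq domain
permit tcp host 192.168.10.40 any eq 8192
permit tcp host 192.168.10.40 any eq 8193
permit tcp host 192.168.10.40 any eq 8194
permit tcp host 192.168.10.40 any eq 4460
permit tcp host 192.168.10.39 any eq 80
permit tcp host 192.168.10.39 any eq 443
permit tcp host 192.168.10.39 any eq 8081
permit tcp host 192.168.10.39 any eq 8082
permit tcp host 192.168.10.39 any eq 8443
permit tcp host 192.168.10.39 any eq 8444
permit tcp any any established
deny ip any any
"""

# Simon's consolidation: 'eq' runs folded into 'range', explicit deny dropped.
CONSOLIDATED_ACL = """
permit udp host 192.168.10.98 any eq domain
permit udp host 10.5.10.98 any eq domain
permit tcp host 192.168.10.40 any range 8192 8194
permit tcp host 192.168.10.40 any eq 4460
permit tcp host 192.168.10.39 any eq 80
permit tcp host 192.168.10.39 any eq 443
permit tcp host 192.168.10.39 any range 8081 8082
permit tcp host 192.168.10.39 any range 8443 8444
permit tcp any any established
"""

# Constructed sample traffic (addresses 192.168.20.50 and 203.0.113.10 are made up).
WS, OUTSIDE = "192.168.20.50", "203.0.113.10"
SAMPLE_PACKETS = [
    Packet("tcp", WS, OUTSIDE, 80),                  # workstation opening a web page (SYN)
    Packet("tcp", OUTSIDE, WS, 51000, ack=True),     # SYN/ACK coming back for that session
    Packet("udp", "192.168.10.98", WS, 53),          # DNS server talking to the VLAN
    Packet("tcp", "192.168.10.40", WS, 8193),        # A/V server on a port inside the range
    Packet("tcp", "192.168.10.39", WS, 8080),        # A/V server on a port nobody permitted
]


def same_decisions(acl_a: str, acl_b: str, pkts: List[Packet]) -> bool:
    """True when both lists reach the same permit/deny verdict for every packet."""
    ra, rb = parse_acl(acl_a), parse_acl(acl_b)
    return all(evaluate(ra, p)[0] == evaluate(rb, p)[0] for p in pkts)


if __name__ == "__main__":
    rules = parse_acl(ORIGINAL_ACL)
    for p in SAMPLE_PACKETS:
        action, idx = evaluate(rules, p)
        hit = "implicit deny" if idx is None else "rule %d" % (idx + 1)
        print("%s %s -> %s:%d  =>  %s (%s)" % (p.proto, p.src, p.dst, p.dport, action, hit))
    print("consolidated list agrees:", same_decisions(ORIGINAL_ACL, CONSOLIDATED_ACL, SAMPLE_PACKETS))
```

Running it shows the shape of ab's observation: the workstation's SYN to port 80 is matched only by the final `deny`, while the server-sourced packets and the ACK-bearing return traffic hit permits. The two lists return identical verdicts for every sample packet, which is the equivalence Simon's `range` rewrite relies on; the only difference is whether the last deny is an explicit rule or the implicit one.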

On 21/03/2014 03:23, ab wrote:
[color=blue]

These all look like rules that allow your servers (DNS and antivirus) to
do whatever they want out from themselves, right? Where’s the rule
allowing anything else to get to the outside world to port 80? Maybe this
is an obvious oversight on my part, but I’ve never done Cisco ACLs so if
so feel free to laugh at me.[/color]

Ha ha! Or perhaps I should say “lucky sod” … ? :wink:

Simon
Novell Knowledge Partner


If you find this post helpful and are logged into the web interface,
please show your appreciation and click on the star below. Thanks.

Simon Flood sounds like they ‘said’:
[color=blue]

Is the problem machine on the same VLAN as the two DNS and two A/V
servers referenced above? All connected via the same switch/router
port to which the ACL is applied?

Are other ACLs in effect?[/color]

So my response to Simon’s comment is…

No, problem machine is on a different vlan.

Problem machine connected to the switch on the port where the acl is
applied, the servers are on different ports.


Stevo