ACL 2 access groups on 1 interface

Hi,

I have a Cisco 2612 router with IOS Version 12.3(19). I believe I have most of the router configured correctly but I am having trouble with my ACLs. When I have just one access group applied everything seems to work fine. But when I try to apply both access groups on e1/0, everything is denied.

I've been working on this for the last week to no avail. I have spent many hours searching for the solution, and I'm sure I'm making this harder than it is. Any help or pointers in the right direction will be very much appreciated.

Building configuration...

Current configuration : 2404 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname router
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$Pkga$fnM8qg2ikzQllQ7Dcffbb.
!
memory-size iomem 15
no aaa new-model
ip subnet-zero
ip cef
!
ip domain name company.com
ip host company 10.0.0.3 172.16.0.1
ip name-server 10.0.0.2
!
interface Ethernet0/0
 description 10.0.0.0 Network
 ip address 10.0.0.3 255.255.255.0
 full-duplex
!
interface TokenRing0/0
 no ip address
 shutdown
 ring-speed 16
!
interface Ethernet1/0
 description 172.16.0.0 Network
 ip address 172.16.0.1 255.255.255.0
 ip access-group 100 in
 ip access-group 101 out
 full-duplex
!
router rip
 network 10.0.0.0
 network 172.16.0.0
!
no ip http server
ip classless
ip route 0.0.0.0 0.0.0.0 10.0.0.1
!
access-list 100 permit tcp any any eq www
access-list 100 permit tcp any any eq smtp
access-list 100 permit udp any any eq domain
access-list 100 permit udp any eq domain any
access-list 100 permit tcp any any eq domain
access-list 100 permit tcp any eq domain any
access-list 101 permit tcp host x.x.58.16 host 172.16.0.2 eq 22
access-list 101 permit tcp host x.x.2.229 host 172.16.0.2 eq 22
access-list 101 permit tcp host x.x.234.77 host 172.16.0.2 eq 22
access-list 101 permit tcp host x.x.204.13 host 172.16.0.2 eq 22
access-list 101 permit tcp host x.x.19.50 host 172.16.0.2 eq 22
access-list 101 permit tcp host x.x.69.239 host 172.16.0.2 eq 22
access-list 101 permit tcp host x.x.82.71 host 172.16.0.2 eq 22
access-list 101 permit tcp host x.x.212.93 host 172.16.0.2 eq 22
access-list 101 permit tcp host x.x.212.194 host 172.16.0.2 eq 22
access-list 101 permit tcp host x.x.98.114 host 172.16.0.2 eq 22
access-list 101 permit tcp host x.x.210.155 host 172.16.0.2 eq 22
access-list 101 permit tcp host x.x.38.205 host 172.16.0.2 eq 22
access-list 101 permit tcp host x.x.88.20 host 172.16.0.2 eq 22
access-list 101 permit tcp host x.x.254.100 host 172.16.0.2 eq 22
access-list 101 permit tcp host x.x.133.150 host 172.16.0.2 eq 22
access-list 101 permit tcp any any established
no cdp run
banner motd ^C This is a secure system, authorized access ONLY! ^C
!
line con 0
 password pass
 login
line aux 0
 password pass
line vty 0 4
 password pass
 login
!
end

Thanks,

Dustin

Reply to
Dustin.Seeger

First and foremost, you have to remember that traffic goes in and out of that interface. For example, if a host is SSHing to 0.2, the out list will allow the traffic out, but you don't have a rule that will allow the SSH return packets back in. There is an implicit deny at the end of each ACL, and since your rules are completely different, only one side of your transmissions is going to go through. Just because you apply an ACL on 'in' or 'out' doesn't mean that there isn't return traffic that is going against your opposite ACL. Forgive me if you understand all this, but I see some major issues here since your lists do not match whatsoever: while www and smtp will be allowed IN, they are not allowed back out. Same with SSH: SSH is allowed out, but not back in?

Reply to
Trendkill

Trendkill,

As you can tell I didn't understand that completely. Thanks for taking your time to point me in the right direction.

Dustin

Reply to
Dustin.Seeger

Your best bet is to apply a single ACL in one direction or the other, and if you combine those ACLs, I would think you would be ok. You really only need to block traffic in one direction to stop the majority of unwanted traffic. This should meet all your requirements as I see them.

Reply to
Trendkill

Also, if you have the firewall feature set, combine that with the access list and it should be all you need.

Reply to
Scooby

At the end he has 'access-list 101 permit tcp any any established', which should allow established TCP connections (ssh, http, smtp, etc.). What he's not allowing back in is DNS replies. ACL 101 allows no UDP traffic at all!

Chris.

Reply to
chris

You can't establish a TCP session without bi-directional communication (SYN, ACK), so that won't do him any good until he allows the traffic in both directions in the first place.

Reply to
Trendkill

The 'established' keyword matches SYN/ACK and ACK, so yes, it does work. I'm using it right now. As I said, his problem is DNS related. No UDP 53, no DNS.

access-list 101 permit tcp host x.x.58.16 host 172.16.0.2 eq 22
access-list 101 permit tcp host x.x.2.229 host 172.16.0.2 eq 22
access-list 101 permit tcp host x.x.234.77 host 172.16.0.2 eq 22
access-list 101 permit tcp host x.x.204.13 host 172.16.0.2 eq 22
access-list 101 permit tcp host x.x.19.50 host 172.16.0.2 eq 22
access-list 101 permit tcp host x.x.69.239 host 172.16.0.2 eq 22
access-list 101 permit tcp host x.x.82.71 host 172.16.0.2 eq 22
access-list 101 permit tcp host x.x.212.93 host 172.16.0.2 eq 22
access-list 101 permit tcp host x.x.212.194 host 172.16.0.2 eq 22
access-list 101 permit tcp host x.x.98.114 host 172.16.0.2 eq 22
access-list 101 permit tcp host x.x.210.155 host 172.16.0.2 eq 22
access-list 101 permit tcp host x.x.38.205 host 172.16.0.2 eq 22
access-list 101 permit tcp host x.x.88.20 host 172.16.0.2 eq 22
access-list 101 permit tcp host x.x.254.100 host 172.16.0.2 eq 22
access-list 101 permit tcp host x.x.133.150 host 172.16.0.2 eq 22
access-list 101 permit tcp any any established

Chris.

Reply to
chris

He doesn't have the same ACL on both in and out of the interface. It will not work. When the traffic comes one way, it'll be allowed, and it'll be blocked as it goes the other direction on the interface. I agree with you if he had one ACL applied to one direction, or the same ACL applied to both directions... but not as currently configured.

Reply to
Trendkill
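The two views in this thread (return traffic is dropped by the opposite ACL; the 'established' line covers TCP but nothing covers DNS replies) can be checked flow by flow. Below is an added example, not code from the thread or from Cisco: a small model of IOS extended ACL evaluation (first match wins, implicit deny at the end, 'established' matching TCP segments with the ACK or RST bit set) applied to the posted ACL 100 'in' and ACL 101 'out' on Ethernet1/0. Only the rules each trace needs are reproduced; 198.51.100.10 is a constructed web server, 'x.x.58.16' is kept as a label exactly as the post masks it, and the FIXED_* lists are a suggested correction that the router in the thread does not run.

```python
from dataclasses import dataclass, replace
from typing import Dict, List, Optional

ANY = None  # the "any" keyword in an ACE


@dataclass(frozen=True)
class Packet:
    proto: str            # "tcp" or "udp"
    src: str
    dst: str
    sport: int
    dport: int
    ack: bool = False     # ACK/RST bit set: what "established" keys on


@dataclass(frozen=True)
class Ace:
    action: str           # "permit" or "deny"
    proto: str            # "tcp", "udp" or "ip"
    src: Optional[str] = ANY
    dst: Optional[str] = ANY
    sport: Optional[int] = ANY
    dport: Optional[int] = ANY
    established: bool = False

    def matches(self, p: Packet) -> bool:
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if self.src is not ANY and self.src != p.src:
            return False
        if self.dst is not ANY and self.dst != p.dst:
            return False
        if self.sport is not ANY and self.sport != p.sport:
            return False
        if self.dport is not ANY and self.dport != p.dport:
            return False
        if self.established and not (p.proto == "tcp" and p.ack):
            return False
        return True


def evaluate(acl: List[Ace], p: Packet) -> bool:
    """Stateless first-match evaluation; the fall-through is the implicit deny."""
    for ace in acl:
        if ace.matches(p):
            return ace.action == "permit"
    return False


def trace_flow(acl_in: List[Ace], acl_out: List[Ace],
               request: Packet, initiated_inside: bool) -> Dict[str, bool]:
    """Both halves of one exchange across Ethernet1/0.

    "in" sees packets arriving from the 172.16.0.0/24 side, "out" sees packets the
    router sends toward that LAN. The reply is the request with endpoints swapped
    and, for TCP, the ACK bit set (true of the SYN/ACK and every later segment).
    """
    reply = replace(request, src=request.dst, dst=request.src,
                    sport=request.dport, dport=request.sport,
                    ack=(request.proto == "tcp"))
    if initiated_inside:
        return {"request": evaluate(acl_in, request), "reply": evaluate(acl_out, reply)}
    return {"request": evaluate(acl_out, request), "reply": evaluate(acl_in, reply)}


# ACL 100 as posted ("ip access-group 100 in").
ACL100_IN = [
    Ace("permit", "tcp", dport=80),   # permit tcp any any eq www
    Ace("permit", "tcp", dport=25),   # permit tcp any any eq smtp
    Ace("permit", "udp", dport=53),   # permit udp any any eq domain
    Ace("permit", "udp", sport=53),   # permit udp any eq domain any
    Ace("permit", "tcp", dport=53),   # permit tcp any any eq domain
    Ace("permit", "tcp", sport=53),   # permit tcp any eq domain any
]
# ACL 101 as posted ("ip access-group 101 out"): one of the host lines, then "established".
ACL101_OUT = [
    Ace("permit", "tcp", src="x.x.58.16", dst="172.16.0.2", dport=22),
    Ace("permit", "tcp", established=True),   # permit tcp any any established
]

INSIDE, WEB, DNS = "172.16.0.2", "198.51.100.10", "10.0.0.2"   # WEB is a constructed endpoint
http = Packet("tcp", INSIDE, WEB, 40000, 80)
dns = Packet("udp", INSIDE, DNS, 40001, 53)
ssh_listed = Packet("tcp", "x.x.58.16", INSIDE, 50000, 22)
ssh_unlisted = Packet("tcp", "x.x.1.1", INSIDE, 50001, 22)   # constructed, not in ACL 101


def trace_all(acl_in: List[Ace], acl_out: List[Ace]) -> Dict[str, Dict[str, bool]]:
    return {
        "http": trace_flow(acl_in, acl_out, http, True),
        "dns": trace_flow(acl_in, acl_out, dns, True),
        "ssh": trace_flow(acl_in, acl_out, ssh_listed, False),
        "ssh_unlisted": trace_flow(acl_in, acl_out, ssh_unlisted, False),
    }


# Suggested correction (an assumption of this example): let DNS replies out toward
# the LAN, and let the LAN host's SSH reply segments back in.
FIXED_ACL101_OUT = ACL101_OUT + [Ace("permit", "udp", sport=53)]
FIXED_ACL100_IN = ACL100_IN + [Ace("permit", "tcp", src=INSIDE, sport=22, established=True)]

if __name__ == "__main__":
    for name, result in trace_all(ACL100_IN, ACL101_OUT).items():
        print("posted", name, result)
    for name, result in trace_all(FIXED_ACL100_IN, FIXED_ACL101_OUT).items():
        print("fixed ", name, result)
```

With the posted lists, the HTTP flow passes in both directions (ACL 100 permits the request, the 'established' line in ACL 101 permits the reply), the DNS reply from 10.0.0.2 is dropped by ACL 101 because no UDP line exists, and an SSH session from a listed host is dropped on its reply: the SYN/ACK from 172.16.0.2 port 22 enters Ethernet1/0 and matches nothing in ACL 100. Adding the two corrective lines clears both while an unlisted SSH source is still denied, which is the property the per-host list was meant to enforce.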

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.