Problem with IN - OUT ACL on VLAN

#1
31st October 2008, 07:57
Siemens_Thailand
Join Date: Oct 2008
Posts: 2

Problem with IN - OUT ACL on VLAN

Problem with the following ACLs applied on a VLAN:

Info:
VLAN A = 10.0.10.0/24
VLAN B = 10.0.20.0/24
VLAN C = 10.0.30.0/24
VLAN D = 10.0.40.0/24

ACLs applied on VLAN B in & out.

Rules should be:

ACL ext. vlan100-out “traffic to the VLAN B”
1. Host 10.0.10.2 permit IP to VLAN B
2. Any permit ICMP Echo to VLAN B
3. Any permit TCP 161 & 9100 to VLAN B
4. VLAN D permit TCP 23 & 80 & 443 to VLAN B
5. Deny all other traffic


ip access-list extended vlan100-out

remark restrict traffic to the Printer Network
permit ip host 10.0.10.2 any
permit icmp any any echo
permit tcp any any eq 9100
permit tcp any any eq 161
permit tcp 10.0.40.0 0.0.0.255 any eq telnet
permit tcp 10.0.40.0 0.0.0.255 any eq www
permit tcp 10.0.40.0 0.0.0.255 any eq 443
deny ip any any


ACL ext. vlan100-in “traffic from the VLAN B”
1. VLAN B permit IP to Host 10.0.10.2
2. VLAN B permit ICMP Echo to ANY
3. VLAN B permit TCP 161 & 9100 to ANY established
4. VLAN B permit TCP 23 & 80 & 443 to VLAN D established
5. Deny all other traffic


ip access-list extended VLAN100-in

remark restrict traffic from the Printer Network
permit ip any host 10.0.10.2
permit icmp any any echo-reply
permit tcp any any established eq 9100
permit tcp any any established eq 161
permit tcp any 10.0.40.0 0.0.0.255 established eq telnet
permit tcp any 10.0.40.0 0.0.0.255 established eq www
permit tcp any 10.0.40.0 0.0.0.255 established eq 443
deny ip any any


Problem is after applying those ACLs:

Any permit TCP 161 & 9100 to VLAN B
won’t work

VLAN B permit TCP 23 & 80 & 443 to VLAN D established
Not restricted anymore, open for ANY

If I use only the Rule for OUT to the VLAN B, then everything is fine.
But my boss wants to have a separate ACL for incoming traffic.

And I don’t know why it won't work.

Any suggestion?

Thanks

Martin

Last edited by Siemens_Thailand; 31st October 2008 at 08:03..
#2
31st October 2008, 14:42
scowles
Join Date: Jul 2008
Location: Texas/USA
Posts: 122

Re: Problem with IN - OUT ACL on VLAN

To debug ACLs, try adding "log" to the end of the "deny ip any any" statement, then enable "term mon" and watch for the denies being printed to the screen. Modify ACLs as needed.

With regards to your post, I believe you need to change vlan100-in to properly deal with established reply packets' source ports. Example: port 9100

change from:
Code:
permit tcp any any established eq 9100
change to:
Code:
permit tcp any eq 9100 any established
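To see why moving the port to the source side matters, here is an added example (not from either post): a small Python first-match simulator for the extended-ACL syntax used above, run against the posted port-9100 entry of vlan100-in and the corrected one. The printer 10.0.20.10, the client 10.0.30.25 and its ephemeral port 52000 are constructed values, and only numeric `eq` ports and the `established` keyword are modelled.

```python
import ipaddress
from collections import namedtuple

# ack: ACK (or RST) flag set, which is what the IOS 'established' keyword tests
Packet = namedtuple("Packet", "proto src sport dst dport ack")

def _addr(toks):  # consume 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'
    tok = toks.pop(0)
    if tok == "host":
        return ipaddress.ip_network(toks.pop(0) + "/32")
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    return ipaddress.ip_network(f"{tok}/{toks.pop(0)}", strict=False)  # wildcard mask

def _port(toks):  # consume 'eq <N>' if it comes next; other operators not modelled
    if toks and toks[0] == "eq":
        port = int(toks[1]); del toks[:2]
        return port
    return None

def parse_ace(line):
    """Split one extended-ACL entry into its match fields (numeric ports only)."""
    toks = line.split()
    action, proto, toks = toks[0], toks[1], toks[2:]
    src, sport, dst = _addr(toks), _port(toks), _addr(toks)
    dport, established = None, False
    while toks:  # trailing 'eq N' and 'established' are accepted in either order
        if toks[0] == "eq":
            dport = _port(toks)
        else:  # ICMP type words and 'log' would land here too and are ignored
            established |= toks.pop(0) == "established"
    return action, proto, src, sport, dst, dport, established

def evaluate(acl_text, pkt):
    """First matching entry wins; IOS ends every ACL with an implicit deny."""
    for line in acl_text.strip().splitlines():
        action, proto, src, sport, dst, dport, est = parse_ace(line)
        if (proto in ("ip", pkt.proto) and ipaddress.ip_address(pkt.src) in src
                and ipaddress.ip_address(pkt.dst) in dst and sport in (None, pkt.sport)
                and dport in (None, pkt.dport) and (pkt.ack or not est)):
            return action
    return "deny"

# Posted port-9100 entry of vlan100-in beside the corrected one from the reply.
POSTED_IN = "permit tcp any any established eq 9100\ndeny ip any any"
FIXED_IN = "permit tcp any eq 9100 any established\ndeny ip any any"

# Constructed sample: printer 10.0.20.10 (VLAN B) answering a print job from
# client 10.0.30.25 (VLAN C), so the reply carries 9100 as its SOURCE port.
REPLY = Packet("tcp", "10.0.20.10", 9100, "10.0.30.25", 52000, True)

def demo():
    return evaluate(POSTED_IN, REPLY), evaluate(FIXED_IN, REPLY)  # ('deny', 'permit')
```

The posted entry only ever matches packets sent to port 9100, so the printer's reply (source port 9100, random destination port) falls through to the deny; the same reply is permitted once the port is matched on the source side.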