ACL's = clueless
ninjaz
Member Posts: 11
in CCNA & CCENT
I'm having a problem with an ACL that I'm trying to create. I know the "access xxx out" is for traffic going out of the interface and the opposite for the incoming interface, however the only thing that seems to work is if I put it on the outgoing interface. I want to block all traffic going to a server that I have besides allowing the traffic to go to the specific ports, such as Windows RDP, and Windows file sharing. When I create this list it seems to not allow any traffic at all, however when I set it to the outgoing side it seems to block everything just fine and I'm not sure why. This is what I have for my outgoing...
permit tcp 10.0.0.0 0.0.0.255 host 10.0.0.18 eq 3389 (821 matches)
permit udp 10.0.0.0 0.0.0.255 host 10.0.0.18 eq 3389
permit tcp 141.209.0.0 0.0.255.255 host 10.0.0.18 eq 3389 (230 matches)
permit udp 10.0.0.0 0.0.0.255 host 10.0.0.18 eq netbios-ns (74 matches)
permit udp 10.0.0.0 0.0.0.255 host 10.0.0.18 eq netbios-dgm
permit tcp 10.0.0.0 0.0.0.255 host 10.0.0.18 eq 139 (15412466 matches)
permit tcp 10.0.0.0 0.0.0.255 host 10.0.0.18 eq 445 (4889329 matches)
permit tcp 10.0.0.16 0.0.0.7 any eq www
permit tcp 10.0.0.16 0.0.0.7 any eq 443
permit tcp any 10.0.0.16 0.0.0.7 eq www (432 matches)
permit tcp any 10.0.0.16 0.0.0.7 eq 443 (156 matches)
permit udp host 10.0.0.11 host 10.0.0.18 eq snmp (46192 matches)
permit udp host 10.0.0.11 host 10.0.0.18 eq snmptrap
permit tcp host 10.0.0.11 host 10.0.0.18 eq domain
permit tcp host 10.0.0.19 host 10.0.0.18 eq domain
permit udp host 10.0.0.11 host 10.0.0.18 eq domain (51 matches)
permit udp host 10.0.0.19 host 10.0.0.18 eq domain
permit ip host 10.0.0.19 any
permit ip any host 10.0.0.19 (101439 matches)
permit icmp any any (10521 matches)
Thanks in advance.
Comments
-
malcybood Member Posts: 900
ninjaz wrote: I'm having a problem with an ACL that I'm trying to create. I know the "access xxx out" is for traffic going out of the interface and the opposite for the incoming interface, however the only thing that seems to work is if I put it on the outgoing interface. I want to block all traffic going to a server that I have besides allowing the traffic to go to the specific ports, such as Windows RDP, and Windows file sharing. When I create this list it seems to not allow any traffic at all, however when I set it to the outgoing side it seems to block everything just fine and I'm not sure why. This is what I have for my outgoing...
permit tcp 10.0.0.0 0.0.0.255 host 10.0.0.18 eq 3389 (821 matches)
permit udp 10.0.0.0 0.0.0.255 host 10.0.0.18 eq 3389
permit tcp 141.209.0.0 0.0.255.255 host 10.0.0.18 eq 3389 (230 matches)
permit udp 10.0.0.0 0.0.0.255 host 10.0.0.18 eq netbios-ns (74 matches)
permit udp 10.0.0.0 0.0.0.255 host 10.0.0.18 eq netbios-dgm
permit tcp 10.0.0.0 0.0.0.255 host 10.0.0.18 eq 139 (15412466 matches)
permit tcp 10.0.0.0 0.0.0.255 host 10.0.0.18 eq 445 (4889329 matches)
permit tcp 10.0.0.16 0.0.0.7 any eq www
permit tcp 10.0.0.16 0.0.0.7 any eq 443
permit tcp any 10.0.0.16 0.0.0.7 eq www (432 matches)
permit tcp any 10.0.0.16 0.0.0.7 eq 443 (156 matches)
permit udp host 10.0.0.11 host 10.0.0.18 eq snmp (46192 matches)
permit udp host 10.0.0.11 host 10.0.0.18 eq snmptrap
permit tcp host 10.0.0.11 host 10.0.0.18 eq domain
permit tcp host 10.0.0.19 host 10.0.0.18 eq domain
permit udp host 10.0.0.11 host 10.0.0.18 eq domain (51 matches)
permit udp host 10.0.0.19 host 10.0.0.18 eq domain
permit ip host 10.0.0.19 any
permit ip any host 10.0.0.19 (101439 matches)
permit icmp any any (10521 matches)
Thanks in advance.
Could you list the services you want to allow... is it only RDP and File and Print sharing?
The server address
The network you wish to permit/deny
Which interface you are applying the ACL to -
hectorjhrdz Member Posts: 127
How do you know the ACL is blocking the traffic?
It could be a problem not related to the ACL.
More info would be useful.
Cheers -
ninjaz Member Posts: 11
10.0.0.18 = Windows 2003 Server running file/print, RDP, and WINS
10.0.0.19 = VMWare Debian installation running on the same machine.
They are in their own separate VLAN away from the rest of the switches and host machines.
Allow machines on the local network to access the Windows Server through RDP, along with my machine at work.
permit tcp 10.0.0.0 0.0.0.255 host 10.0.0.18 eq 3389
permit udp 10.0.0.0 0.0.0.255 host 10.0.0.18 eq 3389
permit tcp 141.209.0.0 0.0.255.255 host 10.0.0.18 eq 3389
Only allow local network to access shares
permit udp 10.0.0.0 0.0.0.255 host 10.0.0.18 eq netbios-ns
permit udp 10.0.0.0 0.0.0.255 host 10.0.0.18 eq netbios-dgm
permit tcp 10.0.0.0 0.0.0.255 host 10.0.0.18 eq 139
permit tcp 10.0.0.0 0.0.0.255 host 10.0.0.18 eq 445
Allow web traffic in/out of the ACL for that VLAN
permit tcp 10.0.0.16 0.0.0.7 any eq www
permit tcp 10.0.0.16 0.0.0.7 any eq 443
permit tcp any 10.0.0.16 0.0.0.7 eq www
permit tcp any 10.0.0.16 0.0.0.7 eq 443
Allow SNMP queries from 10.0.0.11 only (even though the security is setup on the Windows box to do that any)
permit udp host 10.0.0.11 host 10.0.0.18 eq snmp
permit udp host 10.0.0.11 host 10.0.0.18 eq snmptrap
Only allow DNS information to be passed from my two DNS servers
permit tcp host 10.0.0.11 host 10.0.0.18 eq domain
permit tcp host 10.0.0.19 host 10.0.0.18 eq domain
permit udp host 10.0.0.11 host 10.0.0.18 eq domain
permit udp host 10.0.0.19 host 10.0.0.18 eq domain
Allow any traffic to go in and come out of the Linux box. I haven't set this one up yet because I have had so many problems with the Windows box.
permit ip host 10.0.0.19 any
permit ip any host 10.0.0.19
Allow Pinging
permit icmp any any
I have the VLANs set up on the router on interface e0/0.16 and was applying it as so:
ip access 116 out
hectorjhrdz wrote (Thu Feb 15, 2007 5:41 pm):
how do you know the ACL is blocking the traffic?
it could be a problem not related with the ACL.
more info would be useful
cheers
I know it's blocking the traffic because when I first started writing the ACL I would test it out by trying to connect to certain services like RDP and the file server. However, when I apply this ACL as I had previously, I would not be able to access anything on the internet (i.e. surf web pages) until I took that ACL off, which can be very bothersome when trying to do updates to McAfee or through Windows Update. This is why I think I have written the ACL wrong and it should be placed on the incoming side instead. However, when I do that nothing works either going out or coming back in.
Thanks. -
georgemc Member Posts: 429
ninjaz,
From the description you gave, you DO want this to be an OUTBOUND ACL.
What appears to be missing (IMO) is something like the following placed at the beginning of the ACL:
access-list 116 permit ip any host 10.0.0.18 connected
Allow machines on the local network to access to Windows Server through RDP along with my machine at work.
permit tcp 10.0.0.0 0.0.0.255 host 10.0.0.18 eq 3389
permit udp 10.0.0.0 0.0.0.255 host 10.0.0.18 eq 3389
permit tcp 141.209.0.0 0.0.255.255 host 10.0.0.18 eq 3389
Only allow local network to access shares
permit udp 10.0.0.0 0.0.0.255 host 10.0.0.18 eq netbios-ns
permit udp 10.0.0.0 0.0.0.255 host 10.0.0.18 eq netbios-dgm
permit tcp 10.0.0.0 0.0.0.255 host 10.0.0.18 eq 139
permit tcp 10.0.0.0 0.0.0.255 host 10.0.0.18 eq 445
Allow web traffic in/out of the ACL for that VLAN
permit tcp 10.0.0.16 0.0.0.7 any eq www
permit tcp 10.0.0.16 0.0.0.7 any eq 443
permit tcp any 10.0.0.16 0.0.0.7 eq www
permit tcp any 10.0.0.16 0.0.0.7 eq 443
Allow SNMP queries from 10.0.0.11 only (even though the security is setup on the Windows box to do that any)
permit udp host 10.0.0.11 host 10.0.0.18 eq snmp
permit udp host 10.0.0.11 host 10.0.0.18 eq snmptrap
Only allow DNS information to be passed from my two DNS servers
permit tcp host 10.0.0.11 host 10.0.0.18 eq domain
permit tcp host 10.0.0.19 host 10.0.0.18 eq domain
permit udp host 10.0.0.11 host 10.0.0.18 eq domain
permit udp host 10.0.0.19 host 10.0.0.18 eq domain
Allow any traffic to go in and come out of the Linux box. I haven't set this one up yet because I have had so many problems with the Windows box.
permit ip host 10.0.0.19 any
permit ip any host 10.0.0.19
Someone else can explain why this is required.
If I've misinterpreted your network layout or intentions, please let me know.
-
georgemc Member Posts: 429
I meant to clean my previous post up a bit more before posting it. I seem to have hit "submit" instead of "preview". But you should get the gist of it. Just be sure to include the permit any for the Linux machine.
-
hectorjhrdz Member Posts: 127
Mmmm, I can't see any problem in your ACL.
Did you apply the ACL in the right way? I mean, remember that you can block the interface if you change some ACL lines and forget to perform the
no ip access-group at the interface in question.
Set the ACL while the interface is shut down in order to ensure that there is no traffic flow yet, and then perform the ip access-group.
that's what i think.
good luck -
ninjaz Member Posts: 11
Ok, so it must be ignorance on my part then, because from what I had understood, applying the ACL to the inbound/outbound interface meant that the inbound is traffic coming into the interface and the outbound was traffic coming out of the computers behind the interface. The thing that was confusing me was that when I applied it to the outbound interface I was not allowing the computers to make the outgoing connection, as opposed to applying it to the inbound interface and allowing outside computers to make that connection in the first place.
I hope that made sense!
-
georgemc Member Posts: 429
ninjaz wrote: Ok, so it must be ignorance on my part then, because from what I had understood, applying the ACL to the inbound/outbound interface meant that the inbound is traffic coming into the interface and the outbound was traffic coming out of the computers behind the interface. The thing that was confusing me was that when I applied it to the outbound interface I was not allowing the computers to make the outgoing connection, as opposed to applying it to the inbound interface and allowing outside computers to make that connection in the first place.
I hope that made sense!
ninjaz,
Everything is in relation to the router and the port(s) on the router.
OUTBOUND = apply ACL as traffic is leaving the router (acts as a filter)
INBOUND = apply ACL as traffic is entering the router (policy routing, or possibly prevent machines from communicating with network/machines/ports, etc.)
You don't much care about filtering data from your server going to the router, as you're trying to prevent unwanted connections to the server. The reason updates, web browsing, etc. weren't working is because your ACL was preventing the responses from coming back to you.
If you add the line I mentioned in my earlier post it should fix the problem of the server not being able to connect for updates/etc.
-
ninjaz Member Posts: 11
Is that version specific, because I don't have that option? What I have for that is:
dscp Match packets with given dscp value
fragments Check non-initial fragments
log Log matches against this entry
log-input Log matches against this entry, including input interface
precedence Match packets with given precedence value
time-range Specify a time-range
tos Match packets with given TOS value
<cr>
I did try: access-l 116 perm tcp any host 10.0.0.18 est
And it still does not seem to allow outbound traffic.
I'm using 12.2(40). -
georgemc Member Posts: 429
My bad. The correct switch is "established".
Correct access-list line should be:
access-list 116 permit tcp any host 10.0.0.18 est
As you've said you already configured.
If you want to be able to ping out add:
access-list 116 permit icmp any host 10.0.0.18 echo-reply
This will allow the responses to your ping to come back.
I know it's confusing, but if your access-list is applied to the interface attached to host 10.0.0.18, then it does not affect traffic leaving 10.0.0.18. Only traffic going through the router to 10.0.0.18 is affected.
What did you do to test that traffic wasn't allowed outbound from 10.0.0.18? (ping, browser, etc.)
I forgot how difficult long distance troubleshooting can be.
I'll keep thinking about it until you say you've got it working correctly.
-
ninjaz Member Posts: 11
access-l 116 perm tcp 10.0.0.0 0.0.0.255 host 10.0.0.18 eq 3389
access-l 116 perm udp 10.0.0.0 0.0.0.255 host 10.0.0.18 eq 3389
access-l 116 perm tcp 141.209.0.0 0.0.255.255 host 10.0.0.18 eq 3389
access-l 116 perm udp 10.0.0.0 0.0.0.255 host 10.0.0.18 eq 137
access-l 116 perm udp 10.0.0.0 0.0.0.255 host 10.0.0.18 eq 138
access-l 116 perm tcp 10.0.0.0 0.0.0.255 host 10.0.0.18 eq 139
access-l 116 perm tcp 10.0.0.0 0.0.0.255 host 10.0.0.18 eq 445
access-l 116 perm tcp host 10.0.0.10 host 10.0.0.18 eq 53 est
access-l 116 perm tcp host 10.0.0.10 host 10.0.0.18 eq 53 est
access-l 116 perm udp host 10.0.0.19 host 10.0.0.18 eq 53
access-l 116 perm udp host 10.0.0.19 host 10.0.0.18 eq 53
access-l 116 perm tcp 10.0.0.16 0.0.0.7 any eq 80 est
access-l 116 perm tcp 10.0.0.16 0.0.0.7 any eq 443 est
access-l 116 perm udp host 10.0.0.11 host 10.0.0.18 eq 161
access-l 116 perm udp host 10.0.0.11 host 10.0.0.18 eq 162
access-l 116 perm ip any host 10.0.0.19
access-l 116 perm icmp any any
Well... I can ping an outside webserver however I can't get to it through the web browser or resolve DNS names. I wouldn't think that this is that hard but for some reason this is the last section that I really need to work on before going to take the test.
Even with something as simple as:
access-l 116 perm tcp host 10.0.0.10 host 10.0.0.18 eq 53
access-l 116 perm udp host 10.0.0.10 host 10.0.0.18 eq 53
access-l 116 perm tcp any host 10.0.0.18 eq 80
access-l 116 perm tcp any host 10.0.0.18 eq 443
access-l 116 perm icmp any any
Still does not allow traffic going out.
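What georgemc explains above about direction and return traffic, as an added example that is not anything posted in this thread: a small Python model of how IOS evaluates an extended ACL applied out on the interface facing 10.0.0.18, run over constructed packets. It shows why the "something as simple as" list denies the DNS reply and the web server's SYN-ACK (both carry the well-known port as their source, not their destination, so "eq 53" and "eq 80" never match them), and why an "established" entry admits the SYN-ACK without admitting a fresh SYN to port 445. The two entries in ACL_FIXED and the outside address 203.0.113.5 are my assumptions, not taken from the thread.

```python
import ipaddress
# Toy model of how IOS walks an extended ACL applied "out" on the interface toward 10.0.0.18
# (added example): first match wins, implicit deny at the end, "eq" binds to the address it
# follows, and "established" requires the TCP ACK or RST bit to be set.
ACL_AS_POSTED = [                    # ninjaz's "something as simple as" list, minus port 443
    "permit udp host 10.0.0.10 host 10.0.0.18 eq 53",
    "permit tcp any host 10.0.0.18 eq 80",
    "permit icmp any any",
]
ACL_FIXED = ACL_AS_POSTED + [        # assumed fix: replies carry the well-known port as SOURCE
    "permit udp host 10.0.0.10 eq 53 host 10.0.0.18",
    "permit tcp any host 10.0.0.18 established",
]
def ip_match(addr, pattern):
    if pattern == "any":
        return True
    if pattern.startswith("host "):
        return addr == pattern[5:]
    net, wild = pattern.split()      # wildcard mask: set bits are "don't care"
    mask = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wild))
    return int(ipaddress.IPv4Address(addr)) & mask == int(ipaddress.IPv4Address(net)) & mask
def parse_ace(line):
    tok = line.split()
    ace, i = {"action": tok[0], "proto": tok[1]}, 2
    for side in ("src", "dst"):
        if tok[i] == "any":
            ace[side], i = "any", i + 1
        else:                        # "host X" and "X WILDCARD" are both two tokens
            ace[side], i = f"{tok[i]} {tok[i + 1]}", i + 2
        if i < len(tok) and tok[i] == "eq":
            ace[side + "_port"], i = int(tok[i + 1]), i + 2
    ace["established"] = i < len(tok) and tok[i] == "established"
    return ace
def evaluate(acl, pkt):
    for ace in map(parse_ace, acl):
        if ace["proto"] not in ("ip", pkt["proto"]) or not (
                ip_match(pkt["src"], ace["src"]) and ip_match(pkt["dst"], ace["dst"])):
            continue
        if any(ace.get(k) is not None and pkt.get(k) != ace[k] for k in ("src_port", "dst_port")):
            continue
        if ace["established"] and not (pkt.get("ack") or pkt.get("rst")):
            continue
        return ace["action"]
    return "deny"                    # the implicit deny nobody writes down

# Constructed packets leaving the router toward the server, i.e. what the "out" ACL sees.
DNS_REPLY = {"proto": "udp", "src": "10.0.0.10", "src_port": 53, "dst": "10.0.0.18", "dst_port": 50123}
SYN_ACK = {"proto": "tcp", "src": "203.0.113.5", "src_port": 80, "dst": "10.0.0.18", "dst_port": 50124, "ack": True}
NEW_SYN = {"proto": "tcp", "src": "203.0.113.5", "src_port": 40000, "dst": "10.0.0.18", "dst_port": 445}
```

Run evaluate(ACL_AS_POSTED, SYN_ACK) and evaluate(ACL_FIXED, SYN_ACK) side by side to see the difference the established entry makes; NEW_SYN stays denied under both lists.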