Help with ACL

Hi, I'm hoping maybe someone can help me out on this one?

I have a single 2514 router that is routing between a 192.168.100.0 /24 network & and 166.79.55.128 /26 network (not a real public IP - just for test).

The routers Ethernet interfaces are configured as follows:

Eth0: 166.79.55.132 /26
Eth1: 192.168.100.5 /24

What I want to do create an ACL on the Eth1 interface that stops all traffic from the 192.168.100.x network from getting into the 166.79.55.132 /26 network (EXCEPT the following ports):
tcp 80
tcp 60010
tcp 5060
tcp 3333
tcp 1525
udp snmp
tcp range 42152 65536

I want to allow all traffic from the 166.79.55.132 network to be able to reach the 192.168.100.x network. Could someone help me out. Does the ACL below look correct for what I'm trying to accomplish? or do I have the IP addresses going the wrong direction?

access-list 102 permit ip 166.41.80.128 0.0.0.63 any
access-list 102 deny ip any any log

access-list 103 permit tcp 192.168.100.0 0.0.0.255 host 166.79.55.132 0.0.0.63 eq www
access-list 103 permit tcp 192.168.100.0 0.0.0.255 host 166.79.55.132 0.0.0.63 eq 60010
access-list 103 permit tcp 192.168.100.0 0.0.0.255 host 166.79.55.132 0.0.0.63 eq 5060
access-list 103 permit tcp 192.168.100.0 0.0.0.255 host 166.79.55.132 0.0.0.63 eq 3333
access-list 103 permit tcp 192.168.100.0 0.0.0.255 host 166.79.55.132 0.0.0.63 eq 1525
access-list 103 permit udp 192.168.100.0 0.0.0.255 host 166.79.55.132 0.0.0.63 eq snmp
access-list 103 permit udp 192.168.100.0 0.0.0.255 host 166.79.55.132 0.0.0.63 eq range 42152 65535
access-list 103 deny ip any any log

int eth1
access-list 102 in
access-list 103 out

THANKS!!!

Find more posts tagged with

Save $250 on 2025 certification boot camps from Infosec!

Book now with code EOY2025

Button

Comments

zeus09

Hi,
The acl's seem to be allright, but i think there is no need for acl 102, as all traffic from the 166.79.55.132/26 network is to allowed, moreover try to apply acl 103 as "in", not as "out", on eth1, as network traffice from network 192.168.100.0/24.
Please lemme know if that helps, or if does not solve the purpose.
Regards
Zeus

dtlokee

In access-list 102 you are using the host keyword and a wildcard mask, you don't need the host keyword and in the second to las line you used "udp" instead of tcp so you will be permitting the usp range 42152 to 65535

r_durant

dtlokee wrote:

In access-list 102 you are using the host keyword and a wildcard mask, you don't need the host keyword and in the second to las line you used "udp" instead of tcp so you will be permitting the usp range 42152 to 65535

DT...I don't see the keyword host in the access-list 102, I think you meant access-list 103...:)

skizzer...as DT was saying you don't need the 'host' keyword in access-list 103, you use the 'host' keyword when you're referring to one specific host and not a range of hosts...

skizzer

Thanks the input everyone. I changed the port range statement (42152 to 65535) to TCP instead of UDP. I took out the 102 ACL completely. What seems to be happening is, with only the 103 ACL applied, it IS allowing traffic to pass on the chosen ports (going outbound Eth 1) however, it also seems to be blocking all traffic going going inbound Eth1. I put another line in the 103 ACL to allow port 69 (TFTP) to pass going inbound to Eth, however, when running a sniffer on the 166.x.x.x side it's not getting out. Weird. Do I need to change what interface I have the ACL on?

Thanks again.

r_durant

If you apply the acl to Eth0, I'd specify it as 'in'...

If you apply the acl to Eth1, I'd specify it as 'out'...

I'd say you can do either, but if I remember correctly, the Cisco rule of thumb is normally to apply the extended acl closest to the source (Eth0 in this case)...

You're allowing traffic from 166. to 192. correct?

166.79.55.132/26 --->[Eth0] R2514 [Eth1] ---> 192.168.100.0/24

So I'd apply the acl to Eth0 'in'...

skizzer

well, with the help from everyone and little logic, I think I got it working. At the end of the ACL after the "deny ip any any" statement, I included the "permit ip any any" statement and it's working now.

access-list 103 deny ip any any log
access-list 103 permit ip any any

All of the examples I saw for what what I was trying to accomplish never had the "permit ip any any" statement in it so this one kind of stumped me.

Thanks again for the responses everybody, much appreciated.