access-lists aaarrrgh!

Im hoping there will be a lightbulb moment with ACLs like there was with subnets but until then...

Ive got 2 lans/2 routers with serial connection in a sim lab and for 2 days now ive not been able to figure out how to do something which I think is simple.

Host 1 (172.16.64.2/20) on LanA is not allowed outside its network apart from to access SERVER1 (172.16.16.2/20) on LanB

Whatever I do I either block everything from LanA from getting outside the router or I permit everything and its getting frustrating.

heres what i thought would work on the router closest to the router...
access-list 102 permit ip 172.16.64.2 0.0.0.0 172.16.16.2 0.0.0.0

Find more posts tagged with

Save $250 on 2025 certification boot camps from Infosec!

Book now with code EOY2025

Button

Comments

Drakonblayde

which interface are you applying the access list to and in what direction?

Drakonblayde

Ok, I tossed together a quick lab to test this. Your command should work.... so your error is probably in the way you're setting it on the interface.

What I did was this..

Host computer, 172.16.64.2 connected to router1 via ethernet interface 172.16.64.1

Router1 connected to router2 via WIC serial connection, 172.16.16.1 to 172.16.16.2 (didn't have another host to stick on the other side of the router, but for all intents and purposes this works just as well). Setup RIP on router 1 and router 2, routing for all networks just to make sure their weren't any router issues.

I also setup a loopback on router 1, 10.0.0.1.

I added your access-list command, and then applied to router 1's ethernet interface for inbound packets.. command

ip access-group 102 in

The effect of this was that I was able to ping 172.16.16.2, but pings to 172.16.16.1 and 10.0.0.1 failed.... which is exactly describing the conditions you wanted, it can't touch ANYTHING outside it's subnet except for that one specific IP address. When I removed the access list, everything was pingable

I suspect you may be getting confused with what's in and whats out. Keep in mind that you have to look at it from the router interfaces point of view. Inbound packets would be those coming from the subnet, and outbound would be those going to the subnet.

If you're still running into problems, post your configs and I'll see what I can do.

Alien

I'm assuming host1 with address 172.16.64.2 is connected to Router1 on interface e 0.

Router1(config)#access-list 101 permit ip 172.16.64.2 0.0.0.0 172.16.16.2 0.0.0.0

Router1(config)#access-list 101 deny ip host 172.16.64.2 any

Router1(config)#access-list 101 permit ip any any

Router1(config)#int e 0
Router1(config-if)#ip access-group 101 in

Yankee

At a quick glance I prefer Alien's response because he didn't kill all other traffic from other hosts.

I think the router will change the command to "permit ip host 172.16.64.2 host 172.16.16.2" but it is 0500 and I ain't awake yet

Yankee

Drakonblayde

Hehe when an access-list question comes up, I try to work within the parameters that the poster specifies.

That and the fact that I was answering with 10 minutes until quitting time hehe

My point was, his command *will* work if it's implemented properly, but he didn't seem to get why it was failing.

If I were designing this network, I'd make the assumption that the entire subnet is supposed to be denied traffic to the outside except for that one server, in which case I'd just change the wildcard mask to reflect that subnet.

The reason I *wouldn't* use Alien's command set is that the host could get around the ACL simply by changing it's IP. That's bad security practice and defeats the purpose of the ACL in the first place. Leaving out the permit ip any any keeps traffic confined to the subnet except that which is explicitly allowed outside. The way he's got it setup locks that one host to that one ip if he wants to get to that server, which is better security practice and a more effective use of an ACL.

rentaghost

Thanks for the help so far, I seem to have got a handle on it now i've applied the list to the ethernet interface rather than a serial interface on the router.

Ive got a working list that I can play about with and get more complex.

To be honest i'm not 100% sure that Boson Router Sim behaves in exactly the same way as the routers in class.

Drakonblayde

Yeah, as a general rule, you want to keep traffic that's going to be blocked from traversing as little of the network as possible. So if you're going to deny traffic from a specific subnet, you should do it as close to the source as possible.

Alien

The reason I *wouldn't* use Alien's command set is that the host could get around the ACL simply by changing it's IP. That's bad security practice and defeats the purpose of the ACL in the first place. Leaving out the permit ip any any keeps traffic confined to the subnet except that which is explicitly allowed outside. The way he's got it setup locks that one host to that one ip if he wants to get to that server, which is better security practice and a more effective use of an ACL.

From my understanding rentaghost wanted to block only those traffic from host1 to any other network apart from those directed to 172.16.16.2 and permit all other traffic hence my reason for adding the permit any statements. Otherwise Drakonblayde has a good point on security which happens to be the main purpose for creating an ACL in the first place. Nice to hear you now got a handle on it.

Cheers!

shadown7

rentaghost wrote:

To be honest i'm not 100% sure that Boson Router Sim behaves in exactly the same way as the routers in class.

I know for a fact they don't. When I was working on my Cisco II case study I used the Boson Sim. After I got the ACL's up I tried them out and they never worked right. This, at first made me think I was doing something wrong. So I asked for help here and at school and I found out that I wasn't doing anything wrong at all. The same ACL's I made in the Sim worked on the real routers. I like Boson but I'm not going to trust them for ACL's again.