Problem with IN - OUT ACL on VLAN
  • Problem with IN - OUT ACL on VLAN

    Problem with following ACL's applied on VLAN:

    Info:
    VLAN A = 10.0.10.0/24
    VLAN B = 10.0.20.0/24
    VLAN C = 10.0.30.0/24
    VLAN D = 10.0.40.0/24

    ACL's applied on VLAN B in & out.

    Rules should be:

    ACL ext. vlan100-out “traffic to the VLAN B”
    1. Host 10.0.10.2 permit IP to VLAN B
    2. Any permit ICMP Echo to VLAN B
    3. Any permit TCP 161 & 9100 to VLAN B
    4. VLAN D permit TCP 23 & 80 & 443 to VLAN B
    5. Deny all other traffic


    ip access-list extended vlan100-out

    remark restrict traffic to the Printer Network
    permit ip host 10.0.10.2 any
    permit icmp any any echo
    permit tcp any any eq 9100
    permit tcp any any eq 161
    permit tcp 10.0.40.0 0.0.0.255 any eq telnet
    permit tcp 10.0.40.0 0.0.0.255 any eq www
    permit tcp 10.0.40.0 0.0.0.255 any eq 443
    deny ip any any


    ACL ext. vlan100-in “traffic from the VLAN B”
    1. VLAN B permit IP to Host 10.0.10.2
    2. VLAN B permit ICMP Echo to ANY
    3. VLAN B permit TCP 161 & 9100 to ANY established
    4. VLAN B permit TCP 23 & 80 & 443 to VLAN D established
    5. Deny all other traffic


    ip access-list extended VLAN100-in

    remark restrict traffic from the Printer Network
    permit ip any host 10.0.10.2
    permit icmp any any echo-reply
    permit tcp any any established eq 9100
    permit tcp any any established eq 161
    permit tcp any 10.0.40.0 0.0.0.255 established eq telnet
    permit tcp any 10.0.40.0 0.0.0.255 established eq www
    permit tcp any 10.0.40.0 0.0.0.255 established eq 443
    deny ip any any


    Problem is after applying those ACL's:

    Any permit TCP 161 & 9100 to VLAN B
    won’t work

    VLAN B permit TCP 23 & 80 & 443 to VLAN D established
    Not restricted anymore, open for ANY

    If I use only the Rule for OUT to the VLAN B, then everything is fine.
    But my Boss wants to have a separated ACL for incoming traffic.

    And I don’t know why it won't work.

    Any suggestion?

    Thanks

    Martin
    Last edited by Siemens_Thailand; 31st October 2008, 06:03.

  • #2
    Re: Problem with IN - OUT ACL on VLAN

    To debug ACL's, try adding "log" to the end of the "deny ip any any" statement, then enable "term mon" and watch for the denies being printed to the screen. Modify ACL's as needed.

    With regards to your post, I believe you need to change vlan100-in to properly deal with established reply packets' source ports. Example: port 9100

    change from:
    Code:
    permit tcp any any established eq 9100
    change to:
    Code:
    permit tcp any eq 9100 any established
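The point of the reply above is easy to see once the two directions on the SVI are kept apart: "out" is traffic the router sends into VLAN B, where the printer port (9100, 23, ...) is the destination port, and "in" is traffic arriving from VLAN B, where the same service port is now the source port and the destination port is the client's ephemeral port. An entry like `permit tcp any any established eq 9100` in the "in" ACL therefore asks for a reply whose destination port is 9100, which never happens, so the reply falls through to the `deny ip any any`. Moving the operator to the source side (`permit tcp any eq 9100 any established`) matches what actually comes back. The same applies to the telnet/www/443 entries for VLAN D.

The following is an added example, not code from the thread or from Cisco: a small Python model of first-match extended ACL evaluation, run over constructed packets to show the original entry failing and the corrected entry matching. It assumes first match wins with an implicit deny at the end, that `established` is true when the ACK or RST flag is set on the packet being inspected, that only the `eq` operator is used (port keywords such as `telnet` are written as numbers), and that the poster's `established eq 9100` ordering means destination port 9100 (how the line reads; whether IOS accepts that ordering is not discussed in the thread). The printer 10.0.20.10, the clients 10.0.10.50, 10.0.40.5 and 10.0.30.7, and the ephemeral ports are all made up for the example. The last packet, a forged ACK from source port 9100 to an unrelated host and port, shows the caveat a practitioner should keep in mind: `established` is a stateless flag check, not connection tracking, so the corrected ACL still passes any packet that sets the ACK bit and uses an allowed source port.

```python
"""Added example (not from the forum thread): a first-match evaluator for Cisco
IOS-style extended ACL entries. Hosts and ports used below are constructed for
the example; see the lead-in for the other assumptions."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:
    proto: str            # "tcp" here; ICMP entries are left out of the example
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    ack: bool = False     # ACK/RST set: the only thing 'established' looks at

@dataclass(frozen=True)
class Rule:
    action: str
    proto: str
    src: ipaddress.IPv4Network
    sport: Optional[int]
    dst: ipaddress.IPv4Network
    dport: Optional[int]
    established: bool
    text: str

def _addr(tok, i):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD' starting at tok[i]."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    wildcard = int(ipaddress.ip_address(tok[i + 1]))       # 0.0.0.255 -> /24
    netmask = ipaddress.ip_address(~wildcard & 0xFFFFFFFF)
    return ipaddress.ip_network(f"{tok[i]}/{netmask}", strict=False), i + 2

def _port(tok, i):
    """Consume an optional 'eq <number>' at tok[i] (port keywords written as numbers)."""
    if i < len(tok) and tok[i] == "eq":
        return int(tok[i + 1]), i + 2
    return None, i

def parse_rule(line: str) -> Rule:
    """Parse 'permit|deny <proto> <src> [eq p] <dst> [eq p] [established]'."""
    tok = line.split()
    established = "established" in tok
    tok = [t for t in tok if t != "established"]   # accept the flag in either spot
    src, i = _addr(tok, 2)
    sport, i = _port(tok, i)
    dst, i = _addr(tok, i)
    dport, i = _port(tok, i)
    return Rule(tok[0], tok[1], src, sport, dst, dport, established, line.strip())

def matches(rule: Rule, pkt: Packet) -> bool:
    """Stateless per-packet match: 'established' checks only this packet's flags."""
    return (rule.proto in ("ip", pkt.proto)
            and ipaddress.ip_address(pkt.src) in rule.src
            and ipaddress.ip_address(pkt.dst) in rule.dst
            and rule.sport in (None, pkt.sport)
            and rule.dport in (None, pkt.dport)
            and (pkt.ack or not rule.established))

def evaluate(acl, pkt: Packet):
    """First matching entry wins; anything unmatched hits the implicit deny."""
    return next(((r.action, r.text) for r in acl if matches(r, pkt)),
                ("deny", "implicit deny"))

# The poster's vlan100-in as written (161/www/443 follow the 9100 and telnet pattern).
ACL_IN_ORIGINAL = [parse_rule(r) for r in (
    "permit ip any host 10.0.10.2",
    "permit tcp any any established eq 9100",
    "permit tcp any 10.0.40.0 0.0.0.255 established eq 23",
    "deny ip any any")]

# Post #2's fix: the service port is the reply's *source* port, so 'eq' moves left.
ACL_IN_FIXED = [parse_rule(r) for r in (
    "permit ip any host 10.0.10.2",
    "permit tcp any eq 9100 any established",
    "permit tcp any eq 23 10.0.40.0 0.0.0.255 established",
    "deny ip any any")]

# Constructed packets entering the SVI from VLAN B (the 'in' direction).
PRINT_REPLY = Packet("tcp", "10.0.20.10", "10.0.10.50", 9100, 40000, ack=True)
TELNET_REPLY = Packet("tcp", "10.0.20.10", "10.0.40.5", 23, 50123, ack=True)
PRINTER_SYN = Packet("tcp", "10.0.20.10", "10.0.40.5", 40001, 23)  # printer dials out
FORGED_ACK = Packet("tcp", "10.0.20.10", "10.0.30.7", 9100, 445, ack=True)

def compare(pkt: Packet):
    """Verdict of the original and the fixed ACL for one packet, as (orig, fixed)."""
    return evaluate(ACL_IN_ORIGINAL, pkt)[0], evaluate(ACL_IN_FIXED, pkt)[0]

if __name__ == "__main__":
    for pkt in (PRINT_REPLY, TELNET_REPLY, PRINTER_SYN, FORGED_ACK):
        print(f"{pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport} ack={pkt.ack}:", compare(pkt))
```

Running it prints `('deny', 'permit')` for the print-job and telnet replies (the original ACL drops them, the corrected one passes them), `('deny', 'deny')` for a printer-initiated telnet SYN (no ACK bit, so `established` blocks it either way), and `('deny', 'permit')` for the forged ACK, which is why `established` ACLs are a convenience for reply traffic and not a substitute for reflexive ACLs or a stateful firewall when the printer VLAN is not trusted. The `log` keyword on the final deny, as suggested above, is the quickest way to see which of these cases a real device is hitting.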
