Solved

Cisco ACL

Posted on 2009-04-07
Last Modified: 2012-05-06
I need to figure out what I am doing wrong with the ACL below. I need to permit the hosts listed here, but I also need to block the ones listed. The catch is that the deny statements are on a 0.0.0.255 subnet, while the 10.10.0.30, 10.10.0.130 and 10.10.1.156 0.0.0.31 range are actually on a 0.0.255.255 subnet.

Also, "deny ip 10.0.2.0 0.0.0.255 10.10.0.0 0.0.255.255" blocks everything on the 0.0.255.255, but if I change it to 0.0.0.255 everything from 10.10.0.0 0.0.255.255 is allowed through.

How can I achieve what I need to do? Unfortunately, I can not change the 10.10.0.0 0.0.255.255 to a 0.0.0.255 subnet.

permit ip host 10.10.0.30 10.0.2.0 0.0.0.255
permit ip host 10.10.0.130 10.0.2.0 0.0.0.255
permit ip 10.10.1.156 0.0.0.31 10.0.2.0 0.0.0.255
deny ip 10.0.2.0 0.0.0.255 10.0.3.0 0.0.0.255
deny ip 10.0.2.0 0.0.0.255 10.10.0.0 0.0.0.255
permit ip any any

Question by:swcrook
29 Comments
 

Expert Comment

by:asavener
ID: 24090766
I'm confused, because it appears that sometimes 10.10.0.0/16 is the source with 10.0.2.0/24 as the destination, and sometimes the subnets are reversed.  In a normal routed environment, you wouldn't have both kinds of traffic going through the router in the same direction; it would indicate a routing loop and none of the traffic would ever arrive at its destination.


Can you provide us a brief diagram, and a more thorough description of what you're trying to accomplish?

Example:


10.0.2.0/24 <-> Router F0/0 - Router F0/1 <-> 10.10.0.0/16

All hosts on 10.0.2.0 should communicate with 10.10.0.30, 10.10.0.130, 10.10.1.156/27; all other traffic between these subnets should be blocked; traffic between other subnets should be allowed.

Author Comment

by:swcrook
ID: 24090928
Well, I need the 10.0.2.0 network to be able to pass traffic to 10.10.0.30, 10.10.0.130 and 10.10.1.156/27 but those addresses are on a /16 subnet. This traffic passes just fine without any other deny commands. However, I want to block everything on the 10.10.0.0/16 subnet other than the above mentioned IPs.

Your diagram is correct.
I am applying the ACL on the ingress, but I could be doing that wrong. I simply need to give access to 10.10.0.30/16, 10.10.0.130/16 and 10.10.1.156 - .187/16.

Expert Comment

by:atlas_shuddered
ID: 24091977
If I am understanding what is asked and written above correctly --

On Router F0/0 In

permit tcp 10.0.2.0 0.0.0.255 10.0.0.0 0.0.255.255 established
## above statement permits all return traffic from 10.0.0.0 back in (established is only accepted on tcp entries) ##
permit ip 10.0.2.0 0.0.0.255 host 10.10.0.30
permit ip 10.0.2.0 0.0.0.255 host 10.10.0.130
permit ip 10.0.2.0 0.0.0.255 host 10.10.1.156
permit ip 10.0.2.0 0.0.0.255 host 10.10.1.157
permit ip 10.0.2.0 0.0.0.255 host 10.10.1.158
permit ip 10.0.2.0 0.0.0.255 host 10.10.1.159
permit ip 10.0.2.0 0.0.0.255 10.10.1.160 0.0.0.15
permit ip 10.0.2.0 0.0.0.255 10.10.1.176 0.0.0.7
permit ip 10.0.2.0 0.0.0.255 host 10.10.1.184
permit ip 10.0.2.0 0.0.0.255 host 10.10.1.185
permit ip 10.0.2.0 0.0.0.255 host 10.10.1.186
permit ip 10.0.2.0 0.0.0.255 host 10.10.1.187
## above statements allow traffic from any host on the 10.0.2.0/24 subnet to communicate with the hosts 10.10.0.30, 130, 156, 157, 158, 159, 184, 185, 186, 187 and the ranges 10.10.1.160 - 175 and 10.10.1.176 - 183 ##
deny ip 10.0.2.0 0.0.0.255 10.0.0.0 0.0.255.255 log
## above statement denies all other traffic and logs it to buffer for troubleshooting ##

Having said that, I have to concur with asavener and go a step further and say that I don't get how in the world you are getting your routing to behave.  Technically you should have a blackhole.  I'd make an ip switch as soon as possible.

Expert Comment

by:Don Johnston
ID: 24092006
Another problem is there's no such network as 10.10.1.156/27

It would either have to be 10.10.1.156/30 or 10.10.1.128/27
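As an added example (mine, not code from any post in this thread), the following Python makes Don Johnston's alignment point concrete and reproduces the block split behind atlas_shuddered's per-host and wildcard entries above: it checks whether an address is a valid block start for a given prefix length, and covers an inclusive range such as 10.10.1.156 - .187 with the fewest aligned wildcard entries. The source 10.0.2.0 0.0.0.255 is the store subnet from the question.

```python
import ipaddress


def ip_to_int(ip: str) -> int:
    return int(ipaddress.IPv4Address(ip))


def int_to_ip(n: int) -> str:
    return str(ipaddress.IPv4Address(n))


def is_aligned_block(network: str, prefix_len: int) -> bool:
    """A /prefix_len block must start on a multiple of its size, so
    10.10.1.156/27 is not a network (156 is not a multiple of 32) while
    10.10.1.128/27 and 10.10.1.156/30 are."""
    host_bits = 32 - prefix_len
    return (ip_to_int(network) & ((1 << host_bits) - 1)) == 0


def range_to_acl_entries(first: str, last: str, src: str = "10.0.2.0 0.0.0.255"):
    """Cover the inclusive range first..last with the fewest aligned blocks and
    emit each as a Cisco 'permit ip SRC DST' entry (host form for a single
    address). Greedy: from the current start, take the largest block that is
    both aligned on its own size and does not run past 'last'."""
    start, end = ip_to_int(first), ip_to_int(last)
    entries = []
    while start <= end:
        size = 1
        while start % (size * 2) == 0 and start + size * 2 - 1 <= end:
            size *= 2
        base = int_to_ip(start)
        if size == 1:
            entries.append(f"permit ip {src} host {base}")
        else:
            # the wildcard is size-1: 0.0.0.3 for a /30, 0.0.0.15 for a /28, ...
            entries.append(f"permit ip {src} {base} {int_to_ip(size - 1)}")
        start += size
    return entries


if __name__ == "__main__":
    print(is_aligned_block("10.10.1.156", 27))  # False
    for entry in range_to_acl_entries("10.10.1.156", "10.10.1.187"):
        print(entry)
```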

Author Comment

by:swcrook
ID: 24097573
Ok, firstly this is all inherited, so I will start there. After researching the setup more, I was incorrect about the first diagram being correct. Here is what is actually happening:
MPLS Network:
10.0.0.0 /24 --> 10.10.0.1 (Gateway) -->10.10.1.3 (Firewall/Router) <-- 10.10.0.0 /16
10.10.0.1 Forwards all traffic to 10.10.1.3 from 10.0.0.0 and 10.10.0.0 traffic also goes to 10.10.1.3. Does that help?

Expert Comment

by:Don Johnston
ID: 24097605
So you have a 10.10.0.0/24 network AND a 10.10.0.0/16 network???

You can't do that.

Expert Comment

by:atlas_shuddered
ID: 24097708
Okay

swcrook -

Do us a favor and post the results of the following commands on the devices you have control of from the router out -

show ip interface brief
show ip route

In addition, if you could run:

show run

strip out any compromising information before posting. I'd like to see what these config points actually return. If I understand you correctly, traffic is passing without incident, you just want to ACL it, but from what you are relating, I agree with Don, it should not work. In fact, the router should be screaming at you in agony.

Author Comment

by:swcrook
ID: 24097979
I understand that you guys say it shouldn't work, but it does and has for however long the previous guy was here...6 years? To tell you how jacked up this really is:
There are many stores with a store number. The previous Network Admin decided that in order to make it easy on himself, he would subnet the IP addresses to be the store number... so store 3 is 10.0.3.0 /24, store 204 is 10.2.4.0 /24, etc. Well, the backend to all of this is that the corporate office houses everything that the stores communicate to, i.e, SQL databases, email, websites, proxy, etc.

The Corp office is subnetted to 10.10.0.0 /16. I have asked to change this, but management doesn't want the "headache" right now. I am sure you all have been there and done that. So, being as I don't fully know how to ACL a /24 to a /16 without blocking huge chunks of the network and subnet, that is why I have this question.

The MPLS network is what the stores use to connect to a 3XT at Corp. That same router connects a 2XT for Internet access. So, the MPLS and Internet access are contained within the same router. In order to get Internet access, there is a sonicwall device which routes and firewalls the connections. That device is the 10.10.1.3 and sits in-between the 10.10.0.1 router and the 10.10.0.0 /16 network.

My thoughts were to change the 10.10.0.0 to a totally different scheme, but that isn't feasible given management's opposition at this time. So, can I use this as an excuse to move towards a more stable and "standard" network routing? If so, given the setup of the stores/MPLS network to the 10.10.0.1 router, what would be the ideal setup for the corporate office's routed network settings?

Expert Comment

by:Don Johnston
ID: 24098028
I'm not saying it won't work... Just that it's wrong. "Working" is a whole 'nuther matter. :-)



Expert Comment

by:atlas_shuddered
ID: 24098722
swcrook

Are all your outlying subnets on /24 networks with your corporate on 10.0.0.0/16?  In addition, none of your store networks reside on anything 10.0 correct?  They all reside on a network of 10.1.0.0 or higher yes?

Expert Comment

by:atlas_shuddered
ID: 24098880
Correction to above:

Your stores/outlying networks reside on 10.0.0.0/24.

Your corporate sets in a 10.10.0.0/16.

Your MPLS/routing resides inside the 10.10.0.0/16 range as well?

Author Comment

by:swcrook
ID: 24099875
Correction to above:

Your stores/outlying networks reside on 10.0.0.0/24.

Your corporate sets in a 10.10.0.0/16.

Your MPLS/routing resides inside the 10.10.0.0/16 range as well

Well, almost. The MPLS network are the stores, so "resides inside the 10.10.0.0/16 range as well" can be taken different ways I guess. Each store is 10.0.0.0 /24. Stores numbered above 100 internally are instead subnetted as 10.1.0.0, etc. That goes for stores numbered 200 internally, i.e. 10.2.0.0. Anything under 100 is 10.0.1.0.

So, say we are talking about store 112, that would be 10.1.12.0. Store 101 would be 10.1.1.0 (because the octet cant be "01"), etc.

The 10.10.0.1 Gig interface is what allows communication on the Cisco 2821 router to the sonicwall which resides at 10.10.1.3. The sonicwall then routes everything on the 10.10.0.0 /16 side of things. I hope that helps.


Expert Comment

by:atlas_shuddered
ID: 24099911
And you are trying to set up the ACL on the 2821 interface facing the MPLS correct?

Author Comment

by:swcrook
ID: 24099975
Actually, I was trying to make each 1721 (at each store) block it from that end. So, going back to the original ACL you saw, I will be blocking every other store from accessing the current store I am on; hence,
deny ip 10.0.2.0 0.0.0.255 10.0.3.0 0.0.0.255
deny ip 10.0.2.0 0.0.0.255 10.10.0.0 0.0.0.255

So, on the 1721 at store 2, on the ingress, I would be blocking 10.0.3.0, 10.0.4.0 --> every store we have. On the 10.10.0.0 /16 network, I have various workstations that need to access all stores. The ideal situation is to segment each store so that they can not see one another, as well as allowing only certain 10.10.0.0 /16 IPs from the corporate office to have access to each store. Is this not a logical way to do it? At each store router?

Author Comment

by:swcrook
ID: 24100030
Also, I obviously omitted the repetitive deny lines that list each deny statement for every store, but other than the basic "deny ip 10.0.2.0 0.0.0.255 10.0.3.0 0.0.0.255", each line is the same except the store number changing, i.e.
deny ip 10.0.2.0 0.0.0.255 10.0.3.0 0.0.0.255
deny ip 10.0.2.0 0.0.0.255 10.0.4.0 0.0.0.255
deny ip 10.0.2.0 0.0.0.255 10.0.5.0 0.0.0.255
etc...
When I move to store 3, I simply change the deny statement to:
deny ip 10.0.3.0 0.0.0.255 10.0.1.0 0.0.0.255
deny ip 10.0.3.0 0.0.0.255 10.0.2.0 0.0.0.255
deny ip 10.0.3.0 0.0.0.255 10.0.4.0 0.0.0.255
etc...

 If I am thinking about this wrongly, please correct my error in thinking :)
Thanks!

Expert Comment

by:atlas_shuddered
ID: 24103701
If I'm understanding everything correctly, why not just set the ACL at the store level to:

deny ip 10.x.x.0 0.0.0.255 10.0.0.0 0.7.255.255

This will deny network activity leaving the local subnet (where x is the local subnet address) destined for anything in the range of 10.0.0.0 - 10.7.255.255

if you need higher you could also insert:

deny ip 10.x.x.0 0.0.0.255 10.8.0.0 0.1.255.255

which will cover the range 10.8.0.0 - 10.9.255.255

from there you could put in your individual host lists like we started out above:

permit ip 10.0.2.0 0.0.0.255 host 10.10.0.30
permit ip 10.0.2.0 0.0.0.255 host 10.10.0.130
permit ip 10.0.2.0 0.0.0.255 host 10.10.1.156
permit ip 10.0.2.0 0.0.0.255 host 10.10.1.157
permit ip 10.0.2.0 0.0.0.255 host 10.10.1.158
permit ip 10.0.2.0 0.0.0.255 host 10.10.1.159
permit ip 10.0.2.0 0.0.0.255 10.10.1.160 0.0.0.15
permit ip 10.0.2.0 0.0.0.255 10.10.1.176 0.0.0.7
permit ip 10.0.2.0 0.0.0.255 host 10.10.1.184
permit ip 10.0.2.0 0.0.0.255 host 10.10.1.185
permit ip 10.0.2.0 0.0.0.255 host 10.10.1.186
permit ip 10.0.2.0 0.0.0.255 host 10.10.1.187

So your whole list would look like this if it were on the 2 subnet as above:

10 deny ip 10.0.2.0 0.0.0.255 10.0.0.0 0.7.255.255
20 deny ip 10.0.2.0 0.0.0.255 10.8.0.0 0.1.255.255
30 permit ip 10.0.2.0 0.0.0.255 host 10.10.0.30
40 permit ip 10.0.2.0 0.0.0.255 host 10.10.0.130
50 permit ip 10.0.2.0 0.0.0.255 host 10.10.1.156
60 permit ip 10.0.2.0 0.0.0.255 host 10.10.1.157
70 permit ip 10.0.2.0 0.0.0.255 host 10.10.1.158
80 permit ip 10.0.2.0 0.0.0.255 host 10.10.1.159
90 permit ip 10.0.2.0 0.0.0.255 10.10.1.160 0.0.0.15
100 permit ip 10.0.2.0 0.0.0.255 10.10.1.176 0.0.0.7
110 permit ip 10.0.2.0 0.0.0.255 host 10.10.1.184
120 permit ip 10.0.2.0 0.0.0.255 host 10.10.1.185
130 permit ip 10.0.2.0 0.0.0.255 host 10.10.1.186
140 permit ip 10.0.2.0 0.0.0.255 host 10.10.1.187
150 deny ip 10.0.2.0 0.0.0.255 10.0.0.0 0.255.255.255
160 permit ip any any

The above list will provide for the following:

Denies traffic to any network or host between 10.0.0.0 - 10.9.255.255. This line is not completely necessary and can be removed as line 150 will catch this traffic as well, I only place it here as it provides a quick filter for anything destined for these points immediately and doesn't allow them to burn through another 13 lines of processing/memory. The next 12 lines allow traffic to the desired hosts on the 10.10.0.0 network. Line 150 denies any other traffic destined for any other host on the 10.0.0.0/8 range. Line 160 allows all remaining traffic out for internet etc.

One other note. Before you begin inputting the above commands be sure to perform a write mem or copy run start, whichever you are most comfortable with, then issue the reload command with a designated time limit:

reload in 20

This way, if you lose connectivity to the remote router you only have to sit with bated breath for 22 minutes or so. When it comes back up it will boot to the start config you just saved prior to beginning your changes. If it doesn't come back up you have a high likelihood of being able to blame it on a hardware failure!!

After you have performed the changes and have confirmed you still have connectivity cancel the reload:

reload cancel

And with that, you are off to the races and on your own....

Let us know how it works out.

Cheers

Atlas

Author Comment

by:swcrook
ID: 24106305
Ok, just so I am clear, I want to ask a few questions.
1) It appears I had the right train of thought with wanting to put an ACL (listed above) on each router at the store level while only changing the local subnet information. I think that is where you refer to 10.x.x.0.
2) Is it line 150 that will catch anything else on 10.10.x.0 so that only those hosts permitted can talk to 10.0.2.0 in our example above?
Thanks for this help. It really is very much appreciated!

Expert Comment

by:atlas_shuddered
ID: 24107665
On question:

1.  If you are trying to quench traffic that is leaving the store subnet and heading to corporate yes.  And,

2.  If you are attempting to stop the traffic from the local store subnet from being able to initiate traffic to the corporate subnet, yes. If you want to limit traffic from the corporate network down to the local store level as well then let me know, you'll need to build another ACL to quench that traffic at the corporate level with a few additional lines.

No problem

Cheers

Author Comment

by:swcrook
ID: 24107801
Well, my understanding might be lacking, but since the traffic coming from the stores is blocked via the ACL there, even though the corp office can initiate traffic, the corp office shouldn't get an ACK back (unless it is a permitted host/IP), correct? Traffic can get there, but there shouldn't be a response?

If I want to be certain, I assume I would be placing the ACL on the 10.10.0.1 router?

Expert Comment

by:atlas_shuddered
ID: 24107948
Okay - if the traffic is initiated from the corporate side (only using the ACL as it is set up right now) return traffic should be permitted back. Sometimes this function doesn't work correctly and you will need to use a permit established ack/syn but you want to avoid this if you can as it introduces security concerns.

Yes, if you are trying to block traffic from the corporate to the stores you would want to place it at the 10.10.0.1 router so that you quench the traffic prior to it crossing the MPLS circuit.  It is for this same reason that you are placing the ACL above correctly.

Author Comment

by:swcrook
ID: 24108148
The traffic that is permitted back is only for the hosts that are permitted with the above ACL, correct? I do want to block traffic going from the corp office to the stores unless I specifically allow that traffic to the stores via a permit ip host in the ACL. So, I still need another ACL at corp.

Also, couldn't I edit the above ACL to use fewer lines by:
10 deny ip 10.0.2.0 0.0.0.255 10.0.0.0 0.7.255.255
20 deny ip 10.0.2.0 0.0.0.255 10.8.0.0 0.1.255.255
30 permit ip 10.0.2.0 0.0.0.255 host 10.10.0.30
40 permit ip 10.0.2.0 0.0.0.255 host 10.10.0.130
50 permit ip 10.0.2.0 0.0.0.255 10.10.1.152 0.0.0.7
60 permit ip 10.0.2.0 0.0.0.255 10.10.1.160 0.0.0.15
70 permit ip 10.0.2.0 0.0.0.255 10.10.1.176 0.0.0.15
80 permit ip 10.0.2.0 0.0.0.255 host 10.10.1.184
90 permit ip 10.0.2.0 0.0.0.255 host 10.10.1.185
100 permit ip 10.0.2.0 0.0.0.255 host 10.10.1.186
110 permit ip 10.0.2.0 0.0.0.255 host 10.10.1.187
120 deny ip 10.0.2.0 0.0.0.255 10.0.0.0 0.255.255.255
130 permit ip any any
I assume the 10 - 130 numbering at the beginning of each line is for ease of reference as we discuss and not for the actual router?

Author Comment

by:swcrook
ID: 24108208
Oops, I meant:
10 deny ip 10.0.2.0 0.0.0.255 10.0.0.0 0.7.255.255
20 deny ip 10.0.2.0 0.0.0.255 10.8.0.0 0.1.255.255
30 permit ip 10.0.2.0 0.0.0.255 host 10.10.0.30
40 permit ip 10.0.2.0 0.0.0.255 host 10.10.0.130
50 permit ip 10.0.2.0 0.0.0.255 10.10.1.152 0.0.0.7
60 permit ip 10.0.2.0 0.0.0.255 10.10.1.160 0.0.0.15
70 permit ip 10.0.2.0 0.0.0.255 10.10.1.176 0.0.0.15
80 deny ip 10.0.2.0 0.0.0.255 10.0.0.0 0.255.255.255
90 permit ip any any

Expert Comment

by:atlas_shuddered
ID: 24108565
You can definitely truncate like that if you are okay with blocking the additional addresses.

In fact you could truncate one more line by dropping line 70 and changing 60 to -

60 permit ip 10.0.2.0 0.0.0.255 10.10.1.160 0.0.0.31

This will mask out from 160 - 191 with one line versus the 2 lines above.

Don't know why I got stuck on the ranges that I had above.

So then the only point left is the Corporate router ACL correct?
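As an added example (mine, not code from any post in this thread), the following Python models how IOS evaluates an extended ACL, top-down with first match and an implicit deny, using Cisco wildcard-mask semantics, and runs it over the compacted store-2 ACL agreed just above (lines 10 to 90, with line 60 widened to 0.0.0.31). The flows it checks are constructed sample addresses; the wildcard_match function also shows why the 0.0.0.255 and 0.0.255.255 masks in the original question behave so differently.

```python
import ipaddress


def ip_to_int(ip: str) -> int:
    return int(ipaddress.IPv4Address(ip))


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 1 bit in the wildcard is 'don't care'.
    10.10.0.0 0.0.0.255 therefore covers only 10.10.0.x, while
    10.10.0.0 0.0.255.255 covers the whole /16."""
    care = 0xFFFFFFFF ^ ip_to_int(wildcard)
    return (ip_to_int(addr) & care) == (ip_to_int(base) & care)


def _take_address(tokens):
    """Consume one address spec: 'any', 'host A', or 'A WILDCARD'."""
    if tokens[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    return (tokens[0], tokens[1]), tokens[2:]


def parse_entry(line: str):
    """Parse '[seq] permit|deny ip SRC DST [log]'. Only plain 'ip' entries are
    modelled; tcp/udp ports and 'established' are out of scope here."""
    tokens = line.split()
    if tokens[0].isdigit():  # sequence number, as 'show access-list' prints it
        tokens = tokens[1:]
    action, rest = tokens[0], tokens[2:]
    src, rest = _take_address(rest)
    dst, _ = _take_address(rest)
    return action, src, dst


def evaluate(acl, src: str, dst: str):
    """IOS walks the ACL top-down and stops at the first matching entry; a
    packet that matches nothing hits the implicit deny at the end."""
    for line in acl:
        action, (sb, sw), (db, dw) = parse_entry(line)
        if wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw):
            return action, line
    return "deny", "implicit deny any any"


# Constructed copy of the compacted store-2 ACL from the thread.
STORE2_ACL = [
    "10 deny ip 10.0.2.0 0.0.0.255 10.0.0.0 0.7.255.255",
    "20 deny ip 10.0.2.0 0.0.0.255 10.8.0.0 0.1.255.255",
    "30 permit ip 10.0.2.0 0.0.0.255 host 10.10.0.30",
    "40 permit ip 10.0.2.0 0.0.0.255 host 10.10.0.130",
    "50 permit ip 10.0.2.0 0.0.0.255 10.10.1.152 0.0.0.7",
    "60 permit ip 10.0.2.0 0.0.0.255 10.10.1.160 0.0.0.31",
    "80 deny ip 10.0.2.0 0.0.0.255 10.0.0.0 0.255.255.255",
    "90 permit ip any any",
]

if __name__ == "__main__":
    for dst in ("10.10.0.30", "10.0.3.5", "10.10.1.190", "10.10.1.200", "8.8.8.8"):
        print(f"10.0.2.10 -> {dst}: {evaluate(STORE2_ACL, '10.0.2.10', dst)}")
```

Note that 10.10.1.190 is permitted by line 60: that is the "additional addresses" atlas_shuddered mentions when widening .160 to a 0.0.0.31 mask.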

Expert Comment

by:atlas_shuddered
ID: 24108589
Add note:  The number does make it easier, and no you don't have to input it at build but if you run a show access-list after you have built it you will see the numbers show up.  You can use these to insert lines versus ripping and replacing the whole ACL at a later update.

Author Comment

by:swcrook
ID: 24108672
Nice, increments of 10 only? I always thought you had to delete the whole ACL then just add it again with the corrections. I am learning a lot from this question :) I assume you can delete the line too, which is also nice!
Yes, I would like to implement a ACL at the corp router so that only hosts which have permission could get to any store.

Expert Comment

by:atlas_shuddered
ID: 24108712
Try this for your corporate ACL
permit ip host 10.10.0.30 10.0.0.0 0.7.255.255
permit ip host 10.10.0.30 10.8.0.0 0.1.255.255
permit ip host 10.10.0.130 10.0.0.0 0.7.255.255
permit ip host 10.10.0.130 10.8.0.0 0.1.255.255
permit ip 10.10.1.152 0.0.0.7 10.0.0.0 0.7.255.255
permit ip 10.10.1.152 0.0.0.7 10.8.0.0 0.1.255.255
permit ip 10.10.1.160 0.0.0.31 10.0.0.0 0.7.255.255
permit ip 10.10.1.160 0.0.0.31 10.8.0.0 0.1.255.255
deny ip 10.10.0.0 0.0.255.255 10.0.0.0 0.7.255.255
deny ip 10.10.0.0 0.0.255.255 10.8.0.0 0.1.255.255
permit ip any any


Expert Comment

by:atlas_shuddered
ID: 24108728
You can change the incrementation as needed, it just dumps in incrementing at 10 as a default.

With the ACL above you can change it up a bit for performance issues, but it will make it longer.

Author Comment

by:swcrook
ID: 24108850
Thanks for all the help! I wish I could give you 500 points x 3 :) Anyhow, I am going to leave this open for a few days while I implement this so that if I have any more questions about this, I can just post it here. Otherwise, I'll be awarding the points to you after that. Thanks again!

Accepted Solution

by:
atlas_shuddered earned 500 total points
ID: 24108894
No worries

Post back if you have trouble. Just remember to use the reload command before you start with any of the remote routers.