Cisco Router Access List

I have a Cisco Router where gig0/0 is connected to the internet and Vlan1 is also using a public IP address with an ACL applied to it. I want to allow a specific IP range to port 80 on a server connected to the VLAN interface on the router at IP address 199.199.199.2

interface GigabitEthernet0/0
 ip address 71.x.x.x 255.255.255.252
 ip accounting output-packets
 ip accounting precedence input
 ip accounting precedence output
 ip nat outside
 ip virtual-reassembly

interface Vlan1
 ip address 199.199.199.1 255.255.252.0
 ip access-group acl-inbound in

ip access-list extended acl-inbound
 permit tcp 87.87.87.0 0.0.0.255 199.199.199.2 0.0.0.0 eq 80
 deny ip any any

That's really the only unique code in the config. I do a sh access-list and it doesn't even show me a hit count on the ACL.  What am I doing wrong?
Asked by lconnell
Don Johnston (Instructor) commented:
Either reverse the source and destination address or apply the ACL outbound
 
lconnell (Author) commented:
That doesn't seem to work. Plus, the traffic is coming in to that interface, correct?
 
lconnell (Author) commented:
Can you explain the traffic flow? I see any traffic coming into the interface from the Gig0/0 to the Vlan1 and anything out is Vlan1 to Gig0/0.

Am I seeing this incorrectly?
 
Don Johnston (Instructor) commented:
interface Vlan1
 ip address 199.199.199.1 255.255.252.0
 ip access-group acl-inbound in

ip access-list extended acl-inbound
 permit tcp 87.87.87.0 0.0.0.255 199.199.199.2 0.0.0.0 eq 80
 deny ip any any

What this config does is:

1) Any traffic entering the VLAN 1 interface (which means traffic on VLAN1 going to a different network) is subject to the ACL named "acl-inbound".
2) The first line of the ACL says: If it's coming from IP address 87.87.87.??? and it's going to 199.199.199.2, TCP port 80, then permit it.
3) If it doesn't match the first line, then the second line says: if it's using IP and it's coming from anywhere and going anywhere, deny it.

So the bottom line is that unless the traffic coming off VLAN1 is originating from the 87.87.87.0 network and going to 199.199.199.1, TCP port 80, it's not getting through.
 
lconnell (Author) commented:
Ok thank you. That makes sense now.

So if I want to block all hosts except for 87.87.87.5 to access host 199.199.199.2:80 on VLAN1 wouldn't I want to stop the traffic before it even reached that host, instead of blocking the traffic coming from 199.199.199.2?

Should I be applying an ACL on Gig0/0?

Can you give me an example and your recommendation, explanation?

Thanks a lot!
 
Don Johnston (Instructor) commented:
Where is the host 87.87.87.5 located and where is the host 199.199.199.2 located?
 
lconnell (Author) commented:
87.87.87.5 is a host on a completely different network. Say my home office.

199.199.199.2 is connected to VLAN1 at a Data Center.

(87.87.87.5 Client) -> (71.x.x.x Gig0/0) -> (199.199.199.1 VLAN1) -> (199.199.199.2 VLAN1)
 
Don Johnston (Instructor) commented:
There are four basic approaches to this type of task:

1) Stop the traffic from entering at the outside interface.
2) Stop the traffic from exiting the inside interface.
3) Stop the traffic from entering the inside interface.
4) Stop the traffic from exiting the outside interface.

Every one of these will work. The questions are: which one is the most efficient, and which one is the easiest.

For example, if you go with approach 1, every single packet coming in off the internet will have to be checked. With approach 4, the traffic will have entered the network, gone through the router, hit the server, and gone through the router again before being discarded before exiting.

Personally, I would use approach 2.

access-list 101 permit tcp 87.87.87.5 0.0.0.0 199.199.199.2 0.0.0.0 eq 80
! everything not matched above is dropped by the implicit deny at the end of the ACL
int vlan 1
 ip access-group 101 out

I didn't see an "ip nat inside" on the VLAN1 interface, but there's an "ip nat outside" on the gig 0/0 interface. Is this an omission?
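To make the "in" versus "out" point above concrete, here is a small Python model of where an IOS interface ACL is consulted; it is an added example, not IOS and not the router in this thread. It assumes the flow the asker drew (client traffic arrives on Gig0/0 and leaves via Vlan1, replies the reverse) and a constructed ephemeral port for the server's reply; the addresses and the ACL lines are the thread's own.

```python
# Toy model of WHERE an IOS interface ACL is consulted (an added example,
# not IOS and not the router in the thread): an "in" ACL sees packets that
# ARRIVE on that interface, an "out" ACL sees packets that LEAVE by it.
# Addresses, the ACL and the Vlan1/Gig0/0 topology are the thread's own.
from ipaddress import IPv4Address


def wc_match(addr, base, wildcard):
    """Cisco wildcard mask: a 0 bit means that bit must match exactly."""
    care = 0xFFFFFFFF ^ int(IPv4Address(wildcard))
    return (int(IPv4Address(addr)) & care) == (int(IPv4Address(base)) & care)


def ace_matches(ace, pkt):
    """ace = (action, proto, src, src_wc, dst, dst_wc, dport-or-None)."""
    _, proto, src, src_wc, dst, dst_wc, dport = ace
    return ((proto == "ip" or proto == pkt["proto"])
            and (dport is None or dport == pkt["dport"])
            and wc_match(pkt["src"], src, src_wc)
            and wc_match(pkt["dst"], dst, dst_wc))


def evaluate(acl, hits, pkt):
    """First match wins; IOS ends every ACL with an implicit 'deny ip any any'."""
    for i, ace in enumerate(acl):
        if ace_matches(ace, pkt):
            hits[i] += 1
            return ace[0]
    return "deny"


def forward(pkt, in_if, out_if, acls, hits):
    """acls maps (interface, direction) -> ACL; ingress is checked before egress."""
    for key in ((in_if, "in"), (out_if, "out")):
        if key in acls and evaluate(acls[key], hits, pkt) == "deny":
            return "deny"
    return "permit"


def scenario(direction):
    """Apply acl-inbound on Vlan1 in the given direction, then push the client's
    request and the server's reply through the router. Returns
    (request verdict, reply verdict, per-line hit counts as 'sh access-list' would)."""
    acl = [("permit", "tcp", "87.87.87.0", "0.0.0.255", "199.199.199.2", "0.0.0.0", 80),
           ("deny", "ip", "0.0.0.0", "255.255.255.255", "0.0.0.0", "255.255.255.255", None)]
    hits = [0, 0]
    acls = {("Vlan1", direction): acl}
    request = {"proto": "tcp", "src": "87.87.87.5", "dst": "199.199.199.2", "dport": 80}
    reply = {"proto": "tcp", "src": "199.199.199.2", "dst": "87.87.87.5", "dport": 51000}  # constructed ephemeral port
    req = forward(request, "Gig0/0", "Vlan1", acls, hits)   # arrives Gig0/0, leaves Vlan1
    rep = forward(reply, "Vlan1", "Gig0/0", acls, hits)     # arrives Vlan1, leaves Gig0/0
    return req, rep, hits
```

With the ACL applied "in" on Vlan1 the client's request is never checked (zero hits, matching the asker's observation) while the server's reply is dropped by "deny ip any any"; applied "out", the request hits the permit line and the reply is untouched. Note that with only the single permit line, approach 2 also drops every other packet leaving Vlan1, so any other host on 199.199.199.0/22 would need its own permit entries.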
 
lconnell (Author) commented:
There is not a 'nat inside' on VLAN1. No NAT needs to happen; public IPs are being used.

The only inside nat is shown below, but that is for a different subnet.

interface GigabitEthernet0/1.3001
 description Route To SW1
 encapsulation dot1Q 3001
 ip address 172.31.x.x 255.255.255.0
 ip nat inside
 ip virtual-reassembly

ip nat inside source list nat-outbound interface GigabitEthernet0/0 overload

ip access-list extended nat-outbound
 permit ip 172.31.x.x 0.0.0.255 any
 
lconnell (Author) commented:
That worked btw, thank you very much. I was just looking at outside and inside backwards. I was seeing it as traffic going outside and traffic coming in, instead of traffic hitting the outside and traffic hitting the inside... if that makes sense :)