[c-nsp] ACL making me insane

Enno Rey erey at ernw.de
Tue Jun 3 13:57:22 EDT 2008


Hi,

First: I do not have a consistent explanation for the observed behaviour.
Two things come to mind however:

a) why have that "deny ip any any" rule at all? Everything not explicitly permitted is denied anyway.

b) did you try adding a "log" statement to the deny rules and watching the logs? [or debug by other means (debug commands)... which might not be possible given the production state of the box]

c) just an idea... did you try the same on a physical if? In the past I sometimes encountered strange packet-handling stuff on sub-ifs.

thanks,

Enno


On Wed, Jun 04, 2008 at 03:23:05AM +1000, Skeeve Stevens wrote:
> 
> Hey all,
> 
> Got an issue with the below ACL.  The inbound to the PROTECTEDSERVER is
> working ok.. port 80 is allowed, RDP from one trusted machine.
> But on the outbound, with the deny ip any any active (notice the !), the
> inbound won't work, nor can the server get out.
> 
> What am I missing?
> 
> Basically what I want to do is deny all, allow only certain things.. 
> 
> .Skeeve
> 
> !
> no ip access-list extended FWCUST_XXX_IN
> ip access-list extended FWCUST_XXX_IN
>  remark Inbound Firewall rules for XXX Services
>  permit tcp any host PROTECTEDSERVER established
>  permit tcp host ALLOWEDREMOTE host PROTECTEDSERVER eq 3389
>  permit tcp any host PROTECTEDSERVER eq 80
>  permit icmp any any
>  deny   ip any any
> !
> no ip access-list extended FWCUST_XXX_OUT
> ip access-list extended FWCUST_XXX_OUT
>  remark Outbound Firewall rules for XXX Services
>  permit tcp any any established
>  permit tcp host PROTECTEDSERVER host SAFEMAIL eq smtp
>  permit tcp host PROTECTEDSERVER host SAFEMAIL eq pop3
>  permit icmp any any
>  permit tcp host PROTECTEDSERVER any eq domain
>  permit udp host PROTECTEDSERVER any eq domain
>  permit tcp host PROTECTEDSERVER any eq 80
>  permit tcp host PROTECTEDSERVER any eq 21
>  permit udp host PROTECTEDSERVER any eq 20
> ! deny   ip any any
> !
> !
> !
> interface GigabitEthernet0/2.402
>  ip access-group FWCUST_XXX_OUT in
>  ip access-group FWCUST_XXX_IN out
> !
> end
> !
> 
> --
> Skeeve Stevens, RHCE
> skeeve at skeeve.org / www.skeeve.org
> Cell +61 (0)414 753 383 / skype://skeeve
> 
> eintellego - skeeve at eintellego.net - www.eintellego.net 
> --
> I'm a groove licked love child king of the verse 
> Si vis pacem, para bellum
> 
> 
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/

-- 
Enno Rey

ERNW GmbH - Breslauer Str. 28 - 69124 Heidelberg - www.ernw.de
Tel. +49 6221 480390 - Fax 6221 419008 - Cell +49 173 6745902
PGP FP 055F B3F3 FE9D 71DD C0D5  444E C611 033E 3296 1CC1

Commercial register Heidelberg: HRB 7135
Managing directors: Roland Fiege, Enno Rey
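A way to get the same information Enno's point (b) asks for from `log` without touching the production box is to walk sample flows through the two ACLs offline and see which entry each one hits. The evaluator below is an added example written for this thread, not code from the list or from either poster. It understands only the subset of IOS extended-ACL syntax used in the post (permit/deny, tcp/udp/icmp/ip, `any` or `host X`, `eq <port>` on the destination, `established`), and binds the symbolic names PROTECTEDSERVER, ALLOWEDREMOTE and SAFEMAIL to constructed RFC 5737 addresses so the entries can be parsed; the sample packets are likewise constructed. Both variants of the OUT list are embedded (deny line commented out as posted, and uncommented) so point (a) can be checked directly: an unmatched packet is denied either way.

```python
"""Evaluate a Cisco IOS-style extended ACL against sample packets (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed bindings for the symbolic names in the post (RFC 5737 test ranges).
NAMES = {"PROTECTEDSERVER": "192.0.2.10", "ALLOWEDREMOTE": "198.51.100.5", "SAFEMAIL": "203.0.113.25"}
PORT_NAMES = {"smtp": 25, "pop3": 110, "domain": 53, "www": 80, "ftp": 21, "ftp-data": 20}

# The two lists from the post, verbatim apart from the 'host' keyword on the smtp line.
IN_ACL = """
ip access-list extended FWCUST_XXX_IN
 remark Inbound Firewall rules for XXX Services
 permit tcp any host PROTECTEDSERVER established
 permit tcp host ALLOWEDREMOTE host PROTECTEDSERVER eq 3389
 permit tcp any host PROTECTEDSERVER eq 80
 permit icmp any any
 deny ip any any
"""
OUT_ACL_AS_POSTED = """
ip access-list extended FWCUST_XXX_OUT
 permit tcp any any established
 permit tcp host PROTECTEDSERVER host SAFEMAIL eq smtp
 permit tcp host PROTECTEDSERVER host SAFEMAIL eq pop3
 permit icmp any any
 permit tcp host PROTECTEDSERVER any eq domain
 permit udp host PROTECTEDSERVER any eq domain
 permit tcp host PROTECTEDSERVER any eq 80
 permit tcp host PROTECTEDSERVER any eq 21
 permit udp host PROTECTEDSERVER any eq 20
! deny ip any any
"""
OUT_ACL_WITH_DENY = OUT_ACL_AS_POSTED.replace("! deny ip any any", " deny ip any any")

@dataclass
class Packet:
    proto: str              # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    ack_or_rst: bool = False  # what IOS 'established' tests: ACK or RST bit set

@dataclass
class Entry:
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]
    established: bool
    text: str

def _addr(tokens):
    """Consume 'any' or 'host X' from the token list and return it as a network."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        name = tokens.pop(0)
        return ipaddress.ip_network(NAMES.get(name, name) + "/32")
    raise ValueError(f"unsupported address form: {tok}")

def parse_acl(text):
    """Parse the entries of one 'ip access-list extended' block, in order."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        # '!' starts a comment in IOS, so the commented-out deny is (correctly) ignored.
        if not line or line[0] == "!" or line.split()[0] in ("remark", "ip", "no"):
            continue
        tokens = line.split()
        action, proto, rest = tokens[0], tokens[1], tokens[2:]
        src, dst = _addr(rest), _addr(rest)
        dport, established = None, False
        while rest:
            tok = rest.pop(0)
            if tok == "eq":
                port = rest.pop(0)
                dport = PORT_NAMES.get(port) or int(port)
            elif tok == "established":
                established = True
            else:
                raise ValueError(f"unsupported keyword: {tok}")
        entries.append(Entry(action, proto, src, dst, dport, established, line))
    return entries

def _matches(e, pkt):
    if e.proto != "ip" and e.proto != pkt.proto:
        return False
    if ipaddress.ip_address(pkt.src) not in e.src or ipaddress.ip_address(pkt.dst) not in e.dst:
        return False
    if e.dport is not None and pkt.dport != e.dport:
        return False
    if e.established and not (pkt.proto == "tcp" and pkt.ack_or_rst):
        return False
    return True

def evaluate(entries, pkt):
    """First-match semantics; anything unmatched hits the implicit deny at the end."""
    for e in entries:
        if _matches(e, pkt):
            return e.action, e.text
    return "deny", "<implicit deny at end of list>"

if __name__ == "__main__":
    srv = NAMES["PROTECTEDSERVER"]
    flows = [("IN", IN_ACL, Packet("tcp", "198.51.100.7", srv, 40000, 80)),
             ("OUT", OUT_ACL_AS_POSTED, Packet("tcp", srv, "198.51.100.7", 80, 40000, True)),
             ("OUT", OUT_ACL_AS_POSTED, Packet("udp", srv, "203.0.113.53", 50000, 53)),
             ("IN", IN_ACL, Packet("udp", "203.0.113.53", srv, 53, 50000))]
    for name, text, pkt in flows:
        print(name, pkt.proto, f"{pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}", evaluate(parse_acl(text), pkt))
```

Running it lists, for each constructed flow, the entry that decided its fate. The last flow in the `__main__` list, a UDP DNS reply coming back to the server, is the kind of case worth checking against the IN list, since that list only permits TCP and ICMP; whatever the real cause on Skeeve's box turns out to be, tracing both directions of each flow this way narrows down which entry to put `log` on.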

