Cisco Access List Help

Right, I've got to put an access list on a Cisco switch at work.
The ACL I have on there at the moment is blocking all traffic rather than just the traffic I want.

It's meant to only allow traffic from one PC to a proxy server on port 8080, just to surf the net. It's got a static IP address outside of the DHCP scope, so it doesn't need access to a DHCP server. And I've included access to the DNS server, but the only part of the ACL that gets hits is the deny all statement.

acl-public-access
deny tcp any any eq 445 #active directory
deny tcp any any eq 137 #netbios
deny tcp any any eq 138 #netbios
deny tcp any any eq 139 #netbios

permit tcp host <pc ip> any established
permit udp host <pc ip> host <dns ip> eq domain
permit udp host <pc ip> host <other dns> eq domain
permit tcp host <pc ip> host <proxy ip> eq 8080
deny ip any any

Any Cisco people give any help as to why the hell this isn't working, cos I haven't got a clue!

Thanks
 
First of all, I'd scrap all the top deny statements; the deny all at the end of the ACL will block anything you haven't allowed, so there's no point in the first few commands.
 
Just a hunch, have you applied it to the correct interface?
If you turn on ACLs on Cisco kit, implicit deny is enabled by default. Make sure that you apply it to the right interface and in the right direction.
And as above, lose the deny statements; just add what you want to get through and leave it be. Also don't actually put deny ip any any on the end; Cisco kit does this automatically if none of the conditions are met.
 
Slightly OT - is this true on all Cisco kit? The 877 router I have needs to have the "deny ip any any" statement at the end of its access-list, otherwise it lets in all traffic.
 
Never heard of it before, unless there's a command in general config to turn off the implicit deny. I've never tried it on SOHO kit, only really Enterprise stuff (2600/2800 series and above), but if it runs the standard IOS I'd have expected it to be the same regardless of hardware. What version do you run on the 877?

For the sake of keeping this on topic:

The reason for me asking the question re interface and direction is that if it's on a host-facing interface/VLAN and set as outbound, then the communication from proxy back to client is being blocked, as this won't reply on 8080; it'll reply on a randomly assigned dynamic port and thus won't match your permit criteria.
ACLs are really anal; the order and placement have to be perfect, else they don't work.
 
Yeah, it's set inbound on the interface, so it applies to traffic going from the PC to the switch port.

About the first deny statements: they are there just for reference in case someone edits the config too much; those statements will prevent any file sharing between computers.

And I know there is an implicit deny all at the end, but I've been told it's always good practice to add your own for debugging purposes, i.e. sh ip access-list results.

Either way I can't test it now cos the IT tech at the other end has unplugged the PC and is off sick today... doh!
 
Just a crazy hunch, can you ping the proxy IP address? DNS can use both UDP and TCP, so I'm wondering if you need to allow TCP DNS traffic too.

And generally, as a neatness rule, I always use port numbers rather than "HTTP", "domain", "FTP", as it's clearer at a glance what's going on.

I'd still remove the deny statements. ACLs are always best kept basic, and if the ACL gets more complex it's a lot easier to troubleshoot without them. Not to mention they might interfere with things later on.
 
It would be clearer to see what the problem is if you copy and paste the relevant ACL and interface running configuration bits with modified IP address details if necessary.

You won't necessarily see hits on some rules since the kit may do this in hardware for speed, unless you force them to be processed, by logging for example.

ACLs are handled from the top down until the first match is found, so it's more efficient to have the highest expected hit matches at the top and any specific denies at the bottom. nbname (137) and nbdatagram (138) are UDP, by the way.
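The points made in the replies above (top-down first match, the implicit deny at the end, "established" only matching return segments, and nbname/nbdatagram being UDP so a tcp deny never sees them) can be checked with a small evaluator run over the poster's ACL. This is an added example, not code from the thread or from Cisco; the addresses are constructed placeholders, and "established" is modelled as matching only TCP segments with ACK or RST set.

```python
# Added example (not from the thread): first-match evaluator mimicking how IOS
# walks an extended ACL top-down and falls through to the implicit deny.
# Addresses are constructed placeholders, not the poster's real ones.
from dataclasses import dataclass

PC, PROXY, DNS1, DNS2 = "10.0.0.50", "10.0.0.10", "10.0.0.2", "10.0.0.3"

@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: int = 0      # destination port (0 for icmp)
    ack: bool = False   # TCP ACK/RST set: what "established" matches

# Entry: (action, proto, src, dst, dport, established); "any"/None = wildcard.
ACL = [  # the poster's ACL, as written
    ("deny",   "tcp", "any", "any", 445,  False),  # active directory
    ("deny",   "tcp", "any", "any", 137,  False),  # netbios (137 is really UDP)
    ("deny",   "tcp", "any", "any", 138,  False),  # netbios (138 is really UDP)
    ("deny",   "tcp", "any", "any", 139,  False),  # netbios
    ("permit", "tcp", PC,    "any", None, True),   # established
    ("permit", "udp", PC,    DNS1,  53,   False),  # eq domain
    ("permit", "udp", PC,    DNS2,  53,   False),
    ("permit", "tcp", PC,    PROXY, 8080, False),
]

def matches(entry, pkt):
    """True if every non-wildcard field of the entry matches the packet."""
    _, proto, src, dst, dport, established = entry
    return (proto in ("ip", pkt.proto)
            and src in ("any", pkt.src)
            and dst in ("any", pkt.dst)
            and (dport is None or dport == pkt.dport)
            and (not established or pkt.ack))

def evaluate(acl, pkt):
    """First match wins; no match means the implicit deny (index None)."""
    for i, entry in enumerate(acl):
        if matches(entry, pkt):
            return entry[0], i
    return "deny", None

if __name__ == "__main__":
    for p in (Packet("tcp", PC, PROXY, 8080),          # web via proxy
              Packet("tcp", PC, DNS1, 53),             # DNS over TCP: no rule
              Packet("icmp", PC, PROXY),               # ping: no rule
              Packet("udp", PC, "10.0.0.99", 137),     # nbname: tcp deny never hit
              Packet("tcp", PROXY, PC, 51000, True)):  # proxy reply if ACL outbound
        print(p, "->", evaluate(ACL, p))
```

The last packet shows the earlier point about direction: applied outbound on the host-facing interface, the proxy's reply has the proxy as source, so the "established" line (which requires the PC as source) never matches and the reply falls to the implicit deny.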
 
Well, problem solved. I went to look at the PC and firstly our IT technician who had set up the PC had plugged it into the wrong switch port (possibly to get it working, but who knows).
Secondly, he was meant to set up the PC with a static IP address and manually set the DNS servers, then freeze the config so any changes would reset with a reboot. He didn't... the PC was frozen... but it must have been after he made any changes, because they were not set when I looked at it.

The IP address and DNS were both picked up from DHCP, both of which were different to the addresses I had given him and obviously wouldn't work with the access list in place.

Thanks for all the help though. I changed the order a little, made it a little less restrictive and removed the denies that weren't needed.
 