Cisco Access List Help

nuttybugger · 6 Nov 2008 at 09:21

Right, i've got to put an access list on a cisco switch at work.
The acl i have on there at the moment is blocking all traffic rather than just the traffic i want.

Its meant to only allow traffic from one pc to a proxy server on port 8080 just to surf the net. Its got a static ip address outside of the dhcp scope so dont need access to a dhcp server. And i've included access to the dns server, but the only part of the acl that gets hits is the deny all statement.

acl-public-access
deny tcp any any eq 445 #active directory
deny tcp any any eq 137 #netbios
deny tcp any any eq 138 #netbios
deny tcp any any eq 139 #netbios

permit tcp host <pc ip> any established
permit udp host <pc ip> host <dns ip> eq domain
permit udp host <pc ip> host <other dns> eq domain
permit tcp host <pc ip> host <proxy ip> eq 8080
deny ip any any

Any cisco people give any help as to why the hell this isnt working, cos i havent got a clue!

thanks

Bakedgoods · 6 Nov 2008 at 09:31

First of all, i'd scrap all the top deny statements, the deny all at the end of the ACL will block anything you haven't allowed, so there's no point in the first few commands

Skidilliplop · 6 Nov 2008 at 10:37

Just a hunch, have you applied it to the correct interface?
If you turn on ACLs on cisco kit implicit deny enables by default. Make sure that you apply it to the right interface and in the right direction.
And as above, lose the deny statements, just add what you want to get through and leave it be. Also don't actually put Deny ip any any on the end, cisco kit does this automatically if none of the conditions are met.

growse · 6 Nov 2008 at 10:58

Skidilliplop said:
Just a hunch, have you applied it to the correct interface?
If you turn on ACLs on cisco kit implicit deny enables by default. Make sure that you apply it to the right interface and in the right direction.
And as above, lose the deny statements, just add what you want to get through and leave it be. Also don't actually put Deny ip any any on the end, cisco kit does this automatically if none of the conditions are met.

Slightly OT - is this true on all cisco kit? The 877 router I have needs to have the "deny ip any any" statement at the end of it's access-list otherwise it lets in all traffic.

Skidilliplop · 6 Nov 2008 at 12:14

Never heard of it before unless there's a command in general config to turn off the implicit deny. I've never tried it on SOHO kit only really Enterprise stuff (2600/2800 series and above) but if it runs the standard IOS I'd have expected it to be the same regardless of hardware. What version do you run on the 877?

For the sake of keeping this on Topic:

The reason for me asking the question re interface and direction is that if it's on a host facing interface/Vlan and set as outbound then the communication from Proxy back to client is being blocked as this won't reply on 8080 it'll reply on a randomly assigned dynamic port and thus won't match your permit criteria.
ACLs are really anal the order and placement have to be perfect else they don't work.

nuttybugger · 6 Nov 2008 at 14:18

yeah its set inbound on the interface. So it applies to traffic going from pc to the switch port.

about the first deny statements, they are there just for reference in case someone edits the config too much, those statements will prevent any file sharing between computers.

and i know there is an implicit deny all at the end but i've been told its always good practise to add your own, for debugging purposes ie sh ip access-list results

either way i cant test it now cos the IT tech at the other end has unplugged the pc and is off sick today....doh!

Skidilliplop · 6 Nov 2008 at 15:38

Just a crazy hunch can you ping the proxy IP address? DNS can use both UDP and TCP so I'm wondering if you need to allow TCP DNS traffic too.

And generally as a neatness rule I always use port numbers rather than "HTTP" "domain" "FTP" as it's clearer at a glance what's going on.

I'd still remove the deny statements. ACLs are always best kept basic and if the ACL gets more complex it's a lot easier to troubleshoot without them. Not to mention they might interfere with things later on.

Tui · 6 Nov 2008 at 20:09

It would be clearer to see what the problem is if you copy and paste the relevant ACL and interface running configuration bits with modified IP address details if necessary.

You won't necessarily see hits on some rules since the kit may do this in hardware for speed, unless you force them to be processed, by logging for example.

ACLs are handled from the top down until the first match is found so it's more efficient to have the highest expected hit matches at the top and any specific denys at the bottom. nbname (137) and nbdatagram (138) are UDP by the way.

nuttybugger · 11 Nov 2008 at 11:49

well problem solved. i went to look at the pc and firstly our IT technician who had set up the pc had plugged it into the wrong switch port (possibly to get it working but who knows).
Secondly he was meant to set up the pc with a static ip address and manually set the DNS servers then freeze the config so any changes would reset with a reboot. He didnt.... the pc was frozen... but it must have been after he made any changes because they were not set when i looked at it.

The ip address and dns were both picked up from dhcp, both of which were different to the addresses i had given him and obviously wouldnt work with the access list in place.

thanks for all the help though, i changed the order a little, made it a little less restrictive and removed the denys that werent needed.

Skidilliplop · 11 Nov 2008 at 15:38

I did originally scratch my head a lot as the ACL you posted looked pretty servicable.

Oh well, next time don't be so quick to assume YOU are wrong

Cisco Access List Help

More options

nuttybugger

nuttybugger

Bakedgoods

Bakedgoods

Capodecina

Skidilliplop

Skidilliplop

growse

growse

Skidilliplop

Skidilliplop

nuttybugger

nuttybugger

Skidilliplop

Skidilliplop

Tui

Tui

nuttybugger

nuttybugger

Skidilliplop

Skidilliplop