[139872] in North American Network Operators' Group
RE: Stupid Cisco ACL question
daemon@ATHENA.MIT.EDU (Jeff Saxe)
Thu Apr 21 15:28:29 2011
From: Jeff Saxe <jsaxe@briworks.com>
To: "up@3.am" <up@3.am>
Date: Thu, 21 Apr 2011 19:26:33 +0000
In-Reply-To: <85917f6e53edcd7cb06c4f2b18770dbc.squirrel@ssl.pil.net>
Cc: "nanog@nanog.org" <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
If this is applied inbound from the Internet, then the first two permits are permitting reply traffic from the far-end Web server's ports 80 or 443 back toward your surfing workstations or servers. You should think of those as

permit
- just TCP
-- where the SOURCE is any IP address, but source PORT of 80
-- and where the DESTINATION is any IP, any port

This is more applicable as a "poor man's firewall" where you're trying to permit inside workstations to get to certain services on the outside, and permit return traffic, but not have anyone outside reach services inside. But without a real stateful firewall it doesn't work too well.

Probably what you want is for the outside public to be able to reach just ports 80 and 443 on host 2.2.3.4, but no other services on that host, and other than those special cases, to be unrestricted through this interface. In that case, as Dorn Hetzel just chimed in, you probably want (spaced out to be clearer than the syntax naturally prints out)

permit    tcp    any    host 2.2.3.4 eq 80
permit    tcp    any    host 2.2.3.4 eq 443
deny      ip     any    host 2.2.3.4
permit    ip     any    any


-- Jeff Saxe


________________________________________
From: up@3.am [up@3.am]
Sent: Thursday, April 21, 2011 3:13 PM
To: nanog@nanog.org
Subject: Stupid Cisco ACL question

Ok, I've done a lot of Cisco standard and extended ACLs, but I do not understand why the following does not work the way I think it should. Near the end of this extended named ACL, I have the following:

 permit tcp any eq 443 any
 permit tcp any eq 80 any
 deny ip any host 2.2.3.4
 permit ip any any

This is applied to an inbound interface(s).  We want anybody outside to be able to reach ports 80 and 443 of any host on our network, no matter what, then block ALL other access to select hosts, such as 2.2.3.4, even ICMP. However, as soon as I apply this rule to the interface, ports 80 and 443 of that host become unreachable.  A telnet to 2.2.3.4 443 gets "Connection refused" until I tear out the deny ACL above.  I even tried adding udp for both ports, to no avail.

I had always thought that these ACLs were processed in order, so that the explicit permit statement, though limited to a specific protocol but for all hosts, gets considered before the explicit deny statement for all IP to a particular host.  What did I forget to consider?

TIA,

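The following is an added worked example, not code from either poster. It is a deliberately small first-match model of an IOS extended ACL, covering only the syntax that appears in the thread (`any`, `host A`, and `eq N` on either side; no wildcard masks, port ranges or `established`). It shows mechanically why the original list's `permit tcp any eq 443 any` never matches a client's inbound connection to port 443 (that line checks the source port, and the client's source port is ephemeral), so the packet falls through to `deny ip any host 2.2.3.4`, while the corrected list matches on the destination port. The client and second inside host addresses (203.0.113.5, 198.51.100.10, 2.2.3.50, 2.2.3.5) are constructed for the example; 2.2.3.4 is the host from the thread.

```python
"""First-match model of the two ACLs from the NANOG thread (added example).
Only the subset of IOS syntax used in the thread is parsed."""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str                  # "tcp", "udp" or "icmp"
    src: str                    # source IP
    dst: str                    # destination IP
    sport: Optional[int] = None # None for protocols without ports
    dport: Optional[int] = None


@dataclass(frozen=True)
class Ace:
    action: str                 # "permit" or "deny"
    proto: str                  # "ip" matches every protocol
    src: str                    # "any" or a host address
    dst: str
    sport: Optional[int] = None # "eq N" after the source, None = any port
    dport: Optional[int] = None # "eq N" after the destination

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if self.src != "any" and self.src != pkt.src:
            return False
        if self.dst != "any" and self.dst != pkt.dst:
            return False
        if self.sport is not None and self.sport != pkt.sport:
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        return True


def parse_ace(line: str) -> Ace:
    """Parse: action proto (any|host A) [eq N] (any|host B) [eq N]."""
    tok = line.split()
    action, proto, i = tok[0], tok[1], 2

    def addr() -> str:
        nonlocal i
        if tok[i] == "any":
            i += 1
            return "any"
        if tok[i] == "host":
            i += 2
            return tok[i - 1]
        raise ValueError(f"unsupported address form: {tok[i]!r}")

    def port() -> Optional[int]:
        nonlocal i
        if i < len(tok) and tok[i] == "eq":
            i += 2
            return int(tok[i - 1])
        return None

    src, sport = addr(), port()
    dst, dport = addr(), port()
    return Ace(action, proto, src, dst, sport, dport)


def evaluate(acl_text: str, pkt: Packet) -> Tuple[str, str]:
    """Return (action, matching line); unmatched packets hit the implicit deny."""
    for line in acl_text.strip().splitlines():
        ace = parse_ace(line.strip())
        if ace.matches(pkt):
            return ace.action, line.strip()
    return "deny", "(implicit deny)"


# The list from the question: the first two lines test the SOURCE port.
ORIGINAL_ACL = """
permit tcp any eq 443 any
permit tcp any eq 80 any
deny ip any host 2.2.3.4
permit ip any any
"""

# The list suggested in the reply: permits test the DESTINATION port.
CORRECTED_ACL = """
permit tcp any host 2.2.3.4 eq 80
permit tcp any host 2.2.3.4 eq 443
deny ip any host 2.2.3.4
permit ip any any
"""

CLIENT = "203.0.113.5"          # constructed outside client
OUTSIDE_WEB = "198.51.100.10"   # constructed outside web server
INSIDE_PC = "2.2.3.50"          # constructed inside workstation
OTHER_HOST = "2.2.3.5"          # constructed second inside host

# Outside client opening HTTPS to 2.2.3.4: ephemeral source port, dport 443.
inbound_https = Packet("tcp", CLIENT, "2.2.3.4", sport=51234, dport=443)
# Reply from an outside web server to an inside workstation (sport 443).
web_reply = Packet("tcp", OUTSIDE_WEB, INSIDE_PC, sport=443, dport=40000)
icmp_echo = Packet("icmp", CLIENT, "2.2.3.4")
inbound_ssh = Packet("tcp", CLIENT, "2.2.3.4", sport=51235, dport=22)
other_host_ssh = Packet("tcp", CLIENT, OTHER_HOST, sport=51236, dport=22)

if __name__ == "__main__":
    for name, acl in (("original", ORIGINAL_ACL), ("corrected", CORRECTED_ACL)):
        for label, pkt in (("inbound https", inbound_https), ("web reply", web_reply),
                           ("icmp echo", icmp_echo), ("ssh to 2.2.3.4", inbound_ssh),
                           ("ssh to other host", other_host_ssh)):
            print(f"{name:9} {label:18} -> {evaluate(acl, pkt)}")
```

Running it prints that under the original list the inbound HTTPS connection is caught by `deny ip any host 2.2.3.4` (the only line it matches), while the reply from an outside web server is what the `eq 443` line actually permits; under the corrected list the HTTPS connection is permitted by the destination-port line, ICMP and SSH to 2.2.3.4 are denied, and traffic to other hosts still falls through to `permit ip any any`.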