Home page logo
/

basics logo Security Basics mailing list archives

Re: ACL router problem
From: <grendel () marslander org>
Date: Sat, 9 Oct 2010 14:08:10 +0200

Hello,

First time I respond on this list I think. So here goes. I will explain the logic of the ACL instead of giving you just the answer ;).

1) if you put a permit tcp you are actually telling the acl to work on tcp level. This means that ports are taken into account. Suppose you have a http proxy server ( 192.168.1.2 )connecting to the internet you would put something like:
example: access-list 111 permit tcp host 192.168.1.2 any eq 80
Notice that a port is specified after the eq. Also notice the host argument and no wildcard mask is given.

2) if you put ip it will not check any further. This is commonly used in nat's and to permit traffic from one subnet to another. example: access-list 111 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
no port is specified here.

3) ACL's read from top to bottom and first match wins.

4) explicit deny any any in the end of an ACL. If you put deny any any in a numberred ACL you are actually reducing the scalabilty of the ACL.

5) named ACL's are easier to manage. Command is "ip access-list"

6) watch out with wildcard masks. If you are not sure do not hesitate to use a tool to calculate it. There are some free ones on the net just google them.


So what you need is something like
access-list 111 permit ip 192.168.0.0 0.0.255.255 host 192.168.1.15
and make sure no other sequence matches before this line.

On a side note this looks a bit weird as your destination host lies inside the subnet of your LAN it seems? Than again I do not know your topology.

cheers,




----- Original Message ----- From: "Juan B" <juanbabi () yahoo com>
To: "Shain Singh" <shain.singh () gmail com>
Cc: "security basics" <security-basics () securityfocus com>
Sent: Friday, October 08, 2010 4:11 AM
Subject: Re: ACL router problem


hi Shain!

thanks a lot the command you told me:

access-list 111 permit ip host 192.168.8.139 192.168.1.15 255.255.255.255

worked !!!

now I need to enable all the lan to connect tho this host 192.168.1.15 so I tried to add insted of the command you wrote this command:

access-list 111 permit tcp 192.168.0.0 0.0.255.255 192.168.1.15 255.255.255.255

or this one access-list 111 permit IP 192.168.0.0 0.0.255.255 192.168.1.15 255.255.255.255

but both didnt worked !!

any ideas??

thanks a lot !!

marco

--- On Thu, 10/7/10, Shain Singh <shain.singh () gmail com> wrote:

From: Shain Singh <shain.singh () gmail com>
Subject: Re: ACL router problem
To: "Juan B" <juanbabi () yahoo com>
Cc: "security basics" <security-basics () securityfocus com>
Date: Thursday, October 7, 2010, 7:38 PM
There are a few things that you would
need to look into.

You have the "deny" entry at the bottom logged, when you
try and
connect, do you see it in the logs? If so, it means you're
not
matching your ACL entry up the top.

Depending on how secure this network needs to be, did you
try allowing
all IP related traffic from your host instead of just TCP?

something like this could be where you would see a match.

access-list 111 permit ip host 192.168.8.139 192.168.1.15
255.255.255.255



On 8 October 2010 08:40, Juan B <juanbabi () yahoo com>
wrote:
> Hi ALL !!
>
> I need to connect from a host (192.168.8.139)in the
lan to host
> 192.168.1.15 so I put acl like this: ( I added the
first line )
>
> access-list 111 permit tcp host 192.168.8.139 any
> access-list 111 permit tcp 192.168.0.0 0.0.255.255
host 192.168.8.2 eq
> telnet
> access-list 111 permit tcp host 192.168.8.7 any
> access-list 111 permit tcp 192.168.0.0 0.0.255.255 any
eq www
> access-list 111 permit udp 192.168.0.0 0.0.255.255 any
eq domain
> access-list 111 permit tcp 192.168.0.0 0.0.255.255 any
eq 443
> access-list 111 permit tcp 192.168.0.0 0.0.255.255 any
eq 5900
> access-list 111 permit ip host 192.168.8.198 any
> access-list 111 permit ip host 192.168.8.199 any
> access-list 111 permit icmp any any echo-reply
> access-list 111 permit icmp any any echo
> access-list 111 permit icmp any any source-quench
> access-list 111 permit icmp any any time-exceeded
> access-list 111 deny icmp any any
> access-list 111 permit tcp any any established
> access-list 111 deny ip any any log
>
> take a look also at line 3 of the acl this host is the
internal mail
> server, from that mail server when I try to connect to
host
> 192.168.1.15 there is no problem !!! so I made a
similar entry to
> enable connection from my host (192.168.8.139) but It
doesnt work !! I
> know its a problem of the ACL beacuse when I remove
this ACL (which is
> applied to vlan 1 BTW) the connection works!!
>
> please help !
> marco
>
>
>
>
>
>
------------------------------------------------------------------------
> Securing Apache Web Server with thawte Digital
Certificate
> In this guide we examine the importance of Apache-SSL
and who needs an SSL certificate. We look at how SSL
works, how it benefits your company and how your customers
can tell if a site is secure. You will find out how to test,
purchase, install and use a thawte Digital Certificate on
your Apache web server. Throughout, best practices for
set-up are highlighted to help you ensure efficient ongoing
management of your encryption keys and digital
certificates.
>
> http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
>
------------------------------------------------------------------------
>
>



--
Shaineel Singh
e: shain.singh () gmail com
p: +61 422 921 951 begin_of_the_skype_highlighting +61 422 921 951 end_of_the_skype_highlighting
w: http://buffet.shainsingh.com

--
"Too many have dispensed with generosity to practice
charity" - Albert Camus

thanks




------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate. We look at how SSL works, how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------



------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate.  We look at how SSL works, how 
it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, 
install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are 
highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault