Home page logo
/

nanog logo nanog mailing list archives

RE: Stupid Cisco ACL question
From: Jeff Saxe <jsaxe () briworks com>
Date: Thu, 21 Apr 2011 19:26:33 +0000

If this is applied inbound from the Internet, then the first two permits are permitting reply traffic from the far-end 
Web server's ports 80 or 443 back toward your surfing workstations or servers. You should think of those as

permit
- just TCP
-- where the SOURCE is any IP address, but source PORT of 80
-- and where the DESTINATION is any IP, any port

This is more applicable as a "poor man's firewall" where you're trying to permit inside workstations to get to certain 
services on the outside, and permit return traffic, but not have anyone outside reach services inside. But without a 
real stateful firewall it doesn't work too well.

Probably what you want is for the outside public to be able to reach just ports 80 and 443 on host 2.2.3.4, but no 
other services on that host, and other than those special cases, to be unrestricted through this interface. In that 
case, as Dorn Hetzel just chimed in, you probably want (spaced out to be clearer than the syntax naturally prints out)

permit    tcp    any    host 2.2.3.4 eq 80
permit    tcp    any    host 2.2.3.4 eq 443
deny   ip    any     host 2.2.3.4
permit ip any any


-- Jeff Saxe


________________________________________
From: up () 3 am [up () 3 am]
Sent: Thursday, April 21, 2011 3:13 PM
To: nanog () nanog org
Subject: Stupid Cisco ACL question

Ok, I've done a lot of Cisco standard and extended ACLs, but I do not
understand why the following does not work the way I think it should.
Near the end of this extended named ACL, I have the following:

 permit tcp any eq 443 any
 permit tcp any eq 80 any
 deny ip any host 2.2.3.4
 permit ip any any

This is applied to an inbound interface(s).  We want anybody outside to be
able to reach ports 80 and 443 of any host on our network, no matter what,
then block ALL other access to select hosts, such as 2.2.3.4, even ICMP.
However, as soon as I apply this rule to the interface, ports 80 and 443
of that host become unreachable.  A telnet to 2.2.3.4 443 gets "Connection
refused" until I tear out the deny ACL above.  I even tried adding udp for
both ports, to no avail.

I had always thought that these ACLs were processed in order, so that the
explicit permit statement, though limited to a specific protocol but for
all hosts, gets considered before the explicit deny statement for all IP
to a particular host.  What did I forget to consider?

TIA,



  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault