Home page logo

nanog logo nanog mailing list archives

Re: Stupid Cisco ACL question
From: William Herrin <bill () herrin us>
Date: Thu, 21 Apr 2011 15:51:11 -0400

On Thu, Apr 21, 2011 at 3:13 PM,  <up () 3 am> wrote:
Ok, I've done a lot of Cisco standard and extended ACLs, but I do not
understand why the following does not work the way I think it should.
Near the end of this extended named ACL, I have the following:

 permit tcp any eq 443 any
 permit tcp any eq 80 any
 deny ip any host
 permit ip any any

This is applied to an inbound interface(s).

Many many problems with this ACL.

1. In the inbound (from the Internet) interface you want the
destination port, not the source port. I.e. permit tcp any any eq 443.
The above would only make sense if your web server was and the
ACL was applied to outbound traffic entering the interior router
interface (facing the web server). That's a back-assward way to do
things since you probably want to limit packets from reaching the web
server, not limit the web server's packets from exiting.

2. TCP packets go both ways and the ones you initiate tend to do so on
random ports. Implication: the destination port on this packet is the
source port on the reply. Your probably meant to block only the
connection establishment packet. I.e. permit tcp any any eq 443;
permit tcp any any established

3. ICMP destination unreachable messages are MANDATORY for TCP PMTUD
function. You didn't disable PMTUD on your server (it's on by default)
and we'd beat you up if you did. Your ACL breaks the protocol by
blocking those ICMP messages. Add "permit icmp any any unreachable"
prior to "deny ip any host"

4. Several other ICMP messages help you and your customers figure out
what's wrong when things don't work.  This includes echo-request and
echo-reply. Strongly advise you to enable them.

5. Is your DNS resolver inside your network? If not, you'll need to
enable UDP *and* TCP packets to and from the DNS resolver.

Bill Herrin

William D. Herrin ................ herrin () dirtside com  bill () herrin us
3005 Crane Dr. ...................... Web: <http://bill.herrin.us/>
Falls Church, VA 22042-3004

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]