TROUBLESHOOTING ACL EXTEND WITH INTERVLAN

Started by luispolanco, November 29, 2021, 12:23:27 PM


luispolanco

Greetings to all members of the community.

I have spent several days on this lab and I can't get it to work correctly.

I am a student of networks.

THE EXERCISE IS THE ONE WHICH IS GREEN
I have an EXTENDED ACL and two subinterfaces.

The requirement is:

192.168.3.0 can access the server

192.168.3.0 can access 192.168.1.0

and the negation is that 192.168.3.0

cannot access the 192.168.2.0 network

but what happens is that
the 192.168.3.0 network is accessing 192.168.2.0

when in the ACL I AM DENYING IT.

If someone can help me please

and tell me why this problem is happening.

Router# sh access-lists
Extended IP access list PRACTICE
    10 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
    20 permit tcp 192.168.3.0 0.0.0.255 host 172.19.10.2 eq www
    30 deny ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255


deanwebb

What about a deny any any all statement after the two permit statements?
Take a baseball bat and trash all the routers, shout out "IT'S A NETWORK PROBLEM NOW, SUCKERS!" and then peel out of the parking lot in your Ferrari.
"The world could perish if people only worked on things that were easy to handle." -- Vladimir Savchenko
Any questions? No questions! | BCEB: Belkin Certified Expert Baffler | "Plan B is Plan A with an element of panic." -- John Clarke
Accounting is architecture, remember that!
Air gaps are high-latency Internet connections.

Dieselboy

Hi Luis,

Please check how ACLs are configured and then applied in your case. For a single router, you will have two ingress and two egress locations:

-----(A) router(B)--------

The above diagram shows interface A and interface B only. Traffic can come "in" via interface A or interface B. The same applies in reverse, which is the egress.

I'm not sure where those IPs or subnets are located, but to make an ACL work you need to apply it to an interface and in a certain direction, such as "ip access-group PRACTICE in" or "ip access-group PRACTICE out".

2nd, I'd also place the deny statement at the top. So delete line number 30 and then re-create it at a line number above "10". For example:

conf t
ip access-list extended PRACTICE
no 30
9 deny ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255

Then if you want you can renumber the lines so that they increment in 10s again (like line 10, line 20, line 30):

ip access-list resequence PRACTICE 10 10

luispolanco

Quote from: Dieselboy on November 29, 2021, 07:31:23 PM

Sorry, changing the position of the ACL line as you mentioned solved the problem.

I would like to know why the order I had did not work,

when the two options were allowed
and the last choice was to deny,

because I thought that if I put the deny second it would not work for me, and the permit third.

Can you explain to me the why of all that please?

I am a student and I don't want to leave gaps in my mind.

deanwebb

Quick question: is the ACL applied inbound or outbound? Or both? We'd also need to see the interface configuration where the ACL is applied.

Dieselboy

In your case the order of the ACL should not matter. This is because the ACL has specific source and destination network subnets to match:

10 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
20 permit tcp 192.168.3.0 0.0.0.255 host 172.19.10.2 eq www
30 deny ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255

The above basically says:
10 = will match packets with source 192.168.3.0/24 and destination 192.168.1.0/24, but if no match then:
20 = will match TCP packets from source 192.168.3.0/24 and destination of a single host with IP/port 172.19.10.2:80. And if this line does not match either then:
30 = will drop packets that match source 192.168.3.0/24 and destination 192.168.2.0/24.

Example: line 10 only matches when the source and destination of packets fall within those subnet ranges, and it is unique and does not overlap with other lines. Since line 30 is also unique, reordering shouldn't have mattered.

Remember ACLs are processed from top to bottom and stop processing when there is a match. So, it would matter if you had something like a match "ANY" somewhere and need to make sure that the rules are processed in a specific order. For example, think of this as an internet-facing router. You might want to say "deny" any internet source to the router itself, but permit any to the routed public IP block which is handled by the firewall downstream. So in this case you would want to make sure that the deny rules are denying any IP traffic targeting the router itself but permitting any IP source traffic through the router; if the permit rule were above the deny rule then it would negate the deny rule, and the deny rule would never be matched because the permit rule above it matches the same traffic. Basically, place more specific rules at the top.

We still do not know how your ACLs were applied. If we knew that, it might be clearer why the re-ordering fixed your issue. Did you by any chance re-apply the ACL to the interface after re-ordering? Essentially, if the ACL was applied and is only working now, then maybe the router did not actually apply the ACL though the config was taken. That might be a software bug on the router, instead of a config issue. I cannot be certain without seeing more, though.
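An added example, not from the thread, that simulates the top-to-bottom, first-match processing Dieselboy describes: the PRACTICE list gives the same decision with the deny at line 30 or recreated at line 9, while two overlapping entries using permit ip any any show the case where order does decide. The small ACL parser, the www-to-80 mapping and the sample packets are my own assumptions, not anything from the original router.

```python
import ipaddress

# Added example, not from the thread: a first-match evaluator for Cisco-style
# extended ACL entries (reordering PRACTICE changes nothing; "any any" overlap does).
PORT_NAMES = {"www": 80}  # the only port keyword this ACL uses

def _parse_addr(tokens):
    """Consume one address term: any | host A | A WILDCARD."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    wildcard = int(ipaddress.IPv4Address(tokens.pop(0)))
    netmask = str(ipaddress.IPv4Address(0xFFFFFFFF ^ wildcard))
    return ipaddress.ip_network((tok, netmask), strict=False)

def parse_ace(line):
    """Parse 'SEQ permit|deny PROTO SRC DST [eq PORT]' into a dict."""
    tokens = line.split()
    ace = {"seq": int(tokens[0]), "action": tokens[1], "proto": tokens[2]}
    tokens = tokens[3:]
    ace["src"], ace["dst"] = _parse_addr(tokens), _parse_addr(tokens)
    ace["dport"] = (PORT_NAMES.get(tokens[1]) or int(tokens[1])) if tokens[:1] == ["eq"] else None
    return ace

def evaluate(acl_lines, proto, src, dst, dport=None):
    """Check entries in sequence order; first match wins, no match is the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in sorted(map(parse_ace, acl_lines), key=lambda a: a["seq"]):
        if (ace["proto"] in ("ip", proto) and s in ace["src"] and d in ace["dst"]
                and ace["dport"] in (None, dport)):
            return ace["action"], ace["seq"]
    return "deny", "implicit"

PRACTICE = [
    "10 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255",
    "20 permit tcp 192.168.3.0 0.0.0.255 host 172.19.10.2 eq www",
    "30 deny ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255",
]
# Dieselboy's fix: the same deny recreated as sequence 9, above line 10.
DENY_FIRST = PRACTICE[:2] + ["9 deny ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255"]
# Overlapping entries: "any any" also matches 192.168.3.0 -> 192.168.2.0, so here order decides.
PERMIT_ANY_ABOVE = ["10 permit ip any any", "20 deny ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255"]
PERMIT_ANY_BELOW = ["10 deny ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255", "20 permit ip any any"]
# Constructed sample packets: (proto, src, dst, dst port) and the PRACTICE line expected to match.
PACKETS = [("tcp", "192.168.3.10", "192.168.1.5", 22),     # line 10
           ("tcp", "192.168.3.10", "172.19.10.2", 80),     # line 20
           ("tcp", "192.168.3.10", "172.19.10.2", 443),    # no line: implicit deny
           ("icmp", "192.168.3.10", "192.168.2.5", None)]  # line 30
```

Running evaluate over PACKETS with PRACTICE and DENY_FIRST yields identical actions, whereas PERMIT_ANY_ABOVE lets the last packet through and PERMIT_ANY_BELOW drops it.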

deanwebb

I always put my specific deny rules at the top. Then my specific permits, then the deny any any all.

And if I'm feeling saucy, it's deny any any all log, because if it's logged, it's full security, right? :smug: