A little ACL help

Updated 8 months ago
I'm developing an ACL to allow guest use of certain resources on my network. In the end, the guest network will be its own subnet, so I want to apply this ACL at the VLAN level. I've got the ACL working at the port level, but when I apply it to the VLAN nothing works...

Where might I be messing this up?

entry allowswitchcom {
    if {
        source-address 10.0.99.200/32;
    } then {
        permit;
    }
}

entry allowswitchcom2 {
    if {
        source-address 10.0.99.254/32;
    } then {
        permit;
    }
}

entry denyswitch {
    if {
        destination-address 10.0.99.200/32;
        source-address 10.0.99.0/24;
    } then {
        deny;
    }
}

entry denyswitch2 {
    if {
        source-address 10.0.99.0/24;
        destination-address 10.0.99.254/32;
    } then {
        deny;
    }
}

entry denylocalssh {
    if {
        source-address 10.0.99.0/24;
        protocol tcp;
        destination-port 22;
    } then {
        deny;
    }
}

entry sshmgmt {
    if {
        destination-address 10.0.99.0/24;
        protocol tcp;
        destination-port 22;
    } then {
        deny;
    }
}

entry allowmakerlab {
    if {
        source-address 10.0.99.0/24;
        destination-address 10.0.99.0/24;
    } then {
        permit;
    }
}

entry allowdhcp {
    if {
        source-address 0.0.0.0/0;
        protocol udp;
        destination-port 67-68;
    } then {
        permit;
    }
}

entry allowdns {
    if {
        source-address 0.0.0.0/0;
        protocol udp;
        destination-port 53;
    } then {
        permit;
    }
}

entry allowntp {
    if {
        source-address 0.0.0.0/0;
        protocol udp;
        destination-port 123;
    } then {
        permit;
    }
}

entry allowvncmgmt {
    if {
        source-address 0.0.0.0/0;
        protocol tcp;
        source-port 5900-5910;
    } then {
        permit;
    }
}

entry allowwinlogon {
    if {
        source-address 10.0.99.0/24;
        protocol tcp;
        destination-port > 1024;
        destination-address 10.0.66.220/32;
    } then {
        permit;
    }
}

#entry allowprint515 {
#    if {
#        destination-address *printerIP/32;
#        protocol tcp;
#        destination-port 515;
#    } then {
#        permit;
#    }
#}

#entry allowprint631 {
#    if {
#        destination-address *printerIP/32;
#        protocol tcp;
#        destination-port 631;
#    } then {
#        permit;
#    }
#}

#entry allowprint9100 {
#    if {
#        destination-address *printerIP/32;
#        protocol tcp;
#        destination-port 9100;
#    } then {
#        permit;
#    }
#}

entry denyHTTPinternal10 {
    if {
        destination-address 10.0.0.0/8;
        protocol tcp;
        destination-port 80;
    } then {
        deny;
    }
}

entry denyHTTPinternal192 {
    if {
        destination-address 192.168.0.0/16;
        protocol tcp;
        destination-port 80;
    } then {
        deny;
    }
}

entry denyHTTPinternal172 {
    if {
        destination-address 172.16.0.0/12;
        protocol tcp;
        destination-port 80;
    } then {
        deny;
    }
}

entry denyHTTPsinternal10 {
    if {
        destination-address 10.0.0.0/8;
        protocol tcp;
        destination-port 443;
    } then {
        deny;
    }
}

entry denyHTTPsinternal192 {
    if {
        destination-address 192.168.0.0/16;
        protocol tcp;
        destination-port 443;
    } then {
        deny;
    }
}

entry denyHTTPsinternal172 {
    if {
        destination-address 172.16.0.0/12;
        protocol tcp;
        destination-port 443;
    } then {
        deny;
    }
}

entry allowhttpinternet {
    if {
        protocol tcp;
        destination-port 80;
    } then {
        permit;
    }
}

entry allowhttpsinternet {
    if {
        protocol tcp;
        destination-port 443;
    } then {
        permit;
    }
}

entry denyall {
    if {
        source-address 0.0.0.0/0;
    } then {
        deny;
    }
}
Terren Crider

Posted 8 months ago

Terren Crider
Tried to make some code tags... but that didn't work for me, either.
George Smith, Employee

Maybe in the

entry denyswitch  {
    if  {
destination-address 10.0.99.200/32;
source-address 10.0.99.0/24;
}  then  {
    d eny;}
}

There is a space in the “deny” that should not be there?

Terren Crider
I don't have any undue spaces in the .pol file itself.  
Terren Crider
Is it possible to apply an ACL to a VLAN but exclude one port?

Edit:  My thought here is that the VLAN in question in my lab setup is also on the uplink port of the switch.

tknv, Employee
Hi Terren,

I am not certain what the problem is, but if an earlier permit condition covers the traffic of a deny condition and comes before that deny condition, the traffic would be permitted. So putting the deny entries first (better, all deny conditions first) is safer.
If there is still a problem, please share with us exactly which packets should be denied/permitted.
Terren Crider
I have it working now.  I'm still not sure what was getting blocked, but I added an entry to allow bidirectional traffic to my VLAN.

entry allowbidirectional  {
    if  {
        destination-address 10.0.99.0/24;
        }  then  {
            permit;}
}

This was added as the second to last entry, right above the denyall rule.

Edit: I also changed the order of some things, like allowing DNS, DHCP and NTP at the top rather than in the middle.

tknv, Employee
Probably earlier entry blocked it. Can you share whole ACL .pol?
Grosjean, Stephane, Employee
Not sure if it applies here, but the difference when using a VLAN for the ACL is that it applies only to traffic entering the VLAN (not exiting it).
Terren Crider
Here's the current working ACL.  Without the second to last entry "allowbidirectional" it does not work.


entry allowDHCP {
    if {
        source-address 0.0.0.0/0;
        protocol udp;
        destination-port 67-68;
    } then {
        permit;
    }
}

entry allowDNS {
    if {
        source-address 0.0.0.0/0;
        protocol udp;
        destination-port 53;
    } then {
        permit;
    }
}

entry allowNTP {
    if {
        source-address 0.0.0.0/0;
        protocol udp;
        destination-port 123;
    } then {
        permit;
    }
}

entry allowVNCmgmt {
    if {
        source-address 0.0.0.0/0;
        protocol tcp;
        source-port 5900-5910;
    } then {
        permit;
    }
}

entry denylocalSSH {
    if {
        source-address 10.0.99.0/24;
        protocol tcp;
        destination-port 22;
    } then {
        deny;
    }
}

entry SSHmgmt {
    if {
        destination-address 10.0.99.0/24;
        protocol tcp;
        destination-port 22;
    } then {
        permit;
    }
}

entry allowNetSightin {
    if {
        source-address 10.0.200.216/32;
        destination-address 10.0.99.200/32;
    } then {
        permit;
    }
}

entry allowNetSightout {
    if {
        source-address 10.0.99.200/32;
        destination-address 10.0.200.216/32;
    } then {
        permit;
    }
}

entry allowswitchcom {
    if {
        source-address 10.0.99.200/32;
    } then {
        permit;
    }
}

entry allowswitchcom2 {
    if {
        source-address 10.0.99.254/32;
    } then {
        permit;
    }
}

entry denyHTTPswitch {
    if {
        source-address 10.0.99.0/24;
        destination-address 10.0.99.200/32;
        protocol tcp;
        destination-port 80;
    } then {
        deny;
    }
}

entry denyHTTPswitch2 {
    if {
        source-address 10.0.99.0/24;
        destination-address 10.0.99.254/32;
        protocol tcp;
        destination-port 80;
    } then {
        deny;
    }
}

entry allowmakerlab {
    if {
        source-address 10.0.99.0/24;
        destination-address 10.0.99.0/24;
    } then {
        permit;
    }
}

entry denyICMP {
    if {
        source-address 10.0.99.0/24;
        protocol icmp;
    } then {
        deny;
    }
}

#entry allowwinlogon {
#    if {
#        source-address 10.0.99.0/24;
#        protocol tcp;
#        destination-port > 1024;
#        destination-address 10.0.66.220/32;
#    } then {
#        permit;
#    }
#}

#entry allowprint515 {
#    if {
#        destination-address *printerIP/32;
#        protocol tcp;
#        destination-port 515;
#    } then {
#        permit;
#    }
#}

#entry allowprint631 {
#    if {
#        destination-address *printerIP/32;
#        protocol tcp;
#        destination-port 631;
#    } then {
#        permit;
#    }
#}

#entry allowprint9100 {
#    if {
#        destination-address *printerIP/32;
#        protocol tcp;
#        destination-port 9100;
#    } then {
#        permit;
#    }
#}

entry denyHTTPinternal10 {
    if {
        destination-address 10.0.0.0/8;
        protocol tcp;
        destination-port 80;
    } then {
        deny;
    }
}

entry denyHTTPinternal192 {
    if {
        destination-address 192.168.0.0/16;
        protocol tcp;
        destination-port 80;
    } then {
        deny;
    }
}

entry denyHTTPinternal172 {
    if {
        destination-address 172.16.0.0/12;
        protocol tcp;
        destination-port 80;
    } then {
        deny;
    }
}

entry denyHTTPSinternal10 {
    if {
        destination-address 10.0.0.0/8;
        protocol tcp;
        destination-port 443;
    } then {
        deny;
    }
}

entry denyHTTPSinternal192 {
    if {
        destination-address 192.168.0.0/16;
        protocol tcp;
        destination-port 443;
    } then {
        deny;
    }
}

entry denyHTTPSinternal172 {
    if {
        destination-address 172.16.0.0/12;
        protocol tcp;
        destination-port 443;
    } then {
        deny;
    }
}

entry allowHTTPinternet {
    if {
        protocol tcp;
        destination-port 80;
    } then {
        permit;
    }
}

entry allowHTTPSinternet {
    if {
        protocol tcp;
        destination-port 443;
    } then {
        permit;
    }
}

entry allowbidirectional {
    if {
        destination-address 10.0.99.0/24;
    } then {
        permit;
    }
}

entry denyall {
    if {
        source-address 0.0.0.0/0;
    } then {
        deny;
    }
}
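The evaluation model behind tknv's ordering remark and Stephane's point that a VLAN ACL is checked on traffic entering the VLAN, as an added example that is not part of the thread and is not Extreme Networks code. It is a small first-match evaluator run over a constructed subset of the working ACL above (same entry names, same order, fewer entries). It assumes entries are checked top to bottom with the first match deciding, and, following Terren's note that the guest VLAN is also on the uplink port and Stephane's reply, that return traffic arriving on the uplink in that VLAN is checked by the same ACL. The packets are constructed; 203.0.113.10 is a documentation address standing in for an Internet host.

```python
"""First-match evaluator for a subset of the ACL .pol syntax used in this thread.

Added example: not code from the post or from Extreme Networks. It assumes entries
are checked top to bottom and the first matching entry decides. It is not a full
.pol parser: only the match conditions used below are understood, and port specs
are "N" or "N-M".
"""
import ipaddress
import re

# Constructed subset of the working ACL, original ordering kept.
POL = """
entry allowVNCmgmt { if { source-address 0.0.0.0/0; protocol tcp;
                          source-port 5900-5910; } then { permit; } }
entry denylocalSSH { if { source-address 10.0.99.0/24; protocol tcp;
                          destination-port 22; } then { deny; } }
entry allowHTTPSinternet { if { protocol tcp; destination-port 443; }
                           then { permit; } }
entry allowbidirectional { if { destination-address 10.0.99.0/24; }
                           then { permit; } }
entry denyall { if { source-address 0.0.0.0/0; } then { deny; } }
"""

ENTRY_RE = re.compile(
    r"entry\s+(\S+)\s*\{\s*if\s*\{(.*?)\}\s*then\s*\{\s*(permit|deny)\s*;\s*\}\s*\}",
    re.S,
)


def parse_pol(text):
    """Return a list of (name, {condition: value}, action) in file order."""
    entries = []
    for name, cond_text, action in ENTRY_RE.findall(text):
        conds = {}
        for clause in cond_text.split(";"):
            clause = clause.strip()
            if clause:
                key, value = clause.split(None, 1)
                conds[key] = value.strip()
        entries.append((name, conds, action))
    return entries


def _port_in(spec, port):
    """Match a single port "N" or an inclusive range "N-M"."""
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)


def matches(conds, pkt):
    """True when every condition of one entry matches the packet (AND semantics)."""
    for key, value in conds.items():
        if key == "source-address":
            ok = pkt["src"] in ipaddress.ip_network(value)
        elif key == "destination-address":
            ok = pkt["dst"] in ipaddress.ip_network(value)
        elif key == "protocol":
            ok = pkt["proto"] == value
        elif key == "source-port":
            ok = _port_in(value, pkt["sport"])
        elif key == "destination-port":
            ok = _port_in(value, pkt["dport"])
        else:
            raise ValueError(f"match condition not supported here: {key}")
        if not ok:
            return False
    return True


def evaluate(entries, pkt):
    """First match wins; returns (action, entry name) or ("no-match", None)."""
    for name, conds, action in entries:
        if matches(conds, pkt):
            return action, name
    return "no-match", None


def packet(src, dst, proto, sport=0, dport=0):
    return {"src": ipaddress.ip_address(src), "dst": ipaddress.ip_address(dst),
            "proto": proto, "sport": sport, "dport": dport}


def demo():
    """Run four constructed packets through the ACL with and without allowbidirectional."""
    acl = parse_pol(POL)
    without_bidir = [e for e in acl if e[0] != "allowbidirectional"]
    cases = {
        # guest host opens HTTPS to an Internet address; the SYN leaves via the uplink
        "outbound https syn": packet("10.0.99.50", "203.0.113.10", "tcp", 51234, 443),
        # the SYN-ACK comes back on the uplink in the same VLAN, so the VLAN ACL sees it
        # too; its destination port is the ephemeral one, not 443
        "return https syn-ack": packet("203.0.113.10", "10.0.99.50", "tcp", 443, 51234),
        # guest host tries SSH to the switch address
        "guest ssh to switch": packet("10.0.99.50", "10.0.99.200", "tcp", 40000, 22),
        # the same attempt, with the client binding source port 5900
        "guest ssh from sport 5900": packet("10.0.99.50", "10.0.99.200", "tcp", 5900, 22),
    }
    return {label: {"without": evaluate(without_bidir, p), "with": evaluate(acl, p)}
            for label, p in cases.items()}


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label:28} without: {result['without']}  with: {result['with']}")
```

Running it shows why allowbidirectional was needed under these assumptions: the outbound HTTPS SYN matches allowHTTPSinternet, but the returning SYN-ACK has destination port 51234, matches nothing above denyall and is dropped unless allowbidirectional is present. The same evaluator makes tknv's ordering point concrete: allowVNCmgmt matches on source port only and sits above denylocalSSH, so a guest host that binds source port 5900 reaches port 22 on 10.0.99.200 through allowVNCmgmt. Moving that entry below the deny entries, or matching it on destination address and destination port instead, closes that path. allowbidirectional itself permits everything addressed to 10.0.99.0/24 that the entries above it did not already decide, so it is worth narrowing to the return traffic actually needed.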
tknv, Employee
Thank you very much. I think a packet (to/from 10.0.0.0/8) that does not match the entries below should be permitted.
entry denylocalSSH  {
	if  {
		source-address 10.0.99.0/24;
		protocol tcp;
		destination-port 22;
	}  then  {
		deny;}
}

entry denyHTTPswitch  {
	if  {
		source-address 10.0.99.0/24;
		destination-address 10.0.99.200/32;
		protocol tcp;
		destination-port 80;
	}  then  {
		deny;}
}

entry denyHTTPswitch2  {
	if {
		source-address 10.0.99.0/24;
		destination-address 10.0.99.254/32;
		protocol tcp;
		destination-port 80;
	}  then  {
		deny;}
}

entry denyICMP  {
	if  {
		source-address 10.0.99.0/24;
		protocol icmp;
	}  then  {
		deny;}
}

entry denyHTTPinternal10 {
	if  {
		destination-address 10.0.0.0/8;
		protocol tcp;
		destination-port 80;
	}  then  {
		deny;}
}

entry denyHTTPSinternal10 {
	if  {
		destination-address 10.0.0.0/8;
		protocol tcp;
		destination-port 443;
	}  then  {
		deny;}
}


Please let me know if my understanding is wrong.
Can you share the packet that should be permitted but denied?