A little ACL help

A little ACL help

Terren_Crider
Contributor
I'm developing an ACL to allow guest use of certain resources on my network. In the end, the guest network will be its own subnet, so I want to apply this ACL at the VLAN level. I've got the ACL working at the port level, but when I apply it to the VLAN nothing works...

Where might I be messing this up?

# Guest-network ACL as first posted. Entries are evaluated top-down and the
# first matching entry decides, so the position of every permit/deny below
# matters. The policy is stateless: nothing here tracks connections, so each
# direction of a flow has to be admitted by an entry of its own.
# NOTE(review): the closing reply in this thread says a VLAN-applied ACL only
# matches traffic entering the VLAN, not traffic leaving it -- confirm, as that
# would explain why the same policy behaves differently at port and VLAN level.

# Permit everything sourced from 10.0.99.200 (presumably a switch management
# address -- confirm), before the guest-subnet denies below can match it.
entry allowswitchcom {
if {
source-address 10.0.99.200/32;
} then {
permit;}
}

# Same as above for 10.0.99.254 (presumably the gateway -- confirm).
entry allowswitchcom2 {
if {
source-address 10.0.99.254/32;
} then {
permit;}
}

# Deny the rest of the guest subnet from reaching 10.0.99.200 (any protocol).
entry denyswitch {
if {
destination-address 10.0.99.200/32;
source-address 10.0.99.0/24;
} then {
deny;}
}

# Deny the rest of the guest subnet from reaching 10.0.99.254 (any protocol).
entry denyswitch2 {
if {
source-address 10.0.99.0/24;
destination-address 10.0.99.254/32;
} then {
deny;}
}

# No SSH originating from the guest subnet, to any destination.
entry denylocalssh {
if {
source-address 10.0.99.0/24;
protocol tcp;
destination-port 22;
} then {
deny;}
}

# In this revision SSH *into* the guest subnet is denied from any source;
# the later revision in the thread changes this entry to permit.
entry sshmgmt {
if {
destination-address 10.0.99.0/24;
protocol tcp;
destination-port 22;
} then {
deny;}
}

# Permit guest-to-guest traffic within 10.0.99.0/24 (any protocol).
entry allowmakerlab {
if {
source-address 10.0.99.0/24;
destination-address 10.0.99.0/24;
} then {
permit;}
}

# DHCP (udp/67-68) from any source; "source-address 0.0.0.0/0" matches all.
entry allowdhcp {
if {
source-address 0.0.0.0/0;
protocol udp;
destination-port 67-68;
} then {
permit;}
}

# DNS (udp/53) from any source, to any resolver.
entry allowdns {
if {
source-address 0.0.0.0/0;
protocol udp;
destination-port 53;
} then {
permit;}
}

# NTP (udp/123) from any source.
entry allowntp {
if {
source-address 0.0.0.0/0;
protocol udp;
destination-port 123;
} then {
permit;}
}

# NOTE(review): this permit is keyed on the *source* port only, with any
# source and any destination. Any flow whose originating port falls in
# 5900-5910 is therefore permitted to every destination and never reaches
# the deny entries below (RFC1918 web denies, denyall). Confirm the intent;
# if the goal is reaching VNC servers, a destination-port match scoped to the
# management host(s) would be the narrower form.
entry allowvncmgmt {
if {
source-address 0.0.0.0/0;
protocol tcp;
source-port 5900-5910;
} then {
permit;}
}

# Guest subnet to 10.0.66.220 on TCP ports above 1024 (presumably a logon /
# domain server -- confirm). Later disabled in the working revision.
entry allowwinlogon {
if {
source-address 10.0.99.0/24;
protocol tcp;
destination-port > 1024;
destination-address 10.0.66.220/32;
} then {
permit;}
}

# Disabled printer entries kept for reference; "*printerIP" is a placeholder
# the author has not filled in.
#entry allowprint515 {
# if {
# destination-address *printerIP/32;
# protocol tcp;
# destination-port 515;
# } then {
# permit;}
#}

#entry allowprint631 {
# if {
# destination-address *printerIP/32;
# protocol tcp;
# destination-port 631;
# } then {
# permit;}
#}

#entry allowprint9100 {
# if {
# destination-address *printerIP/32;
# protocol tcp;
# destination-port 9100;
# } then {
# permit;}
#}

# Block HTTP to the three RFC1918 ranges before the general web permit below.
# Note 10.0.0.0/8 includes the guest subnet itself.
entry denyHTTPinternal10 {
if {
destination-address 10.0.0.0/8;
protocol tcp;
destination-port 80;
} then {
deny;}
}

entry denyHTTPinternal192 {
if {
destination-address 192.168.0.0/16;
protocol tcp;
destination-port 80;
} then {
deny;}
}

entry denyHTTPinternal172 {
if {
destination-address 172.16.0.0/12;
protocol tcp;
destination-port 80;
} then {
deny;}
}

# Same for HTTPS.
entry denyHTTPsinternal10 {
if {
destination-address 10.0.0.0/8;
protocol tcp;
destination-port 443;
} then {
deny;}
}

entry denyHTTPsinternal192 {
if {
destination-address 192.168.0.0/16;
protocol tcp;
destination-port 443;
} then {
deny;}
}

entry denyHTTPsinternal172 {
if {
destination-address 172.16.0.0/12;
protocol tcp;
destination-port 443;
} then {
deny;}
}

# Web to anything not denied above (i.e. non-RFC1918) is permitted.
# Only tcp/80 and tcp/443 are covered; every other port toward internal
# ranges falls through to denyall.
entry allowhttpinternet {
if {
protocol tcp;
destination-port 80;
} then {
permit;}
}

entry allowhttpsinternet {
if {
protocol tcp;
destination-port 443;
} then {
permit;}
}

# Explicit default deny; keep this last.
entry denyall {
if {
source-address 0.0.0.0/0;
} then {
deny;}
}

Terren_Crider
Contributor
I have it working now. I'm still not sure what was getting blocked, but I added an entry to allow bidirectional traffic to my VLAN.

# Permit any protocol from any source toward the guest subnet.
# NOTE(review): this is broad -- only the deny entries placed above it narrow
# what reaches 10.0.99.0/24. If it exists to admit return traffic, a permit
# scoped to the specific peer addresses would be the tighter form.
entry allowbidirectional {
if {
destination-address 10.0.99.0/24;
} then {
permit;}
}

This was added as the second to last entry, right above the denyall rule.

Edit: I also changed the order of some entries, such as placing the DNS, DHCP and NTP permits at the top rather than in the middle.

Thank you very much. I think a packet (to/from 10.0.0.0/8) that does not match any of the entries below should be permitted:

entry denylocalSSH {
if {
source-address 10.0.99.0/24;
protocol tcp;
destination-port 22;
} then {
deny;}
}

entry denyHTTPswitch {
if {
source-address 10.0.99.0/24;
destination-address 10.0.99.200/32;
protocol tcp;
destination-port 80;
} then {
deny;}
}

entry denyHTTPswitch2 {
if {
source-address 10.0.99.0/24;
destination-address 10.0.99.254/32;
protocol tcp;
destination-port 80;
} then {
deny;}
}

entry denyICMP {
if {
source-address 10.0.99.0/24;
protocol icmp;
} then {
deny;}
}

entry denyHTTPinternal10 {
if {
destination-address 10.0.0.0/8;
protocol tcp;
destination-port 80;
} then {
deny;}
}

entry denyHTTPSinternal10 {
if {
destination-address 10.0.0.0/8;
protocol tcp;
destination-port 443;
} then {
deny;}
}

Please let me know if my understanding is wrong.
Can you share the details of a packet that should be permitted but is being denied?

Here's the current working ACL. Without the second to last entry "allowbidirectional" it does not work.

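# Working revision of the guest-network ACL. Entries are evaluated top-down
# and the first matching entry decides, so position matters. The policy is
# stateless: nothing tracks connections, so each direction of a flow has to
# be admitted by an entry of its own.
# NOTE(review): the closing reply in this thread says a VLAN-applied ACL only
# matches traffic entering the VLAN, not traffic leaving it -- confirm, as that
# would explain why the port-level and VLAN-level results differed.

# Basic network services first: DHCP (udp/67-68), DNS (udp/53), NTP (udp/123)
# from any source. "source-address 0.0.0.0/0" matches every source.
entry allowDHCP {
if {
source-address 0.0.0.0/0;
# "pr otocol" in the posted text would not parse; the keyword is "protocol".
protocol udp;
destination-port 67-68;
} then {
permit;}
}

entry allowDNS {
if {
source-address 0.0.0.0/0;
protocol udp;
destination-port 53;
} then {
permit;}
}

entry allowNTP {
if {
source-address 0.0.0.0/0;
protocol udp;
destination-port 123;
} then {
permit;}
}

# NOTE(review): this permit is keyed on the *source* port only, with any
# source and any destination. Any flow whose originating port falls in
# 5900-5910 is therefore permitted to every destination and never reaches
# the deny entries below. Confirm the intent; if the goal is reaching VNC
# servers, a destination-port match scoped to the management host(s) would
# be the narrower form.
entry allowVNCmgmt {
if {
source-address 0.0.0.0/0;
protocol tcp;
source-port 5900-5910;
} then {
permit;}
}

# No SSH originating from the guest subnet, to any destination.
entry denylocalSSH {
if {
source-address 10.0.99.0/24;
protocol tcp;
destination-port 22;
} then {
deny;}
}

# SSH into the guest subnet is permitted from any source (the first revision
# denied it). NOTE(review): no source restriction -- if only a management
# station should SSH in, add a source-address match for it here.
entry SSHmgmt {
if {
destination-address 10.0.99.0/24;
protocol tcp;
destination-port 22;
} then {
permit;}
}

# Host-to-host pair between 10.0.200.216 (presumably the NetSight server --
# confirm) and 10.0.99.200, permitted in both directions. This is the
# narrow, peer-scoped form that allowbidirectional below does not use.
entry allowNetSightin {
if {
source-address 10.0.200.216/32;
destination-address 10.0.99.200/32;
} then {
permit;}
}

entry allowNetSightout {
if {
source-address 10.0.99.200/32;
destination-address 10.0.200.216/32;
} then {
permit;}
}

# Permit everything sourced from 10.0.99.200 and 10.0.99.254 (presumably the
# switch management and gateway addresses -- confirm).
entry allowswitchcom {
if {
source-address 10.0.99.200/32;
} then {
permit;}
}

entry allowswitchcom2 {
if {
source-address 10.0.99.254/32;
} then {
permit;}
}

# Guest subnet may not reach the web UI (tcp/80) on the two addresses above.
# Only port 80 is covered here; tcp/443 to them is caught later by
# denyHTTPSinternal10, everything else by allowmakerlab (permit).
entry denyHTTPswitch {
if {
source-address 10.0.99.0/24;
destination-address 10.0.99.200/32;
protocol tcp;
destination-port 80;
} then {
deny;}
}

entry denyHTTPswitch2 {
if {
source-address 10.0.99.0/24;
destination-address 10.0.99.254/32;
protocol tcp;
destination-port 80;
} then {
deny;}
}

# Permit guest-to-guest traffic within 10.0.99.0/24 (any protocol).
entry allowmakerlab {
if {
source-address 10.0.99.0/24;
destination-address 10.0.99.0/24;
} then {
permit;}
}

# Deny ICMP originating from the guest subnet. Because allowmakerlab sits
# above this entry, ICMP that stays inside 10.0.99.0/24 is still permitted;
# only ICMP leaving the subnet is dropped here.
entry denyICMP {
if {
source-address 10.0.99.0/24;
protocol icmp;
} then {
deny;}
}

# Disabled entries kept for reference. "*printerIP" is a placeholder the
# author has not filled in.
#entry allowwinlogon {
# if {
# source-address 10.0.99.0/24;
# protocol tcp;
# destination-port > 1024;
# destination-address 10.0.66.220/32;
# } then {
# permit;}
#}

#entry allowprint515 {
# if {
# destination-address *printerIP/32;
# protocol tcp;
# destination-port 515;
# } then {
# permit;}
#}

#entry allowprint631 {
# if {
# destination-address *printerIP/32;
# protocol tcp;
# destination-port 631;
# } then {
# permit;}
#}

#entry allowprint9100 {
# if {
# destination-address *printerIP/32;
# protocol tcp;
# destination-port 9100;
# } then {
# permit;}
#}

# Block HTTP to the three RFC1918 ranges before the general web permit below.
# Note 10.0.0.0/8 includes the guest subnet itself, so these two /8 entries
# are also what keeps tcp/80 and tcp/443 out of 10.0.99.0/24 despite the
# broad allowbidirectional permit further down.
entry denyHTTPinternal10 {
if {
destination-address 10.0.0.0/8;
protocol tcp;
destination-port 80;
} then {
deny;}
}

entry denyHTTPinternal192 {
if {
destination-address 192.168.0.0/16;
protocol tcp;
destination-port 80;
} then {
deny;}
}

entry denyHTTPinternal172 {
if {
destination-address 172.16.0.0/12;
protocol tcp;
destination-port 80;
} then {
deny;}
}

# Same for HTTPS.
entry denyHTTPSinternal10 {
if {
destination-address 10.0.0.0/8;
protocol tcp;
destination-port 443;
} then {
deny;}
}

entry denyHTTPSinternal192 {
if {
destination-address 192.168.0.0/16;
protocol tcp;
destination-port 443;
} then {
deny;}
}

entry denyHTTPSinternal172 {
if {
destination-address 172.16.0.0/12;
protocol tcp;
destination-port 443;
} then {
deny;}
}

# Web to anything not denied above (i.e. non-RFC1918) is permitted.
entry allowHTTPinternet {
if {
protocol tcp;
destination-port 80;
} then {
permit;}
}

entry allowHTTPSinternet {
if {
protocol tcp;
destination-port 443;
} then {
permit;}
}

# Permit any protocol from any source toward the guest subnet.
# NOTE(review): this is broad. From sources outside 10.0.99.0/24 only
# tcp/80 and tcp/443 (denyHTTPinternal10 / denyHTTPSinternal10) are carved
# out above it; the SSH and ICMP denies apply to guest-sourced traffic only.
# If this entry exists to admit return traffic, a permit scoped to the
# specific peers (as the NetSight pair does) would be the tighter form.
entry allowbidirectional {
if {
destination-address 10.0.99.0/24;
} then {
permit;}
}

# Explicit default deny; keep this last.
entry denyall {
if {
source-address 0.0.0.0/0;
} then {
deny;}
}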

Not sure if it applies here, but the difference when applying an ACL to a VLAN is that it matches only traffic entering the VLAN (not traffic exiting it).