
acl issue Protocol needs to be set to TCP or UDP, before setting "destination-port".

Keith9
Contributor III

I’m getting this error on an EXOS switch when trying to refresh a policy.

Line 29 : Protocol needs to be set to TCP or UDP, before setting "destination-port".

Here’s an example of what I added.

entry acl1_deny36 { if { protocol tcp; source-address 0.0.0.0/0; destination-address 10.80.2.16/32; destination-port 80;} then { count acl1_http_deny; deny;}}

Here is an example of some lines that work:

entry acl1_deny28 { if { protocol udp; source-address 0.0.0.0/0; destination-address 10.80.2.28/32; destination-port snmp;} then { count acl1_snmp_deny; deny;}}

entry acl1_denyr1 { if { protocol tcp; source-address 0.0.0.0/0; destination-address 10.80.4.0/24; destination-port 873;} then { count acl1_rsync_deny; deny;}}

Can anyone tell me why I can’t deny port 80 the same way I deny port 873 or snmp?

Keith9
Contributor III

Hey, can I put comments in an ACL file?

If so, what’s the escape character?
Example:
// Allow only IT access to idrac

entry (something defining IT) permit

entry (everyone else) deny

Keith9
Contributor III

I got it to work by putting my permit above the denies.

entry acl1_perm80 { if { protocol tcp; source-address 10.7.0.0/16; destination-address 0.0.0.0/0; destination-port 80;} then { permit;}}
entry acl1_deny36 { if { protocol tcp; source-address 0.0.0.0/0; destination-address 10.80.2.16/32; destination-port 80;} then { count acl1_http_deny; deny;}}
entry acl1_deny37 { if { protocol tcp; source-address 0.0.0.0/0; destination-address 10.80.2.17/32; destination-port 80;} then { count acl1_http_deny; deny;}}
entry acl1_deny38 { if { protocol tcp; source-address 0.0.0.0/0; destination-address 10.80.2.18/32; destination-port 80;} then { count acl1_http_deny; deny;}}
entry acl1_deny39 { if { protocol tcp; source-address 0.0.0.0/0; destination-address 10.80.2.19/32; destination-port 80;} then { count acl1_http_deny; deny;}}
entry acl1_deny40 { if { protocol tcp; source-address 0.0.0.0/0; destination-address 10.80.2.20/32; destination-port 80;} then { count acl1_http_deny; deny;}}
entry acl1_deny41 { if { protocol tcp; source-address 0.0.0.0/0; destination-address 10.80.2.21/32; destination-port 80;} then { count acl1_http_deny; deny;}}
entry acl1_deny42 { if { protocol tcp; source-address 0.0.0.0/0; destination-address 10.80.2.22/32; destination-port 80;} then { count acl1_http_deny; deny;}}
entry acl1_deny43 { if { protocol tcp; source-address 0.0.0.0/0; destination-address 10.80.2.23/32; destination-port 80;} then { count acl1_http_deny; deny;}}
entry acl1_deny44 { if { protocol tcp; source-address 0.0.0.0/0; destination-address 10.80.2.24/32; destination-port 80;} then { count acl1_http_deny; deny;}}
entry acl1_deny45 { if { protocol tcp; source-address 0.0.0.0/0; destination-address 10.80.2.25/32; destination-port 80;} then { count acl1_http_deny; deny;}}
entry acl1_deny46 { if { protocol tcp; source-address 0.0.0.0/0; destination-address 10.80.2.26/32; destination-port 80;} then { count acl1_http_deny; deny;}}
entry acl1_deny47 { if { protocol tcp; source-address 0.0.0.0/0; destination-address 10.80.2.27/32; destination-port 80;} then { count acl1_http_deny; deny;}}
entry acl1_deny48 { if { protocol tcp; source-address 0.0.0.0/0; destination-address 10.80.2.28/32; destination-port 80;} then { count acl1_http_deny; deny;}}

Keith9
Contributor III

Oh shoot, it was the bottom line to allow just IT subnet access to that device.

I pasted the whole group in and thought it was the start of the newest line.

entry acl1_permit { if { protocol tcp; source-address 10.7.0.0/16; destination-address 0.0.0.0/0; destination-port 80;} then { permit;}}

It blocks it completely though. So the last permit is not allowed anyway. Though I’m RDPing, so I don’t know what the system sees me as: the PC I’m RDP’d to in that subnet, or my VPN IP address, which is in the 192.168 range.
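A small checker, added here as an example (not code from the thread or from Extreme Networks), that reproduces the two things Keith9 ran into above: the switch's rule that destination-port only makes sense after protocol tcp or udp, and top-down first-match evaluation, where a permit placed below a matching deny never fires. First-match ordering is assumed from the fix that worked in the thread; the sample policy and the host addresses are constructed.

```python
import ipaddress
import re

# Constructed sample policy (not the poster's file): the permit sits below a deny
# that also matches IT traffic, and the last entry omits "protocol".
SAMPLE_POLICY = """
entry acl1_deny36 { if { protocol tcp; source-address 0.0.0.0/0; destination-address 10.80.2.16/32; destination-port 80;} then { count acl1_http_deny; deny;}}
entry acl1_permit { if { protocol tcp; source-address 10.7.0.0/16; destination-address 0.0.0.0/0; destination-port 80;} then { permit;}}
entry acl1_bad { if { source-address 0.0.0.0/0; destination-port 80;} then { deny;}}
"""

ENTRY_RE = re.compile(r"entry\s+(\S+)\s*\{\s*if\s*\{(.*?)\}\s*then\s*\{(.*?)\}\s*\}", re.S)

def parse_policy(text):
    """Return [(name, match-conditions dict, actions list)] in file order."""
    entries = []
    for name, cond, act in ENTRY_RE.findall(text):
        match = {}
        for clause in filter(None, (c.strip() for c in cond.split(";"))):
            key, _, value = clause.partition(" ")
            match[key] = value.strip()
        actions = [a.strip() for a in act.split(";") if a.strip()]
        entries.append((name, match, actions))
    return entries

def lint(entries):
    """Flag what the switch rejects: a port match without protocol tcp or udp."""
    return [f"{name}: protocol needs to be tcp or udp before setting destination-port"
            for name, match, _ in entries
            if "destination-port" in match and match.get("protocol") not in ("tcp", "udp")]

def first_match(entries, src, dst, proto, dport):
    """Top-down, first-match lookup. Returns (entry name, 'permit'|'deny') or None.
    Ports are compared literally, so a numeric port only matches numeric entries."""
    for name, match, actions in entries:
        if match.get("protocol", proto) != proto:
            continue
        if ipaddress.ip_address(src) not in ipaddress.ip_network(match.get("source-address", "0.0.0.0/0")):
            continue
        if ipaddress.ip_address(dst) not in ipaddress.ip_network(match.get("destination-address", "0.0.0.0/0")):
            continue
        if "destination-port" in match and match["destination-port"] != str(dport):
            continue
        return name, ("permit" if "permit" in actions else "deny")
    return None

if __name__ == "__main__":
    entries = parse_policy(SAMPLE_POLICY)
    print(lint(entries))
    print(first_match(entries, "10.7.1.5", "10.80.2.16", "tcp", 80))   # deny shadows the permit
    print(first_match(entries[1:2] + entries[:1], "10.7.1.5", "10.80.2.16", "tcp", 80))
```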

OscarK
Extreme Employee

That entry just works if I try it.

I think there is something else wrong in your policy.

Do a check policy <ACL> and see what it returns.