Security Basics mailing list archives
Re: ACL router problem
From: <grendel () marslander org>
Date: Sat, 9 Oct 2010 14:08:10 +0200
Hello,First time I respond on this list I think. So here goes. I will explain the logic of the ACL instead of giving you just the answer ;).
1) if you put a permit tcp you are actually telling the acl to work on tcp level. This means that ports are taken into account. Suppose you have a http proxy server ( 192.168.1.2 )connecting to the internet you would put something like:
example: access-list 111 permit tcp host 192.168.1.2 any eq 80Notice that a port is specified after the eq. Also notice the host argument and no wildcard mask is given.
2) if you put ip it will not check any further. This is commonly used in nat's and to permit traffic from one subnet to another. example: access-list 111 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
no port is specified here. 3) ACL's read from top to bottom and first match wins.4) explicit deny any any in the end of an ACL. If you put deny any any in a numberred ACL you are actually reducing the scalabilty of the ACL.
5) named ACL's are easier to manage. Command is "ip access-list"6) watch out with wildcard masks. If you are not sure do not hesitate to use a tool to calculate it. There are some free ones on the net just google them.
So what you need is something like access-list 111 permit ip 192.168.0.0 0.0.255.255 host 192.168.1.15 and make sure no other sequence matches before this line.On a side note this looks a bit weird as your destination host lies inside the subnet of your LAN it seems? Than again I do not know your topology.
cheers,----- Original Message ----- From: "Juan B" <juanbabi () yahoo com>
To: "Shain Singh" <shain.singh () gmail com> Cc: "security basics" <security-basics () securityfocus com> Sent: Friday, October 08, 2010 4:11 AM Subject: Re: ACL router problem hi Shain! thanks a lot the command you told me: access-list 111 permit ip host 192.168.8.139 192.168.1.15 255.255.255.255 worked !!!now I need to enable all the lan to connect tho this host 192.168.1.15 so I tried to add insted of the command you wrote this command:
access-list 111 permit tcp 192.168.0.0 0.0.255.255 192.168.1.15 255.255.255.255
or this one access-list 111 permit IP 192.168.0.0 0.0.255.255 192.168.1.15 255.255.255.255
but both didnt worked !! any ideas?? thanks a lot !! marco --- On Thu, 10/7/10, Shain Singh <shain.singh () gmail com> wrote:
From: Shain Singh <shain.singh () gmail com> Subject: Re: ACL router problem To: "Juan B" <juanbabi () yahoo com> Cc: "security basics" <security-basics () securityfocus com> Date: Thursday, October 7, 2010, 7:38 PM There are a few things that you would need to look into. You have the "deny" entry at the bottom logged, when you try and connect, do you see it in the logs? If so, it means you're not matching your ACL entry up the top. Depending on how secure this network needs to be, did you try allowing all IP related traffic from your host instead of just TCP? something like this could be where you would see a match. access-list 111 permit ip host 192.168.8.139 192.168.1.15 255.255.255.255 On 8 October 2010 08:40, Juan B <juanbabi () yahoo com> wrote: > Hi ALL !! > > I need to connect from a host (192.168.8.139)in the lan to host > 192.168.1.15 so I put acl like this: ( I added the first line ) > > access-list 111 permit tcp host 192.168.8.139 any > access-list 111 permit tcp 192.168.0.0 0.0.255.255 host 192.168.8.2 eq > telnet > access-list 111 permit tcp host 192.168.8.7 any > access-list 111 permit tcp 192.168.0.0 0.0.255.255 any eq www > access-list 111 permit udp 192.168.0.0 0.0.255.255 any eq domain > access-list 111 permit tcp 192.168.0.0 0.0.255.255 any eq 443 > access-list 111 permit tcp 192.168.0.0 0.0.255.255 any eq 5900 > access-list 111 permit ip host 192.168.8.198 any > access-list 111 permit ip host 192.168.8.199 any > access-list 111 permit icmp any any echo-reply > access-list 111 permit icmp any any echo > access-list 111 permit icmp any any source-quench > access-list 111 permit icmp any any time-exceeded > access-list 111 deny icmp any any > access-list 111 permit tcp any any established > access-list 111 deny ip any any log > > take a look also at line 3 of the acl this host is the internal mail > server, from that mail server when I try to connect to host > 192.168.1.15 there is no problem !!! so I made a similar entry to > enable connection from my host (192.168.8.139) but It doesnt work !! I > know its a problem of the ACL beacuse when I remove this ACL (which is > applied to vlan 1 BTW) the connection works!! > > please help ! > marco > > > > > > ------------------------------------------------------------------------ > Securing Apache Web Server with thawte Digital Certificate > In this guide we examine the importance of Apache-SSL and who needs an SSL certificate. We look at how SSL works, how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates. > > http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1 > ------------------------------------------------------------------------ > > -- Shaineel Singh e: shain.singh () gmail comp: +61 422 921 951 begin_of_the_skype_highlighting +61 422 921 951 end_of_the_skype_highlightingw: http://buffet.shainsingh.com -- "Too many have dispensed with generosity to practice charity" - Albert Camus
thanks ------------------------------------------------------------------------ Securing Apache Web Server with thawte Digital CertificateIn this guide we examine the importance of Apache-SSL and who needs an SSL certificate. We look at how SSL works, how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.
http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1 ------------------------------------------------------------------------ ------------------------------------------------------------------------ Securing Apache Web Server with thawte Digital Certificate In this guide we examine the importance of Apache-SSL and who needs an SSL certificate. We look at how SSL works, how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates. http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1 ------------------------------------------------------------------------
Current thread:
- ACL router problem Juan B (Oct 07)
- RE: ACL router problem David Gillett (Oct 08)
- RE: ACL router problem Juan B (Oct 08)
- Re: ACL router problem Shain Singh (Oct 08)
- Re: ACL router problem Juan B (Oct 08)
- RE: ACL router problem David Gillett (Oct 13)
- RE: ACL router problem David Gillett (Oct 19)
- Re: ACL router problem grendel (Oct 13)
- Re: ACL router problem Juan B (Oct 08)
- RE: ACL router problem David Gillett (Oct 08)
- Re: ACL router problem Dan Vultur (Oct 08)