I can't write ACLs

Posted by PL on June 26, 2008, 7:12 pm
Trying to block access from "inside" to "dmz1"...

interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0/2
nameif dmz1
security-level 2
ip address 192.168.2.1 255.255.255.0
!
access-list acl_outgoing extended deny ip any 192.168.2.0 255.255.255.0
access-list acl_outgoing extended permit ip any any
!
access-group acl_outgoing in interface inside

Why am I still able to access host 192.168.2.2 from 192.168.1.7 ??

Posted by Barry Margolin on June 26, 2008, 10:07 pm

> Trying to block access from "inside" to "dmz1"...
>
> interface Ethernet0/1
> nameif inside
> security-level 100
> ip address 192.168.1.1 255.255.255.0
> !
> interface Ethernet0/2
> nameif dmz1
> security-level 2
> ip address 192.168.2.1 255.255.255.0
> !
> access-list acl_outgoing extended deny ip any 192.168.2.0 255.255.255.0

That should be 0.0.0.255.

> access-list acl_outgoing extended permit ip any any
> !
> access-group acl_outgoing in interface inside
>
> Why am I still able to access host 192.168.2.2 from 192.168.1.7 ??

Your ACL blocks access to X.X.X.0, not 192.168.2.X, because you used a
netmask instead of a wildcard mask.

--
Barry Margolin, barmar@alum.mit.edu
Arlington, MA
*** PLEASE post questions in newsgroups, not directly to me ***
*** PLEASE don't copy me on replies, I'll read them in the group ***

Posted by Andrew Lutov on June 26, 2008, 10:21 pm
Hello, Barry!

??>> Trying to block access from "inside" to "dmz1"...
??>>
??>> interface Ethernet0/1
??>> nameif inside
??>> security-level 100
??>> ip address 192.168.1.1 255.255.255.0
??>> !
??>> interface Ethernet0/2
??>> nameif dmz1
??>> security-level 2
??>> ip address 192.168.2.1 255.255.255.0
??>> !
??>> access-list acl_outgoing extended deny ip any 192.168.2.0 255.255.255.0

BM> That should be 0.0.0.255.

??>> access-list acl_outgoing extended permit ip any any
??>> !
??>> access-group acl_outgoing in interface inside
??>>
??>> Why am I still able to access host 192.168.2.2 from 192.168.1.7 ??

BM> Your ACL blocks access to X.X.X.0, not 192.168.2.X, because you used a
BM> netmask instead of a wildcard mask.


asa5510(config)# access-list FromOutside extended permit tcp 1.1.1.1 ?

configure mode commands/options:
A.B.C.D Netmask for source IP address
asa5510(config)# access-list FromOutside extended permit tcp 1.1.1.1

--



Posted by Barry Margolin on June 26, 2008, 10:30 pm

> Hello, Barry!
>
> ??>> Trying to block access from "inside" to "dmz1"...
> ??>>
> ??>> interface Ethernet0/1
> ??>> nameif inside
> ??>> security-level 100
> ??>> ip address 192.168.1.1 255.255.255.0
> ??>> !
> ??>> interface Ethernet0/2
> ??>> nameif dmz1
> ??>> security-level 2
> ??>> ip address 192.168.2.1 255.255.255.0
> ??>> !
> ??>> access-list acl_outgoing extended deny ip any 192.168.2.0 255.255.255.0
>
> BM> That should be 0.0.0.255.
>
> ??>> access-list acl_outgoing extended permit ip any any
> ??>> !
> ??>> access-group acl_outgoing in interface inside
> ??>>
> ??>> Why am I still able to access host 192.168.2.2 from 192.168.1.7 ??
>
> BM> Your ACL blocks access to X.X.X.0, not 192.168.2.X, because you used a
> BM> netmask instead of a wildcard mask.
>
>
> asa5510(config)# access-list FromOutside extended permit tcp 1.1.1.1 ?
>
> configure mode commands/options:
> A.B.C.D Netmask for source IP address
> asa5510(config)# access-list FromOutside extended permit tcp 1.1.1.1

You didn't say what model it was earlier; I thought it was an IOS
router. IOS uses wildcard masks, which are the complement of netmasks.

--
Barry Margolin, barmar@alum.mit.edu
Arlington, MA
*** PLEASE post questions in newsgroups, not directly to me ***
*** PLEASE don't copy me on replies, I'll read them in the group ***
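Barry's point, that an IOS wildcard mask is the bitwise complement of an ASA/PIX netmask, is easy to get wrong in the head. The following is an added example, not code from the thread: a small Python evaluator that applies the poster's two-entry ACL under both mask interpretations, using the addresses from the post (192.168.1.7 and 192.168.2.2) plus one constructed test address, 10.20.30.0, chosen only because its last octet is 0. Under IOS rules a wildcard of 255.255.255.0 means "first three octets don't care, last octet must be 0", which is exactly the X.X.X.0 behaviour Barry describes; under ASA rules the same dotted quad is a subnet mask and the entry covers all of 192.168.2.0/24.

```python
import ipaddress


def _to_int(dotted: str) -> int:
    """Dotted-quad IPv4 string to a 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))


def ios_wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS semantics: a 1 bit in the wildcard is 'don't care'; a 0 bit must
    equal the corresponding bit of the base address."""
    care = 0xFFFFFFFF ^ _to_int(wildcard)
    return (_to_int(addr) & care) == (_to_int(base) & care)


def asa_netmask_match(addr: str, base: str, netmask: str) -> bool:
    """ASA/PIX semantics: a 1 bit in the netmask is a bit that must match."""
    mask = _to_int(netmask)
    return (_to_int(addr) & mask) == (_to_int(base) & mask)


def netmask_to_wildcard(netmask: str) -> str:
    """Subnet mask (ASA form) -> IOS wildcard mask, i.e. the bitwise complement."""
    return str(ipaddress.IPv4Address(0xFFFFFFFF ^ _to_int(netmask)))


def wildcard_to_netmask(wildcard: str) -> str:
    """IOS wildcard mask -> subnet mask; the same complement operation."""
    return netmask_to_wildcard(wildcard)


# Each entry is (action, src, src_mask, dst, dst_mask); "any" carries no mask.
# This is the ACL exactly as posted in the thread.
ACL_FROM_POST = [
    ("deny", "any", None, "192.168.2.0", "255.255.255.0"),
    ("permit", "any", None, "any", None),
]

# The same intent written with the wildcard Barry suggested for an IOS router.
ACL_IOS_FIXED = [
    ("deny", "any", None, "192.168.2.0", "0.0.0.255"),
    ("permit", "any", None, "any", None),
]


def evaluate(acl, src: str, dst: str, platform: str) -> str:
    """Walk the ACL top down; first matching entry wins, and traffic that
    matches nothing hits the implicit deny at the end (true on both platforms).
    platform is "ios" (wildcard masks) or "asa" (netmasks)."""
    match = ios_wildcard_match if platform == "ios" else asa_netmask_match

    def hit(addr: str, base: str, mask) -> bool:
        return base == "any" or match(addr, base, mask)

    for action, sbase, smask, dbase, dmask in acl:
        if hit(src, sbase, smask) and hit(dst, dbase, dmask):
            return action
    return "deny"


if __name__ == "__main__":
    # 10.20.30.0 is a constructed address picked to show the X.X.X.0 effect.
    for platform in ("asa", "ios"):
        for dst in ("192.168.2.2", "10.20.30.0"):
            verdict = evaluate(ACL_FROM_POST, "192.168.1.7", dst, platform)
            print(f"{platform}: 192.168.1.7 -> {dst}: {verdict}")
    print("IOS wildcard for 255.255.255.0 is", netmask_to_wildcard("255.255.255.0"))
```

Running it shows the two readings side by side: on the ASA the posted entry denies 192.168.1.7 to 192.168.2.2 and the same traffic is permitted on IOS, where the entry instead denies 10.20.30.0 and every other address ending in .0. The thread does not settle why the ASA still passed the traffic even though its mask syntax was right; two things worth checking in that situation are the hit count on the deny entry in `show access-list acl_outgoing` and whether the test reused a connection the ASA had already built before the ACL was applied.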

Posted by PL on June 27, 2008, 12:13 pm
I'm sorry, I forgot to mention what device this was, it's an ASA.

On Thu, 26 Jun 2008 22:07:14 -0400, Barry Margolin

>
>> Trying to block access from "inside" to "dmz1"...
>>
>> interface Ethernet0/1
>> nameif inside
>> security-level 100
>> ip address 192.168.1.1 255.255.255.0
>> !
>> interface Ethernet0/2
>> nameif dmz1
>> security-level 2
>> ip address 192.168.2.1 255.255.255.0
>> !
>> access-list acl_outgoing extended deny ip any 192.168.2.0 255.255.255.0
>
>That should be 0.0.0.255.
>
>> access-list acl_outgoing extended permit ip any any
>> !
>> access-group acl_outgoing in interface inside
>>
>> Why am I still able to access host 192.168.2.2 from 192.168.1.7 ??
>
>Your ACL blocks access to X.X.X.0, not 192.168.2.X, because you used a
>netmask instead of a wildcard mask.

