Cisco ACL not working as expected

access-controlaclciscorouter

I've a client to which I want to deny access so that he cannot access my network host. There is this specified port that he scanned on my network host which I want to block (Port 137).

Using NMAP, the client is able to find my open port on my network host(137). So I implemented an ACL on my router using the command.

access-list 111 deny udp (insert client ip) any eq 137
access-list 111 permit udp any any

What I wanted to do is to make sure that the moment the client uses NMAP to scan my network host for the port, port 137 will be filtered instead of open because of the ACL configured, however, the client is unable to even ping my network host now unless I add another command, permit ICMP any any, in the ACL.

Why is this so? Can any experts shed light about this?

Best Answer

There is an implicit "deny" at the end of every access-list. So your current access-list actually says:

access-list 111 deny udp (insert client ip) any eq 137
access-list 111 permit udp any any
access-list 111 deny ip any any

This means any UDP traffic (except from the client to port 137) is allowed, but all other traffic on that interface (including TCP and ICMP) is dropped. What you're looking for is this:

access-list 111 deny udp (insert client ip) any eq 137
access-list 111 permit ip any any

Related Solutions

HP Procurve 5406zl – ACL issue

According to the Access Security Guide for your device, the first address and mask of an ACE is source and the second address and mask is the destination. (Just in case, an ACE is an Access Control Entry; that is any line an access-list is made of)

ACE 20 of your ACL states source 192.168.50.0/24 and destination 192.168.101.0/24, then you apply the ACL at VLAN 101 input; however, your VLAN 101 is 192.168.101.0/24, so any input traffic at VLAN 101 would have source address in 192.168.101.0/24. So ACE 20 in your ACL is wrong, you need an ACE with action permit, source 192.168.101.0/24 and destination 192.168.50.0/24.

ip access-list extended "SecureContent"
    10 permit ip 192.168.101.0 0.0.0.255 192.168.50.0 0.0.0.255

Regarding the way back for this traffic, it will cross VLAN 101 outbound, so ACL should not be applied to this traffic and it should be allowed.

If traffic back is not allowed then you need to add the way back in your ACL.

ip access-list extended "SecureContent"
    10 permit ip 192.168.101.0 0.0.0.255 192.168.50.0 0.0.0.255
    20 permit ip 192.168.50.0 0.0.0.255 192.168.101.0 0.0.0.255

EDITED to change the line above to reflect proper ACL structure of numbered entries. (10, 20, etc).

Correct ACL Rule to Open UDP Ports for VoIP

You should not need an outbound ACL, based on the configuration shown the outbound path is not restricted.

You quote two lines of the inbound ACL:

access-list 101 permit udp host x.x.x.x any eq 5060
access-list 101 permit udp host x.x.x.x any range 10000 20000

I assume the external IP X.X.X.X can reach any internal IP, using 5060 or 10000-20000 as the internal destination's port.

If that's correct then that's fine (it's not clear to me from the question). However, if it's the source port (on the external server) that's using 5060 or 10000 to 20000 and the destination port doesn't happen to be the same then you'd need something like:

access-list 101 permit udp host x.x.x.x eq 5060 any
access-list 101 permit udp host x.x.x.x  range 10000 20000 any

Also, I would refer to the hosted PBX's instructions on NAT because if they are trying to reach into VoIP devices on your network without them first reaching out, then there may be issues.

Best Answer

Related Solutions

HP Procurve 5406zl – ACL issue

Correct ACL Rule to Open UDP Ports for VoIP

Related Topic