Cisco router access list not working as expected

access-controlaclciscorouting

I'm trying to set up a network in packet tracer with inter-VLAN routing. I need to restrict one of the VLANs to only accept traffic from the 172.25.30.0/24 network.

To do this I am using an access list:

access-list 1 permit 172.25.30.0 0.0.0.255

I have 5 subinterfaces for the different VLANs on the network, and have applied the access list to f0/0.50:

interface FastEthernet0/0.10
 encapsulation dot1Q 10
 ip address 172.25.10.254 255.255.255.0
!
interface FastEthernet0/0.20
 encapsulation dot1Q 20
 ip address 172.25.20.254 255.255.255.0
!
interface FastEthernet0/0.30
 encapsulation dot1Q 30
 ip address 172.25.30.254 255.255.255.0
!
interface FastEthernet0/0.40
 encapsulation dot1Q 40
 ip address 172.25.40.254 255.255.255.0
!
interface FastEthernet0/0.50
 encapsulation dot1Q 50
 ip address 172.25.50.254 255.255.255.0
 ip access-group 1 in
!

As far as I can tell this should now only allow devices on the 172.25.30.0/24 network to communicate with devices on the 172.25.50.0/24 network (my management network). However, as soon as I apply the access list to the sub-interface I can no longer ping the 172.25.50.0/24 network from any devices, including ones on the 172.25.30.0/24 network.

Can anyone see why this would be?

Best Answer

Change the direction of the ACL to out.

ip access-group 1 out

The direction is from the perspective of the router interface. Out means out of the interface, towards the devices.

Related Solutions

Cisco router – deny access to host on port 8080, allow on 80

You should craft an ACL for one direction. Don't put the same ACL on every interface in both directions.

The general ACL rules:

An extended ACL has both the source and destination addresses. It should be placed inbound on the source interface where the source address is. This prevents the denied traffic from being routed at all.
A standard ACL doesn't have the destination address, only the source address. It should be placed outbound on the interface where the destination address is. This means the traffic will be routed, but it prevents the ACL from affecting too much traffic.

Your extended ACL 100 should only be on the router's interface for the VLAN with 192.168.1.0 (per your comment, VLAN 20) as an inbound ACL:

interface Vlan20
 ip access-group 100 in

This will immediately drop any TCP traffic coming into the router from 192.168.1.0/24 destined to 192.168.0.2:8080, preventing the router from having to route that traffic. It will allow ICMP echos and other TCP traffic to 192.168.0.2, but it will deny all other traffic (ACLs have an implicit deny any any as the last statement. You should probably change the ACL so that it will permit all other traffic, unless you really only want to allow hosts on that VLAN to ping and use all other TCP only with 192.168.0.2. The hosts on that VLAN will not be able to get to any other VLAN, except with ping.

Cisco extended ACL not permitting traffic according to rules

ACL's on routers are not state-full as on Firewall's. What this means is that you need rules to allow traffic in both directions.
TCP connections uses a well known port on the server side and normally selects a random port for the source of the connection.

Your requirements.

host 192.168.2.2 --> host 192.168.1.2:2016
and 
host 192.168.1.2 --> host 192.168.2.2:2014

Your Setup

int fa0/1.30 !Assume 192.168.2.0/24 subnet
  ip access-group 100 in
!
int fa0/1.20 !Assume 192.168.1.0/24 subnet
  ip access-group 101 in

ACL's:

Extended IP access list 100
10 permit tcp host 192.168.2.2         host 192.168.1.2 eq 2016 
20 permit tcp host 192.168.2.2 eq 2014 host 192.168.1.2 
30 permit icmp any any

Extended IP access list 101
10 permit tcp host 192.168.1.2 eq 2016 host 192.168.2.2
20 permit tcp host 192.168.1.2         host 192.168.2.2 eq 2014
30 permit icmp any any

Notes: Remember that the return traffic will also traverse the ACL on the interface where it enters.

Best Answer

Related Solutions

Cisco router – deny access to host on port 8080, allow on 80

Cisco extended ACL not permitting traffic according to rules

Related Topic