Mailing List Archive: Cisco: NSP

FWSM ACL precedence ? ACL not blocking traffic

 

 



jfitz at princeton

Apr 25, 2012, 8:24 AM

Post #1 of 3
FWSM ACL precedence ? ACL not blocking traffic

We have tried the following on our test FWSM setup and it appears to break our original ACL used for blocking hosts.
Nothing in the docs I have read states one ACL overrides the other.


I have an FWSM with an OUTSIDE interface that has ACL-1 applied to both inbound and outbound traffic to DENY certain SRC hosts (DENY IP HOST x.x.x.x).

If I now apply an INSIDE ACL-2 to the outbound traffic with a permit IP any any ACE, will ACL-2 now supersede ACL-1 and PERMIT the DENIED traffic?

The ACL-2 was intended for future use and has a permit IP any any for now.

We are running FWSM 4.0(6) with IOS 12.2.SXI7

ACL-1 = deny ip host x.x.x.x
ACL-2 = permit ip any any

Stumped ??

Thanks for any info.
Not sure if anybody is still using FWSMs.




Jeff Fitzwater
Princeton University


ryan.landry at gmail

Apr 25, 2012, 8:54 AM

Post #2 of 3
Re: FWSM ACL precedence ? ACL not blocking traffic [In reply to]

What access-list commit mode are you using?

My preferred practice is manual commit mode, but I make the changes to the ACL
on a TFTP server and then upload the entire ACL with copy tftp running. At the
start of the script are access-list mode manual and clear configure
access-list blah; at the end of the script is access-list commit. The
changes only get applied at commit.

On Wednesday, April 25, 2012, Jeffrey G. Fitzwater wrote:

>
> We have tried the following on our test FWSM setup and it appears to break
> our original ACL used for blocking hosts.
> Nothing in the docs I have read states one ACL overrides the other.
>
> I have an FWSM with an OUTSIDE interface that has ACL-1 applied to both
> inbound and outbound traffic to DENY certain SRC hosts (DENY IP HOST
> x.x.x.x).
>
> If I now apply an INSIDE ACL-2 to the outbound traffic with a permit IP
> any any ACE, will ACL-2 now supersede ACL-1 and PERMIT the DENIED traffic?
>
> The ACL-2 was intended for future use and has a permit IP any any for now.
>
> We are running FWSM 4.0(6) with IOS 12.2.SXI7
>
> ACL-1 = deny ip host x.x.x.x
> ACL-2 = permit ip any any
>
> Stumped ??
>
> Thanks for any info.
> Not sure if anybody is still using FWSMs.
>
> Jeff Fitzwater
> Princeton University
>
_______________________________________________
cisco-nsp mailing list cisco-nsp [at] puck
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
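The manual-commit workflow Ryan describes above, written out as an added example that is not part of the thread and not taken from Cisco's documentation: a file staged on a TFTP server and loaded with copy tftp://.../running-config. Everything in it is an assumption for illustration: the TFTP address and the blocked hosts are documentation-range placeholders; "access-list mode manual" in Ryan's post is taken to be the abbreviated form of the FWSM keyword manual-commit; the thread only shows one ACE per list, so a trailing permit is assumed for ACL-1 (an extended ACL consisting solely of a deny ACE drops everything via the implicit deny at its end); and "INSIDE ACL-2 to the outbound traffic" is read as ACL-2 bound inbound on the inside interface, which is one of two possible readings.

```cisco
! acl-update.txt, staged on the TFTP server and loaded on the FWSM with
!   copy tftp://192.0.2.10/acl-update.txt running-config
! All names and addresses are placeholders; 192.0.2.0/24 is documentation space.

! Buffer every access-list change below; nothing takes effect until the commit.
access-list mode manual-commit

! Rebuild both lists from scratch so this file is the only source of truth.
clear configure access-list ACL-1
clear configure access-list ACL-2

! ACL-1: block the specific source hosts, then the policy the list carried
! before (assumed: the thread shows only the deny ACE, and with no permit ACE
! the implicit deny at the end of the list would block all traffic).
access-list ACL-1 extended deny ip host 192.0.2.50 any
access-list ACL-1 extended deny ip host 192.0.2.51 any
access-list ACL-1 extended permit ip any any

! ACL-2: placeholder for future inside-interface policy; permit everything for now.
access-list ACL-2 extended permit ip any any

! Bindings, restated so the file is complete even if clearing a list also
! dropped its binding (assumed from the thread's description of the setup).
access-group ACL-1 in interface outside
access-group ACL-1 out interface outside
access-group ACL-2 in interface inside

! Activate all buffered access-list changes at once.
access-list commit
```

Two checks worth running after the commit: show access-list ACL-1 prints per-ACE hit counts, so sending test traffic from the blocked host and watching the deny ACE's counter tells you whether that ACE is still being matched, and show running-config access-group confirms which list is bound in which direction on each interface. If the counter on the deny ACE stops incrementing after ACL-2 is bound, that is the evidence to take to the next post rather than a guess about one list overriding the other.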


jfitz at princeton

Apr 25, 2012, 9:04 AM

Post #3 of 3
Re: FWSM ACL precedence ? ACL not blocking traffic [In reply to]

I am using MANUAL, so I then run the "access-list commit" config command.



On Apr 25, 2012, at 11:24, Jeffrey G. Fitzwater wrote:

>
> We have tried the following on our test FWSM setup and it appears to break our original ACL used for blocking hosts.
> Nothing in the docs I have read states one ACL overrides the other.
>
> I have an FWSM with an OUTSIDE interface that has ACL-1 applied to both inbound and outbound traffic to DENY certain SRC hosts (DENY IP HOST x.x.x.x).
>
> If I now apply an INSIDE ACL-2 to the outbound traffic with a permit IP any any ACE, will ACL-2 now supersede ACL-1 and PERMIT the DENIED traffic?
>
> The ACL-2 was intended for future use and has a permit IP any any for now.
>
> We are running FWSM 4.0(6) with IOS 12.2.SXI7
>
> ACL-1 = deny ip host x.x.x.x
> ACL-2 = permit ip any any
>
> Stumped ??
>
> Thanks for any info.
> Not sure if anybody is still using FWSMs.
>
> Jeff Fitzwater
> Princeton University

