Can't get ACLs to work

BlakeRichardson
Kind of a big deal

Can someone please have a look at the below ACL rule and tell me what I am doing wrong? Hopefully it's something simple, but I would have thought rule number 1 would allow the traffic on port 9191 and the second rule would block all other traffic.... If I only have the default allow all rule I can access the service on port 9191, so it's not a tagging issue.

[screenshot of the ACL rules attached]

17 Replies
PhilipDAth
Kind of a big deal

The second rule should be "Any" rather than just "TCP", assuming you want to block all other traffic.

BlakeRichardson
Kind of a big deal

@PhilipDAth Yes, I changed that shortly after, but from the device listed in rule one I cannot send traffic via port 9191 to the destination subnet. I can't work out why this isn't working.

PhilipDAth
Kind of a big deal

Is this an MX or MS?

BlakeRichardson
Kind of a big deal

[screenshot of the modified ACL rules attached]

If I change it to this it works.... The problem is I only want to allow that single IP access. 

BlakeRichardson
Kind of a big deal

It's an MS unit, MS425-32.

PhilipDAth
Kind of a big deal

I'm going to bet it is not using tcp/9191 - or it requires tcp/9191 and something else.

PhilipDAth
Kind of a big deal

If you also make the destination port "any" and leave the source host restriction does it also work?

BlakeRichardson
Kind of a big deal

I'll try and get back to you.

BlakeRichardson
Kind of a big deal

Setting the dest port to any works. The software is PaperCut and I am accessing the server via a web browser with the URL http://192.168.1.5:9191

I tried creating another rule for 9192, which is their HTTPS port, but this didn't work either.

PhilipDAth
Kind of a big deal

Google tells me it needs:

tcp/9191
tcp/9192
tcp/9193

https://www.papercut.com/kb/Main/FirewallPorts

PhilipDAth
Kind of a big deal

Personally, I would do a packet capture on the port that a user is plugged into, and see what ports it tries to access.

BlakeRichardson
Kind of a big deal

Odd, I have done exactly the same setup with a firewall rather than a switch and it worked just using port 9191. Thanks for your help, but we might just go down the firewall avenue.

As ACL doesn't support adding in ranges and a ton of our services use a range of ports, I'd rather not have to add in a rule for every single port.

Thanks again for your help.

AjitKumar
Head in the Cloud

Hi Richard

I believe ACLs in switches work a little differently compared to the MX.

Did you get a chance to look at the following URL?

https://documentation.meraki.com/MS/Other_Topics/Switch_ACL_Operation

Regards,
Ajit
AjitsNW@gmail.com
www.ajit.network

PhilipDAth
Kind of a big deal

And you are 100% sure the service is using tcp/9191?  A quick capture on the inbound port would help prove that.

dpf
Here to help

MS does not support IP ranges for ACLs; I've been asking for this feature for a while.

BlakeRichardson
Kind of a big deal

@AjitKumar Yes, I have read that article, thanks.

@dpf Yes, this has led to a decision to use a firewall instead of using our core MS unit.

dpf
Here to help

There's also a 128-rule limit placed on switches, so if you decide to use L3 routing with completely granular ACLs, be careful.
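An added example, not from anyone in this thread: a small first-match ACL evaluator with the dashboard's implicit allow-all at the end. It shows how the single tcp/9191 rule treats the other PaperCut ports listed above, and how emitting one rule per port (since ranges are not supported) counts against the 128-rule limit. The client address 192.168.1.50 is constructed; the server address and port list come from the thread.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Iterable, List, Optional

MS_ACL_RULE_LIMIT = 128  # switch rule limit mentioned in the thread


@dataclass(frozen=True)
class Rule:
    action: str                 # "allow" or "deny"
    proto: str                  # "tcp", "udp" or "any"
    src: str                    # CIDR or "any"
    dst: str                    # CIDR or "any"
    dport: Optional[int] = None  # None means "any" destination port


def _matches(net: str, addr: str) -> bool:
    return net == "any" or ip_address(addr) in ip_network(net, strict=False)


def evaluate(acl: List[Rule], proto: str, src: str, dst: str, dport: int) -> str:
    """First matching rule wins; the default rule at the end allows the rest."""
    for r in acl:
        if r.proto != "any" and r.proto != proto:
            continue
        if not (_matches(r.src, src) and _matches(r.dst, dst)):
            continue
        if r.dport is not None and r.dport != dport:
            continue
        return r.action
    return "allow"


def allow_ports(proto: str, src: str, dst: str, ports: Iterable[int]) -> List[Rule]:
    """No port ranges on MS ACLs: one allow rule per port is the only option."""
    return [Rule("allow", proto, src, dst, p) for p in ports]


def within_rule_limit(acl: List[Rule]) -> bool:
    return len(acl) <= MS_ACL_RULE_LIMIT


# Constructed client address; the server is the PaperCut host from the thread.
CLIENT, SERVER = "192.168.1.50", "192.168.1.5"
PAPERCUT_PORTS = (9191, 9192, 9193)  # per the PaperCut firewall-ports KB
DENY_REST = Rule("deny", "any", "any", "any")

ACL_9191_ONLY = [Rule("allow", "tcp", f"{CLIENT}/32", f"{SERVER}/32", 9191), DENY_REST]
ACL_ALL_PAPERCUT = allow_ports("tcp", f"{CLIENT}/32", f"{SERVER}/32", PAPERCUT_PORTS) + [DENY_REST]

if __name__ == "__main__":
    for port in PAPERCUT_PORTS:
        print(port, evaluate(ACL_9191_ONLY, "tcp", CLIENT, SERVER, port),
              evaluate(ACL_ALL_PAPERCUT, "tcp", CLIENT, SERVER, port))
```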
