Can't get ACL's to work

Kind of a big deal

Can't get ACL's to work

Can someone please have a look at the below ACL rule and tell me what I am doing wrong, hopefully it's something simple but I would have thought rule number 1 would allow the traffic on port 9191 and the second rule blocking all other traffic... If I only have the default allow all rule I can access the service on port 9191 so it's not a tagging issue.

 

Screen Shot 2018-04-12 at 2.01.16 PM.png

Meraki CMNO, Ruckus WISE, Sonicwall CSSA, Allied Telesis CASE & CAI
Kind of a big deal

Re: Can't get ACL's to work

The second rule should be "Any" rather than just "TCP", assuming you want to block all other traffic.

Kind of a big deal

Re: Can't get ACL's to work

@PhilipDAth Yes, I changed that shortly after, but from the device listed in rule one I cannot send traffic via port 9191 to the destination subnet. I can't work out why this isn't working.

Meraki CMNO, Ruckus WISE, Sonicwall CSSA, Allied Telesis CASE & CAI
Kind of a big deal

Re: Can't get ACL's to work

Is this an MX or MS?

Kind of a big deal

Re: Can't get ACL's to work

And you are 100% sure the service is using tcp/9191?  A quick capture on the inbound port would help prove that.

Kind of a big deal

Re: Can't get ACL's to work

Screen Shot 2018-04-12 at 3.05.52 PM.png

If I change it to this it works... The problem is I only want to allow that single IP access.

Meraki CMNO, Ruckus WISE, Sonicwall CSSA, Allied Telesis CASE & CAI
Kind of a big deal

Re: Can't get ACL's to work

It's an MS unit, an MS425-32.

 

Meraki CMNO, Ruckus WISE, Sonicwall CSSA, Allied Telesis CASE & CAI
Kind of a big deal

Re: Can't get ACL's to work

I'm going to bet it is not using tcp/9191 - or it requires tcp/9191 and something else.

Kind of a big deal

Re: Can't get ACL's to work

If you also make the destination port "any" and leave the source host restriction does it also work?

Kind of a big deal

Re: Can't get ACL's to work

I'll try and get back to you.

Meraki CMNO, Ruckus WISE, Sonicwall CSSA, Allied Telesis CASE & CAI
Kind of a big deal

Re: Can't get ACL's to work

Setting the dest port to any works. The software is PaperCut and I am accessing the server via a web browser with the URL http://192.168.1.5:9191

 

I tried creating another rule for 9192, which is their HTTPS port, but this didn't work either.

Meraki CMNO, Ruckus WISE, Sonicwall CSSA, Allied Telesis CASE & CAI
Kind of a big deal

Re: Can't get ACL's to work

Google tells me it needs:

tcp/9191

tcp/9192

tcp/9193

 

https://www.papercut.com/kb/Main/FirewallPorts

Kind of a big deal

Re: Can't get ACL's to work

Personally, I would do a packet capture on the port that a user is plugged into, and see what ports it tries to access.

Kind of a big deal

Re: Can't get ACL's to work

Odd, I have done exactly the same setup with a firewall rather than a switch and it worked just using port 9191. Thanks for your help but we might just go down the firewall avenue.

 

As ACLs don't support adding ranges and a ton of our services use a range of ports, I'd rather not have to add a rule for every single port.

 

Thanks again for your help.

Meraki CMNO, Ruckus WISE, Sonicwall CSSA, Allied Telesis CASE & CAI
Head in the Cloud

Re: Can't get ACL's to work

Hi Richard

 

I believe ACLs in switches work a little differently compared to the MX.

 

Did you get a chance to look at the following URL?

https://documentation.meraki.com/MS/Other_Topics/Switch_ACL_Operation

Cheers
Ajit
ajitsnw@gmail.com
https://www.linkedin.com/in/ajitkumarverma/
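A small model of the behaviour the linked article describes, added here as an illustration and not code from Meraki or from anyone in this thread. It assumes MS switch ACLs are stateless first-match lists (each packet is judged on its own header, with no connection memory), uses a constructed client address 10.10.10.25 with the thread's 192.168.1.5:9191 PaperCut URL, and shows why the two-rule list from the original post permits the request but drops the server's reply until a matching return rule is added, one rule per port and direction since ranges are not available.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Rule:
    action: str                  # "allow" or "deny"
    proto: str = "any"           # "tcp", "udp" or "any"
    src: str = "any"             # CIDR, host/32 or "any"
    sport: Optional[int] = None  # None = any source port
    dst: str = "any"
    dport: Optional[int] = None  # None = any destination port
    comment: str = ""

def _in_net(cidr: str, ip: str) -> bool:
    return cidr == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)

def evaluate(rules, pkt):
    """Stateless first-match lookup over pkt keys proto, src, sport, dst, dport."""
    for r in rules:
        if r.proto != "any" and r.proto != pkt["proto"]:
            continue
        if not (_in_net(r.src, pkt["src"]) and _in_net(r.dst, pkt["dst"])):
            continue
        if r.sport is not None and r.sport != pkt["sport"]:
            continue
        if r.dport is not None and r.dport != pkt["dport"]:
            continue
        return r.action, r.comment
    return "allow", "default allow"  # nothing matched and no explicit deny-all was configured

def stateless_rules(client: str, server_net: str, ports=(9191,), deny_rest=True):
    """One allow rule per port and direction (no ranges), then an optional deny-all."""
    rules = []
    for p in ports:
        rules.append(Rule("allow", "tcp", src=f"{client}/32", dst=server_net, dport=p,
                          comment=f"client -> server tcp/{p}"))
        rules.append(Rule("allow", "tcp", src=server_net, sport=p, dst=f"{client}/32",
                          comment=f"server -> client replies from tcp/{p}"))
    if deny_rest:
        rules.append(Rule("deny", comment="block everything else"))
    return rules

# Constructed sample addresses; 192.168.1.5:9191 is the PaperCut URL from the thread.
CLIENT, SERVER, SERVER_NET = "10.10.10.25", "192.168.1.5", "192.168.1.0/24"
REQUEST = {"proto": "tcp", "src": CLIENT, "sport": 51234, "dst": SERVER, "dport": 9191}
REPLY = {"proto": "tcp", "src": SERVER, "sport": 9191, "dst": CLIENT, "dport": 51234}
# The original post's two rules: forward direction only, then deny everything.
THREAD_RULES = [Rule("allow", "tcp", src=f"{CLIENT}/32", dst=SERVER_NET, dport=9191, comment="rule 1"),
                Rule("deny", comment="rule 2")]
```

With the full PaperCut port list from the thread, `stateless_rules(CLIENT, SERVER_NET, ports=(9191, 9192, 9193))` yields seven rules, which is worth keeping in mind against the switch rule limit mentioned later in the thread.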
dpf
Here to help

Re: Can't get ACL's to work

MS does not support IP ranges for ACLs; I've been asking for this feature for a while.

Kind of a big deal

Re: Can't get ACL's to work

@AjitKumar yes I have read that article thanks.

 

 

@dpf Yes, this has led to a decision to use a firewall instead of using our core MS unit.

Meraki CMNO, Ruckus WISE, Sonicwall CSSA, Allied Telesis CASE & CAI
dpf
Here to help

Re: Can't get ACL's to work

There's also a 128 rule limit placed on switches, so if you decide to use L3 routing with completely granular ACLs, be careful.
