Can't get ACL's to work

Kind of a big deal

Can someone please have a look at the below ACL rule and tell me what I am doing wrong? Hopefully it's something simple, but I would have thought rule number 1 would allow the traffic on port 9191 and the second rule would block all other traffic.... If I only have the default allow all rule I can access the service on port 9191, so it's not a tagging issue.

Screen Shot 2018-04-12 at 2.01.16 PM.png

Meraki CMNO, Ruckus WISE, Sonicwall CSSA, Allied Telesis CASE & CAI
17 REPLIES
Kind of a big deal

Re: Can't get ACL's to work

The second rule should be "Any" rather than just "TCP", assuming you want to block all other traffic.

Kind of a big deal

Re: Can't get ACL's to work

@PhilipDAth Yes, I changed that shortly after, but from the device listed in rule one I cannot send traffic via port 9191 to the destination subnet. I can't work out why this isn't working.

Meraki CMNO, Ruckus WISE, Sonicwall CSSA, Allied Telesis CASE & CAI
Kind of a big deal

Re: Can't get ACL's to work

Is this an MX or MS?

Kind of a big deal

Re: Can't get ACL's to work

And you are 100% sure the service is using tcp/9191?  A quick capture on the inbound port would help prove that.

Kind of a big deal

Re: Can't get ACL's to work

Screen Shot 2018-04-12 at 3.05.52 PM.png

If I change it to this it works... The problem is I only want to allow that single IP access.

Meraki CMNO, Ruckus WISE, Sonicwall CSSA, Allied Telesis CASE & CAI
Kind of a big deal

Re: Can't get ACL's to work

It's an MS unit, an MS425-32.

Meraki CMNO, Ruckus WISE, Sonicwall CSSA, Allied Telesis CASE & CAI
Kind of a big deal

Re: Can't get ACL's to work

I'm going to bet it is not using tcp/9191 - or it requires tcp/9191 and something else.

Kind of a big deal

Re: Can't get ACL's to work

If you also make the destination port "any" and leave the source host restriction does it also work?

Kind of a big deal

Re: Can't get ACL's to work

I'll try and get back to you.

Meraki CMNO, Ruckus WISE, Sonicwall CSSA, Allied Telesis CASE & CAI
Kind of a big deal

Re: Can't get ACL's to work

Setting the dest port to any works. The software is PaperCut and I am accessing the server via a web browser with the URL http://192.168.1.5:9191

I tried creating another rule for 9192, which is their HTTPS port, but this didn't work either.

Meraki CMNO, Ruckus WISE, Sonicwall CSSA, Allied Telesis CASE & CAI
Kind of a big deal

Re: Can't get ACL's to work

Google tells me it needs:

tcp/9191
tcp/9192
tcp/9193

https://www.papercut.com/kb/Main/FirewallPorts

Kind of a big deal

Re: Can't get ACL's to work

Personally, I would do a packet capture on the port that a user is plugged into, and see what ports it tries to access.

Kind of a big deal

Re: Can't get ACL's to work

Odd, I have done exactly the same setup with a firewall rather than a switch and it worked just using port 9191. Thanks for your help, but we might just go down the firewall avenue.

As the ACL doesn't support adding in ranges and a ton of our services use a range of ports, I'd rather not have to add in a rule for every single port.

Thanks again for your help.

Meraki CMNO, Ruckus WISE, Sonicwall CSSA, Allied Telesis CASE & CAI
A model citizen

Re: Can't get ACL's to work

Hi Richard

I believe ACLs in switches work a little differently as compared to MX.

Did you get a chance to look at the following URL?

https://documentation.meraki.com/MS/Other_Topics/Switch_ACL_Operation

Cheers
Ajit
ajitsnw@gmail.com
dpf
Here to help

Re: Can't get ACL's to work

MS does not support IP ranges for ACLs; I've been asking for this feature for a while.

Kind of a big deal

Re: Can't get ACL's to work

@AjitKumar Yes, I have read that article, thanks.

@dpf Yes, this has led to a decision to use a firewall instead of using our core MS unit.

Meraki CMNO, Ruckus WISE, Sonicwall CSSA, Allied Telesis CASE & CAI
dpf
Here to help

Re: Can't get ACL's to work

There's also a 128 rule limit placed on switches, so if you decide to use L3 routing with completely granular ACLs, be careful.
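The rule sets discussed above (the original allow-9191-then-deny pair, the "dest port any" variant, and the three PaperCut ports with the 128-rule limit), rerun through a stateless first-match model. This is an added example, not code from the thread or from Meraki; it assumes MS ACLs judge each packet on its own with a default allow rule at the end (the behaviour the linked Switch_ACL_Operation article describes), and the client address, server subnet and ephemeral source port are constructed. It reports which rule the request and the server's reply each hit, so a rule set can be checked before it is pushed to the switch.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed sample values; the thread only names the PaperCut server 192.168.1.5:9191.
CLIENT = "192.168.10.20"       # assumed workstation that should be allowed through
SERVER = "192.168.1.5"         # PaperCut server from the thread
SERVER_NET = "192.168.1.0/24"  # assumed destination subnet used in the rule
EPHEMERAL = 51515              # constructed client-side source port
MS_RULE_LIMIT = 128            # per-switch ACL rule limit mentioned in the thread

@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    proto: str             # "tcp", "udp" or "any"
    src: str               # CIDR or "any"
    sport: Optional[int]   # None means any port
    dst: str
    dport: Optional[int]

def _net_ok(net, ip):
    return net == "any" or ip_address(ip) in ip_network(net, strict=False)

def _port_ok(rule_port, port):
    return rule_port is None or rule_port == port

def evaluate(rules, proto, src, sport, dst, dport):
    """Stateless first-match: returns (action, 1-based rule index); 0 = default allow."""
    for i, r in enumerate(rules, 1):
        if (r.proto in ("any", proto) and _net_ok(r.src, src) and _port_ok(r.sport, sport)
                and _net_ok(r.dst, dst) and _port_ok(r.dport, dport)):
            return r.action, i
    return "allow", 0

def check_session(rules, client, server, dport, sport=EPHEMERAL, proto="tcp"):
    """Verdict for the client's request and, separately, for the server's reply packet."""
    return {"forward": evaluate(rules, proto, client, sport, server, dport),
            "reply": evaluate(rules, proto, server, dport, client, sport)}

def papercut_rules(client, server_net, ports=(9191, 9192, 9193)):
    """One allow per port per direction (no port ranges on MS), then deny everything else."""
    rules = []
    for port in ports:
        rules.append(Rule("allow", "tcp", f"{client}/32", None, server_net, port))
        rules.append(Rule("allow", "tcp", server_net, port, f"{client}/32", None))
    rules.append(Rule("deny", "any", "any", None, "any", None))
    if len(rules) > MS_RULE_LIMIT:
        raise ValueError(f"{len(rules)} rules exceed the {MS_RULE_LIMIT}-rule switch limit")
    return rules

ORIGINAL = [Rule("allow", "tcp", f"{CLIENT}/32", None, SERVER_NET, 9191),
            Rule("deny", "any", "any", None, "any", None)]
```

Under this model the original pair lets the request through on rule 1 but the server's reply, whose source is the server and not the allowed host, falls to the deny on rule 2; the generated set adds the explicit return rules.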
