Access list problem

Configurations for ADSL and ISDN connectivity and switches for home users and small networks

Moderator: Federico.Lagni

ManuelHd
n00b
Posts: 23
Joined: Mon 27 Jun 2011, 12:12 am

Hi all,

I have a problem with access lists: I'd like to block a server from accessing two VLANs, except for host A, which is part of VLAN1.
I also want the server to answer HTTP requests coming from outside.

All of this on a Cisco 877W.

Let's say I understand roughly what needs to be done; my config in detail is this (vlan4 is where the server lives):

Code:

! switch port that carries the server's VLAN
interface FastEthernet3
 switchport access vlan 4
!
interface Vlan1
 description internal Vlan
 no ip address
 ip inspect lyraToVLAN1 in
 ip tcp adjust-mss 1452
 bridge-group 1
!
interface Vlan3
 description guest wireless Vlan
 no ip address
 ip access-group 130 in
 ip tcp adjust-mss 1452
 bridge-group 3
!
interface Vlan4
 description lyra's Vlan
 ip address 192.168.4.221 255.255.255.0
 ! 141 is applied "out": it is checked on packets the router forwards
 ! INTO Vlan4, i.e. packets whose destination is in 192.168.4.0/24
 ip access-group 141 out
 ! uRPF and the rate limiter both key off ACL 140
 ip verify unicast reverse-path 140
 ip nat inside
 ip virtual-reassembly
 rate-limit output access-group 140 16000 8000 8000 conform-action continue exceed-action drop
 ip tcp adjust-mss 1452
!
interface Dialer0
 ip address negotiated
 ip access-group 101 in
 ip mtu 1492
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication pap chap callin
 ppp chap hostname benvenuto
 ! type 7 is reversible obfuscation, not encryption; don't paste it in public
 ppp chap password 7 0209174B02120A
!
ip nat translation tcp-timeout 3600
ip nat translation udp-timeout 1200
ip nat translation finrst-timeout 300
ip nat translation syn-timeout 120
ip nat translation dns-timeout 300
ip nat translation icmp-timeout 120
! PAT for the inside networks listed in ACL 1
ip nat inside source list 1 interface Dialer0 overload
! static port forwards: 80 and 4222 go to the server in vlan4
ip nat inside source static tcp 192.168.4.10 80 interface Dialer0 80
ip nat inside source static tcp 192.168.4.10 4222 interface Dialer0 4222
ip nat inside source static tcp 192.168.0.10 9889 interface Dialer0 9889
ip nat inside source static udp 192.168.0.10 9898 interface Dialer0 9898
ip nat inside source static tcp 192.168.0.6 8998 interface Dialer0 8998
ip nat inside source static udp 192.168.0.6 8989 interface Dialer0 8989
!
! ACL 1: inside networks that are PAT'd behind Dialer0
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 1 permit 192.168.3.0 0.0.0.255
access-list 1 permit 192.168.4.0 0.0.0.255
! ACL 101 (in on Dialer0): logs SSH and 4222, blocks telnet, lets everything else in
access-list 101 permit tcp any any eq 22 log
access-list 101 permit tcp any any eq 4222 log
access-list 101 deny   tcp any any eq telnet
access-list 101 permit ip any any
! ACL 140: traffic classes for uRPF and the rate limiter on Vlan4
access-list 140 permit tcp any any eq www
access-list 140 permit tcp any any eq 4222
access-list 140 permit icmp any any
! ACL 141 (out on Vlan4): the deny lines match on DESTINATION 192.168.0.0/24
! and 192.168.3.0/24, but packets leaving via Vlan4 are destined to 192.168.4.0/24
access-list 141 permit tcp any host 192.168.0.10 eq 4222
access-list 141 permit tcp any host 192.168.0.10 eq www
access-list 141 deny   ip any 192.168.0.0 0.0.0.255
access-list 141 deny   ip any 192.168.3.0 0.0.0.255
access-list 141 permit ip any any


The access list that gives me trouble is 141.
From what I understand, having applied it to interface vlan4 as 'out', it should match all the traffic leaving vlan4, but looking at the logs I see that all the traffic going out toward subnet 192.168.0.0 or 192.168.3.0 matches the last rule of the ACL, i.e. access-list 141 permit ip any any.
My idea, obviously, was that it should stop earlier, at the deny.
The first rules of 141 are there to allow communication with the only host in vlan1 that is allowed it.

Can you tell me where I'm going wrong?

Manuel

[EDIT]: although I have some doubts about how effective it is to apply ACLs to the VLANs... but where else can I apply them? I can't on the fastethernet ports.
ManuelHd

OK, the config is this:

Code:

! applied out on Vlan4: source = the host in Vlan1/Vlan3, destination = the server
access-list 141 permit tcp host 192.168.0.10 any eq 4222
access-list 141 permit tcp host 192.168.0.10 any eq www
access-list 141 deny icmp 192.168.0.0 0.0.0.255 any
access-list 141 deny icmp 192.168.3.0 0.0.0.255 any
access-list 141 deny ip 192.168.0.0 0.0.0.255 any
access-list 141 deny ip 192.168.3.0 0.0.0.255 any
access-list 141 permit ip any any
and on vlan 4

Code:

ip access-group 141 out
What I didn't understand was:

why do I have to specify out on vlan 4 when applying the access list?
And above all, why, when I specify in instead, does everything work just the same, except that I have to swap all the source and destination addresses in the ACLs?

Looking in the Cisco manuals, they write that:

The router uses the terms in, out, source, and destination as references. Traffic on the router can be compared to traffic on the highway. If you were a law enforcement officer in Pennsylvania and wanted to stop a truck going from Maryland to New York, the source of the truck is Maryland and the destination of the truck is New York. The roadblock could be applied at the Pennsylvania-New York border (out) or the Maryland-Pennsylvania border (in).

When you refer to a router, these terms have these meanings.

• Out: Traffic that has already been through the router and leaves the interface. The source is where it has been, on the other side of the router, and the destination is where it goes.
• In: Traffic that arrives on the interface and then goes through the router. The source is where it has been and the destination is where it goes, on the other side of the router.
• Inbound: If the access list is inbound, when the router receives a packet, the Cisco IOS software checks the criteria statements of the access list for a match. If the packet is permitted, the software continues to process the packet. If the packet is denied, the software discards the packet.
• Outbound: If the access list is outbound, after the software receives and routes a packet to the outbound interface, the software checks the criteria statements of the access list for a match. If the packet is permitted, the software transmits the packet. If the packet is denied, the software discards the packet.

The in ACL has a source on a segment of the interface to which it is applied and a destination off of any other interface. The out ACL has a source on a segment of any interface other than the interface to which it is applied and a destination off of the interface to which it is applied.

Cheers
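To see concretely why the first version of 141 falls through to permit ip any any and the swapped version from the follow-up does not, here is a small first-match simulator for IOS extended numbered ACLs. It is added as an example and is not code from the original post or from Cisco. The server 192.168.4.10 and host 192.168.0.10 are taken from the thread; the second Vlan1 host 192.168.0.50, the outside client 203.0.113.5 and the port numbers are assumed. It goes one step beyond the thread by running both ACLs in both directions on Vlan4:

```python
import ipaddress

# Added example (not from the original post): a minimal model of how IOS evaluates a
# numbered extended ACL. Entries are tried top to bottom, the first match wins, and
# every ACL ends with an implicit "deny ip any any". Supported entry syntax:
#   access-list N permit|deny <proto> <src> [eq <port>] <dst> [eq <port>] [log]
# where <src>/<dst> is "any", "host A.B.C.D" or "A.B.C.D W.W.W.W" (contiguous wildcard).

_PORT_NAMES = {"www": 80, "telnet": 23, "ssh": 22, "domain": 53}


def _parse_addr(tokens, i):
    """Parse one address specifier at tokens[i]; return (ip_network, next index)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    addr, wildcard = tokens[i], tokens[i + 1]
    # IOS wildcard: 0 bits must match, 1 bits are "don't care"; invert it into a netmask
    netmask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard)))
    return ipaddress.ip_network(f"{addr}/{netmask}", strict=False), i + 2


def _parse_port(tokens, i):
    """Parse an optional 'eq <port>' at tokens[i]; return (port or None, next index)."""
    if i < len(tokens) and tokens[i] == "eq":
        p = tokens[i + 1]
        return (int(p) if p.isdigit() else _PORT_NAMES[p]), i + 2
    return None, i


def parse_acl(text):
    """Turn 'access-list N ...' lines into (action, proto, src, sport, dst, dport, text)."""
    entries = []
    for line in text.strip().splitlines():
        t = line.split()
        if not t or t[0] != "access-list":
            continue
        action, proto = t[2], t[3]
        src, i = _parse_addr(t, 4)
        sport, i = _parse_port(t, i)
        dst, i = _parse_addr(t, i)
        dport, i = _parse_port(t, i)
        entries.append((action, proto, src, sport, dst, dport, " ".join(t)))
    return entries


def evaluate(entries, proto, src, dst, sport=None, dport=None):
    """Return (verdict, matching entry) for one packet; first match wins, implicit deny last."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, eproto, esrc, esport, edst, edport, text in entries:
        if eproto != "ip" and eproto != proto:
            continue
        if s not in esrc or d not in edst:
            continue
        if esport is not None and esport != sport:
            continue
        if edport is not None and edport != dport:
            continue
        return action, text
    return "deny", "implicit deny ip any any"


# ACL 141 as posted first, and the version from the follow-up post
ORIGINAL_141 = """
access-list 141 permit tcp any host 192.168.0.10 eq 4222
access-list 141 permit tcp any host 192.168.0.10 eq www
access-list 141 deny   ip any 192.168.0.0 0.0.0.255
access-list 141 deny   ip any 192.168.3.0 0.0.0.255
access-list 141 permit ip any any
"""
FIXED_141 = """
access-list 141 permit tcp host 192.168.0.10 any eq 4222
access-list 141 permit tcp host 192.168.0.10 any eq www
access-list 141 deny icmp 192.168.0.0 0.0.0.255 any
access-list 141 deny icmp 192.168.3.0 0.0.0.255 any
access-list 141 deny ip 192.168.0.0 0.0.0.255 any
access-list 141 deny ip 192.168.3.0 0.0.0.255 any
access-list 141 permit ip any any
"""

SERVER = "192.168.4.10"   # the Vlan4 server, taken from the thread's static NAT lines
HOST_A = "192.168.0.10"   # the single Vlan1 host the server may talk to
OTHER = "192.168.0.50"    # assumed: any other Vlan1 host
OUTSIDE = "203.0.113.5"   # assumed: an Internet client, as seen after the static NAT


def sample_packets(direction):
    """Constructed packets (proto, src, dst, sport, dport) a Vlan4 ACL would see.
    'out' on Vlan4 is checked on packets the router forwards INTO Vlan4, so the
    destination is always the server; 'in' sees the server's own packets instead."""
    if direction == "out":
        return [
            ("tcp", OTHER, SERVER, 40001, 80),     # another Vlan1 host browsing the server
            ("tcp", HOST_A, SERVER, 40002, 4222),  # host A on a permitted port
            ("tcp", OUTSIDE, SERVER, 40003, 80),   # outside HTTP client via the static NAT
        ]
    return [
        ("tcp", SERVER, OTHER, 40004, 445),   # the server probing another Vlan1 host
        ("tcp", SERVER, HOST_A, 40005, 80),   # the server talking to host A
        ("tcp", SERVER, OUTSIDE, 80, 40003),  # HTTP reply to the outside client
    ]


def verdicts(acl_text, direction):
    """Verdict per sample packet for acl_text applied in that direction on Vlan4."""
    entries = parse_acl(acl_text)
    return [evaluate(entries, *pkt)[0] for pkt in sample_packets(direction)]


if __name__ == "__main__":
    for name, acl in (("original", ORIGINAL_141), ("fixed", FIXED_141)):
        for direction in ("out", "in"):
            print(f"{name:8s} 141 {direction:3s}: {verdicts(acl, direction)}")
```

The 'out' rows show the original ACL permitting all three packets, because everything an outbound ACL on Vlan4 sees is destined to 192.168.4.0/24 and the deny lines match on a destination of 192.168.0.0/24; the same ACL applied 'in' on Vlan4 denies the server's probe, while the swapped version only denies in the 'out' direction. That is the source/destination swap the follow-up describes: each direction has to be written for the packets it actually sees. The model only handles contiguous wildcard masks and `eq` port matches, which is all ACL 141 uses.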