- Re: ProCurve 6600 extended access list
09-20-2012 09:10 AM
I'm trying to configure a ProCurve 6600 with an extended access list to
control access to some Tomcat ports on a group of servers behind the
6600. I want to allow all servers in a given ip range access to tcp
port 8080 and deny all others.
Here is a depiction of the network setup:
+--------------------+
+-----------------+ | | +----------------+
| 7.210.93.190/25 +--7.212.253.121/25--+ company network +---+ 7.215.96.32/27 |
+-----------------+ | | +----------------+
^ +--------------------+
|
ProCurve 6600
here
Hosts in the 7.210.93.190 enclave we are trying to restrict connections to are:
7.210.93.181 - 7.210.93.185
Here are the VLANs:
vlan 734
name "uplink"
ip address 7.212.253.121 255.255.255.248
vlan 998
name "enclave"
ip address 7.210.93.190 255.255.255.128
Here is the access list I tried to create:
ip access-list extended VLAN734-in
remark "Allow Windows 2008 servers to the Tomcat Search Indexes"
permit tcp 7.215.96.32/27 eq 8080 host 7.210.93.181
permit tcp 7.215.96.32/27 eq 8080 7.210.93.182/30
permit tcp 7.215.96.32/27 eq 8080 7.210.93.184/30
deny tcp any eq 8080 host 7.210.93.181
deny tcp any eq 8080 7.210.93.182/30
deny tcp any eq 8080 7.210.93.184/30
permit ip any any
vlan 734 ip access-group VLAN734-in in
After installing it, I was still able to access tcp port 8080
from a workstation outside the 7.215.96.32/27 network. Any suggestions
about what I may have wrong?
Thanks!
09-20-2012 09:36 AM
Re: ProCurve 6600 extended access list
At a quick glance, the address range on the enclave VLAN doesn't match your server addresses; is that correct?
Also, it's probably more efficient to apply the ACL outbound to vlan 998 rather than inbound on the switch uplink.
09-20-2012 09:42 AM
Re: ProCurve 6600 extended access list
Ah, typo on my part. The network is 7.210.93.128/25. Not sure where I got the .190 :)
So,
vlan 998 ip access-group VLAN734-in out
instead? I'll give that a try in the morning.
Thanks!
09-24-2012 06:52 AM
Re: ProCurve 6600 extended access list
Rats, putting it on vlan 998 outbound didn't make any difference either. It can't be this difficult. :(
I was putting it on vlan 734 in the in-bound direction because that is where the 6600 will first encounter the packets. That is, all packets outside of the enclave behind the 6600 come in through this vlan. So, I thought that would make the most sense to allow incoming traffic to tcp port 8080 only from a given group of ips and block it from all others? I guess I need to go back and read the manual again. :)
09-24-2012 07:38 AM
Re: ProCurve 6600 extended access list
09-24-2012 07:51 AM
Re: ProCurve 6600 extended access list
I was looking at the Access Security Guide for K.15.01. Page 399 shows the syntax to be:
permit tcp SA/<mask-length> [comparison operator] DA/<mask-length>
which is why I came up with:
permit tcp 7.215.96.32/27 eq 8080 7.210.93.182/30
for example. However, on page 421, it shows a deny statement as:
deny tcp 10.11.11.101 0.0.0.0 0.0.0.0 255.255.255.255 eq 23
which shows the comparison operator at the end. The switch OS doesn't complain about either syntax. I would assume it would say one is incorrect. Does anyone know which is correct, or does it matter?
Thanks!
09-24-2012 08:17 AM - edited 09-24-2012 08:18 AM
permit tcp 7.215.96.32/27 eq 8080 7.210.93.182/30
This statement denies access to connections from the subnet 7.215.96.32/27 with a source port of 8080 to the subnet 7.210.92.182/30
deny tcp 10.11.11.101 0.0.0.0 0.0.0.0 255.255.255.255 eq 23
This statement denies access to the host 10.11.11.101 to any host with a destination port of 23 (telnet).
You want:
permit tcp 7.215.96.32/27 7.210.93.182/30 eq 8080
and
deny tcp any 7.210.93.182/30 eq 8080
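To make the operator-position point concrete, here is an added Python model (not from the thread or from HPE) of how a ProCurve-style extended ACE is matched: it parses the two ACL shapes from this thread and evaluates a constructed client connection against each. The packets and the 10.0.0.5 client address are constructed, and the model covers only the `eq` operator on TCP/IP entries, so it approximates rather than reproduces the switch's matcher.

```python
import ipaddress

def parse_ace(line):
    """Parse one ProCurve-style extended ACE:
    <permit|deny> <ip|tcp> <src> [eq PORT] <dst> [eq PORT]
    'eq' after the source matches the SOURCE port; after the destination, the DESTINATION port."""
    toks, i = line.split(), 2
    ace = {"action": toks[0]}
    for side in ("src", "dst"):
        if toks[i] == "any":
            ace[side], i = ipaddress.ip_network("0.0.0.0/0"), i + 1
        elif toks[i] == "host":
            ace[side], i = ipaddress.ip_network(toks[i + 1] + "/32"), i + 2
        else:  # strict=False: 7.210.93.182/30 is read as the .180/30 block (.180-.183)
            ace[side], i = ipaddress.ip_network(toks[i], strict=False), i + 1
        ace[side + "_port"] = None
        if i < len(toks) and toks[i] == "eq":
            ace[side + "_port"], i = int(toks[i + 1]), i + 2
    return ace

def evaluate(acl, pkt):
    """First matching ACE wins; pkt = (src_ip, src_port, dst_ip, dst_port).
    Anything unmatched hits the implicit deny at the end of the ACL."""
    src, sport, dst, dport = pkt
    for ace in map(parse_ace, acl):
        if (ipaddress.ip_address(src) in ace["src"]
                and ipaddress.ip_address(dst) in ace["dst"]
                and ace["src_port"] in (None, sport)
                and ace["dst_port"] in (None, dport)):
            return ace["action"]
    return "deny"

# The shape used in the first post: 'eq 8080' follows the SOURCE network.
ORIGINAL_ACL = [
    "permit tcp 7.215.96.32/27 eq 8080 7.210.93.182/30",
    "deny tcp any eq 8080 7.210.93.182/30",
    "permit ip any any",
]
# The shape from the accepted answer: 'eq 8080' follows the DESTINATION network.
FIXED_ACL = [
    "permit tcp 7.215.96.32/27 7.210.93.182/30 eq 8080",
    "deny tcp any 7.210.93.182/30 eq 8080",
    "permit ip any any",
]
# Constructed packets: a TCP client uses an ephemeral source port (here 51000),
# so an ACE keyed on SOURCE port 8080 never matches it and falls through.
OUTSIDER = ("10.0.0.5", 51000, "7.210.93.183", 8080)   # should be blocked
ALLOWED = ("7.215.96.40", 51000, "7.210.93.183", 8080)  # should pass
```

Against ORIGINAL_ACL both clients fall through to `permit ip any any`, which is exactly the symptom reported in the first post; against FIXED_ACL the outsider is denied and the 7.215.96.32/27 client is permitted.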
09-24-2012 10:19 AM
Re: ProCurve 6600 extended access list
That is what I thought. I'm going to give it a try in the morning.
Thanks!
09-25-2012 04:48 AM
Re: ProCurve 6600 extended access list
It seems to be working. :)
Thanks everyone for your help!