firewallToday I came across an interesting case when troubleshooting an access list. The device was a Cisco 1921 which had an access list defined to permit certain hosts’ incoming traffic from the outside to an FTP server. What was interesting is that the access list only contained permit statements (apart from the implicit deny at the end), but traffic from the outside was being blocked at lines 1-10, before any deny statements. The access list looked something like this;

ip access-list extended OUTSIDE-IN
1 permit host 8.8.8.8 host 202.124.42.24 eq ftp
2 permit host 8.8.8.8 host 202.124.42.24 eq ftp-data
10 permit x.x.x.x host 202.124.42.24 eq ftp
20 permit x.x.x.x host 202.124.42.24 eq ftp-data

If I moved lines 1 and 2 to line 3 and 4, the traffic was matching correctly and was permitted, but not when the rules were located at line 1 and 2.

ip access-list extended OUTSIDE-IN
3 permit tcp host 8.8.8.8 host 202.124.42.24 eq ftp (Matches 6)
4 permit tcp host 8.8.8.8 host 202.124.42.24 eq ftp-data
10 permit tcp x.x.x.x host 202.124.42.24 eq ftp
20 permit tcp x.x.x.x host 202.124.42.24 eq ftp-data

A permit statement on line 1 from any host to the outside address permitted traffic as you’d imagine. When removing the any host to outside address eq ftp, traffic should have been matching the lines at 3 and 4, but were not.

I ended up recreating the access list as I figured the router may be having an issue with the spacing of the access list as it had been altered quite a bit which required use of ranges 1-9, 11-19 etc.

The end result looked something like this and all source hosts were able to access the FTP server without any issues.

ip access-list extended OUTSIDE-IN
10 permit tcp host 8.8.8.8 host 202.124.42.24 eq ftp
20 permit tcp host 8.8.8.8 host 202.124.42.24 eq ftp-data
30 permit tcp x.x.x.x host 202.124.42.24 eq ftp
40 permit tcp x.x.x.x host 202.124.42.24 eq ftp-data

This was my first hiccup with a Cisco device not behaving as it should, and I’m sure it’s not going to be the last. I just hope something finicky doesn’t occur with something like a complex VPN or god forbid, NAT.

About The Author

Timothy started his networking career in 2014, working for one of the largest telecommunication operators in Australia. He has a passion for networking and cyber security. When he's not working, he's obsessing over German Shepherd Dogs.