https://community.cisco.com/t5/network-security/need-help-with-an-acl/m-p/3299884#M1007067 <P>Hi,</P> <P>&nbsp;</P> <P>You will need two access lists, one for each direction. The access-list applied in the "out" direction will contain the traffic that is going to your new vlan and the access-list applied in the "in"will contain traffic going to you servers.</P> <P>&nbsp;</P> <P>Thanks</P> <P>John</P> Thu, 21 Dec 2017 07:35:03 GMT johnd2310 2017-12-21T07:35:03Z https://community.cisco.com/t5/network-security/need-help-with-an-acl/m-p/3299634#M1007064 <P>&nbsp;</P> <DIV class="usertext-body may-blank-within md-container "> <DIV class="md"> <P>Hi all,</P> <P>I am trying to make an ACL on my layer 3 switches (in HSRP) that would allow a new VLAN on my network to be accessible via RDP and ICMP from all other user VLAN's. Also, the server VLAN needs to do ICMP as well as TCP and UDP 445 to this new VLAN. And the new VLAN needs to access the following on the server VLAN:</P> <P>UDP Port 88 for Kerberos authentication UDP and TCP 135 for domain controllers-to-domain controller and client to domain controller operations. UDP 389 for LDAP to handle normal queries from client computers to the domain controllers. TCP and UDP Port 464 for Kerberos Password Change TCP Port 3268 and 3269 for Global Catalog from client to domain controller. TCP and UDP Port 53 for DNS from client to domain controller and domain controller to domain controller. TCP &amp; UDP 49152-65535 the ephemeral ports are required ICMP (Echo)</P> <P>The following are the VLAN id's with the co-responding names:&nbsp;</P> <UL> <LI>vlan 20 - Servers - 10.10.20.0/22</LI> <LI>vlan 30 - User 1 - 10.10.30.0/24</LI> <LI>vlan 31 - User 2 - 10.10.31.0/24</LI> <LI>vlan 32 - User 3 - 10.10.32.0/24</LI> <LI>vlan 33 - User 4 - 10.10.33.0/24</LI> <LI>vlan 34 - User 5 - 10.10.34.0/24</LI> <LI>vlan 35 - User 6 - 10.10.35.0/24</LI> <LI>vlan 36 - User 7 - 10.10.36.0/24</LI> <LI>vlan 37 - User 8 - 10.10.30.0/24</LI> <LI>vlan 38 - User 9 - 10.10.30.0/24</LI> <LI>vlan 39 - User 10 - 10.10.30.0/24</LI> <LI>vlan 40 - User 11 - 10.10.40.0/24</LI> <LI>vlan 184 - Restricted user - 10.10.184.0/25</LI> </UL> <P>&nbsp;</P> <P>The following is what I have currently in my ACL but its not working properly.&nbsp;I am not able to RDP into my test system on the new vlan from anywhere.&nbsp;I am also not able to authenticate with Active directory to log into windows with the domain account.</P> <PRE><CODE>ip access-list extended RESTRICT-VLAN184-IN remark Allow ICMP permit icmp any any echo-reply remark Allow RDP permit tcp any any eq 3389 permit udp any any eq 3389 remark Allow VLAN20 permit tcp any 10.10.20.0 0.0.3.255 eq www permit tcp any 10.10.20.0 0.0.3.255 eq domain permit tcp any 10.10.20.0 0.0.3.255 eq 443 permit tcp any 10.10.20.0 0.0.3.255 eq 52230 permit tcp any 10.10.20.0 0.0.3.255 eq 135 permit tcp any 10.10.20.0 0.0.3.255 eq 464 permit tcp any 10.10.20.0 0.0.3.255 range 3268 3269 permit tcp any 10.10.20.0 0.0.3.255 range 49152 65535 permit udp any 10.10.20.0 0.0.3.255 eq domain permit udp any 10.10.20.0 0.0.3.255 eq 88 permit udp any 10.10.20.0 0.0.3.255 eq 135 permit udp any 10.10.20.0 0.0.3.255 eq 389 permit udp any 10.10.20.0 0.0.3.255 eq 464 permit udp any 10.10.20.0 0.0.3.255 range 49152 65535 remark Deny all other VLANS deny ip any 10.10.0.0 0.0.255.255 remark Allow internet permit ip any any </CODE></PRE> <P>Applying the ACL inbound to the layer 3 vlan</P> <PRE><CODE>interface vlan184 ip access-group RESTRICT-VLAN184-IN in </CODE></PRE> <P>If anyone can help with this, it would be very much appreciated. Thanks in advance.</P> </DIV> </DIV> Fri, 21 Feb 2020 14:59:57 GMT https://community.cisco.com/t5/network-security/need-help-with-an-acl/m-p/3299634#M1007064 thegreatone 2020-02-21T14:59:57Z https://community.cisco.com/t5/network-security/need-help-with-an-acl/m-p/3299884#M1007067 <P>Hi,</P> <P>&nbsp;</P> <P>You will need two access lists, one for each direction. The access-list applied in the "out" direction will contain the traffic that is going to your new vlan and the access-list applied in the "in"will contain traffic going to you servers.</P> <P>&nbsp;</P> <P>Thanks</P> <P>John</P> Thu, 21 Dec 2017 07:35:03 GMT https://community.cisco.com/t5/network-security/need-help-with-an-acl/m-p/3299884#M1007067 johnd2310 2017-12-21T07:35:03Z https://community.cisco.com/t5/network-security/need-help-with-an-acl/m-p/3300252#M1007070 <P>Hi,</P> <P>&nbsp;</P> <P>Thanks for your reply. Do I apply both ACL's to the new VLAN? And also, do you think something is missing from my ACL or does something need to be added to make it work like I want it to?</P> Thu, 21 Dec 2017 17:08:24 GMT https://community.cisco.com/t5/network-security/need-help-with-an-acl/m-p/3300252#M1007070 thegreatone 2017-12-21T17:08:24Z https://community.cisco.com/t5/network-security/need-help-with-an-acl/m-p/3300322#M1007072 <BLOCKQUOTE><HR /><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/282553">@johnd2310</a> wrote:<BR /> <P>Hi,</P> <P>&nbsp;</P> <P>You will need two access lists, one for each direction. The access-list applied in the "out" direction will contain the traffic that is going to your new vlan and the access-list applied in the "in"will contain traffic going to you servers.</P> <P>&nbsp;</P> <P>Thanks</P> <P>John</P> <HR /></BLOCKQUOTE> <P>I just tried applying another access-list in the out direction and now I am unable to get to anywhere from the restricted network to the other vlan's, even to stuff that I have applied to the "In" access-list</P> Thu, 21 Dec 2017 18:39:33 GMT https://community.cisco.com/t5/network-security/need-help-with-an-acl/m-p/3300322#M1007072 thegreatone 2017-12-21T18:39:33Z https://community.cisco.com/t5/network-security/need-help-with-an-acl/m-p/3300782#M1007073 <P>Hi,</P> <P>can you show ACL, that you applied for VLAN 20? You have to write in the ACL back rules.</P> <P>&nbsp;</P> <P>Best regards</P> Fri, 22 Dec 2017 12:59:07 GMT https://community.cisco.com/t5/network-security/need-help-with-an-acl/m-p/3300782#M1007073 Jewgeni Uschegow 2017-12-22T12:59:07Z