dACL to Allow VNC to Client Device

Matthew Martin
Level 5

Hello All,

ISE v2.3

We have an Auth Policy for Noncompliant devices. Usually this means that their AV defs or Windows Updates are not up to date. In that Auth Policy we assign a dACL. This dACL allows the client PC to talk to both of our ISE servers, the Symantec server and WSUS.

permit udp any eq bootpc any eq bootps
permit udp any any eq 53
permit ip any host <primary-ISE>
permit ip any host <secondary-ISE>
permit ip any host <dns-server>
permit ip any host <dns-server>
permit ip any host <AV-server>
permit ip any host <wsus-server>
deny ip any 192.168.0.0 0.0.255.255
deny ip any 10.0.0.0 0.255.255.255
permit ip any any

I was wondering if there is a way to allow VNC traffic to this client from our HQ's subnet (*10.100.0.0). But, it appears that with these dACLs only the client PC receiving the dACL can be the source. So I can't do:

permit tcp 10.100.0.0 0.0.255.255 any eq 5900

Which would allow a PC in our HQ to VNC to the connected "Non-Compliant" PC in the remote office. It seems like if I did this in reverse so the dACL would be accepted, where the client PC is the source, then that wouldn't do what I want...

Is there any way to do what I'm trying to do with a dACL?

Thanks in Advance,

Matt



3 Replies

hslai
Cisco Employee

See Solved: Inbound outbound or both with ISE dACL'... - Cisco Community

You may also consider assigning a scalable group (aka TrustSec security group) and then enforcing that using our segmentation solution. See Segmentation Strategy - Cisco Community

Have your dACL as follows:

permit tcp any eq 5900 10.100.0.0 0.0.255.255

This will allow your HQ to access VNC on the non-compliant clients. The forward traffic should be allowed on the forward interface ACL, which is the WAN link receiving traffic from HQ, and this dACL will allow the reverse traffic from client to HQ. Remaining traffic from HQ will be blocked by the dACL. Overall you get what you want.

*** remember to rate useful posts
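The reason the reply works, and the one thing it does not say, is how the switch evaluates a downloaded ACL: it is applied to traffic entering the port from the authenticated client, so the client is always the source, ACEs are tried in order and the first hit wins. That has a consequence for Matt's list: the return-traffic ACE must be placed before "deny ip any 10.0.0.0 0.255.255.255", because 10.100.0.0/16 sits inside 10.0.0.0/8 and a later permit is never reached. The Python below is an added example written for this thread, not code from the thread or from Cisco. It parses the dACL syntax used above (any / host / wildcard, eq port) into a first-match evaluator and runs constructed packets against three orderings. The host addresses (192.0.2.x for the ISE, DNS, AV and WSUS servers), the client address 10.200.5.25 and the HQ viewer 10.100.1.50 are all constructed stand-ins for the placeholders in the post.

```python
"""Model ISE dACL evaluation: the dACL is applied inbound on the client's port,
so the client is always the source; ACEs match first-hit; unmatched packets
fall to the implicit deny at the end."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple, List

PORT_NAMES = {"bootps": 67, "bootpc": 68, "domain": 53}  # names used in the dACL


@dataclass(frozen=True)
class Match:
    """Address/port matcher: 'any', 'host X' or 'X wildcard', plus optional 'eq port'."""
    net: int
    wild: int                 # wildcard mask: 1 bits are don't-care
    port: Optional[int]

    def hits(self, addr: str, port: Optional[int]) -> bool:
        a = int(ipaddress.IPv4Address(addr))
        if (a | self.wild) != (self.net | self.wild):
            return False
        return self.port is None or self.port == port


@dataclass(frozen=True)
class Ace:
    action: str               # permit / deny
    proto: str                # ip / tcp / udp
    src: Match
    dst: Match
    text: str


def _parse_match(t: List[str], i: int) -> Tuple[Match, int]:
    """Consume one address spec starting at t[i]; return the matcher and next index."""
    if t[i] == "any":
        net, wild, i = 0, 0xFFFFFFFF, i + 1
    elif t[i] == "host":
        net, wild, i = int(ipaddress.IPv4Address(t[i + 1])), 0, i + 2
    else:
        net, wild, i = int(ipaddress.IPv4Address(t[i])), int(ipaddress.IPv4Address(t[i + 1])), i + 2
    port = None
    if i < len(t) and t[i] == "eq":
        port, i = PORT_NAMES.get(t[i + 1]) or int(t[i + 1]), i + 2
    return Match(net, wild, port), i


def parse_dacl(text: str) -> List[Ace]:
    aces = []
    for line in text.strip().splitlines():
        t = line.split()
        if not t or t[0].startswith("!"):
            continue
        src, i = _parse_match(t, 2)
        dst, _ = _parse_match(t, i)
        aces.append(Ace(t[0], t[1], src, dst, line.strip()))
    return aces


def evaluate(aces: List[Ace], proto: str, src: str, sport: int, dst: str, dport: int) -> Tuple[str, str]:
    """First-match evaluation of one client-sourced packet; returns (action, ACE text)."""
    for ace in aces:
        if ace.proto in ("ip", proto) and ace.src.hits(src, sport) and ace.dst.hits(dst, dport):
            return ace.action, ace.text
    return "deny", "implicit deny"


# Constructed dACL pieces: the thread's list with RFC 5737 addresses for the placeholders.
BASE = """
permit udp any eq bootpc any eq bootps
permit udp any any eq 53
permit ip any host 192.0.2.10
permit ip any host 192.0.2.11
permit ip any host 192.0.2.20
permit ip any host 192.0.2.30
"""
DENIES = "deny ip any 192.168.0.0 0.0.255.255\ndeny ip any 10.0.0.0 0.255.255.255\n"
CATCH_ALL = "permit ip any any\n"
RETURN_ACE = "permit tcp any eq 5900 10.100.0.0 0.0.255.255\n"   # Mohammed's line
FORWARD_ACE = "permit tcp 10.100.0.0 0.0.255.255 any eq 5900\n"  # Matt's first attempt

DACL_RETURN_FIRST = BASE + RETURN_ACE + DENIES + CATCH_ALL   # return ACE ahead of the 10/8 deny
DACL_RETURN_LATE = BASE + DENIES + RETURN_ACE + CATCH_ALL    # same ACE after the 10/8 deny
DACL_FORWARD = BASE + FORWARD_ACE + DENIES + CATCH_ALL       # HQ as source: never the client

CLIENT = "10.200.5.25"   # constructed: non-compliant PC in the remote office
HQ_PC = "10.100.1.50"    # constructed: VNC viewer inside HQ's 10.100.0.0/16


def vnc_reply_verdicts() -> dict:
    """Verdict on the client's reply to the HQ viewer (TCP src port 5900) per ordering."""
    pkt = ("tcp", CLIENT, 5900, HQ_PC, 51000)
    variants = {"return_first": DACL_RETURN_FIRST, "return_late": DACL_RETURN_LATE, "forward_ace": DACL_FORWARD}
    return {name: evaluate(parse_dacl(text), *pkt)[0] for name, text in variants.items()}


def other_verdicts() -> dict:
    """Other client-sourced flows under the correctly ordered dACL."""
    aces = parse_dacl(DACL_RETURN_FIRST)
    return {
        "client_initiates_vnc_to_hq": evaluate(aces, "tcp", CLIENT, 51000, HQ_PC, 5900)[0],
        "client_sport_5900_to_hq_ssh": evaluate(aces, "tcp", CLIENT, 5900, HQ_PC, 22)[0],
        "wsus": evaluate(aces, "tcp", CLIENT, 51001, "192.0.2.30", 443)[0],
        "dns": evaluate(aces, "udp", CLIENT, 51002, "198.51.100.53", 53)[0],
        "dhcp": evaluate(aces, "udp", "0.0.0.0", 68, "255.255.255.255", 67)[0],
        "internet": evaluate(aces, "tcp", CLIENT, 51003, "203.0.113.5", 443)[0],
        "other_corp": evaluate(aces, "tcp", CLIENT, 51004, "192.168.7.7", 445)[0],
    }


if __name__ == "__main__":
    for k, v in {**vnc_reply_verdicts(), **other_verdicts()}.items():
        print(f"{k:30} {v}")
```

The "forward_ace" verdict is Matt's observation in code: an ACE with HQ as the source can never match a packet the client sends, so the reply still hits the 10/8 deny. "return_late" shows the ordering trap. The last caveat is "client_sport_5900_to_hq_ssh": a dACL is stateless, so the return ACE also permits any connection the non-compliant client chooses to open toward HQ as long as it sources it from TCP 5900. In IOS extended ACLs the `established` keyword on a TCP ACE limits it to segments with ACK or RST set, which closes that gap for new connections; check that your switch accepts it in a downloaded ACL before relying on it.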

Thanks Mohammed, much appreciated, that appears to have worked!

Thanks Again,
Matt