Contributor

dACL to Allow VNC to Client Device

Hello All,

ISE v2.3

We have an Auth Policy for Noncompliant devices. Usually this means that their AV defs or Windows Updates are not up-to-date. In that Auth policy we assign a dACL. This dACL allows the client PC to talk to both of our ISE servers, the Symantec server and WSUS.

permit udp any eq bootpc any eq bootps
permit udp any any eq 53
permit ip any host <primary-ISE>
permit ip any host <secondary-ISE>
permit ip any host <dns-server>
permit ip any host <dns-server>
permit ip any host <AV-server>
permit ip any host <wsus-server>
deny ip any 192.168.0.0 0.0.255.255
deny ip any 10.0.0.0 0.255.255.255
permit ip any any

I was wondering if there is a way to allow VNC traffic to this client from our HQ's subnet (*10.100.0.0). But it appears that with these dACLs only the client PC receiving the dACL can be the source. So I can't do:

permit tcp 10.100.0.0 0.0.255.255 any eq 5900

Which would allow a PC in our HQ to VNC to the connected "Non-Compliant" PC in the remote office. It seems like if I did this in reverse so the dACL would be accepted, where the client PC is the source, then that wouldn't do what I want...

Is there any way to do what I'm trying to do with a dACL?

Thanks in Advance,

Matt
1 ACCEPTED SOLUTION

VIP Advisor

Re: dACL to Allow VNC to Client Device

You have your dACL as follows:

permit tcp any eq 5900 10.100.0.0 0.0.255.255

This will allow your HQ to access VNC on the non-compliant clients. The forward traffic should be allowed on the forward interface ACL, which is the WAN link receiving traffic from HQ, and this dACL will allow the reverse traffic from client to HQ. Remaining traffic from HQ will be blocked by the dACL. Overall you get what you want.

*** remember to rate useful posts
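The direction point in the accepted answer, modelled as an added example (not code from the thread or from Cisco): a small evaluator for the ACE syntax used above, with the dACL applied only to packets sourced by the client, as it is on the access port. The CLIENT and HQ_PC addresses are constructed placeholders.

```python
import ipaddress

# Constructed sample addresses, not from the original thread.
CLIENT = "192.168.40.17"   # non-compliant PC in the remote office (receives the dACL)
HQ_PC = "10.100.7.25"      # a PC in the HQ subnet 10.100.0.0/16

def wildcard_match(ip, net, wildcard):
    """Cisco wildcard mask: a 1 bit in the mask means 'don't care'."""
    care = ~int(ipaddress.ip_address(wildcard)) & 0xFFFFFFFF
    return int(ipaddress.ip_address(ip)) & care == int(ipaddress.ip_address(net)) & care

def parse_ace(line):
    """Parse 'permit|deny proto SRC [eq N] DST [eq N]' (numeric ports), the subset
    of IOS ACL syntax used in this thread."""
    t = line.split()
    out, i = [t[0], t[1]], 2
    for _ in range(2):                   # source block, then destination block
        if t[i] == "any":
            out += ["0.0.0.0", "255.255.255.255"]; i += 1
        elif t[i] == "host":
            out += [t[i + 1], "0.0.0.0"]; i += 2
        else:
            out += [t[i], t[i + 1]]; i += 2
        if i < len(t) and t[i] == "eq":
            out.append(int(t[i + 1])); i += 2
        else:
            out.append(None)
    return out                           # [action, proto, snet, swc, sport, dnet, dwc, dport]

def evaluate(acl, proto, sip, sport, dip, dport):
    """First matching ACE wins; no match falls through to the implicit deny."""
    for line in acl:
        act, p, snet, swc, sp, dnet, dwc, dp = parse_ace(line)
        if p in ("ip", proto) and wildcard_match(sip, snet, swc) and \
           wildcard_match(dip, dnet, dwc) and sp in (None, sport) and dp in (None, dport):
            return act
    return "deny"

def client_port_verdict(acl, proto, sip, sport, dip, dport):
    """The dACL is applied inbound on the client's access port, so it only ever sees
    packets sourced by CLIENT. HQ -> client traffic never hits it (None); that
    direction is decided by the WAN / interface ACL, as the accepted answer says."""
    if sip != CLIENT:
        return None
    return evaluate(acl, proto, sip, sport, dip, dport)

SUGGESTED = "permit tcp any eq 5900 10.100.0.0 0.0.255.255"   # ACE from the accepted answer
WRONG_WAY = "permit tcp 10.100.0.0 0.0.255.255 any eq 5900"   # the original attempt
TAIL = ["deny ip any 192.168.0.0 0.0.255.255", "deny ip any 10.0.0.0 0.255.255.255",
        "permit ip any any"]
```

`client_port_verdict([SUGGESTED] + TAIL, "tcp", CLIENT, 5900, HQ_PC, 51234)` returns "permit" for the VNC reply, the same call with `WRONG_WAY` returns "deny" because that ACE can never match a client-sourced packet, and an HQ-sourced packet returns None since the dACL never evaluates it.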
3 REPLIES
Cisco Employee

Re: dACL to Allow VNC to Client Device

See Solved: Inbound outbound or both with ISE dACL'... - Cisco Community

You may also consider assigning a scalable group (aka TrustSec security group) and then enforcing that using our segmentation solution. See Segmentation Strategy - Cisco Community

Contributor

Re: dACL to Allow VNC to Client Device

Thanks Mohammed, much appreciated, that appears to have worked!

Thanks Again,
Matt