We have an Auth Policy for Noncompliant devices. Usually this means that their AV defs or Windows Updates are not up-to-date. In that Auth policy we assign a dACL. This dACL allows the client PC to talk to both of our ISE servers, Symantec server and WSUS.
permit udp any eq bootpc any eq bootps
permit udp any any eq 53
permit ip any host <primary-ISE>
permit ip any host <secondary-ISE>
permit ip any host <dns-server>
permit ip any host <dns-server>
permit ip any host <AV-server>
permit ip any host <wsus-server>
deny ip any 192.168.0.0 0.0.255.255
deny ip any 10.0.0.0 0.255.255.255
permit ip any any
I was wondering if there is a way to allow VNC traffic to this client from our HQ's subnet (*10.100.0.0). But, it appears that with these dACLs only the client PC receiving the dACL can be the source. So I can't do:
permit tcp 10.100.0.0 0.0.255.255 any eq 5900
Which would allow a PC in our HQ to VNC to the connected "Non-Compliant" PC in the remote office. It seems like if I did this in reverse so the dACL would be accepted, where the client PC is the source, then that wouldn't do what I want...
Is there any way to do what I'm trying to do with a dACL?
Thanks in Advance,
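As an added illustration (not from the original post or from Cisco), a small Python checker that parses the ACEs above and flags any entry whose source is not `any`: the switch applies the dACL inbound on the access port from the endpoint, so an ACE with a remote source such as the HQ subnet can never match. The ISE, DNS, AV and WSUS addresses are constructed placeholders standing in for the `<...>` values in the post.

```python
# Constructed dACL modelled on the one in the post; host addresses are made-up placeholders.
NONCOMPLIANT_DACL = """
permit udp any eq bootpc any eq bootps
permit udp any any eq 53
permit ip any host 10.10.1.10
permit ip any host 10.10.1.11
permit ip any host 10.10.1.53
permit ip any host 10.10.1.53
permit ip any host 10.10.1.20
permit ip any host 10.10.1.30
deny ip any 192.168.0.0 0.0.255.255
deny ip any 10.0.0.0 0.255.255.255
permit ip any any
"""

def _parse_addr(tokens, i):
    """Read one address term: 'any', 'host A.B.C.D', or 'network wildcard'."""
    if tokens[i] == "any":
        return "any", i + 1
    if tokens[i] == "host":
        return f"host {tokens[i + 1]}", i + 2
    return f"{tokens[i]} {tokens[i + 1]}", i + 2

def _parse_port(tokens, i):
    """Read an optional 'eq <port>' qualifier following an address term."""
    if i < len(tokens) and tokens[i] == "eq":
        return tokens[i + 1], i + 2
    return None, i

def parse_ace(line):
    """Split one extended-ACL entry into action, protocol, addresses and ports."""
    tokens = line.split()
    src, i = _parse_addr(tokens, 2)
    sport, i = _parse_port(tokens, i)
    dst, i = _parse_addr(tokens, i)
    dport, i = _parse_port(tokens, i)
    return {"action": tokens[0], "proto": tokens[1], "src": src,
            "sport": sport, "dst": dst, "dport": dport}

def lint_dacl(text):
    """Warn about ACEs that can never match on an endpoint-facing dACL."""
    findings, seen = [], set()
    for line in text.strip().splitlines():
        ace = parse_ace(line)
        if ace["src"] != "any":  # dACL is applied inbound from the endpoint
            findings.append(f"{line}: source '{ace['src']}' is never the endpoint")
        if line in seen:
            findings.append(f"{line}: duplicate entry")
        seen.add(line)
    return findings
```

Running `lint_dacl` on the dACL above reports only the repeated DNS entry; appending the HQ-sourced VNC line from the question produces a "never the endpoint" warning.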
You may also consider assigning a scalable group (aka TrustSec security group) and then enforcing that using our segmentation solution. See Segmentation Strategy - Cisco Community