1257 Views, 0 Helpful, 1 Reply

dACL issue

Steven Williams
Level 4

ISE version 2.2.0.470

I am trying to build new dACLs for my VPN users and it doesn't seem to be working, and I know it's the dACL because when I revert back to the old dACL my VPN is successful. When I try to hit the VPN with the new dACL I get a login failed.

Old dACL:

remark allow newcitrix
permit tcp any host 192.168.254.75 eq 80
permit tcp any host 192.168.254.77 eq 80
permit tcp any host 192.168.254.75 eq 443
permit tcp any host 192.168.254.77 eq 443


remark allow server mgmt
permit ip any 10.20.30.0 255.255.255.0

remark aws
permit ip any 10.150.0.0 255.255.0.0
permit ip any 10.155.0.0 255.255.0.0
permit ip any 10.191.0.0 255.255.0.0

remark allow okta
permit tcp any host 10.20.1.176 eq 80
permit tcp any host 10.20.1.175 eq 80
permit tcp any host 10.81.3.44 eq 80
permit tcp any host 10.81.3.45 eq 80

permit ip any 10.81.0.0 255.255.0.0

remark Allow ping
permit icmp any any

remark BNA Server Networks
permit ip any 10.20.0.0 255.255.255.0
permit ip any 10.20.1.0 255.255.255.0
permit ip any 192.168.1.0 255.255.255.0
permit ip any 10.20.5.0 255.255.255.128 
permit ip any 10.20.35.0 255.255.255.0
permit ip any 10.20.1.0 255.255.255.0
permit ip any 10.20.45.0 255.255.255.128

remark BNA DMZ
permit tcp any 192.168.10.0 255.255.255.0 eq 22
permit tcp any 192.168.30.0 255.255.255.0 eq 22
permit tcp any 10.20.26.10 255.255.255.255 eq 443

remark BNA Workstation Networks
permit ip any 192.168.7.0 255.255.255.0
permit ip any 10.20.41.0 255.255.255.0
permit ip any 10.20.42.0 255.255.255.0
permit ip any 10.20.50.0 255.255.255.0
permit ip any 10.20.40.0 255.255.255.0

remark Business Park Workstation Networks
permit ip any 10.22.50.0 255.255.255.0
permit ip any 10.22.42.0 255.255.255.0
permit ip any 10.22.20.0 255.255.255.0

remark BNA Lab Networks
permit ip any 192.168.13.0 255.255.255.0
permit ip any 10.0.1.0 255.255.255.0
permit ip any 10.20.250.0 255.255.255.0
permit ip any 10.20.251.0 255.255.255.0
permit ip any 10.0.10.0 255.255.255.0
permit ip any 10.0.11.0 255.255.255.0
permit ip any 10.20.25.0 255.255.255.0

remark CPI MIdway
permit tcp any host 192.168.2.141 eq 3389

remark CPI Corporate
permit ip any 10.81.3.0 255.255.255.0
permit ip any 10.81.0.0 255.255.255.0
permit ip any 10.81.8.0 255.255.255.0
permit ip any 10.81.1.0 255.255.255.0

remark Block all other internal requests
deny ip any 10.0.0.0 255.0.0.0
deny ip any 172.16.0.0 255.240.0.0
deny ip any 192.168.0.0 255.255.0.0

remark Allow INET
permit ip any any

New dACL:

remark IT User Access
permit ip any 10.20.0.0 255.255.0.0
permit ip any 192.168.1.0 255.255.0.0
permit ip any 192.168.10.0 255.255.255.0
permit ip any 10.81.0.0 255.255.0.0
permit ip any 192.168.7.0 255.255.255.0

remark Lab Access
permit ip any 10.0.1.0 255.255.255.0
permit ip any 10.0.10.0 255.255.255.0
permit ip any 10.0.100.0 255.255.255.0
permit ip any 192.168.13.0 255.255.255.0

remark Deny Internal Segments
deny ip any 192.168.0.0 255.255.0.0
deny ip any 10.0.0.0 255.0.0.0
deny ip any 172.16.0.0 255.240.0.0

remark Allow INET
permit ip any any

The syntax checks out on the dACL page after checking for syntax errors.

Does anyone see anything weird between the two?

1 Accepted Solution

howon
Cisco Employee

I think the subnet mask on the third line is incorrect:

permit ip any 192.168.1.0 255.255.0.0 -> permit ip any 192.168.1.0 255.255.255.0

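The defect the accepted answer points at is semantic, not syntactic: `192.168.1.0 255.255.0.0` is a well-formed ACE, but the address has bits set below the mask, so the dACL syntax check in ISE lets it through. The following is an added example, not code from the post or from Cisco ISE: a small Python linter that parses each ACE of a dACL body in the ASA-style forms the post uses (`any`, `host A.B.C.D`, `A.B.C.D M.M.M.M`), rejects any address/mask pair with host bits set under the mask, and flags exact duplicate ACEs (the old dACL above repeats `permit ip any 10.20.1.0 255.255.255.0`). The embedded sample is constructed from the New dACL in the post; the function names are this example's own.

```python
import ipaddress

# Constructed sample input, taken from the "New dACL" in the post above. The
# third line carries the 255.255.0.0 mask that the accepted answer points at.
NEW_DACL = """\
remark IT User Access
permit ip any 10.20.0.0 255.255.0.0
permit ip any 192.168.1.0 255.255.0.0
permit ip any 192.168.10.0 255.255.255.0
permit ip any 10.81.0.0 255.255.0.0
permit ip any 192.168.7.0 255.255.255.0

remark Lab Access
permit ip any 10.0.1.0 255.255.255.0
permit ip any 10.0.10.0 255.255.255.0
permit ip any 10.0.100.0 255.255.255.0
permit ip any 192.168.13.0 255.255.255.0

remark Deny Internal Segments
deny ip any 192.168.0.0 255.255.0.0
deny ip any 10.0.0.0 255.0.0.0
deny ip any 172.16.0.0 255.240.0.0

remark Allow INET
permit ip any any
"""


def _take_endpoint(tokens, pos):
    """Consume one source or destination spec starting at tokens[pos].

    Accepts the three ASA-style forms used in the post: "any", "host A.B.C.D"
    and "A.B.C.D M.M.M.M". Returns (network, next_pos). ipaddress' strict mode
    raises ValueError when the address has host bits set under the mask, which
    is exactly the defect a pure syntax check does not see.
    """
    tok = tokens[pos]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), pos + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[pos + 1] + "/32"), pos + 2
    return ipaddress.ip_network(f"{tok}/{tokens[pos + 1]}", strict=True), pos + 2


def lint_dacl(text):
    """Return [(line_number, line, message), ...] for every problem found.

    Checks performed per ACE:
      * the line is a permit/deny ACE with a protocol, source and destination
      * each address/mask pair describes a real network (no host bits set)
      * the ACE is not an exact repeat of an earlier line
    remark lines and blank lines are skipped.
    """
    findings = []
    seen = {}
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = " ".join(raw.split())  # normalise whitespace for comparison
        if not line or line.startswith("remark"):
            continue
        tokens = line.split()
        if tokens[0] not in ("permit", "deny") or len(tokens) < 4:
            findings.append((lineno, line, "unrecognised ACE"))
            continue
        try:
            _, pos = _take_endpoint(tokens, 2)  # source
            _take_endpoint(tokens, pos)  # destination
        except ValueError as exc:
            findings.append((lineno, line, f"bad address/mask: {exc}"))
            continue
        except IndexError:
            findings.append((lineno, line, "truncated ACE"))
            continue
        if line in seen:
            findings.append((lineno, line, f"duplicate of line {seen[line]}"))
        else:
            seen[line] = lineno
    return findings


if __name__ == "__main__":
    # Running this on the sample reports only line 3, the 192.168.1.0 /16 ACE.
    for lineno, line, message in lint_dacl(NEW_DACL):
        print(f"line {lineno}: {message}\n    {line}")
```

Run it over the dACL body before pasting it into ISE; it complements rather than replaces the built-in check, which (as the post shows) only validates grammar. A `host bits set` finding means the network address and mask disagree, and the fix is to decide which one was meant (here `255.255.255.0`, as the answer suggests) rather than to let the device guess.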