07-02-2019 09:49 AM
Hello All,
ISE v2.3
We have an Auth Policy for Noncompliant devices. Usually this means that their AV defs or Windows Updates are not up-to-date. In that Auth policy we assign a dACL. This dACL allows the client PC to talk to both of our ISE servers, the Symantec server and WSUS.
permit udp any eq bootpc any eq bootps
permit udp any any eq 53
permit ip any host <primary-ISE>
permit ip any host <secondary-ISE>
permit ip any host <dns-server>
permit ip any host <dns-server>
permit ip any host <AV-server>
permit ip any host <wsus-server>
deny ip any 192.168.0.0 0.0.255.255
deny ip any 10.0.0.0 0.255.255.255
permit ip any any
I was wondering if there is a way to allow VNC traffic to this client from our HQ's subnet (*10.100.0.0). But, it appears that with these dACLs only the client PC receiving the dACL can be the source. So I can't do:
permit tcp 10.100.0.0 0.0.255.255 any eq 5900
Which would allow a PC in our HQ to VNC to the connected "Non-Compliant" PC in the remote office. It seems like if I did this in reverse so the dACL would be accepted, where the client PC is the source, then that wouldn't do what I want...
Is there any way to do what I'm trying to do with a dACL?
Thanks in Advance,
Matt
07-02-2019 10:17 AM
See Solved: Inbound outbound or both with ISE dACL'... - Cisco Community
You may also consider assigning a scalable group (aka TrustSec security group) and then enforcing that using our segmentation solution. See Segmentation Strategy - Cisco Community
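To illustrate the direction point behind the first link in the reply, here is a small evaluator for the IOS dACL syntax used in the question; it is example code written for this note, not code from the thread or from Cisco. It assumes, as the thread states, that the dACL is matched only against packets the client itself sends, and uses constructed addresses (10.1.1.30 as WSUS, 10.20.30.40 as the remote client, 10.100.5.6 as an HQ PC) in place of the <...> placeholders.

```python
import ipaddress
PORT_NAMES = {"bootpc": 68, "bootps": 67}  # IOS port keywords used in the thread's dACL
def _endpoint(tok, i):
    """Consume 'any' | 'host A' | 'A WILDCARD' and an optional 'eq <port>' (None = any port)."""
    if tok[i] == "any":
        addr, i = ("0.0.0.0", "255.255.255.255"), i + 1
    elif tok[i] == "host":
        addr, i = (tok[i + 1], "0.0.0.0"), i + 2
    else:
        addr, i = (tok[i], tok[i + 1]), i + 2
    if i < len(tok) and tok[i] == "eq":
        return addr, PORT_NAMES.get(tok[i + 1]) or int(tok[i + 1]), i + 2
    return addr, None, i
def parse_dacl(text):
    """Parse 'action proto src [eq p] dst [eq p]' lines into tuples, keeping order."""
    aces = []
    for line in text.strip().splitlines():
        tok = line.split()
        src, sport, i = _endpoint(tok, 2)
        dst, dport, _ = _endpoint(tok, i)
        aces.append((tok[0], tok[1], src, sport, dst, dport))
    return aces
def _match(spec, ip):
    """Cisco wildcard mask: a 1 bit means 'don't care'."""
    base, wild = (int(ipaddress.IPv4Address(x)) for x in spec)
    return (int(ipaddress.IPv4Address(ip)) ^ base) & ~wild & 0xFFFFFFFF == 0
def evaluate(aces, proto, src_ip, sport, dst_ip, dport):
    """First-match evaluation of one client-sourced packet; implicit deny at the end."""
    for action, p, src, sp, dst, dp in aces:
        if (p in ("ip", proto) and _match(src, src_ip) and _match(dst, dst_ip)
                and sp in (None, sport) and dp in (None, dport)):
            return action
    return "deny"

# Shortened form of the posted dACL with constructed addresses (10.1.1.30 = WSUS);
# the HQ-sourced VNC entry the poster tried is placed ahead of the deny entries.
NONCOMPLIANT_DACL = """
permit udp any eq bootpc any eq bootps
permit ip any host 10.1.1.30
permit tcp 10.100.0.0 0.0.255.255 any eq 5900
deny ip any 192.168.0.0 0.0.255.255
deny ip any 10.0.0.0 0.255.255.255
permit ip any any
"""
# The same VNC entry rewritten with the client as source (its reply leaves from tcp/5900).
CLIENT_SOURCED_DACL = NONCOMPLIANT_DACL.replace(
    "permit tcp 10.100.0.0 0.0.255.255 any eq 5900",
    "permit tcp any eq 5900 10.100.0.0 0.0.255.255")
def vnc_reply_verdict(dacl_text, client="10.20.30.40", hq_pc="10.100.5.6"):
    """Verdict on the client's VNC reply, the only VNC packet a client-sourced dACL sees."""
    return evaluate(parse_dacl(dacl_text), "tcp", client, 5900, hq_pc, 50123)
```

With the HQ-sourced entry the client's reply falls through to the deny for 10.0.0.0/8, because the client is never the 10.100.0.0/16 source that entry requires; the client-sourced form is the one that can match.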