
Prevent clients on one VLAN from establishing connections to other VLANs.

Tom
Level 1

Hello All,

I would like to allow clients on VLAN 1,2,3,4 below to access VLAN 5 (10.3.0.X); however, I want to prevent clients on VLAN 5 from establishing any connections to VLAN 1,2,3,4 or accessing VLAN 1,2,3,4. However, all of my routers and switches are on VLAN 1 (192.168.0.X). What I have so far is below:

conf t

access-list 101 permit ip 192.168.0.0 0.0.0.255 10.3.0.0 0.0.0.255
access-list 101 permit ip 10.0.0.0 0.0.0.255 10.3.0.0 0.0.0.255
access-list 101 permit ip 10.1.0.0 0.0.0.255 10.3.0.0 0.0.0.255
access-list 101 permit ip 10.2.0.0 0.0.0.255 10.3.0.0 0.0.0.255

access-list 101 permit tcp 192.168.0.0 0.0.0.255 10.3.0.0 0.0.0.255
access-list 101 permit tcp 10.0.0.0 0.0.0.255 10.3.0.0 0.0.0.255
access-list 101 permit tcp 10.1.0.0 0.0.0.255 10.3.0.0 0.0.0.255
access-list 101 permit tcp 10.2.0.0 0.0.0.255 10.3.0.0 0.0.0.255

access-list 101 permit udp 192.168.0.0 0.0.0.255 10.3.0.0 0.0.0.255
access-list 101 permit udp 10.0.0.0 0.0.0.255 10.3.0.0 0.0.0.255
access-list 101 permit udp 10.1.0.0 0.0.0.255 10.3.0.0 0.0.0.255
access-list 101 permit udp 10.2.0.0 0.0.0.255 10.3.0.0 0.0.0.255

access-list 101 permit icmp 192.168.0.0 0.0.0.255 10.3.0.0 0.0.0.255
access-list 101 permit icmp 10.0.0.0 0.0.0.255 10.3.0.0 0.0.0.255
access-list 101 permit icmp 10.1.0.0 0.0.0.255 10.3.0.0 0.0.0.255
access-list 101 permit icmp 10.2.0.0 0.0.0.255 10.3.0.0 0.0.0.255

access-list 101 permit ospf 192.168.0.0 0.0.0.255 10.3.0.0 0.0.0.255
access-list 101 permit ospf 10.0.0.0 0.0.0.255 10.3.0.0 0.0.0.255
access-list 101 permit ospf 10.1.0.0 0.0.0.255 10.3.0.0 0.0.0.255
access-list 101 permit ospf 10.2.0.0 0.0.0.255 10.3.0.0 0.0.0.255


access-list 101 permit ip 10.3.0.0 0.0.0.255 192.168.0.1 0.0.0.0
access-list 101 permit tcp 10.3.0.0 0.0.0.255 192.168.0.1 0.0.0.0
access-list 101 permit udp 10.3.0.0 0.0.0.255 192.168.0.1 0.0.0.0
access-list 101 permit icmp 10.3.0.0 0.0.0.255 192.168.0.1 0.0.0.0
access-list 101 permit ospf 10.3.0.0 0.0.0.255 192.168.0.1 0.0.0.0

access-list 101 permit ip 10.3.0.0 0.0.0.255 192.168.0.2 0.0.0.0
access-list 101 permit tcp 10.3.0.0 0.0.0.255 192.168.0.2 0.0.0.0
access-list 101 permit udp 10.3.0.0 0.0.0.255 192.168.0.2 0.0.0.0
access-list 101 permit icmp 10.3.0.0 0.0.0.255 192.168.0.2 0.0.0.0
access-list 101 permit ospf 10.3.0.0 0.0.0.255 192.168.0.2 0.0.0.0

access-list 101 permit ip 10.3.0.0 0.0.0.255 192.168.0.3 0.0.0.0
access-list 101 permit tcp 10.3.0.0 0.0.0.255 192.168.0.3 0.0.0.0
access-list 101 permit udp 10.3.0.0 0.0.0.255 192.168.0.3 0.0.0.0
access-list 101 permit icmp 10.3.0.0 0.0.0.255 192.168.0.3 0.0.0.0
access-list 101 permit ospf 10.3.0.0 0.0.0.255 192.168.0.3 0.0.0.0

access-list 101 permit ip 10.3.0.0 0.0.0.255 192.168.0.4 0.0.0.0
access-list 101 permit tcp 10.3.0.0 0.0.0.255 192.168.0.4 0.0.0.0
access-list 101 permit udp 10.3.0.0 0.0.0.255 192.168.0.4 0.0.0.0
access-list 101 permit icmp 10.3.0.0 0.0.0.255 192.168.0.4 0.0.0.0
access-list 101 permit ospf 10.3.0.0 0.0.0.255 192.168.0.4 0.0.0.0

access-list 101 permit ip 10.3.0.0 0.0.0.255 192.168.0.5 0.0.0.0
access-list 101 permit tcp 10.3.0.0 0.0.0.255 192.168.0.5 0.0.0.0
access-list 101 permit udp 10.3.0.0 0.0.0.255 192.168.0.5 0.0.0.0
access-list 101 permit icmp 10.3.0.0 0.0.0.255 192.168.0.5 0.0.0.0
access-list 101 permit ospf 10.3.0.0 0.0.0.255 192.168.0.5 0.0.0.0

access-list 101 permit ip 10.3.0.0 0.0.0.255 192.168.0.6 0.0.0.0
access-list 101 permit tcp 10.3.0.0 0.0.0.255 192.168.0.6 0.0.0.0
access-list 101 permit udp 10.3.0.0 0.0.0.255 192.168.0.6 0.0.0.0
access-list 101 permit icmp 10.3.0.0 0.0.0.255 192.168.0.6 0.0.0.0
access-list 101 permit ospf 10.3.0.0 0.0.0.255 192.168.0.6 0.0.0.0

access-list 101 permit ip 10.3.0.0 0.0.0.255 192.168.0.7 0.0.0.0
access-list 101 permit tcp 10.3.0.0 0.0.0.255 192.168.0.7 0.0.0.0
access-list 101 permit udp 10.3.0.0 0.0.0.255 192.168.0.7 0.0.0.0
access-list 101 permit icmp 10.3.0.0 0.0.0.255 192.168.0.7 0.0.0.0
access-list 101 permit ospf 10.3.0.0 0.0.0.255 192.168.0.7 0.0.0.0

access-list 101 permit ip 10.3.0.0 0.0.0.255 192.168.0.8 0.0.0.0
access-list 101 permit tcp 10.3.0.0 0.0.0.255 192.168.0.8 0.0.0.0
access-list 101 permit udp 10.3.0.0 0.0.0.255 192.168.0.8 0.0.0.0
access-list 101 permit icmp 10.3.0.0 0.0.0.255 192.168.0.8 0.0.0.0
access-list 101 permit ospf 10.3.0.0 0.0.0.255 192.168.0.8 0.0.0.0

access-list 101 deny ip 10.3.0.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 101 deny ip 10.3.0.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 101 deny ip 10.3.0.0 0.0.0.255 10.1.0.0 0.0.0.255
access-list 101 deny ip 10.3.0.0 0.0.0.255 10.2.0.0 0.0.0.255

access-list 101 deny tcp 10.3.0.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 101 deny tcp 10.3.0.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 101 deny tcp 10.3.0.0 0.0.0.255 10.1.0.0 0.0.0.255
access-list 101 deny tcp 10.3.0.0 0.0.0.255 10.2.0.0 0.0.0.255

access-list 101 deny udp 10.3.0.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 101 deny udp 10.3.0.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 101 deny udp 10.3.0.0 0.0.0.255 10.1.0.0 0.0.0.255
access-list 101 deny udp 10.3.0.0 0.0.0.255 10.2.0.0 0.0.0.255

access-list 101 deny icmp 10.3.0.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 101 deny icmp 10.3.0.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 101 deny icmp 10.3.0.0 0.0.0.255 10.1.0.0 0.0.0.255
access-list 101 deny icmp 10.3.0.0 0.0.0.255 10.2.0.0 0.0.0.255

access-list 101 permit ip any any
access-list 101 permit tcp any any
access-list 101 permit udp any any
access-list 101 permit icmp any any
access-list 101 permit ospf any any


int vlan 5
ip access-group 101 in
ip access-group 101 out

int vlan 4
ip access-group 101 in
ip access-group 101 out

int vlan 3
ip access-group 101 in
ip access-group 101 out

int vlan 2
ip access-group 101 in
ip access-group 101 out

int vlan 1
ip access-group 101 in
ip access-group 101 out

The VLAN's are:

VLAN 1: 192.168.0.X
VLAN 2: 10.0.0.X
VLAN 3: 10.1.0.X
VLAN 4: 10.2.0.X
VLAN 5: 10.3.0.X

The above works but prevents access from VLAN 1,2,3,4 to VLAN 5, which is not what I want. How do I allow VLAN 1,2,3,4 to access VLAN 5 while preventing VLAN 5 from establishing connections to VLAN 1,2,3,4?

The switch is a Cisco 3750G. Since all traffic is always two-way, I think I need to block just the initiating traffic from VLAN 5 to VLAN 1,2,3,4, but I'm not sure how.

Cheers,
TK

Accepted Solution

rais
Level 7

In your ACL you have to allow return TCP traffic using 'tcp established' from VLAN 5 back to the other VLANs, not all TCP.

HTH

Thank you. So I suppose I can shorten the rules in this manner, I think, but these still didn't work:

conf t

access-list 101 permit ip 192.168.0.0 0.0.0.255 10.3.0.0 0.0.0.255
access-list 101 permit ip 10.0.0.0 0.0.0.255 10.3.0.0 0.0.0.255
access-list 101 permit ip 10.1.0.0 0.0.0.255 10.3.0.0 0.0.0.255
access-list 101 permit ip 10.2.0.0 0.0.0.255 10.3.0.0 0.0.0.255

access-list 101 permit tcp 192.168.0.0 0.0.0.255 10.3.0.0 0.0.0.255 established 
access-list 101 permit tcp 10.0.0.0 0.0.0.255 10.3.0.0 0.0.0.255 established 
access-list 101 permit tcp 10.1.0.0 0.0.0.255 10.3.0.0 0.0.0.255 established 
access-list 101 permit tcp 10.2.0.0 0.0.0.255 10.3.0.0 0.0.0.255 established 

access-list 101 permit udp 192.168.0.0 0.0.0.255 10.3.0.0 0.0.0.255 
access-list 101 permit udp 10.0.0.0 0.0.0.255 10.3.0.0 0.0.0.255
access-list 101 permit udp 10.1.0.0 0.0.0.255 10.3.0.0 0.0.0.255
access-list 101 permit udp 10.2.0.0 0.0.0.255 10.3.0.0 0.0.0.255

access-list 101 permit icmp 192.168.0.0 0.0.0.255 10.3.0.0 0.0.0.255 echo-reply 
access-list 101 permit icmp 10.0.0.0 0.0.0.255 10.3.0.0 0.0.0.255 echo-reply 
access-list 101 permit icmp 10.1.0.0 0.0.0.255 10.3.0.0 0.0.0.255 echo-reply 
access-list 101 permit icmp 10.2.0.0 0.0.0.255 10.3.0.0 0.0.0.255 echo-reply 

access-list 101 permit icmp 192.168.0.0 0.0.0.255 10.3.0.0 0.0.0.255 net-unreachable
access-list 101 permit icmp 10.0.0.0 0.0.0.255 10.3.0.0 0.0.0.255 net-unreachable
access-list 101 permit icmp 10.1.0.0 0.0.0.255 10.3.0.0 0.0.0.255 net-unreachable
access-list 101 permit icmp 10.2.0.0 0.0.0.255 10.3.0.0 0.0.0.255 net-unreachable 

access-list 101 permit icmp 192.168.0.0 0.0.0.255 10.3.0.0 0.0.0.255 host-unreachable
access-list 101 permit icmp 10.0.0.0 0.0.0.255 10.3.0.0 0.0.0.255 host-unreachable
access-list 101 permit icmp 10.1.0.0 0.0.0.255 10.3.0.0 0.0.0.255 host-unreachable
access-list 101 permit icmp 10.2.0.0 0.0.0.255 10.3.0.0 0.0.0.255 host-unreachable

access-list 101 permit icmp 192.168.0.0 0.0.0.255 10.3.0.0 0.0.0.255 port-unreachable
access-list 101 permit icmp 10.0.0.0 0.0.0.255 10.3.0.0 0.0.0.255 port-unreachable
access-list 101 permit icmp 10.1.0.0 0.0.0.255 10.3.0.0 0.0.0.255 port-unreachable
access-list 101 permit icmp 10.2.0.0 0.0.0.255 10.3.0.0 0.0.0.255 port-unreachable


access-list 101 permit ospf 192.168.0.0 0.0.0.255 10.3.0.0 0.0.0.255
access-list 101 permit ospf 10.0.0.0 0.0.0.255 10.3.0.0 0.0.0.255
access-list 101 permit ospf 10.1.0.0 0.0.0.255 10.3.0.0 0.0.0.255
access-list 101 permit ospf 10.2.0.0 0.0.0.255 10.3.0.0 0.0.0.255

access-list 101 deny ip 10.3.0.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 101 deny ip 10.3.0.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 101 deny ip 10.3.0.0 0.0.0.255 10.1.0.0 0.0.0.255
access-list 101 deny ip 10.3.0.0 0.0.0.255 10.2.0.0 0.0.0.255

access-list 101 deny tcp 10.3.0.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 101 deny tcp 10.3.0.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 101 deny tcp 10.3.0.0 0.0.0.255 10.1.0.0 0.0.0.255
access-list 101 deny tcp 10.3.0.0 0.0.0.255 10.2.0.0 0.0.0.255

access-list 101 deny udp 10.3.0.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 101 deny udp 10.3.0.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 101 deny udp 10.3.0.0 0.0.0.255 10.1.0.0 0.0.0.255
access-list 101 deny udp 10.3.0.0 0.0.0.255 10.2.0.0 0.0.0.255

access-list 101 deny icmp 10.3.0.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 101 deny icmp 10.3.0.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 101 deny icmp 10.3.0.0 0.0.0.255 10.1.0.0 0.0.0.255
access-list 101 deny icmp 10.3.0.0 0.0.0.255 10.2.0.0 0.0.0.255

access-list 101 permit ip any any
access-list 101 permit tcp any any
access-list 101 permit udp any any
access-list 101 permit icmp any any
access-list 101 permit ospf any any


int vlan 5
ip access-group 101 in
ip access-group 101 out

int vlan 4
ip access-group 101 in
ip access-group 101 out

int vlan 3
ip access-group 101 in
ip access-group 101 out

int vlan 2
ip access-group 101 in
ip access-group 101 out

int vlan 1
ip access-group 101 in
ip access-group 101 out

2) I tried to create rules similarly for ICMP above, but pingbacks still didn't work.

3) What about the other protocols that you could recommend? I want to be able to detect devices on VLAN 5 as well as log into those devices; I just don't want VLAN 5 to be able to initiate any connections to devices on VLAN 1,2,3,4.

Cheers,
TK

Enabled some logging:

3w4d: %SEC-6-IPACCESSLOGP: list 101 denied tcp 10.3.0.100(22) (Vlan5 0050.5686.4105) -> 192.168.0.100(37784), 1 packet
3w4d: %SEC-6-IPACCESSLOGDP: list 101 denied icmp 10.3.0.100 (Vlan5 0050.5686.4105) -> 192.168.0.100 (0/0), 1 packet
access-list 101 deny   ip 10.3.0.0 0.0.0.255 192.168.0.0 0.0.0.255 log-input
370 deny ip 10.3.0.0 0.0.0.255 192.168.0.0 0.0.0.255 log-input (402 matches)

Just not clear what type, though. But maybe I'm not seeing the forest for the trees.

Cheers,
TK

rais
Level 7

One way of doing this would be to have an ACL on the SVI for VLAN 1,2,3,4 which:

allows tcp established traffic from 10.3.x.x,

then denies any other traffic from 10.3.x.x,

then allows all traffic coming in.

Regards.

Definitely! I'm looking to make this a little cleaner as well. However, for now I'm just working off a known set to help me understand each change. Now I have ICMP working (though I haven't tested it the other way yet, until I get my SSH working as well).

conf t

access-list 101 permit ip 192.168.0.0 0.0.0.255 10.3.0.0 0.0.0.255
access-list 101 permit ip 10.0.0.0 0.0.0.255 10.3.0.0 0.0.0.255
access-list 101 permit ip 10.1.0.0 0.0.0.255 10.3.0.0 0.0.0.255
access-list 101 permit ip 10.2.0.0 0.0.0.255 10.3.0.0 0.0.0.255

access-list 101 permit tcp 192.168.0.0 0.0.0.255 10.3.0.0 0.0.0.255 established 
access-list 101 permit tcp 10.0.0.0 0.0.0.255 10.3.0.0 0.0.0.255 established 
access-list 101 permit tcp 10.1.0.0 0.0.0.255 10.3.0.0 0.0.0.255 established 
access-list 101 permit tcp 10.2.0.0 0.0.0.255 10.3.0.0 0.0.0.255 established 

access-list 101 permit udp 192.168.0.0 0.0.0.255 10.3.0.0 0.0.0.255 
access-list 101 permit udp 10.0.0.0 0.0.0.255 10.3.0.0 0.0.0.255
access-list 101 permit udp 10.1.0.0 0.0.0.255 10.3.0.0 0.0.0.255
access-list 101 permit udp 10.2.0.0 0.0.0.255 10.3.0.0 0.0.0.255

access-list 101 permit icmp 192.168.0.0 0.0.0.255 10.3.0.0 0.0.0.255
access-list 101 permit icmp 10.0.0.0 0.0.0.255 10.3.0.0 0.0.0.255
access-list 101 permit icmp 10.1.0.0 0.0.0.255 10.3.0.0 0.0.0.255
access-list 101 permit icmp 10.2.0.0 0.0.0.255 10.3.0.0 0.0.0.255


access-list 101 permit ospf 192.168.0.0 0.0.0.255 10.3.0.0 0.0.0.255
access-list 101 permit ospf 10.0.0.0 0.0.0.255 10.3.0.0 0.0.0.255
access-list 101 permit ospf 10.1.0.0 0.0.0.255 10.3.0.0 0.0.0.255
access-list 101 permit ospf 10.2.0.0 0.0.0.255 10.3.0.0 0.0.0.255

access-list 101 permit icmp 10.3.0.0 0.0.0.255 192.168.0.0 0.0.0.255 echo-reply 
access-list 101 permit icmp 10.3.0.0 0.0.0.255 10.0.0.0 0.0.0.255 echo-reply 
access-list 101 permit icmp 10.3.0.0 0.0.0.255 10.1.0.0 0.0.0.255 echo-reply 
access-list 101 permit icmp 10.3.0.0 0.0.0.255 10.2.0.0 0.0.0.255 echo-reply 

access-list 101 permit icmp 10.3.0.0 0.0.0.255 192.168.0.0 0.0.0.255 net-unreachable
access-list 101 permit icmp 10.3.0.0 0.0.0.255 10.0.0.0 0.0.0.255 net-unreachable
access-list 101 permit icmp 10.3.0.0 0.0.0.255 10.1.0.0 0.0.0.255 net-unreachable
access-list 101 permit icmp 10.3.0.0 0.0.0.255 10.2.0.0 0.0.0.255 net-unreachable 

access-list 101 permit icmp 10.3.0.0 0.0.0.255 192.168.0.0 0.0.0.255 host-unreachable
access-list 101 permit icmp 10.3.0.0 0.0.0.255 10.0.0.0 0.0.0.255 host-unreachable
access-list 101 permit icmp 10.3.0.0 0.0.0.255 10.1.0.0 0.0.0.255 host-unreachable
access-list 101 permit icmp 10.3.0.0 0.0.0.255 10.2.0.0 0.0.0.255 host-unreachable

access-list 101 permit icmp 10.3.0.0 0.0.0.255 192.168.0.0 0.0.0.255 port-unreachable
access-list 101 permit icmp 10.3.0.0 0.0.0.255 10.0.0.0 0.0.0.255 port-unreachable
access-list 101 permit icmp 10.3.0.0 0.0.0.255 10.1.0.0 0.0.0.255 port-unreachable
access-list 101 permit icmp 10.3.0.0 0.0.0.255 10.2.0.0 0.0.0.255 port-unreachable

access-list 101 deny tcp 10.3.0.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 101 deny tcp 10.3.0.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 101 deny tcp 10.3.0.0 0.0.0.255 10.1.0.0 0.0.0.255
access-list 101 deny tcp 10.3.0.0 0.0.0.255 10.2.0.0 0.0.0.255

access-list 101 deny udp 10.3.0.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 101 deny udp 10.3.0.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 101 deny udp 10.3.0.0 0.0.0.255 10.1.0.0 0.0.0.255
access-list 101 deny udp 10.3.0.0 0.0.0.255 10.2.0.0 0.0.0.255

access-list 101 deny icmp 10.3.0.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 101 deny icmp 10.3.0.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 101 deny icmp 10.3.0.0 0.0.0.255 10.1.0.0 0.0.0.255
access-list 101 deny icmp 10.3.0.0 0.0.0.255 10.2.0.0 0.0.0.255

access-list 101 deny ip 10.3.0.0 0.0.0.255 192.168.0.0 0.0.0.255 log-input 
access-list 101 deny ip 10.3.0.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 101 deny ip 10.3.0.0 0.0.0.255 10.1.0.0 0.0.0.255
access-list 101 deny ip 10.3.0.0 0.0.0.255 10.2.0.0 0.0.0.255

access-list 101 permit ip any any
access-list 101 permit tcp any any
access-list 101 permit udp any any
access-list 101 permit icmp any any
access-list 101 permit ospf any any


However, TCP for SSH isn't quite there yet. Despite the rules above, returning traffic from a connection being established is still blocked:

3w4d: %SEC-6-IPACCESSLOGP: list 101 denied tcp 10.3.0.100(22) (Vlan5 0050.5686.4105) -> 192.168.0.100(37792), 1 packet

And it's logged here:

370 deny tcp 10.3.0.0 0.0.0.255 192.168.0.0 0.0.0.255 (6 matches)

Trying to wrap my head around why it still hits the deny rule despite having 'established' on the permit line earlier:

50 permit tcp 192.168.0.0 0.0.0.255 10.3.0.0 0.0.0.255 established

Thought that should handle round-trip traffic. Unless perhaps I need to add another type from this list:

cisco01(config)#access-list 101 permit tcp 192.168.0.0 0.0.0.255 10.3.0.0 0.0.0.255 established ?
  dscp        Match packets with given dscp value
  eq          Match only packets on a given port number
  fin         Match on the FIN bit
  gt          Match only packets with a greater port number
  log         Log matches against this entry
  log-input   Log matches against this entry, including input interface
  lt          Match only packets with a lower port number
  neq         Match only packets not on a given port number
  precedence  Match packets with given precedence value
  psh         Match on the PSH bit
  range       Match only packets in the range of port numbers
  syn         Match on the SYN bit
  time-range  Specify a time-range
  tos         Match packets with given TOS value
  urg         Match on the URG bit
  <cr>

cisco01(config)#

Just not 100% sure what yet. Looks like I need to match on specific flags like PSH and FIN:

https://amits-notes.readthedocs.io/en/latest/networking/tcpdump.html

Cheers,
TK

So after doing some packet analysis using tcpdump off my Asus router, I was able to identify what's missing and allow it. Truth be told, I should really block SYN, not ALL packets, from VLAN 5, but this helps me learn all the communication packets I need to get things to work.

The working set of rules:

conf t

access-list 101 permit ip 192.168.0.0 0.0.0.255 10.3.0.0 0.0.0.255
access-list 101 permit ip 10.0.0.0 0.0.0.255 10.3.0.0 0.0.0.255
access-list 101 permit ip 10.1.0.0 0.0.0.255 10.3.0.0 0.0.0.255
access-list 101 permit ip 10.2.0.0 0.0.0.255 10.3.0.0 0.0.0.255

access-list 101 permit tcp 192.168.0.0 0.0.0.255 10.3.0.0 0.0.0.255 established 
access-list 101 permit tcp 10.0.0.0 0.0.0.255 10.3.0.0 0.0.0.255 established 
access-list 101 permit tcp 10.1.0.0 0.0.0.255 10.3.0.0 0.0.0.255 established 
access-list 101 permit tcp 10.2.0.0 0.0.0.255 10.3.0.0 0.0.0.255 established 

access-list 101 permit udp 192.168.0.0 0.0.0.255 10.3.0.0 0.0.0.255 
access-list 101 permit udp 10.0.0.0 0.0.0.255 10.3.0.0 0.0.0.255
access-list 101 permit udp 10.1.0.0 0.0.0.255 10.3.0.0 0.0.0.255
access-list 101 permit udp 10.2.0.0 0.0.0.255 10.3.0.0 0.0.0.255

access-list 101 permit icmp 192.168.0.0 0.0.0.255 10.3.0.0 0.0.0.255
access-list 101 permit icmp 10.0.0.0 0.0.0.255 10.3.0.0 0.0.0.255
access-list 101 permit icmp 10.1.0.0 0.0.0.255 10.3.0.0 0.0.0.255
access-list 101 permit icmp 10.2.0.0 0.0.0.255 10.3.0.0 0.0.0.255


access-list 101 permit ospf 192.168.0.0 0.0.0.255 10.3.0.0 0.0.0.255
access-list 101 permit ospf 10.0.0.0 0.0.0.255 10.3.0.0 0.0.0.255
access-list 101 permit ospf 10.1.0.0 0.0.0.255 10.3.0.0 0.0.0.255
access-list 101 permit ospf 10.2.0.0 0.0.0.255 10.3.0.0 0.0.0.255

access-list 101 permit icmp 10.3.0.0 0.0.0.255 192.168.0.0 0.0.0.255 echo-reply 
access-list 101 permit icmp 10.3.0.0 0.0.0.255 10.0.0.0 0.0.0.255 echo-reply 
access-list 101 permit icmp 10.3.0.0 0.0.0.255 10.1.0.0 0.0.0.255 echo-reply 
access-list 101 permit icmp 10.3.0.0 0.0.0.255 10.2.0.0 0.0.0.255 echo-reply 

access-list 101 permit icmp 10.3.0.0 0.0.0.255 192.168.0.0 0.0.0.255 net-unreachable
access-list 101 permit icmp 10.3.0.0 0.0.0.255 10.0.0.0 0.0.0.255 net-unreachable
access-list 101 permit icmp 10.3.0.0 0.0.0.255 10.1.0.0 0.0.0.255 net-unreachable
access-list 101 permit icmp 10.3.0.0 0.0.0.255 10.2.0.0 0.0.0.255 net-unreachable 

access-list 101 permit icmp 10.3.0.0 0.0.0.255 192.168.0.0 0.0.0.255 host-unreachable
access-list 101 permit icmp 10.3.0.0 0.0.0.255 10.0.0.0 0.0.0.255 host-unreachable
access-list 101 permit icmp 10.3.0.0 0.0.0.255 10.1.0.0 0.0.0.255 host-unreachable
access-list 101 permit icmp 10.3.0.0 0.0.0.255 10.2.0.0 0.0.0.255 host-unreachable

access-list 101 permit icmp 10.3.0.0 0.0.0.255 192.168.0.0 0.0.0.255 port-unreachable
access-list 101 permit icmp 10.3.0.0 0.0.0.255 10.0.0.0 0.0.0.255 port-unreachable
access-list 101 permit icmp 10.3.0.0 0.0.0.255 10.1.0.0 0.0.0.255 port-unreachable
access-list 101 permit icmp 10.3.0.0 0.0.0.255 10.2.0.0 0.0.0.255 port-unreachable


access-list 101 permit tcp 10.3.0.0 0.0.0.255 192.168.0.0 0.0.0.255 ack fin psh rst urg
access-list 101 permit tcp 10.3.0.0 0.0.0.255 10.0.0.0 0.0.0.255 ack fin psh rst urg
access-list 101 permit tcp 10.3.0.0 0.0.0.255 10.1.0.0 0.0.0.255 ack fin psh rst urg
access-list 101 permit tcp 10.3.0.0 0.0.0.255 10.2.0.0 0.0.0.255 ack fin psh rst urg

access-list 101 deny tcp 10.3.0.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 101 deny tcp 10.3.0.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 101 deny tcp 10.3.0.0 0.0.0.255 10.1.0.0 0.0.0.255
access-list 101 deny tcp 10.3.0.0 0.0.0.255 10.2.0.0 0.0.0.255

access-list 101 deny udp 10.3.0.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 101 deny udp 10.3.0.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 101 deny udp 10.3.0.0 0.0.0.255 10.1.0.0 0.0.0.255
access-list 101 deny udp 10.3.0.0 0.0.0.255 10.2.0.0 0.0.0.255

access-list 101 deny icmp 10.3.0.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 101 deny icmp 10.3.0.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 101 deny icmp 10.3.0.0 0.0.0.255 10.1.0.0 0.0.0.255
access-list 101 deny icmp 10.3.0.0 0.0.0.255 10.2.0.0 0.0.0.255

access-list 101 deny ip 10.3.0.0 0.0.0.255 192.168.0.0 0.0.0.255 log-input 
access-list 101 deny ip 10.3.0.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 101 deny ip 10.3.0.0 0.0.0.255 10.1.0.0 0.0.0.255
access-list 101 deny ip 10.3.0.0 0.0.0.255 10.2.0.0 0.0.0.255

access-list 101 permit ip any any
access-list 101 permit tcp any any
access-list 101 permit udp any any
access-list 101 permit icmp any any
access-list 101 permit ospf any any

int vlan 5
ip access-group 101 in
ip access-group 101 out

I did not need to add the config to the rest of the setup, just for VLAN 5.

My next task would be to simplify this set of rules, as you also pointed out, @rais.

Cheers,
TK
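To check the two designs side by side, here is an added example (not from the thread or from Cisco) that models numbered-ACL evaluation in Python, with the IOS 'established' keyword treated as "ACK or RST bit set". It runs a constructed SSH handshake from VLAN 1 to VLAN 5 against a reduced copy of the second attempt above, where 'established' sits on the 192.168.0.0 -> 10.3.0.0 line, and against the order rais describes, where it sits on the 10.3.0.0 -> other-VLAN line; the model evaluates list order only and ignores which SVI and direction the list is applied to, and the packet and network names are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                       # 'tcp', 'udp' or 'icmp'
    flags: frozenset = frozenset()   # TCP flag names, e.g. {'SYN', 'ACK'}


@dataclass(frozen=True)
class Ace:
    """One access-list entry. Wildcard 0.0.0.255 is written here as /24."""
    action: str                 # 'permit' or 'deny'
    proto: str                  # 'ip' matches every protocol, as on IOS
    src: str
    dst: str
    established: bool = False   # IOS 'established': ACK or RST bit set

    def matches(self, p: Packet) -> bool:
        if self.proto != 'ip' and self.proto != p.proto:
            return False
        if ipaddress.ip_address(p.src) not in ipaddress.ip_network(self.src):
            return False
        if ipaddress.ip_address(p.dst) not in ipaddress.ip_network(self.dst):
            return False
        # 'established' is a flag test only; nothing in the ACL is stateful.
        if self.established and not ({'ACK', 'RST'} & p.flags):
            return False
        return True


def evaluate(acl, p: Packet) -> str:
    """First matching entry wins; unmatched packets hit the implicit deny."""
    for ace in acl:
        if ace.matches(p):
            return ace.action
    return 'deny'


V1, V5, ANY = '192.168.0.0/24', '10.3.0.0/24', '0.0.0.0/0'

# Second attempt from the thread, reduced to the entries that matter for
# VLAN 1 <-> VLAN 5: 'established' is on the VLAN 1 -> VLAN 5 line.
OP_ACL = [
    Ace('permit', 'ip', V1, V5),
    Ace('permit', 'tcp', V1, V5, established=True),
    Ace('deny', 'tcp', V5, V1),
    Ace('deny', 'ip', V5, V1),
    Ace('permit', 'ip', ANY, ANY),
]

# The order rais describes: return traffic from 10.3.x.x matched by
# 'established', anything else from 10.3.x.x denied, the rest allowed.
RAIS_ACL = [
    Ace('permit', 'tcp', V5, V1, established=True),
    Ace('deny', 'ip', V5, V1),
    Ace('permit', 'ip', ANY, ANY),
]

# Constructed packets: an SSH handshake from VLAN 1 to VLAN 5, then two
# connection attempts in the direction that must stay blocked.
SYN = Packet('192.168.0.100', '10.3.0.100', 'tcp', frozenset({'SYN'}))
SYN_ACK = Packet('10.3.0.100', '192.168.0.100', 'tcp', frozenset({'SYN', 'ACK'}))
ACK = Packet('192.168.0.100', '10.3.0.100', 'tcp', frozenset({'ACK'}))
V5_SYN = Packet('10.3.0.100', '192.168.0.100', 'tcp', frozenset({'SYN'}))
V5_UDP = Packet('10.3.0.100', '192.168.0.100', 'udp')


def verdicts(acl) -> dict:
    """Evaluate every constructed packet against an ACL, keyed by name."""
    return {name: evaluate(acl, pkt) for name, pkt in
            [('SYN', SYN), ('SYN_ACK', SYN_ACK), ('ACK', ACK),
             ('V5_SYN', V5_SYN), ('V5_UDP', V5_UDP)]}


if __name__ == '__main__':
    print('OP attempt :', verdicts(OP_ACL))    # SYN_ACK -> 'deny'
    print('rais order :', verdicts(RAIS_ACL))  # SYN_ACK -> 'permit', V5_SYN -> 'deny'
```

The SYN_ACK verdict under OP_ACL is the packet the log line "denied tcp 10.3.0.100(22) ... -> 192.168.0.100(37792)" reports: the return leg never reaches a line with 'established' on it before it hits the deny.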