04-18-2018 05:52 AM - edited 02-21-2020 07:38 AM
I have a router with two segments. Outside segment is the client and inside is the domain controller.
I need to define ACL on Outside interface to allow communication for active directory.
The router will use a packet-filter ACL (no stateful inspection).
Assuming the firewall port requirements listed in the URL below, what should my ACL for the Outside interface be, for both ingress and egress?
04-18-2018 06:47 AM
Hi,
Can you clarify something, please? Is the outside the internet? In which case opening these ports is a really bad idea and not secure. Or is this a private LAN/WAN?
What other traffic is likely to ingress/egress this router? If an ACL is applied for just this DC traffic, it's likely to break something else.
Do you require NAT? If you do that, DNS won't work; it would return the private IP address of the DC and not the NATed address.
The list you've provided looks pretty accurate; do you use LDAPS in your environment?
04-18-2018 11:24 AM
Hello
It's in a private network without any internet connectivity or NAT; LDAP/SSL and GC/SSL are not applicable.
04-18-2018 12:11 PM
Assuming there is no other traffic coming over the outside interface, try this:
ip access-list extended DC
permit udp host CLIENT-IP host DC-IP eq 135
permit tcp host CLIENT-IP host DC-IP eq 135
permit udp host CLIENT-IP host DC-IP eq 137
permit tcp host CLIENT-IP host DC-IP eq 137
permit udp host CLIENT-IP host DC-IP eq 138
permit tcp host CLIENT-IP host DC-IP eq 139
permit udp host CLIENT-IP host DC-IP eq 445
permit tcp host CLIENT-IP host DC-IP eq 445
permit udp host CLIENT-IP host DC-IP eq 389
permit tcp host CLIENT-IP host DC-IP eq 389
permit tcp host CLIENT-IP host DC-IP eq 3268
permit udp host CLIENT-IP host DC-IP eq 88
permit tcp host CLIENT-IP host DC-IP eq 88
permit udp host CLIENT-IP host DC-IP eq 53
permit tcp host CLIENT-IP host DC-IP eq 53
permit tcp host CLIENT-IP host DC-IP range 49152 65535
! Optional - apply the log keyword to identify any drops. Use it for testing initially to confirm everything is working, then remove it.
deny ip any any log
interface GigabitEthernet X
description OUTSIDE interface
ip access-group DC in
You would obviously need to replace the CLIENT-IP and DC-IP values with the IP addresses for your network.
04-19-2018 01:31 AM
This ACL will allow communication from client to DC.
But how about return connections that were initiated from the DC to client?
04-19-2018 02:42 AM
10-09-2019 06:30 AM
Outbound initiated connections are allowed back in because that port is listening for the return of the request. The router identifies that as a valid communication as it is started from within the firewall. It is just like the default router you have for your home internet. Do you have to go into the router and tell it to allow a website, i.e. port 443, to reply to your request? The return of information to a request is allowed through.
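The return-direction ACL for the stateless design discussed in this thread, as an added example that is not part of the original thread or any poster's configuration. It keeps the CLIENT-IP and DC-IP placeholders and the interface name from the earlier post, and assumes the reply filter is applied on the same OUTSIDE interface in the `out` direction (traffic leaving the router toward the client). The `established` keyword is a stateless match on the TCP ACK/RST flag bits, not connection tracking, which is why it covers every TCP service in the inbound list with one line while UDP replies have to be enumerated by source port:

```cisco
! Added example (not from the thread): return-direction ACL for a stateless packet filter.
! Applied OUT on the OUTSIDE interface, i.e. to packets the router sends toward the client.
ip access-list extended DC-RETURN
 remark TCP replies from the DC: established matches only segments with ACK or RST set,
 remark so a fresh SYN originated by the DC toward the client does not match and is denied
 permit tcp host DC-IP host CLIENT-IP established
 remark UDP has no handshake, so replies are matched by the DC's well-known source port
 permit udp host DC-IP eq 53 host CLIENT-IP
 permit udp host DC-IP eq 88 host CLIENT-IP
 permit udp host DC-IP eq 135 host CLIENT-IP
 permit udp host DC-IP eq 137 host CLIENT-IP
 permit udp host DC-IP eq 138 host CLIENT-IP
 permit udp host DC-IP eq 389 host CLIENT-IP
 permit udp host DC-IP eq 445 host CLIENT-IP
 remark anything else the DC sends toward the client is logged and dropped;
 remark keep log while testing, then remove it to avoid CPU load from logging
 deny ip any any log
!
interface GigabitEthernet X
 description OUTSIDE interface
 ip access-group DC in
 ip access-group DC-RETURN out
```

With only the inbound ACL from the earlier post, DC-to-client packets leave the OUTSIDE interface unfiltered, so replies work but so would any connection the DC (or anything spoofing DC-IP) initiates toward the client. The outbound ACL above narrows that to replies only. If genuine per-connection state is wanted on an IOS router, reflexive ACLs (`reflect`/`evaluate`) or the zone-based firewall are the stateful options; the `established` match is the closest a plain packet filter gets.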