12-20-2017 10:55 AM - edited 02-21-2020 06:59 AM
Hi all,
I am trying to make an ACL on my layer 3 switches (in HSRP) that would allow a new VLAN on my network to be accessible via RDP and ICMP from all other user VLANs. Also, the server VLAN needs to do ICMP as well as TCP and UDP 445 to this new VLAN. And the new VLAN needs to access the following on the server VLAN:
UDP Port 88 for Kerberos authentication
UDP and TCP 135 for domain controller-to-domain controller and client-to-domain controller operations
UDP 389 for LDAP to handle normal queries from client computers to the domain controllers
TCP and UDP Port 464 for Kerberos Password Change
TCP Port 3268 and 3269 for Global Catalog from client to domain controller
TCP and UDP Port 53 for DNS from client to domain controller and domain controller to domain controller
TCP & UDP 49152-65535, the ephemeral ports, are required
ICMP (Echo)
The following are the VLAN IDs with the corresponding names:
The following is what I have currently in my ACL, but it's not working properly. I am not able to RDP into my test system on the new VLAN from anywhere. I am also not able to authenticate with Active Directory to log into Windows with the domain account.
ip access-list extended RESTRICT-VLAN184-IN
remark Allow ICMP
permit icmp any any echo-reply
remark Allow RDP
permit tcp any any eq 3389
permit udp any any eq 3389
remark Allow VLAN20
permit tcp any 10.10.20.0 0.0.3.255 eq www
permit tcp any 10.10.20.0 0.0.3.255 eq domain
permit tcp any 10.10.20.0 0.0.3.255 eq 443
permit tcp any 10.10.20.0 0.0.3.255 eq 52230
permit tcp any 10.10.20.0 0.0.3.255 eq 135
permit tcp any 10.10.20.0 0.0.3.255 eq 464
permit tcp any 10.10.20.0 0.0.3.255 range 3268 3269
permit tcp any 10.10.20.0 0.0.3.255 range 49152 65535
permit udp any 10.10.20.0 0.0.3.255 eq domain
permit udp any 10.10.20.0 0.0.3.255 eq 88
permit udp any 10.10.20.0 0.0.3.255 eq 135
permit udp any 10.10.20.0 0.0.3.255 eq 389
permit udp any 10.10.20.0 0.0.3.255 eq 464
permit udp any 10.10.20.0 0.0.3.255 range 49152 65535
remark Deny all other VLANS
deny ip any 10.10.0.0 0.0.255.255
remark Allow internet
permit ip any any
Applying the ACL inbound to the layer 3 VLAN interface:
interface vlan184
ip access-group RESTRICT-VLAN184-IN in
If anyone can help with this, it would be very much appreciated. Thanks in advance.
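To see why the posted ACL behaves the way it does, the following added example (not part of the thread, and not the original poster's or Cisco's code) replays a few constructed packets through a small first-match simulator for IOS extended ACLs. The ACL text is the one posted above with the remark lines omitted; the packets are evaluated in the direction the ACL is applied, inbound on interface vlan184, i.e. traffic sent by hosts in VLAN 184 towards the switch. The host addresses (10.10.184.10 for a VLAN 184 host, 10.10.30.5 for a host in another user VLAN, 10.10.20.1 for a domain controller) and the assumption that VLAN 184 uses 10.10.184.0/24 are constructed for the example; only the 10.10.20.0/22 and 10.10.0.0/16 ranges come from the post. Whether a Windows client sends Kerberos over TCP as well as UDP is likewise an assumption about the client, not something the thread states.

```python
"""First-match simulator for Cisco IOS extended ACLs (added example, not from the thread)."""
import ipaddress
from dataclasses import dataclass

# The ACL as posted (remark lines omitted). Packets are replayed in the direction the ACL
# is applied: inbound on interface vlan184, i.e. packets *sent by* hosts in VLAN 184.
POSTED_ACL = """
permit icmp any any echo-reply
permit tcp any any eq 3389
permit udp any any eq 3389
permit tcp any 10.10.20.0 0.0.3.255 eq www
permit tcp any 10.10.20.0 0.0.3.255 eq domain
permit tcp any 10.10.20.0 0.0.3.255 eq 443
permit tcp any 10.10.20.0 0.0.3.255 eq 52230
permit tcp any 10.10.20.0 0.0.3.255 eq 135
permit tcp any 10.10.20.0 0.0.3.255 eq 464
permit tcp any 10.10.20.0 0.0.3.255 range 3268 3269
permit tcp any 10.10.20.0 0.0.3.255 range 49152 65535
permit udp any 10.10.20.0 0.0.3.255 eq domain
permit udp any 10.10.20.0 0.0.3.255 eq 88
permit udp any 10.10.20.0 0.0.3.255 eq 135
permit udp any 10.10.20.0 0.0.3.255 eq 389
permit udp any 10.10.20.0 0.0.3.255 eq 464
permit udp any 10.10.20.0 0.0.3.255 range 49152 65535
deny ip any 10.10.0.0 0.0.255.255
permit ip any any
"""
PORT_NAMES = {"www": 80, "domain": 53}   # IOS port keywords used in the posted ACL


@dataclass
class Packet:
    proto: str                # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    ack: bool = False         # TCP ACK bit, which the IOS 'established' keyword tests
    icmp_type: str = ""       # "echo" or "echo-reply"


def _address(tokens):
    """Consume 'any' or 'A.B.C.D wildcard'. ipaddress accepts a host mask, so a
    contiguous IOS wildcard maps straight onto a prefix (true for every line posted)."""
    tok = tokens.pop(0)
    return ipaddress.ip_network("0.0.0.0/0" if tok == "any" else f"{tok}/{tokens.pop(0)}")


def _ports(tokens):
    """Consume an optional 'eq N' or 'range A B'; no operator means any port."""
    if tokens and tokens[0] == "eq":
        p = PORT_NAMES.get(tokens[1]) or int(tokens[1]); del tokens[:2]
        return p, p
    if tokens and tokens[0] == "range":
        lo, hi = int(tokens[1]), int(tokens[2]); del tokens[:3]
        return lo, hi
    return 0, 65535


def parse_acl(text):
    """'permit|deny proto src [ports] dst [ports] [options]' -> list of entry tuples."""
    entries = []
    for raw in text.splitlines():
        tokens = raw.split()
        if not tokens or tokens[0] == "remark":
            continue
        action, proto, rest = tokens[0], tokens[1], tokens[2:]
        src, sports = _address(rest), _ports(rest)
        dst, dports = _address(rest), _ports(rest)
        entries.append((raw.strip(), action, proto, src, sports, dst, dports, set(rest)))
    return entries


def evaluate(entries, pkt):
    """Return (action, matching line); an unmatched packet hits the implicit deny."""
    for line, action, proto, src, sports, dst, dports, opts in entries:
        if proto != "ip" and proto != pkt.proto:
            continue
        if ipaddress.ip_address(pkt.src) not in src or ipaddress.ip_address(pkt.dst) not in dst:
            continue
        if proto in ("tcp", "udp") and not (sports[0] <= pkt.sport <= sports[1]
                                            and dports[0] <= pkt.dport <= dports[1]):
            continue
        if "established" in opts and not pkt.ack:      # only TCP segments with ACK set
            continue
        if proto == "icmp" and opts and pkt.icmp_type not in opts:
            continue
        return action, line
    return "deny", "implicit deny"


# Constructed flows, all seen inbound on interface vlan184 (sent by a VLAN 184 host).
FLOWS = {
    # RDP from another user VLAN: the SYN never crosses this ACL, but the SYN-ACK does,
    # and its destination port is the client's ephemeral port, not 3389.
    "rdp_return_to_user_vlan": Packet("tcp", "10.10.184.10", "10.10.30.5", 3389, 51000, ack=True),
    "kerberos_udp_to_dc":      Packet("udp", "10.10.184.10", "10.10.20.1", 50000, 88),
    "kerberos_tcp_to_dc":      Packet("tcp", "10.10.184.10", "10.10.20.1", 50001, 88),
    "ping_reply_to_user_vlan": Packet("icmp", "10.10.184.10", "10.10.30.5", icmp_type="echo-reply"),
    "ping_request_out":        Packet("icmp", "10.10.184.10", "10.10.30.5", icmp_type="echo"),
}


def check_flows(acl_text=POSTED_ACL):
    entries = parse_acl(acl_text)
    return {name: evaluate(entries, pkt) for name, pkt in FLOWS.items()}


if __name__ == "__main__":
    for name, (action, line) in check_flows().items():
        print(f"{name:26s} {action:6s} <- {line}")
```

Running it shows the RDP return traffic (SYN-ACK from port 3389 to the client's ephemeral port) falling through to "deny ip any 10.10.0.0 0.0.255.255", because the inbound ACL only permits TCP with *destination* port 3389; the UDP/88 Kerberos request is permitted, while a TCP/88 request (and TCP/389 LDAP, and TCP/445 SMB) reaches the same deny line since only the UDP variants are listed. The simulator also understands the IOS `established` keyword, so candidate return-traffic rules can be tried against `check_flows` before being typed into the switch.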
12-20-2017 11:35 PM
Hi,
You will need two access lists, one for each direction. The access-list applied in the "out" direction will contain the traffic that is going to your new VLAN, and the access-list applied in the "in" direction will contain traffic going to your servers.
Thanks
John
12-21-2017 09:07 AM - edited 12-21-2017 09:08 AM
Hi,
Thanks for your reply. Do I apply both ACLs to the new VLAN? And also, do you think something is missing from my ACL, or does something need to be added to make it work like I want it to?
12-21-2017 10:39 AM
@johnd2310 wrote:
Hi,
You will need two access lists, one for each direction. The access-list applied in the "out" direction will contain the traffic that is going to your new VLAN, and the access-list applied in the "in" direction will contain traffic going to your servers.
Thanks
John
I just tried applying another access-list in the out direction, and now I am unable to get anywhere from the restricted network to the other VLANs, even to things that I have permitted in the "in" access-list.
12-22-2017 04:59 AM
Hi,
Can you show the ACL that you applied for VLAN 20? You have to write the back rules in the ACL.
Best regards