
Need help with an ACL

thegreatone
Level 1

Hi all,

I am trying to make an ACL on my layer 3 switches (in HSRP) that would allow a new VLAN on my network to be accessible via RDP and ICMP from all other user VLANs. Also, the server VLAN needs to do ICMP as well as TCP and UDP 445 to this new VLAN. And the new VLAN needs to access the following on the server VLAN:

  • UDP Port 88 for Kerberos authentication
  • UDP and TCP 135 for domain controller-to-domain controller and client-to-domain controller operations
  • UDP 389 for LDAP to handle normal queries from client computers to the domain controllers
  • TCP and UDP Port 464 for Kerberos Password Change
  • TCP Port 3268 and 3269 for Global Catalog from client to domain controller
  • TCP and UDP Port 53 for DNS from client to domain controller and domain controller to domain controller
  • TCP & UDP 49152-65535 (the ephemeral ports are required)
  • ICMP (Echo)

The following are the VLAN IDs with the corresponding names:

  • vlan 20 - Servers - 10.10.20.0/22
  • vlan 30 - User 1 - 10.10.30.0/24
  • vlan 31 - User 2 - 10.10.31.0/24
  • vlan 32 - User 3 - 10.10.32.0/24
  • vlan 33 - User 4 - 10.10.33.0/24
  • vlan 34 - User 5 - 10.10.34.0/24
  • vlan 35 - User 6 - 10.10.35.0/24
  • vlan 36 - User 7 - 10.10.36.0/24
  • vlan 37 - User 8 - 10.10.30.0/24
  • vlan 38 - User 9 - 10.10.30.0/24
  • vlan 39 - User 10 - 10.10.30.0/24
  • vlan 40 - User 11 - 10.10.40.0/24
  • vlan 184 - Restricted user - 10.10.184.0/25

The following is what I currently have in my ACL, but it's not working properly. I am not able to RDP into my test system on the new VLAN from anywhere. I am also not able to authenticate with Active Directory to log into Windows with the domain account.

ip access-list extended RESTRICT-VLAN184-IN
remark Allow ICMP
permit icmp any any echo-reply
remark Allow RDP
permit tcp any any eq 3389
permit udp any any eq 3389
remark Allow VLAN20
permit tcp any 10.10.20.0 0.0.3.255 eq www
permit tcp any 10.10.20.0 0.0.3.255 eq domain
permit tcp any 10.10.20.0 0.0.3.255 eq 443
permit tcp any 10.10.20.0 0.0.3.255 eq 52230
permit tcp any 10.10.20.0 0.0.3.255 eq 135
permit tcp any 10.10.20.0 0.0.3.255 eq 464
permit tcp any 10.10.20.0 0.0.3.255 range 3268 3269
permit tcp any 10.10.20.0 0.0.3.255 range 49152 65535
permit udp any 10.10.20.0 0.0.3.255 eq domain
permit udp any 10.10.20.0 0.0.3.255 eq 88
permit udp any 10.10.20.0 0.0.3.255 eq 135
permit udp any 10.10.20.0 0.0.3.255 eq 389
permit udp any 10.10.20.0 0.0.3.255 eq 464
permit udp any 10.10.20.0 0.0.3.255 range 49152 65535
remark Deny all other VLANS
deny   ip any 10.10.0.0 0.0.255.255
remark Allow internet
permit ip any any

Applying the ACL inbound to the layer 3 VLAN interface:

interface vlan184
ip access-group RESTRICT-VLAN184-IN in

If anyone can help with this, it would be very much appreciated. Thanks in advance.
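The behaviour described in this post follows from how an inbound ACL on an SVI is evaluated, and the following added example (not part of the original post; written here for illustration) makes it visible: a small Python evaluator for the subset of Cisco IOS extended-ACL syntax used above, run against the ACL exactly as posted. The hosts 10.10.184.10, 10.10.30.5, 10.10.20.5 and 203.0.113.10 are constructed, and the evaluator is stateless, as IOS ACLs are (fragments and TCP flags are not modelled). An ACL applied "in" on interface vlan184 only sees packets sent by hosts in VLAN 184, so for an RDP session started from a user VLAN it is the reply (source port 3389 toward an ephemeral port) that gets checked, and that packet falls through to the "deny ip any 10.10.0.0 0.0.255.255" line.

```python
"""Stateless evaluator for the subset of Cisco IOS extended-ACL syntax used in the post
above (any/wildcard addresses, eq/range ports, ICMP message names). Added example, not
from the original thread; the hosts below are constructed."""
import ipaddress
from collections import namedtuple

NAMED_PORTS = {"www": 80, "domain": 53}

# The ACL exactly as posted in the question (remark lines are skipped by the parser).
ACL_TEXT = """\
permit icmp any any echo-reply
permit tcp any any eq 3389
permit udp any any eq 3389
permit tcp any 10.10.20.0 0.0.3.255 eq www
permit tcp any 10.10.20.0 0.0.3.255 eq domain
permit tcp any 10.10.20.0 0.0.3.255 eq 443
permit tcp any 10.10.20.0 0.0.3.255 eq 52230
permit tcp any 10.10.20.0 0.0.3.255 eq 135
permit tcp any 10.10.20.0 0.0.3.255 eq 464
permit tcp any 10.10.20.0 0.0.3.255 range 3268 3269
permit tcp any 10.10.20.0 0.0.3.255 range 49152 65535
permit udp any 10.10.20.0 0.0.3.255 eq domain
permit udp any 10.10.20.0 0.0.3.255 eq 88
permit udp any 10.10.20.0 0.0.3.255 eq 135
permit udp any 10.10.20.0 0.0.3.255 eq 389
permit udp any 10.10.20.0 0.0.3.255 eq 464
permit udp any 10.10.20.0 0.0.3.255 range 49152 65535
deny   ip any 10.10.0.0 0.0.255.255
permit ip any any
"""

# proto is "tcp", "udp" or "icmp"; sport/dport are ignored for icmp; icmp_type e.g. "echo".
Packet = namedtuple("Packet", "proto src dst sport dport icmp_type", defaults=(0, 0, ""))

def _parse_addr(tok, i):
    """Consume 'any' or 'ADDRESS WILDCARD'; return ((address, wildcard), next index)."""
    if tok[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    net, wild = (int(ipaddress.IPv4Address(t)) for t in tok[i:i + 2])
    return (net, wild), i + 2

def _parse_port(tok, i):
    """Consume an optional 'eq X' or 'range A B'; return ((lo, hi) or None, next index)."""
    if i < len(tok) and tok[i] == "eq":
        p = NAMED_PORTS.get(tok[i + 1]) or int(tok[i + 1])
        return (p, p), i + 2
    if i < len(tok) and tok[i] == "range":
        return (int(tok[i + 1]), int(tok[i + 2])), i + 3
    return None, i

def parse_acl(text):
    rules = []
    for line in text.splitlines():
        tok = line.split()
        if not tok or tok[0] == "remark":
            continue
        src, i = _parse_addr(tok, 2)
        sport, i = _parse_port(tok, i)
        dst, i = _parse_addr(tok, i)
        dport, i = _parse_port(tok, i)
        icmp_type = tok[i] if tok[1] == "icmp" and i < len(tok) else ""
        rules.append(dict(action=tok[0], proto=tok[1], src=src, sport=sport, dst=dst,
                          dport=dport, icmp_type=icmp_type, text=" ".join(tok)))
    return rules

def _addr_match(spec, addr):
    net, wild = spec
    care = ~wild & 0xFFFFFFFF  # a set wildcard bit means "don't care"
    return int(ipaddress.IPv4Address(addr)) & care == net & care

def _port_match(spec, port):
    return spec is None or spec[0] <= port <= spec[1]

def evaluate(rules, pkt):
    """First matching rule wins; a Cisco ACL ends with an implicit deny."""
    for r in rules:
        if (r["proto"] in ("ip", pkt.proto)
                and _addr_match(r["src"], pkt.src) and _addr_match(r["dst"], pkt.dst)
                and _port_match(r["sport"], pkt.sport) and _port_match(r["dport"], pkt.dport)
                and (not r["icmp_type"] or r["icmp_type"] == pkt.icmp_type)):
            return r["action"], r["text"]
    return "deny", "implicit deny at end of ACL"

RULES = parse_acl(ACL_TEXT)

# Constructed hosts: restricted PC (VLAN 184), user PC (VLAN 30), DC (VLAN 20), internet.
RESTRICTED_PC, USER_PC, DC, INTERNET = "10.10.184.10", "10.10.30.5", "10.10.20.5", "203.0.113.10"

# Packets as seen by the ACL applied "in" on vlan184: only traffic SENT BY VLAN 184 hosts.
SAMPLE_FLOWS = {
    "RDP reply to user PC":  Packet("tcp", RESTRICTED_PC, USER_PC, 3389, 51000),
    "Kerberos udp/88 to DC": Packet("udp", RESTRICTED_PC, DC, 51001, 88),
    "LDAP tcp/389 to DC":    Packet("tcp", RESTRICTED_PC, DC, 51002, 389),
    "Ping (echo) to DC":     Packet("icmp", RESTRICTED_PC, DC, icmp_type="echo"),
    "Ping reply to user PC": Packet("icmp", RESTRICTED_PC, USER_PC, icmp_type="echo-reply"),
    "HTTPS to the internet": Packet("tcp", RESTRICTED_PC, INTERNET, 51003, 443),
}

def evaluate_samples():
    """Map each sample flow to the action the posted ACL takes on it."""
    return {name: evaluate(RULES, pkt)[0] for name, pkt in SAMPLE_FLOWS.items()}
```

evaluate_samples() returns the action for each sample flow, and evaluate() also returns the line that matched, which is the quickest way to see why a packet was dropped. Two things stand out: reply traffic for sessions initiated from other VLANs needs its own permit lines in a stateless ACL (for TCP, the IOS "established" keyword covers this), which is the point the replies below make; and only echo-reply is permitted for ICMP, so hosts in VLAN 184 cannot ping anything inside 10.10.0.0/16 themselves. The LDAP flow is included because Windows domain clients query LDAP over TCP 389 (UDP 389 carries the CLDAP domain-controller locator pings), and TCP 389 is not in the posted list.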

4 Replies

johnd2310
Level 8

Hi,

You will need two access lists, one for each direction. The access-list applied in the "out" direction will contain the traffic that is going to your new VLAN, and the access-list applied in the "in" direction will contain traffic going to your servers.

Thanks

John

**Please rate posts you find helpful**

Hi,

Thanks for your reply. Do I apply both ACLs to the new VLAN? And also, do you think something is missing from my ACL, or does something need to be added to make it work like I want it to?

@johnd2310 wrote:

Hi,

You will need two access lists, one for each direction. The access-list applied in the "out" direction will contain the traffic that is going to your new VLAN, and the access-list applied in the "in" direction will contain traffic going to your servers.

Thanks

John

I just tried applying another access-list in the "out" direction, and now I am unable to get anywhere from the restricted network to the other VLANs, even to the things I have permitted in the "in" access-list.

Hi,

Can you show the ACL that you applied for VLAN 20? You have to write the return rules into the ACL.

Best regards
