ACL issues with segregating VLAN

mrochac, Level 1

I created a new VLAN for our DVR system as it only needs internet access and to limit network access - the inner part of this works fine, the device has internet access, the device gets an IP address off our router and so on as it should - now, the support process for this DVR is outsourced and the company uses TeamViewer to remote in (I know...) which is fine since the idea behind this is to only allow that - long story short, below is what I have for the ACL:


ip access-list extended DVR-ACL
100 deny ip 10.100.0.0 0.0.255.255 10.173.55.0 0.0.0.255 log
101 deny ip 10.172.0.0 0.0.255.255 10.173.55.0 0.0.0.255 log
102 deny ip 172.24.0.0 0.0.255.255 10.173.55.0 0.0.0.255 log
103 deny ip 192.168.0.0 0.0.255.255 10.173.55.0 0.0.0.255 log
104 permit tcp any any eq 5938 log
105 permit tcp any any eq www 443 log
106 permit icmp any any log
107 permit tcp any any log


Issue - doesn't work! If I connect to the DVR with TeamViewer and apply the ACL in/out I stay connected; if I disconnect and try to reconnect it doesn't work.


While I am connected with TeamViewer and apply the ACL, it works as it should, and I only have access to the internet....


help.

12 Replies

Richard Burts, Hall of Fame

It would appear that your ACL is denying something that is needed for logging into team viewer. I see that you permit tcp 5938 which seems to be the preferred port for team viewer. But the implicit deny any any at the bottom of the acl is denying something that you need. As a test I suggest that you add this line at the bottom of your acl

deny ip any any log

Apply the changed acl, attempt to access team viewer, and look in the logs for what is being denied.

HTH

Rick

Hi Richard, thanks for the assistance - I added the "deny" ACE to the running ACL - I was connected while I added the ACL back to the interface and stayed connected, I disconnected and tried to reconnect and could not - results below:


000396: Feb 18 10:33:39.219 EST: %SEC-6-IPACCESSLOGRL: access-list logging rate-limited or missed 79 packets
000397: Feb 18 10:33:39.391 EST: %SEC-6-IPACCESSLOGP: list DVR-ACL denied udp 10.173.55.5(50004) -> 255.255.255.255(69), 1 packet
000398: Feb 18 10:33:40.931 EST: %SEC-6-IPACCESSLOGP: list DVR-ACL denied udp 10.173.55.5(58121) -> 8.8.8.8(53), 1 packet
000399: Feb 18 10:33:41.931 EST: %SEC-6-IPACCESSLOGP: list DVR-ACL denied udp 10.173.55.5(58121) -> 8.8.8.4(53), 1 packet
000400: Feb 18 10:33:54.403 EST: %SEC-6-IPACCESSLOGP: list DVR-ACL denied udp 10.173.55.5(58129) -> 255.255.255.255(69), 1 packet
000401: Feb 18 10:33:57.359 EST: %SEC-6-IPACCESSLOGP: list DVR-ACL denied udp 10.173.55.5(50046) -> 8.8.8.8(53), 1 packet
000402: Feb 18 10:33:58.359 EST: %SEC-6-IPACCESSLOGP: list DVR-ACL denied udp 10.173.55.5(50046) -> 8.8.8.4(53), 1 packet
000403: Feb 18 10:34:09.331 EST: %SEC-6-IPACCESSLOGP: list DVR-ACL permitted tcp 10.173.55.5(55905) -> 34.237.253.253(443), 1 packet
000404: Feb 18 10:34:11.355 EST: %SEC-6-IPACCESSLOGP: list DVR-ACL denied udp 10.173.55.5(51001) -> 255.255.255.255(51000), 1 packet
000405: Feb 18 10:34:12.387 EST: %SEC-6-IPACCESSLOGP: list DVR-ACL denied udp 10.173.55.5(62821) -> 8.8.8.4(53), 1 packet
000406: Feb 18 10:34:24.390 EST: %SEC-6-IPACCESSLOGP: list DVR-ACL denied udp 10.173.55.5(62825) -> 255.255.255.255(69), 1 packet
000407: Feb 18 10:34:27.354 EST: %SEC-6-IPACCESSLOGP: list DVR-ACL denied udp 10.173.55.5(56483) -> 8.8.8.8(53), 1 packet
000408: Feb 18 10:34:28.354 EST: %SEC-6-IPACCESSLOGP: list DVR-ACL denied udp 10.173.55.5(56483) -> 8.8.8.4(53), 1 packet
000409: Feb 18 10:34:30.946 EST: %SEC-6-IPACCESSLOGP: list DVR-ACL permitted tcp 10.173.55.5(55810) -> 52.226.139.121(443), 1 packet
000410: Feb 18 10:34:33.714 EST: %SEC-6-IPACCESSLOGP: list DVR-ACL permitted tcp 10.173.55.5(55808) -> 52.226.139.121(443), 1 packet


Thoughts? I see these UDP denies but it doesn't make sense...

Perhaps a better understanding of your environment might be helpful. After you apply the acl, disconnect, and attempt to reconnect what address are you coming from? And what address are you attempting to access?

The denied traffic is coming from 10.173.55.5 what is this?

I see denied traffic to the broadcast address using tftp, not clear what this is but doubt it is significant.

I see denied traffic that is DNS. Not sure if that might relate to the problem or not. You might try adding a permit for the DNS traffic and see if that helps.

I see denied traffic for udp port 51000. I am not clear what this is and whether it relates to the problem or not. 


HTH

Rick

Perhaps a better understanding of your environment might be helpful. After you apply the acl, disconnect, and attempt to reconnect what address are you coming from? And what address are you attempting to access?

# I have the TeamViewer app installed on my laptop while connected over VPN

The denied traffic is coming from 10.173.55.5 what is this?

# This is the DVR machine I'm trying to access with TeamViewer

I see denied traffic to the broadcast address using tftp, not clear what this is but doubt it is significant.

# Not sure what this is either

I see denied traffic that is DNS. Not sure if that might relate to the problem or not. You might try adding a permit for the DNS traffic and see if that helps.

# OK, I can add the allow DNS; this subnet is actually using Google for DNS as primary since this is an isolated VLAN.

I see denied traffic for udp port 51000. I am not clear what this is and whether it relates to the problem or not. 

# Yes, I noticed the high port drops as well... I don't see anywhere in the TeamViewer docs where it uses high port number variation.


I will add the allow DNS and see what happens - thanks for all the help.


Here is the ACL now:


Extended IP access list DVR-ACL
10 deny ip 10.100.0.0 0.0.255.255 10.173.55.0 0.0.0.255 log
20 deny ip 10.172.0.0 0.0.255.255 10.173.55.0 0.0.0.255 log
30 deny ip 172.24.0.0 0.0.255.255 10.173.55.0 0.0.0.255 log
40 deny ip 192.168.0.0 0.0.255.255 10.173.55.0 0.0.0.255 log
49 permit tcp any any eq domain log
50 permit tcp any any eq 5938 log
60 permit tcp any any eq www 443 log (4048 matches)
70 permit icmp any any log (8554 matches)
80 permit tcp any any log (3158 matches)
90 deny ip any any log (4771 matches)


I tried to connect again:


001312: Feb 18 11:44:39.196 EST: %SEC-6-IPACCESSLOGRL: access-list logging rate-limited or missed 18 packets
001313: Feb 18 11:44:39.196 EST: %SEC-6-IPACCESSLOGP: list DVR-ACL denied udp 10.173.55.5(51001) -> 255.255.255.255(51000), 4 packets
001314: Feb 18 11:44:39.196 EST: %SEC-6-IPACCESSLOGP: list DVR-ACL denied udp 10.173.55.5(43282) -> 255.255.255.255(43282), 16 packets
001315: Feb 18 11:44:40.200 EST: %SEC-6-IPACCESSLOGP: list DVR-ACL denied udp 10.173.55.5(50999) -> 255.255.255.255(5048), 1 packet
001316: Feb 18 11:44:41.444 EST: %SEC-6-IPACCESSLOGP: list DVR-ACL denied udp 10.173.55.5(51938) -> 8.8.8.8(53), 1 packet
001317: Feb 18 11:44:42.448 EST: %SEC-6-IPACCESSLOGP: list DVR-ACL denied udp 10.173.55.5(51938) -> 8.8.8.4(53), 1 packet
001318: Feb 18 11:44:44.808 EST: %SEC-6-IPACCESSLOGP: list DVR-ACL permitted tcp 10.173.55.5(55808) -> 52.226.139.121(443), 1 packet
001319: Feb 18 11:44:54.268 EST: %SEC-6-IPACCESSLOGP: list DVR-ACL denied udp 10.173.55.5(51942) -> 255.255.255.255(69), 1 packet
001320: Feb 18 11:44:57.296 EST: %SEC-6-IPACCESSLOGP: list DVR-ACL denied udp 10.173.55.5(59989) -> 8.8.8.8(53), 1 packet
001321: Feb 18 11:45:09.268 EST: %SEC-6-IPACCESSLOGP: list DVR-ACL denied udp 10.173.55.5(59992) -> 255.255.255.255(69), 1 packet
001322: Feb 18 11:45:11.444 EST: %SEC-6-IPACCESSLOGP: list DVR-ACL denied udp 10.173.55.5(62943) -> 8.8.8.8(53), 1 packet
001323: Feb 18 11:45:24.268 EST: %SEC-6-IPACCESSLOGP: list DVR-ACL denied udp 10.173.55.5(62949) -> 255.255.255.255(69), 1 packet
001324: Feb 18 11:45:27.296 EST: %SEC-6-IPACCESSLOGP: list DVR-ACL denied udp 10.173.55.5(63662) -> 8.8.8.8(53), 1 packet
001325: Feb 18 11:45:28.620 EST: %SEC-6-IPACCESSLOGP: list DVR-ACL permitted tcp 10.173.55.5(55854) -> 131.100.0.197(443), 1 packet
001326: Feb 18 11:45:39.196 EST: %SEC-6-IPACCESSLOGRL: access-list logging rate-limited or missed 58 packets
001327: Feb 18 11:45:39.268 EST: %SEC-6-IPACCESSLOGP: list DVR-ACL denied udp 10.173.55.5(63665) -> 255.255.255.255(69), 1 packet
001328: Feb 18 11:45:41.448 EST: %SEC-6-IPACCESSLOGP: list DVR-ACL denied udp 10.173.55.5(55752) -> 8.8.8.8(53), 1 packet

Richard, interestingly enough - if I open up UDP to any any, TeamViewer works fine as it should! So now it is a guessing game as to what ports to allow...

I believe that we are making progress. I see in the revised acl that you are permitting tcp for dns but not udp for dns. I suggest adding a permit for udp dns and see if that helps.

HTH

Rick

Richard - apologies for the long delay in getting back to you, been off with covid - back to normal now. Anyway - I added the tcp and udp dns permit and removed the udp any any I added - since I removed the udp any any I can't connect, starting to think there are other udp ports in use that I don't know...


Sorry to hear that you were off with covid. Glad that you are back. Interesting that adding the permit for udp dns did not solve the issue. If you remove the permit udp any any and then can not connect it sure does sound like there is some other udp port being used.

If you are going to continue to troubleshoot this I might suggest making a copy of the acl to use for testing. The testing version of the acl would have the deny ip any any log and the original version would not. Then as you find ports that you need to add you can simply add them to the original acl. If you are going to test again please send me the current content of the acl and the output of the log messages.

HTH

Rick

Here is what I have and it's working properly; the key ACE is line 48, for whatever reason without line 48 in place TeamViewer would not let me connect, so far no issues...


10 deny ip 10.100.0.0 0.0.255.255 10.173.55.0 0.0.0.255 log (10 matches)
20 deny ip 10.172.0.0 0.0.255.255 10.173.55.0 0.0.0.255 log (8 matches)
30 deny ip 172.24.0.0 0.0.255.255 10.173.55.0 0.0.0.255 log (4 matches)
40 deny ip 192.168.0.0 0.0.255.255 10.173.55.0 0.0.0.255 log (4 matches)
48 permit udp any any range 41000 65535 log (77462 matches)
49 permit udp any any eq domain (4417 matches)
50 permit tcp any any eq 5938 log (8 matches)
60 permit tcp any any eq www 443 log (1225365 matches)
62 permit tcp any any eq 37 (98334 matches)
70 permit icmp any any log (14001 matches)
79 permit tcp any any range 51000 65535 (442826 matches)
90 deny ip any any log (90366 matches)

Thanks for the update. Glad to know that with the addition of that permit udp for a range of ports it is now working. There are some apps that use a range of ports. I guess that team viewer is one of them.

HTH

Rick

This has been an interesting discussion. I am glad that my suggestions have been helpful and that you found a solution that does work. Thank you for marking this question as solved. This will help other participants in the community to identify discussions which have helpful information. This community is an excellent place to ask questions and to learn about networking. I hope to see you continue to be active in the community.

HTH

Rick