02-20-2015 10:22 AM - edited 03-05-2019 12:51 AM
We have a small to medium size network, with a Cisco WS-4500X-16 as a core switch, a Nomadix that does NATing and DHCP server, and layer two switches.
The management VLAN has an access-list applied to it, to block certain traffic and allow the rest. There is no glue network; we have a /25 subnet, .1 is the ISP gateway, .2 is our core switch, and so on.
There is also another access-list that is supposed to block outside access, unless you're coming from a certain range. This list is applied to the telnet and ssh lines. So the only thing it does is block access to the core. But you can access the Layer 2 switches from outside.
I did a traceroute from outside, and it looks like to reach a switch, the route doesn't even hit the gateway (ISP side).
This is the configuration that I found, and I need to fix the remote access. Can I apply multiple ACLs to the VLAN interface? I'm not sure why this wasn't done before, as applying that list to the telnet and ssh interfaces won't block access to the other switches.
Thank you in advance for all your replies.
- Ty
02-20-2015 11:07 AM
Hi, you can't apply multiple ACLs to a VLAN interface in the same direction (in or out); try constructing a route-map, which can contain multiple ACLs, and apply it to the interface as a policy.
02-20-2015 11:42 AM
After studying the access-list that is already applied, I see that the lines are there to block telnet and ssh, but it's not matching anything:
....
310 deny tcp any 11.22.33.0 0.0.0.127 eq telnet
320 deny tcp any 11.22.33.0 0.0.0.127 eq 22
321 deny tcp any 11.22.33.0 0.0.0.255 eq 22
permit any any
The same exact scenario is working in other sites.
The direction of the access-list is IN.
02-20-2015 12:12 PM
It is not at all clear how your network is set up or why you would need multiple ACLs on one VLAN interface, i.e. just combine them into one.
That is why you can't apply more than one ACL to an interface in the same direction: because you don't need to.
Not sure what a "glue" network is?
Perhaps you can describe exactly what you are trying to do?
Jon
02-20-2015 12:22 PM
Glue network - the network in between the core switch and the ISP. Usually it's a different /30 subnet than the management subnet in the network. I don't think it matters in this case; I just wanted to give a better overview of the connection in between the core and the ISP gateway.
I have the core switch and the layer 2 switches that hang from it. Everything has public IPs. The access list is supposed to block telnet and ssh access from outside, for the core and the rest of the switches.
In reality it only blocks it for the core itself.
When I try to access the switches, it allows me from outside.
It's like the traffic is not coming through the interface facing the ISP.
02-20-2015 12:40 PM
Thanks for the explanation.
If the access switches are in the same subnet as the ISP gateway then, unless you want to apply ACLs to every switch on its vty lines, you need to apply an ACL outbound on the ISP interface connecting to your network.
However, it doesn't sound like that is a Cisco device, so it may not be possible.
A simpler option is to create a /30 between the core switch and the gateway and readdress your switches using private IPs.
If you did that you wouldn't need an ACL, because they wouldn't be accessible from outside anyway as they are not routable.
Is it just the management VLAN that uses public IPs, i.e. do you have other internal VLANs using private IPs?
Jon
02-20-2015 01:05 PM
The user vlans use private IPs. The switches need public IPs so we can monitor them.
I removed the location where the access-list was applied. It was in the management VLAN SVI and I moved it to the physical interface facing the ISP.
It's working!!
Thank you for all your suggestions.
-Ty
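Added example, not a config from this thread or from Ty or Jon, showing why the SVI placement missed the Layer 2 switches and what the working placement from the last post looks like. Assumptions: the ACL name MGMT-IN, the VLAN and port numbers, and the trusted admin range 198.51.100.0/24 are placeholders; 11.22.33.0/25 is the management subnet quoted in the thread.

```cisco
! Added example (not from the thread). Names, VLAN/port numbers and the
! admin range 198.51.100.0/24 are assumptions; 11.22.33.0/25 is the /25
! quoted in the thread.
ip access-list extended MGMT-IN
 ! management allowed only from the trusted admin range
 permit tcp 198.51.100.0 0.0.0.255 11.22.33.0 0.0.0.127 eq telnet
 permit tcp 198.51.100.0 0.0.0.255 11.22.33.0 0.0.0.127 eq 22
 ! telnet/ssh to ANY host in the management /25 is dropped for everyone else
 deny   tcp any 11.22.33.0 0.0.0.127 eq telnet
 deny   tcp any 11.22.33.0 0.0.0.127 eq 22
 permit ip any any

! Original placement (ineffective for the access switches): a router ACL on
! the SVI only sees traffic that is ROUTED into or out of VLAN 10. A packet
! from the ISP gateway (.1) to an access switch in the same /25 is bridged
! at Layer 2 and never passes through the SVI, so the deny lines never match.
interface Vlan10
 description management (public /25)
 ip address 11.22.33.2 255.255.255.128
 no ip access-group MGMT-IN in

! Working placement: the physical port facing the ISP, inbound. A port ACL is
! checked on every frame entering the port, bridged or routed, so it covers
! the core (.2) and every Layer 2 switch behind it.
interface TenGigabitEthernet1/1
 description uplink to ISP gateway 11.22.33.1
 switchport mode access
 switchport access vlan 10
 ip access-group MGMT-IN in

! Confirm the deny counters increment once the list is on the uplink:
! show ip access-lists MGMT-IN
! show running-config interface TenGigabitEthernet1/1
```

The vty ACL mentioned earlier in the thread still belongs on the core as a second layer; the port ACL is what protects the switches that have no ACL of their own.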