01-25-2013 09:10 AM - edited 03-07-2019 11:18 AM
Hello,
I’m working with a managed switch that has three VLANs set up on it. Recently the domain changed and the wireless VLAN can no longer access the internal website. I found access rules in the switch that allowed the wireless VLAN to use the DNS server on the private/staff VLAN. Their DHCP scope is on the switch and DNS is set there. The website is also on the VLAN with the DNS server. This configuration totally cuts out external DNS usage. It stopped working though. It is as if, when things switched on the domain, the wireless users were denied DNS requests. The switch was not touched at that time. I’m looking at it though and it seems that I may have conflicting rules.
The version is 12.2. I believe it's a Catalyst 2600~
DHCP scopes:
ip dhcp pool INSIDE
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
dns-server 192.168.1.6 192.168.1.4
domain-name saline.lib.mi.us
ip dhcp pool WIRELESS
network 172.16.0.0 255.255.255.0
default-router 172.16.0.1
dns-server 192.168.1.6 192.168.1.4
Here is the VLAN Setup:
interface Vlan1
ip address 192.168.1.1 255.255.255.0
interface Vlan200
ip address 172.16.0.1 255.255.255.0
ip access-group WIRELESS_IN in
ip route-cache policy
Here are two access lists that should be allowing the traffic from 172.16.0.0 into the listed IPs/ports. These do not work.
ip access-list extended WIRELESS-PRINT
permit tcp 172.16.0.0 0.0.0.255 host 192.168.1.12 eq 30044
permit tcp 172.16.0.0 0.0.0.255 host 192.168.1.12 eq 21326
permit tcp 172.16.0.0 0.0.0.255 host 192.168.1.12 eq 6987
permit tcp 172.16.0.0 0.0.0.255 host 192.168.1.12 eq 7383
permit tcp 172.16.0.0 0.0.0.255 host 192.168.1.12 eq 17833
permit tcp 172.16.0.0 0.0.0.255 host 192.168.1.12 eq 4567
ip access-list extended WIRELESS_IN
permit tcp any 172.16.0.0 0.0.0.255
permit ip any 172.16.0.0 0.0.0.255
permit ip 172.16.0.0 0.0.0.255 host 192.168.1.22
permit ip 172.16.0.0 0.0.0.255 host 192.168.1.4
permit ip 172.16.0.0 0.0.0.255 host 192.168.1.12
permit tcp 172.16.0.0 0.0.0.255 host 192.168.1.12 eq 30044
permit tcp 172.16.0.0 0.0.0.255 host 192.168.1.12 eq 21326
permit tcp 172.16.0.0 0.0.0.255 host 192.168.1.12 eq 6987
permit tcp 172.16.0.0 0.0.0.255 host 192.168.1.12 eq 7383
permit tcp 172.16.0.0 0.0.0.255 host 192.168.1.12 eq 17833
permit tcp 172.16.0.0 0.0.0.255 host 192.168.1.12 eq 4567
permit tcp 172.16.0.0 0.0.0.255 host 192.168.1.10 eq www
permit tcp 172.16.0.0 0.0.0.255 host 192.168.1.10 eq 443
deny tcp 172.16.0.0 0.0.0.255 host 172.16.0.1 eq telnet
deny tcp 172.16.0.0 0.0.0.255 host 172.16.0.1 eq 22
deny ip 172.16.0.0 0.0.0.255 192.168.1.0 0.0.0.255
permit ip any any
During my testing I removed the Deny rule and everything worked.
deny ip 172.16.0.0 0.0.0.255 192.168.1.0 0.0.0.255
However, the "permit ip any any" rule makes all the port rules pointless, because when this rule is in place solo, I can ping and access everything on the 192.168.1.0 network.
Is there a way to deny everything except what I permit? Because when I remove the ip any any, then they can't even get out. Perhaps there's a better way to say the wireless users can get out but only get into the subnet over specific ports? I have a feeling it may not have been thought out entirely when initially created. However, the big mystery is that it worked before the secondary domain controller failed.
Any direction, or help with this is much appreciated.
Thanks,
Mike
01-25-2013 09:29 AM
Hello Michael,
Regarding your ACL:
Change the ACL and put your most specific rules first and least specific after that.
Also note that if no match occurs on any of your defined statements, then packets will be automatically dropped due to an implicit deny any at the end of the ACL.
That's providing you remove the permit ip any any statement you have currently.
res
Paul
Please don't forget to rate this post if it has been helpful.
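As an added illustration (not code from either poster), this Python first-match simulator evaluates the WIRELESS_IN ACL as posted: it shows DNS to 192.168.1.4 matching the `permit ip ... host 192.168.1.4` line while DNS to the other configured server, 192.168.1.6, falls through to the `deny ip ... 192.168.1.0 0.0.0.255` line, that the telnet/22 denies to 172.16.0.1 are shadowed by the opening `permit tcp any 172.16.0.0 0.0.0.255`, and what removing the trailing `permit ip any any` does, as Paul describes. The packet addresses used in the checks and the port-name table are assumptions.

```python
import ipaddress

# WIRELESS_IN as posted; the six per-port 192.168.1.12 lines are omitted (shadowed by "permit ip ... host 192.168.1.12")
WIRELESS_IN = """
permit tcp any 172.16.0.0 0.0.0.255
permit ip any 172.16.0.0 0.0.0.255
permit ip 172.16.0.0 0.0.0.255 host 192.168.1.22
permit ip 172.16.0.0 0.0.0.255 host 192.168.1.4
permit ip 172.16.0.0 0.0.0.255 host 192.168.1.12
permit tcp 172.16.0.0 0.0.0.255 host 192.168.1.10 eq www
permit tcp 172.16.0.0 0.0.0.255 host 192.168.1.10 eq 443
deny tcp 172.16.0.0 0.0.0.255 host 172.16.0.1 eq telnet
deny tcp 172.16.0.0 0.0.0.255 host 172.16.0.1 eq 22
deny ip 172.16.0.0 0.0.0.255 192.168.1.0 0.0.0.255
permit ip any any
"""
PORT_NAMES = {"www": 80, "telnet": 23, "domain": 53}  # assumed subset of IOS port keywords

def _addr(tokens):
    """Consume one IOS address spec: 'any', 'host A.B.C.D', or 'network wildcard'."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0))
    return ipaddress.ip_network(f"{tok}/{tokens.pop(0)}", strict=False)  # inverse mask accepted

def parse_acl(text):
    """Turn extended-ACL lines into (action, proto, src, dst, dport) tuples, in order."""
    rules = []
    for line in text.strip().splitlines():
        tokens = line.split()
        action, proto = tokens.pop(0), tokens.pop(0)
        src, dst = _addr(tokens), _addr(tokens)
        dport = None
        if tokens and tokens[0] == "eq":
            dport = PORT_NAMES.get(tokens[1]) or int(tokens[1])
        rules.append((action, proto, src, dst, dport))
    return rules

def evaluate(rules, proto, src, dst, dport=None):
    """First match wins, as in IOS; returns (action, 1-based line) or the implicit deny."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for n, (action, rproto, rsrc, rdst, rport) in enumerate(rules, 1):
        if (rproto not in ("ip", proto) or src not in rsrc or dst not in rdst
                or (rport is not None and rport != dport)):
            continue
        return action, n
    return "deny", None  # implicit deny any at the end of every IOS ACL
```

Passing `acl[:-1]` to `evaluate` models Paul's suggestion of dropping the final `permit ip any any`, at which point anything not explicitly permitted (including Internet-bound traffic) hits the implicit deny.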