Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1348
Views
0
Helpful
1
Replies

Accessing servers/ports from one VLAN from another.

Michael Vela
Level 1
Level 1

‎01-25-2013 09:10 AM - edited ‎03-07-2019 11:18 AM

Hello,

I’m working with a managed switch that has three VLANs setup on it.  Recently the domain changed and the wireless VLAN can no longer access the internal website.  I found access rules, in the switch that allowed the wireless VLAN to use the DNS server on the private/staff VLAN.   Their DHCP scope is on the switch and DNS is set there.  The Website is also on the VLAN with the DNS server.  This configuration totally cuts out external DNS usage.  It stopped working though.  It is as if when things switched on the Domain the wireless users were denied DNS requests.  The switch was not touched at that time.  I’m looking at it though and it seems that I may have conflicting rules.

The version is 12.2.  I believe its a Catalyst 2600~

DHCP scopes:

ip dhcp pool INSIDE

   network 192.168.1.0 255.255.255.0
    default-router 192.168.1.1
    dns-server 192.168.1.6 192.168.1.4
    domain-name saline.lib.mi.us

ip dhcp pool WIRELESS

   network 172.16.0.0 255.255.255.0
    default-router 172.16.0.1
    dns-server 192.168.1.6 192.168.1.4

Here is the VLAN Setup:

interface Vlan1

ip address 192.168.1.1 255.255.255.0

interface Vlan200

ip address 172.16.0.1 255.255.255.0

ip access-group WIRELESS_IN in

ip route-cache policy

Here are two access lists that should be allowing the traffic from 172.16.0.0 into the list IPs/Ports.  These do no work.

ip access-list extended WIRELESS-PRINT

permit tcp 172.16.0.0 0.0.0.255 host 192.168.1.12 eq 30044

permit tcp 172.16.0.0 0.0.0.255 host 192.168.1.12 eq 21326

permit tcp 172.16.0.0 0.0.0.255 host 192.168.1.12 eq 6987

permit tcp 172.16.0.0 0.0.0.255 host 192.168.1.12 eq 7383

permit tcp 172.16.0.0 0.0.0.255 host 192.168.1.12 eq 17833

permit tcp 172.16.0.0 0.0.0.255 host 192.168.1.12 eq 4567

ip access-list extended WIRELESS_IN

permit tcp any 172.16.0.0 0.0.0.255

permit ip any 172.16.0.0 0.0.0.255

permit ip 172.16.0.0 0.0.0.255 host 192.168.1.22

permit ip 172.16.0.0 0.0.0.255 host 192.168.1.4

permit ip 172.16.0.0 0.0.0.255 host 192.168.1.12

permit tcp 172.16.0.0 0.0.0.255 host 192.168.1.12 eq 30044

permit tcp 172.16.0.0 0.0.0.255 host 192.168.1.12 eq 21326

permit tcp 172.16.0.0 0.0.0.255 host 192.168.1.12 eq 6987

permit tcp 172.16.0.0 0.0.0.255 host 192.168.1.12 eq 7383

permit tcp 172.16.0.0 0.0.0.255 host 192.168.1.12 eq 17833

permit tcp 172.16.0.0 0.0.0.255 host 192.168.1.12 eq 4567

permit tcp 172.16.0.0 0.0.0.255 host 192.168.1.10 eq www

permit tcp 172.16.0.0 0.0.0.255 host 192.168.1.10 eq 443

deny   tcp 172.16.0.0 0.0.0.255 host 172.16.0.1 eq telnet

deny   tcp 172.16.0.0 0.0.0.255 host 172.16.0.1 eq 22

deny   ip 172.16.0.0 0.0.0.255 192.168.1.0 0.0.0.255

permit ip any any

During my testing I removed the Deny rule and everything worked.

deny   ip 172.16.0.0 0.0.0.255 192.168.1.0 0.0.0.255

However, the  “   permit ip any any   “ rule, makes all the port rules pointless because when this rule is in place solo, I can ping and access everything on the 192.168.1.0 network.

Is there a way to deny everything, except what I permit?  Because when I remove the ip any any, then they cant even get out.  Perhaps theres a better way to say, the wireless users can get out but only get into the subnet over specific ports?  I have a feeling it may have not be thought out entirely when initially created.  However, the big mystery is that it worked before secondary domain controller failed.

Any direction, or help with this is much appreciated.

Thanks,
Mike

Labels:
0 Helpful
1 Reply 1

paul driver
VIP
VIP

‎01-25-2013 09:29 AM

Hello  Micheal,

Regards your ACL.

Change the ACL and put your most specific rules first and least specific after that.

Also note if no match occurs on any of you defined statements, then packets will be automatically dropped due to an implicit deny any at the end of the ACL,

Thats's providing you remove the permit ip any any statement you have currently.

res

Paul

 

Please don't forget to rate this post if it has been helpful.


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card