03-13-2018 06:40 AM - edited 03-08-2019 02:14 PM
I have an ACL that I want to allow RDP from four specific IP addresses and block everything else. I still want to allow all other traffic though e.g. http, https, ssh, etc. Will I have to individually "permit" each of these services? I applied it as an access group to the SVI and the permit any any at the end of the ACL bypasses the other lines and allows for access. What am I missing?
permit tcp host 10.16.242.56 eq 3389 10.16.242.0 0.0.0.255
permit udp host 10.16.242.56 eq 3389 10.16.242.0 0.0.0.255
permit tcp host 10.16.254.47 eq 3389 10.16.242.0 0.0.0.255
permit udp host 10.16.254.47 eq 3389 10.16.242.0 0.0.0.255
permit tcp host 10.170.8.4 eq 3389 10.16.242.0 0.0.0.255
permit udp host 10.170.8.4 eq 3389 10.16.242.0 0.0.0.255
permit tcp host 10.170.0.4 eq 3389 10.16.242.0 0.0.0.255
permit udp host 10.170.0.4 eq 3389 10.16.242.0 0.0.0.255
deny tcp any eq 3389 10.16.242.0 0.0.0.255
deny udp any eq 3389 10.16.242.0 0.0.0.255
permit ip any any
03-13-2018 08:42 AM
There are several issues with the below.
Firstly, RDP is TCP, so the UDP statements can be removed.
Secondly, you are trying to permit access to the same network, which will not work.
ACLs work from the top down, so ordering is important; for example, if your bottom statement were the first entry then all others would be ineffective (as it would be a match for all traffic).
You are correct in your assumption that you would have to permit the desired traffic; there is an implicit deny at the end.
What you have at the moment will allow everything (by the last statement), so it is ineffective.
Finally, you will also need to permit the return traffic, as the ACLs are not stateful.
Martin
03-13-2018 08:44 AM
Can you clarify whether the RDP is from those 4 hosts or is to those 4 hosts? Also clarify whether the ACL is applied in or applied out. You have written the ACL with RDP as the source port which implies that RDP is from those hosts. I wonder if that is what you really intended.
One other comment is that the permit any any is not bypassing the other lines. The ACL is executed in sequential order. Those statements are executed before the permit any any. But it would appear that they are not matching traffic in the way that you intend.
HTH
Rick
03-13-2018 08:48 AM
Martin caught something that I missed. The specified source addresses are in the subnet that is identified as the destination. A very good reason why the ACL is not working as intended.
HTH
Rick
03-13-2018 08:51 AM
@Richard Burts I thought about that too in terms of them being on the same subnet. Couldn't I just leave out the "permit" statements and leave the rest of the lines in? Those hosts would be able to access it anyways given that they are on the same subnet already.
03-13-2018 08:49 AM
The RDP is from those 4 hosts to the subnet and is applied "in." After looking over it I'm thinking that this would be a better ACL for this. It would permit the 4 hosts while denying any other RDP requests and then it would match any other traffic at the end.
permit tcp host 10.16.242.56 10.16.242.0 0.0.0.255 eq 3389
permit tcp host 10.16.254.47 10.16.242.0 0.0.0.255 eq 3389
permit tcp host 10.170.8.4 10.16.242.0 0.0.0.255 eq 3389
permit tcp host 10.170.0.4 10.16.242.0 0.0.0.255 eq 3389
deny ip any any eq 3389
permit ip any any
03-13-2018 09:05 AM
Yes any host that is in the subnet will be able to access RDP (and anything else) to any other host that is in the subnet. The ACL will not see any traffic from a host to any other device that is in the subnet.
This is an example of that
permit tcp host 10.16.242.56 10.16.242.0 0.0.0.255 eq 3389
so you can remove this line
This line is also problematic
deny ip any any eq 3389
You cannot specify port numbers when you permit ip. You need to change it to tcp:
deny tcp any any eq 3389
So you will have 3 hosts from outside of the subnet that will RDP. No other RDP from outside will be permitted. And all other traffic from outside is permitted.
HTH
Rick
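Added example, not from the thread or from any Cisco tool: a small Python evaluator for Cisco-style extended ACL entries that walks the list top-down with the implicit deny, used to check the flows discussed above. It shows that the corrected ACL permits RDP only from the three hosts outside the subnet while still passing other traffic, that the original source-port form of the entries falls through to permit ip any any for an inbound RDP connection, and that "deny ip ... eq 3389" is rejected. Assumes contiguous wildcard masks and the eq operator only; the flows tested are constructed.

```python
import ipaddress
# Added example, not from the thread: top-down evaluator for Cisco-style extended
# ACL entries with the implicit deny. Assumes contiguous wildcards and 'eq' only.
# Entries from the original ACL: the port is on the SOURCE side.
ORIGINAL_ACL = """
deny tcp any eq 3389 10.16.242.0 0.0.0.255
permit ip any any
"""
# As corrected in the thread: destination port, 'tcp' in the deny, in-subnet host removed.
CORRECTED_ACL = """
permit tcp host 10.16.254.47 10.16.242.0 0.0.0.255 eq 3389
permit tcp host 10.170.8.4 10.16.242.0 0.0.0.255 eq 3389
permit tcp host 10.170.0.4 10.16.242.0 0.0.0.255 eq 3389
deny tcp any any eq 3389
permit ip any any
"""

def _take_addr(tokens):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D wildcard'; return a network."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    # ipaddress reads a mask whose first octet is 0 as a host (wildcard) mask.
    return ipaddress.ip_network(f"{tok}/{tokens.pop(0)}", strict=False)

def _take_port(tokens):  # optional 'eq <port>'; None means any port
    if tokens and tokens[0] == "eq":
        tokens.pop(0)
        return int(tokens.pop(0))
    return None

def parse_ace(line):  # '<permit|deny> <proto> <src> [eq P] <dst> [eq P]'
    tokens = line.split()
    action, proto, rest = tokens[0], tokens[1], tokens[2:]
    src, sport = _take_addr(rest), _take_port(rest)
    dst, dport = _take_addr(rest), _take_port(rest)
    if proto == "ip" and (sport is not None or dport is not None):
        raise ValueError("IOS rejects a port match with 'ip': " + line)
    return action, proto, src, sport, dst, dport

def evaluate(acl_text, proto, src, sport, dst, dport):
    """First matching entry decides; no match at all means the implicit deny."""
    for line in acl_text.strip().splitlines():
        action, p, s, sp, d, dp = parse_ace(line)
        if (p in ("ip", proto) and ipaddress.ip_address(src) in s
                and ipaddress.ip_address(dst) in d
                and sp in (None, sport) and dp in (None, dport)):
            return action
    return "deny"
```

An inbound RDP connection has an ephemeral source port and destination port 3389, which is why the original entries with eq 3389 on the source side never match and the final permit ip any any decides.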