05-31-2017 01:00 PM - edited 03-08-2019 10:48 AM
We recently brought a couple computers onto our network to provide them with internet access (We are a Municipality and they're the local Theatre). We built out a separate VLAN for them and they're getting their addresses from our DHCP server. Their computers are not on our domain so I want to lock down the VLAN and restrict as much access as possible for obvious security reasons.
All they need access to is the internet and the DHCP server (Also possibly DNS so I don't have to use external DNS servers). However, I would like one other VLAN to be able to access them for management purposes.
Their VLAN is 428 and the subnet is 10.42.56.0
VLAN needing to access them is 115 and the subnet is 10.15.56.0
The DHCP & DNS Servers are 172.17.1.1 and 172.17.2.1
Thanks for the help!
06-05-2017 08:33 AM
You need to add this line before the deny line at the end -
"permit tcp 10.42.56.0 0.0.0.255 eq 5900 any"
Jon
05-31-2017 02:53 PM
Hi
You could have
vlan 428
ip access-list extended OUTBOUND
permit udp any any eq 67 <-- initially the PCs don't have an IP, so they will use broadcast to find a DHCP server
permit udp any any eq 68 <-- initially the PCs don't have an IP, so they will use broadcast to find a DHCP server
permit udp 10.42.56.0 0.0.0.255 host 172.17.1.1 range 67 68
permit udp 10.42.56.0 0.0.0.255 host 172.17.2.1 range 67 68
permit tcp 10.42.56.0 0.0.0.255 host 172.17.1.1 eq 53
permit udp 10.42.56.0 0.0.0.255 host 172.17.2.1 eq 53
permit tcp 10.42.56.0 0.0.0.255 any eq 80
permit tcp 10.42.56.0 0.0.0.255 any eq 443
deny ip any any
interface vlan 428
ip access-group OUTBOUND out
I think VLAN 115 is your VLAN; can this VLAN reach the subnet associated with VLAN 428?
06-01-2017 07:42 AM
Correct, all the VLANs can talk to each other.
I set up the above ACL and applied it to the VLAN 428 interface; once I did that, I couldn't reach those computers anymore.
I'm assuming now I need an inbound ACL on that VLAN interface for me to regain access to those computers?
Thanks
06-01-2017 08:12 AM
Hi,
Yes exactly, an inbound ACL should be configured.
ip access-list extended OUTBOUND
permit icmp any any echo
permit icmp any any echo-reply
ip access-list extended INBOUND
permit icmp any any echo
permit icmp any any echo-reply
permit udp any eq 67 any
permit udp any eq 68 any
permit udp host 172.17.1.1 range 67 68 10.42.56.0 0.0.0.255
permit udp host 172.17.2.1 range 67 68 10.42.56.0 0.0.0.255
permit tcp host 172.17.1.1 eq 53 10.42.56.0 0.0.0.255
permit udp host 172.17.2.1 eq 53 10.42.56.0 0.0.0.255
permit tcp any eq 80 10.42.56.0 0.0.0.255
permit tcp any eq 443 10.42.56.0 0.0.0.255
permit ip 10.15.56.0 0.0.0.255 10.42.56.0 0.0.0.255
deny ip any any
interface vlan 428
ip access-group INBOUND in
* You could include ICMP
06-01-2017 09:50 AM
What would I need to add to allow VNC through? I need to add TCP-5900 so I can remotely access those computers.
Thanks again for all the help!
06-01-2017 09:55 AM
Yes, you can do that.
Now you can set up the sequence of the ACL entries; by default, if you add a new entry it will be included at the bottom.
You can see the sequence with show access-list,
then you can configure the sequence:
ip access-list extended INBOUND
11 permit ......
ip access-list extended INBOUND
permit icmp any any echo
permit icmp any any echo-reply
permit udp any eq 67 any
permit udp any eq 68 any
permit udp host 172.17.1.1 range 67 68 10.42.56.0 0.0.0.255
permit udp host 172.17.2.1 range 67 68 10.42.56.0 0.0.0.255
permit tcp host 172.17.1.1 eq 53 10.42.56.0 0.0.0.255
permit udp host 172.17.2.1 eq 53 10.42.56.0 0.0.0.255
permit tcp any eq 80 10.42.56.0 0.0.0.255
permit tcp any eq 443 10.42.56.0 0.0.0.255
permit tcp 10.15.56.0 0.0.0.255 10.42.56.0 0.0.0.255 eq 5900
deny ip any any
Hope it is useful.
:-)
06-01-2017 10:19 AM
What do I need to do to turn on logging for these ACLs so I can see details on what's being blocked?
I thought I had everything working but the computers on the 428 VLAN can't get to the internet and I still can't reach them using VNC.
Thanks
06-01-2017 10:32 AM
Hi
If you want to register the events you can add the log keyword:
ip access-list extended INBOUND
permit icmp any any echo
permit icmp any any echo-reply
permit udp any eq 67 any
permit udp any eq 68 any
permit udp host 172.17.1.1 range 67 68 10.42.56.0 0.0.0.255
permit udp host 172.17.2.1 range 67 68 10.42.56.0 0.0.0.255
permit tcp host 172.17.1.1 eq 53 10.42.56.0 0.0.0.255
permit udp host 172.17.2.1 eq 53 10.42.56.0 0.0.0.255
permit tcp any eq 80 10.42.56.0 0.0.0.255
permit tcp any eq 443 10.42.56.0 0.0.0.255
permit tcp 10.15.56.0 0.0.0.255 10.42.56.0 0.0.0.255 eq 5900
deny ip any any log
Ok, did the computers obtain an IP address? Have you verified the default gateway and DNS server they obtained?
06-01-2017 10:43 AM
Julio
I may be misunderstanding, but as far as I can see you are applying the ACLs in the wrong direction.
Jon
06-01-2017 10:49 AM
Hi Jon
No worries. Thank you; it is the ACL for the inbound traffic, and the ACL for outbound traffic is at the top of the discussion.
:-)
06-01-2017 10:50 AM
Yes I know.
The ACL in the outbound direction should be inbound.
Inbound means traffic coming from clients in that VLAN to the SVI, and that is what your ACL is doing, i.e. the source IPs are from that VLAN.
Jon
06-01-2017 10:53 AM
Oh, I got it; my interpretation is different, hehehe. I always use inbound for the traffic coming to my network and outbound for the traffic to reach a destination.
:-)
06-01-2017 10:55 AM
Yes, I have seen others use that as well, but in terms of the configuration your ACL in the first post has to be applied inbound because it can't work otherwise.
Jon
06-01-2017 11:53 AM
Hi Jon. Yes, you are right, thanks; I was interpreting it as a physical interface.
ip access-list extended OUTBOUND
permit icmp any any
permit udp any any eq 67
permit udp any any eq 68
permit udp 10.42.56.0 0.0.0.255 host 172.17.1.1 range 67 68
permit udp 10.42.56.0 0.0.0.255 host 172.17.2.1 range 67 68
permit tcp 10.42.56.0 0.0.0.255 host 172.17.1.1 eq 53
permit udp 10.42.56.0 0.0.0.255 host 172.17.2.1 eq 53
permit tcp 10.42.56.0 0.0.0.255 any eq 80
permit tcp 10.42.56.0 0.0.0.255 any eq 443
deny ip any any log
ip access-list extended INBOUND
permit udp any eq 67 any
permit udp any eq 68 any
permit udp host 172.17.1.1 range 67 68 10.42.56.0 0.0.0.255
permit udp host 172.17.2.1 range 67 68 10.42.56.0 0.0.0.255
permit tcp host 172.17.1.1 eq 53 10.42.56.0 0.0.0.255
permit udp host 172.17.2.1 eq 53 10.42.56.0 0.0.0.255
permit tcp any eq 80 10.42.56.0 0.0.0.255
permit tcp any eq 443 10.42.56.0 0.0.0.255
permit tcp 10.15.56.0 0.0.0.255 10.42.56.0 0.0.0.255 eq 5900
deny ip any any log
interface vlan 428
ip access-group INBOUND out
ip access-group OUTBOUND in
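An added example (not from the thread or any of its posters), in Python: a first-match ACL simulator that parses the thread's own ACEs (abridged) and walks both halves of a VNC session, showing the SVI direction point Jon makes and why his accepted fix is needed. The management host 10.15.56.5, the theatre host 10.42.56.20 and the client port 51000 are constructed sample values.

```python
import ipaddress

def _addr(tok):  # consume 'any' | 'host A.B.C.D' | 'A.B.C.D wildcard'
    if tok[0] == "any":
        return (lambda ip: True), tok[1:]
    if tok[0] == "host":
        return ipaddress.ip_address(tok[1]).__eq__, tok[2:]
    net = ipaddress.ip_network(f"{tok[0]}/{tok[1]}", strict=False)  # wildcard == hostmask
    return net.__contains__, tok[2:]

def _port(tok):  # consume optional 'eq N' | 'range N M'; absent means any port
    if tok[:1] == ["eq"]:
        n = int(tok[1]); return (lambda p: p == n), tok[2:]
    if tok[:1] == ["range"]:
        lo, hi = int(tok[1]), int(tok[2]); return (lambda p: lo <= p <= hi), tok[3:]
    return (lambda p: True), tok

def parse_acl(text):  # IOS-style extended ACEs; trailing 'log' etc. are ignored
    acl = []
    for line in text.strip().splitlines():
        tok = line.split(); action, proto = tok[0], tok[1]
        src, tok = _addr(tok[2:]); sport, tok = _port(tok)
        dst, tok = _addr(tok); dport, tok = _port(tok)
        acl.append((action, proto, src, sport, dst, dport))
    return acl

def evaluate(acl, proto, src, sport, dst, dport):  # first match wins; implicit deny at the end
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, p, sm, spm, dm, dpm in acl:
        if p in ("ip", proto) and sm(s) and spm(sport) and dm(d) and dpm(dport):
            return action
    return "deny"

# The thread's final pair, abridged to the ACEs a VNC session can touch. OUTBOUND is
# applied 'in' on the SVI (packets sourced by VLAN 428 hosts), INBOUND 'out' (packets to them).
OUTBOUND_IN = parse_acl("""
permit udp any any eq 67
permit tcp 10.42.56.0 0.0.0.255 any eq 443
deny ip any any log""")
INBOUND_OUT = parse_acl("""
permit tcp any eq 443 10.42.56.0 0.0.0.255
permit tcp 10.15.56.0 0.0.0.255 10.42.56.0 0.0.0.255 eq 5900
deny ip any any log""")
# Jon's accepted fix: the return half of VNC, inserted before the final deny.
FIXED_IN = OUTBOUND_IN[:-1] + parse_acl("permit tcp 10.42.56.0 0.0.0.255 eq 5900 any") + OUTBOUND_IN[-1:]

def vnc_session(acl_in, acl_out, mgmt="10.15.56.5", theatre="10.42.56.20", cport=51000):
    """(request verdict, reply verdict) for a VNC session from the management VLAN (sample hosts)."""
    request = evaluate(acl_out, "tcp", mgmt, cport, theatre, 5900)  # toward the host
    reply = evaluate(acl_in, "tcp", theatre, 5900, mgmt, cport)  # sourced by the host
    return request, reply
```

Without the fix the VNC request reaches the theatre host but its reply is dropped by the final deny, which is exactly the symptom reported above; web traffic works in both directions because the return ACE keys on source port 443.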
06-01-2017 12:06 PM
I got tied up on something else but I'll give that a go!
Thanks