16232 Views | 40 Helpful | 27 Replies

ACL only allowing access to the internet and DHCP server for a specific VLAN

timstumbo
Level 1

We recently brought a couple computers onto our network to provide them with internet access (We are a Municipality and they're the local Theatre). We built out a separate VLAN for them and they're getting their addresses from our DHCP server. Their computers are not on our domain so I want to lock down the VLAN and restrict as much access as possible for obvious security reasons. 

All they need access to is the internet and the DHCP server (Also possibly DNS so I don't have to use external DNS servers). However, I would like one other VLAN to be able to access them for management purposes. 

Their VLAN is 428 and the subnet is 10.42.56.0

VLAN needing to access them is 115 and the subnet is 10.15.56.0

The DHCP & DNS Servers are 172.17.1.1 and 172.17.2.1

Thanks for the help!

27 Replies

Ok, I corrected the direction of the ACLs but I can't ping or VNC to a host on VLAN 428. Here's what I'm seeing in the log.

*Jun 5 10:20:37.918: %SEC-6-IPACCESSLOGDP: list INBOUND-Theatre denied icmp 10.15.56.100 -> 10.42.56.53 (8/0), 1 packet

*Jun 5 10:21:15.320: %SEC-6-IPACCESSLOGP: list OUTBOUND-Theatre denied tcp 10.42.56.53(5900) -> 10.15.56.100(54229), 1 packet

Everything else seems to be working as far as Internet Access, DHCP, and DNS. 

Hi, please include the following and try again.

ip access-list extended INBOUND
1 permit icmp any any

>> Mark as helpful or answered if the reply resolved your question; this helps other community members with future queries. <<

I am not sure why you are using acls in both directions.

The intention as far as I understand it is to restrict access from the 10.42.56.0/24 subnet to the rest of your network which is done by using an inbound acl on the SVI for vlan 428.

Are you also wanting to restrict access from the rest of your network to that subnet ?

If so then yes you need acls both ways but from the sound of your original description I'm not sure you do.

Can you clarify?

Jon

You are correct, I'm only worried about restricting traffic from 10.42.56.0/24 to everything else. 

Then you only need the OUTBOUND acl Julio provided although I would call it INBOUND to avoid confusion because you need to apply it inbound to the SVI.

And you need to add this line before the deny line at the end -

"permit tcp 10.42.56.0 0.0.0.255 eq 5900 any"

Jon

Ok, I got rid of the outbound ACL and just set up an inbound one.

ip access-list extended INBOUND-Theatre
permit icmp any any
permit udp any eq 67 any
permit udp any eq 68 any
permit udp host 172.17.1.1 range 67 68 10.42.56.0 0.0.0.255
permit udp host 172.17.2.1 range 67 68 10.42.56.0 0.0.0.255
permit tcp host 172.17.1.1 eq 53 10.42.56.0 0.0.0.255
permit udp host 172.17.2.1 eq 53 10.42.56.0 0.0.0.255
permit tcp any eq 80 10.42.56.0 0.0.0.255
permit tcp any eq 443 10.42.56.0 0.0.0.255
permit tcp 10.15.56.0 0.0.0.255 10.42.56.0 0.0.0.255 eq 5900
permit tcp 10.15.67.0 0.0.0.255 10.42.56.0 0.0.0.255 eq 5900
deny ip any any log

I applied the ACL inbound on VLAN 428 using
ip access-group INBOUND-Theatre in

Now I can't get out to the internet from the 428 VLAN.

I can ping a workstation on VLAN 428

VNC traffic is still being blocked, I'm seeing this in the log: 
*Jun 5 11:00:30.661: %SEC-6-IPACCESSLOGP: list INBOUND-Theatre denied tcp 10.42.56.53(5900) -> 10.15.56.100 (55225), 1 packet

Sorry my fault for not explaining clearly enough.

You are using the wrong acl. I said you should use the OUTBOUND acl Julio provided but rename it to INBOUND because that is the direction it is applied in.

Jon

No problem, everything seems to be working with this config besides VNC.

ip access-list extended Inbound-Theatre
permit icmp any any
permit udp any any eq 67
permit udp any any eq 68
permit udp 10.42.56.0 0.0.0.255 host 172.17.1.1 range 67 68
permit udp 10.42.56.0 0.0.0.255 host 172.17.2.1 range 67 68
permit tcp 10.42.56.0 0.0.0.255 host 172.17.1.1 eq 53
permit udp 10.42.56.0 0.0.0.255 host 172.17.2.1 eq 53
permit tcp 10.42.56.0 0.0.0.255 any eq 80
permit tcp 10.42.56.0 0.0.0.255 any eq 443
deny ip any any log

int vlan 428
ip access-group Inbound-Theatre in

I'm still getting this in the log:

*Jun 5 11:23:28.447: %SEC-6-IPACCESSLOGP: list Inbound-Theatre denied tcp 10.42.56.53(5900) -> 10.15.56.100(55758), 1 packet

*Jun 5 11:26:43.680: %SEC-6-IPACCESSLOGP: list Inbound-Theatre denied tcp 10.42.56.53(5900) -> 10.15.56.100(55815), 1 packet

*Jun 5 11:29:23.345: %SEC-6-IPACCESSLOGP: list Inbound-Theatre denied tcp 10.42.56.53(5900) -> 10.15.56.100(55903), 1 packet

You need to add this line before the deny line at the end -

"permit tcp 10.42.56.0 0.0.0.255 eq 5900 any"

Jon

That worked! Thanks! 

Here's the final config for anyone needing help with this!

ip access-list extended Inbound-Theatre
remark ping from the theatre VLAN
permit icmp any any
remark DHCP: broadcast discover/request (0.0.0.0 -> 255.255.255.255) and unicast renew to both servers
permit udp any any eq 67
permit udp any any eq 68
permit udp 10.42.56.0 0.0.0.255 host 172.17.1.1 range 67 68
permit udp 10.42.56.0 0.0.0.255 host 172.17.2.1 range 67 68
remark DNS to the internal servers
permit tcp 10.42.56.0 0.0.0.255 host 172.17.1.1 eq 53
permit udp 10.42.56.0 0.0.0.255 host 172.17.2.1 eq 53
remark web access (note: "any" includes internal web servers)
permit tcp 10.42.56.0 0.0.0.255 any eq 80
permit tcp 10.42.56.0 0.0.0.255 any eq 443
remark VNC return traffic from the theatre hosts (source port 5900)
permit tcp 10.42.56.0 0.0.0.255 eq 5900 any
deny ip any any log

int vlan 428
ip access-group Inbound-Theatre in

Glad to hear it's working.

Just one last point about the acl.

The two lines that allow ports 80 and 443 for internet also allow those ports to any of your internal machines, i.e. if you have a web server internally this acl would allow access to it.

I usually write these sort of acls in the form of -

allow whatever you need to other internal subnets
deny everything else to other internal subnets
permit everything else, i.e. internet

Note that if you can summarise your internal subnets it can make the acl a lot shorter.

However, if the current acl does what you want then there is no need to change it.

Jon

@Julio E. Moisa Thank you so much for this post. Everything I tried failed; your post was the only thing that worked with my requirements: 1) support DHCP with an acl, 2) the access-group must be applied on the internal interface as "in" (can't use "out"). The challenge I had said I needed to use bootps. When applying only a udp bootps any any rule, client DHCP arp broadcasts were dropped at the router. It seems allowing ports 67 and 68 was the only thing that worked. Thanks again!
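To make Jon's point about "permit ... any eq 80/443" and Dave's point about DHCP broadcasts concrete, here is an added example (not code from the thread or from Cisco) that simulates IOS first-match evaluation for the extended-ACL syntax used above. It takes the OP's final ACL verbatim and a restructured copy written in Jon's "permit needed internal / deny other internal / permit the rest" order, then runs constructed sample packets through both. Assumptions, labelled in the code: the internal address space is summarised as the three RFC 1918 ranges, VNC replies are only needed towards the management VLAN 10.15.56.0/24, the internal web server 172.17.5.10 and internet host 203.0.113.10 are made up, and only contiguous wildcard masks are supported.

```python
"""First-match simulator for the Cisco IOS extended ACL syntax used in this thread (added example)."""
import ipaddress
from dataclasses import dataclass

PORT_NAMES = {"bootps": 67, "bootpc": 68, "domain": 53, "www": 80}  # IOS port keywords seen in the thread


@dataclass
class Entry:
    text: str
    action: str                  # "permit" or "deny"
    proto: str                   # "ip", "tcp", "udp" or "icmp"
    src: ipaddress.IPv4Network
    sport: tuple                 # inclusive (low, high)
    dst: ipaddress.IPv4Network
    dport: tuple
    log: bool


def _port(tok):
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)


def _parse_addr(tokens, i):
    """Parse 'any' | 'host A.B.C.D' | 'A.B.C.D WILDCARD' starting at tokens[i]."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # An IOS wildcard is the bitwise inverse of a netmask (assumption: contiguous masks only)
    netmask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(tokens[i + 1])))
    return ipaddress.ip_network(f"{tokens[i]}/{netmask}", strict=False), i + 2


def _parse_ports(tokens, i):
    """Parse an optional 'eq N' or 'range A B'; the default matches every port."""
    if i < len(tokens) and tokens[i] == "eq":
        return (_port(tokens[i + 1]),) * 2, i + 2
    if i < len(tokens) and tokens[i] == "range":
        return (_port(tokens[i + 1]), _port(tokens[i + 2])), i + 3
    return (0, 65535), i


def parse_acl(text):
    entries = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if not tokens or tokens[0] in ("ip", "remark", "!"):
            continue                       # header, remark or comment line
        if tokens[0].isdigit():
            tokens = tokens[1:]            # drop an explicit sequence number
        src, i = _parse_addr(tokens, 2)
        sport, i = _parse_ports(tokens, i)
        dst, i = _parse_addr(tokens, i)
        dport, i = _parse_ports(tokens, i)
        entries.append(Entry(line.strip(), tokens[0], tokens[1], src, sport, dst, dport, "log" in tokens[i:]))
    return entries


def evaluate(entries, proto, src, sport, dst, dport):
    """Return (action, matching line) for one packet; no match hits the implicit deny."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for e in entries:
        if e.proto in ("ip", proto) and s in e.src and d in e.dst \
                and e.sport[0] <= sport <= e.sport[1] and e.dport[0] <= dport <= e.dport[1]:
            return e.action, e.text
    return "deny", "implicit deny"


# The OP's final ACL, copied from the thread.
FINAL_ACL = """
permit icmp any any
permit udp any any eq 67
permit udp any any eq 68
permit udp 10.42.56.0 0.0.0.255 host 172.17.1.1 range 67 68
permit udp 10.42.56.0 0.0.0.255 host 172.17.2.1 range 67 68
permit tcp 10.42.56.0 0.0.0.255 host 172.17.1.1 eq 53
permit udp 10.42.56.0 0.0.0.255 host 172.17.2.1 eq 53
permit tcp 10.42.56.0 0.0.0.255 any eq 80
permit tcp 10.42.56.0 0.0.0.255 any eq 443
permit tcp 10.42.56.0 0.0.0.255 eq 5900 any
deny ip any any log
"""

# Same policy in Jon's order. ASSUMPTIONS: internal space = RFC 1918, VNC replies only to 10.15.56.0/24.
RESTRUCTURED_ACL = """
remark -- what the theatre VLAN needs from internal subnets --
permit udp any any eq 67
permit udp any any eq 68
permit udp 10.42.56.0 0.0.0.255 host 172.17.1.1 range 67 68
permit udp 10.42.56.0 0.0.0.255 host 172.17.2.1 range 67 68
permit tcp 10.42.56.0 0.0.0.255 host 172.17.1.1 eq 53
permit udp 10.42.56.0 0.0.0.255 host 172.17.2.1 eq 53
permit tcp 10.42.56.0 0.0.0.255 eq 5900 10.15.56.0 0.0.0.255
remark -- everything else to internal subnets --
deny ip any 10.0.0.0 0.255.255.255 log
deny ip any 172.16.0.0 0.15.255.255 log
deny ip any 192.168.0.0 0.0.255.255 log
remark -- everything else, i.e. internet --
permit icmp 10.42.56.0 0.0.0.255 any
permit tcp 10.42.56.0 0.0.0.255 any eq 80
permit tcp 10.42.56.0 0.0.0.255 any eq 443
deny ip any any log
"""

# Constructed sample packets as seen inbound on the VLAN 428 SVI: (proto, src, sport, dst, dport).
PACKETS = {
    "dhcp discover (broadcast)": ("udp", "0.0.0.0", 68, "255.255.255.255", 67),
    "dns to internal server": ("udp", "10.42.56.53", 51000, "172.17.2.1", 53),
    "https to internet": ("tcp", "10.42.56.53", 51001, "203.0.113.10", 443),
    "vnc reply to mgmt vlan": ("tcp", "10.42.56.53", 5900, "10.15.56.100", 55758),
    "http to internal web server": ("tcp", "10.42.56.53", 51002, "172.17.5.10", 80),
    "ping internal host": ("icmp", "10.42.56.53", 0, "10.15.56.100", 0),
}


def compare(packet):
    """Decision of the thread's final ACL and of the restructured one for a packet."""
    return evaluate(parse_acl(FINAL_ACL), *packet)[0], evaluate(parse_acl(RESTRUCTURED_ACL), *packet)[0]


if __name__ == "__main__":
    for name, pkt in PACKETS.items():
        final, restructured = compare(pkt)
        print(f"{name:28} final={final:6} restructured={restructured}")
```

Running it shows that DHCP (including the 0.0.0.0 -> 255.255.255.255 discover Dave describes), internal DNS, internet HTTPS and the VNC reply are permitted by both lists, while HTTP to the hypothetical internal web server and ping to an internal host are permitted by the final ACL but denied by the restructured one, which is exactly the exposure Jon's last post points out. Log entries from the two `deny ... log` lines before the internet permits are also a useful detection signal for unexpected internal reach from the theatre VLAN.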

Hi Dave

It was a pleasure, happy to know it is working now, thank you for keeping me posted.

Have a great day!
