ACL to Block Internet but allow DHCP

emcclend (Level 1)

I am trying to write an ACL that will block all outside traffic on a certain VLAN (VLAN10). However, I want traffic on VLAN10 to be able to obtain a DHCP address and access a server on another VLAN (VLAN20). Below is what I have, but when testing, it is too restrictive: I am not able to obtain an IP, and some HTTPS sites still come through. I think my deny any any is what is causing the problem, and I may have to be more specific by denying ports HTTP, HTTPS, FTP, etc., but I am not sure.

 

!
ip access-list extended VL10_NO_INTERNET
remark ---------------------------------------
remark Access VLAN 20 SERVER
remark ---------------------------------------
permit ip any host x.x.x.x
remark ---------------------------------------
remark Access from VL10 to host for DHCP Server
remark ---------------------------------------
permit ip any host y.y.y.y
remark ---------------------------------------
remark Deny access to Private IPs
remark ---------------------------------------
deny ip any 10.0.0.0 0.255.255.255
deny ip any 172.16.0.0 0.15.255.255
deny ip any 192.168.0.0 0.0.255.255
remark ---------------------------------------
remark Deny traffic from VL10 to all other internet resources
remark ---------------------------------------
deny ip any any


balaji.bandi (Hall of Fame)

You can do it 2 ways: allow VLAN 10 and VLAN 20 to communicate with each other via a VLAN ACL,

or remove the VLAN 10 IP range from NAT, so the VLAN 10 IP range is not NATed and cannot reach the internet.

 

BB


Edwin Portillo (Spotlight)

Hi @emcclend,

 

With an extended ACL the packet filtering of the router can be more specific. Check whether the following example can help you:

 

ip access-list extended VL10_NO_INTERNET
permit udp any any eq 67
permit udp any any eq 68
permit tcp SourceAddress SourceWildcardBits DestinationAddress DestinationWildcardBits eq 80
permit tcp SourceAddress SourceWildcardBits DestinationAddress DestinationWildcardBits eq 20
permit tcp SourceAddress SourceWildcardBits DestinationAddress DestinationWildcardBits eq 21
permit icmp any any
deny ip any any

 

Port 67 ----- Server DHCP
Port 68 ----- Client DHCP
Port 80 ----- HTTP
Port 20 ----- Server FTP
Port 21 ----- Client FTP
ICMP ------- echo and echo-reply

 

These are the ports registered by the IANA: https://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xhtml

 

 

Thanks @Edwin Portillo,

Below is what I think I'll go with. I set up a small example in Packet Tracer and it seems to work as intended.

!
ip access-list extended VL10_NO_INTERNET
remark ---------------------------------------
remark Access VLAN 20 SERVER
remark ---------------------------------------
permit ip any host 204.46.24.26
remark ---------------------------------------
remark Access from VL10 to host for DHCP Server
remark ---------------------------------------
permit ip any host 204.46.24.12
permit udp any any eq 67
permit udp any any eq 68
remark ---------------------------------------
remark Deny access to Private IPs
remark ---------------------------------------
deny ip any 10.0.0.0 0.255.255.255
deny ip any 172.16.0.0 0.15.255.255
deny ip any 192.168.0.0 0.0.255.255
remark ---------------------------------------
remark Deny traffic from VL10 to all other internet resources
remark ---------------------------------------
deny tcp any any eq 80
deny tcp any any eq 443
deny tcp any any eq 20
deny tcp any any eq 21
deny tcp any any eq 22
deny tcp any any eq 23
deny icmp any any
deny ip any any

Quick note: when you deny any any at the end, denying specific services is not required.

Since you are explicitly permitting what is allowed, denying the rest should be good.

The lines below are good enough at the end:


deny icmp any any
deny ip any any

BB


Friend @emcclend,
Good that the previous post served you. As advised, allowing the protocols that your infrastructure needs and denying everything else that is not allowed is enough:

 

deny ip any any

 

you can skip these:

deny tcp any any eq 80
deny tcp any any eq 443
deny tcp any any eq 20
deny tcp any any eq 21
deny tcp any any eq 22
deny tcp any any eq 23

 

since it is implicit in: deny ip any any

 

NOTE: whatever is left at the end of the ACL, since it did not match any of the traffic above, is denied.

 

-----------Do not forget to give your rating to the post if you do I will be very grateful. Come on, you can keep trying!----

 

Thanks to both of you.  I kept the specific ports to get a visual of what type of traffic was actually being blocked.  Once I see which traffic is blocked the most, I agree, I will remove the specified ports as the last deny covers them all.

Friend, you're on the right track; ACLs are a very entertaining world that you already know. It was a pleasure to collaborate on your question.

So I applied the ACL to our VLAN using IN; however, HTTPS sites like google, yahoo, amazon, cnn, and microsoft still come through. I cleared my cache and tried different browsers, but so far no luck. Everything else seems to be working as intended.

 

 

interface Vlan10
 description VLAN 10
 ip address x.x.x.1 255.255.255.0
 ip access-group VL10_NO_INTERNET in
 ip helper-address x.x.x.x
 ip helper-address x.x.x.x
 ip helper-address x.x.x.x
 no ip redirects
 no ip proxy-arp
 ip pim sparse-mode
 ipv6 address y:y::y link-local
 ipv6 address y:y:y:y::y/64
 ipv6 nd prefix y:y:y:y::/64 no-advertise
 ipv6 nd managed-config-flag
 ipv6 nd other-config-flag
 no ipv6 redirects
 no ipv6 unreachables
 ipv6 eigrp 10
 ipv6 dhcp relay destination y:y:y:y::y
 ipv6 dhcp relay destination y:y:y:y::y

You could create another ACL that inspects the traffic at your edge router, since that traffic still has a way to arrive there because you have applied this one as IN.

 

IN

[image: ACL in.jpg]

Out

[image: ACL out.jpg]

 

 

I got it working now. It was IPv6. I ran a Wireshark trace to Google.com and noticed that the source and destination were all IPv6. Our machines are dual stacked, but IPv6 is always an afterthought. When I turned off IPv6 everything was allowed and denied as expected.

Excellent @emcclend,
You can also start creating ACLs for IPv6 like this:

ipv6 access-list VL10_NO_INTERNET
permit tcp ipv6address/mask any eq 80
deny ipv6 any any

Thanks.  I did end up creating and IPv6 ACL.
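As an added example (not from the thread or any poster), a small Python model of IOS first-match ACL evaluation over constructed packets: it reproduces why the first ACL blocked DHCP (the DISCOVER is a broadcast from 0.0.0.0, so no host-based permit matches it), why the udp 67/68 permits fix it, and why dual-stacked hosts still reached HTTPS sites over IPv6, which an IPv4 ACL never evaluates. The server addresses are the ones from the thread; 198.51.100.x and 203.0.113.x are constructed placeholders.

```python
import ipaddress
from typing import NamedTuple, Optional

class Packet(NamedTuple):
    proto: str            # "tcp", "udp", "icmp" or "ipv6"
    src: str
    dst: str
    dport: Optional[int] = None

def _match_addr(addr: str, spec: str) -> bool:
    """IOS address spec: 'any', 'host A.B.C.D', or 'A.B.C.D W.W.W.W' (wildcard)."""
    if spec == "any":
        return True
    parts = spec.split()
    if parts[0] == "host":
        return addr == parts[1]
    base, wildcard = (int(ipaddress.IPv4Address(p)) for p in parts)
    care = ~wildcard & 0xFFFFFFFF   # a wildcard bit of 1 means "don't care"
    return (int(ipaddress.IPv4Address(addr)) & care) == (base & care)

def evaluate(acl: list, pkt: Packet) -> str:
    """First matching entry wins; unmatched IPv4 hits the implicit deny.
    An ACL applied with 'ip access-group' never sees IPv6 packets at all."""
    if pkt.proto == "ipv6":
        return "bypass"
    for action, proto, src, dst, dport in acl:
        if proto not in ("ip", pkt.proto) or (dport is not None and dport != pkt.dport):
            continue
        if _match_addr(pkt.src, src) and _match_addr(pkt.dst, dst):
            return action
    return "deny"

# Entries: (action, protocol, source spec, destination spec, dest port or None).
ORIGINAL_ACL = [
    ("permit", "ip", "any", "host 204.46.24.26", None),   # VLAN 20 server
    ("permit", "ip", "any", "host 204.46.24.12", None),   # DHCP server
    ("deny", "ip", "any", "10.0.0.0 0.255.255.255", None),
    ("deny", "ip", "any", "172.16.0.0 0.15.255.255", None),
    ("deny", "ip", "any", "192.168.0.0 0.0.255.255", None),
    ("deny", "ip", "any", "any", None),
]
# Thread's fix: DISCOVER is 0.0.0.0 -> 255.255.255.255, so 'permit ip any host <dhcp>' never matches it.
FIXED_ACL = ORIGINAL_ACL[:2] + [("permit", "udp", "any", "any", 67),
                                ("permit", "udp", "any", "any", 68)] + ORIGINAL_ACL[2:]

# Constructed packets; 198.51.100.x / 203.0.113.x are RFC 5737 ranges (VLAN 10 host / internet host).
DHCP_DISCOVER = Packet("udp", "0.0.0.0", "255.255.255.255", 67)
SERVER_V4 = Packet("tcp", "198.51.100.50", "204.46.24.26", 445)
HTTPS_V4 = Packet("tcp", "198.51.100.50", "203.0.113.10", 443)
HTTPS_V6 = Packet("ipv6", "2001:db8:1::50", "2001:db8:ffff::10", 443)
```

Run `evaluate(ORIGINAL_ACL, DHCP_DISCOVER)` against `evaluate(FIXED_ACL, DHCP_DISCOVER)` to see the first ACL's DHCP failure and its fix; `HTTPS_V6` returns "bypass" under both, which is the gap the IPv6 ACL closes.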