11-09-2014 05:20 AM - edited 03-07-2019 09:26 PM
Hi guys,
I have a simple setup:
VLAN 20 = basic users (192.168.20.0/24)
VLAN 30 = admin vlan (192.168.30.0/24)
I want to use ACLs to grant/deny access to the different VLANs. Basically, admins are allowed to access all services in the client network, i.e. RDP, file share access (SMB), ping to basic users. Vice versa, basic users are not allowed to access the admin network except echo-replies and SMB.
My first approach was to deny everything and just open the specific protocols & ports.
So, for the admin vlan the ACL is quite simple: permit ip any
For VLAN 20 clients I tried:
permit icmp 192.168.20.0 0.0.0.255 any echo-reply
permit tcp 192.168.20.0 0.0.0.255 192.168.30.0 0.0.0.255 eq 445
permit udp 192.168.20.0 0.0.0.255 192.168.30.0 0.0.0.255 range netbios-ns netbios-ss
deny ip 192.168.20.0 0.0.0.255 any
That didn't work. I only got the ICMP replies.
My second approach was to grant everything and deny the specific ports & protocols.
permit icmp 192.168.20.0 0.0.0.255 any echo-reply
deny icmp 192.168.20.0 0.0.0.255 any echo
deny tcp 192.168.20.0 0.0.0.255 192.168.30.0 0.0.0.255 eq 3389
permit ip 192.168.20.0 0.0.0.255 any
With the second approach everything is open except the explicitly denied ports, which is not really my preferred solution.
So, I'd be happy if you guys could help me out with my first approach.
cheers
11-10-2014 10:35 AM
Actually, try this as well. Your destination port will be 135-139, 445, so change your ACL around to allow for that return traffic:

ip access-list extended vlan20
 permit icmp 192.168.20.0 0.0.0.255 any echo-reply
 permit tcp 192.168.20.0 0.0.0.255 192.168.30.0 0.0.0.255 eq 445
 permit udp 192.168.20.0 0.0.0.255 192.168.30.0 0.0.0.255 range netbios-ns netbios-ss
 deny ip 192.168.20.0 0.0.0.255 any

To:

ip access-list extended vlan20
 permit icmp 192.168.20.0 0.0.0.255 any echo-reply
 permit tcp 192.168.20.0 0.0.0.255 eq 445 192.168.30.0 0.0.0.255
 permit udp 192.168.20.0 0.0.0.255 range netbios-ns netbios-ss 192.168.30.0 0.0.0.255
 deny ip 192.168.20.0 0.0.0.255 any
HTH,
John
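To see why the original ACL drops the admin-initiated SMB session while John's rewrite passes it, here is a small stateless ACL evaluator written for this thread (added example, not code from the thread or from Cisco). The hosts and ephemeral ports are constructed; the ACL entries are the thread's own, minus the ICMP lines, since ping already worked.

```python
# Added example: minimal first-match evaluator for IOS-style extended ACL entries.
# Hosts 192.168.20.10 / 192.168.30.10 and the ephemeral ports are constructed.
import ipaddress

CLIENTS, ADMINS, ANY = "192.168.20.0/24", "192.168.30.0/24", "0.0.0.0/0"
SMB, NETBIOS = (445, 445), (137, 139)   # "eq 445", "range netbios-ns netbios-ss"

def ace(action, proto, src, dst, sport=None, dport=None):
    """One access-control entry; port fields are (lo, hi) ranges or None for any."""
    return {"action": action, "proto": proto, "sport": sport, "dport": dport,
            "src": ipaddress.ip_network(src), "dst": ipaddress.ip_network(dst)}

def packet(proto, src, sport, dst, dport):
    return {"proto": proto, "src": ipaddress.ip_address(src), "sport": sport,
            "dst": ipaddress.ip_address(dst), "dport": dport}

def _in_range(rng, port):
    return rng is None or rng[0] <= port <= rng[1]

def evaluate(acl, pkt):
    """First matching entry wins; an IOS ACL ends with an implicit deny."""
    for e in acl:
        if e["proto"] not in ("ip", pkt["proto"]):
            continue
        if pkt["src"] not in e["src"] or pkt["dst"] not in e["dst"]:
            continue
        if e["proto"] != "ip" and not (_in_range(e["sport"], pkt["sport"])
                                       and _in_range(e["dport"], pkt["dport"])):
            continue
        return e["action"]
    return "deny"

# Applied inbound on the client's switch port, the ACL only sees packets the client sends.
ORIGINAL = [ace("permit", "tcp", CLIENTS, ADMINS, dport=SMB),
            ace("permit", "udp", CLIENTS, ADMINS, dport=NETBIOS),
            ace("deny", "ip", CLIENTS, ANY)]
FIXED = [ace("permit", "tcp", CLIENTS, ADMINS, sport=SMB),      # "eq 445" moved to source side
         ace("permit", "udp", CLIENTS, ADMINS, sport=NETBIOS),
         ace("deny", "ip", CLIENTS, ANY)]

# Client opens SMB to the admin PC: destination port 445, ephemeral source port.
CLIENT_SYN = packet("tcp", "192.168.20.10", 51000, "192.168.30.10", 445)
# Admin opens SMB to the client PC: the client's SYN-ACK leaves with *source* port 445.
RETURN_TO_ADMIN = packet("tcp", "192.168.20.10", 445, "192.168.30.10", 52000)

if __name__ == "__main__":
    for name, acl in (("original", ORIGINAL), ("fixed", FIXED)):
        print(name, "client->admin SYN:", evaluate(acl, CLIENT_SYN),
              "| admin->client return:", evaluate(acl, RETURN_TO_ADMIN))
```

The rewritten entries are stateless and match on source port alone, so they pass the return traffic but also drop client-initiated SMB (destination port 445); if both directions are wanted, both forms of the tcp entry are needed.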
11-09-2014 06:23 AM
Your first ACL should have worked, I would have thought. Did you apply it inbound on the VLAN 20 SVI? When you were testing, did you have hits on the ACL?
11-09-2014 09:09 AM
Here's the real config I used, applied to the port the basic user is connected to:

nucl3us#sh access-lists 120
Extended IP access list 120
    10 permit icmp 192.168.20.0 0.0.0.255 any echo-reply
    20 permit tcp 192.168.20.0 0.0.0.255 192.168.30.0 0.0.0.255 eq 445
    30 permit udp 192.168.20.0 0.0.0.255 192.168.30.0 0.0.0.255 range netbios-ns netbios-ss
    40 deny ip 192.168.20.0 0.0.0.255 192.168.30.0 0.0.0.255
nucl3us#
When I try to activate logging by adding "log" at the end of each line, I get the error message "switch port ACLs do not support LOG". So I tried the command
debug ip packet detail 120
but I don't get any hits or debug messages there.
The above ACL works partly, i.e.:
SMB from USER to ADMIN is permitted: ok
ICMP from ADMIN to USER is permitted: ok
RDP from USER to ADMIN is denied: ok
What does not work is the more important direction, ADMIN --> USER: I cannot get an RDP connection nor an SMB connection. Only ping works.
11-09-2014 09:09 AM
I'm assuming that there is a typo in your debug line. You reference ACL 121, but the one you created is 120. Can you redo the debug to see if you start seeing hits? Once you do, you should be able to see what additional ports you may need to open.
11-09-2014 09:23 AM
Actually, it was a copy & paste mistake on my part. I checked it and corrected it above accordingly.
Still no luck with the debug messages, though.
11-09-2014 11:45 AM
Where are you applying the ACL? Can you post the config of the interface?
11-10-2014 08:59 AM
I'll give you the whole config; I just deleted some crypto stuff and unused interfaces.
Admin-PC is connected to Gi1/0/2, vlan 30
Client-PC is connected to Gi1/0/4, vlan 20
Current configuration : 7474 bytes
!
! Last configuration change at 09:37:32 UTC Mon Nov 10 2014
!
version 15.0
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
service compress-config
!
hostname nucl3us
!
boot-start-marker
boot-end-marker
!
!
vrf definition Mgmt-vrf
 !
 address-family ipv4
 exit-address-family
 !
 address-family ipv6
 exit-address-family
!
enable secret 5 xyz
!
username xyz password 7 xyz
no aaa new-model
switch 1 provision ws-c3850-48p
ip routing
!
ip device tracking
!
!
qos wireless-default-untrust
!
!
!
diagnostic bootup level minimal
identity policy webauth-global-inactive
 inactivity-timer 3600
spanning-tree mode pvst
spanning-tree extend system-id
!
redundancy
 mode sso
!
!
!
class-map match-any non-client-nrt-class
 match non-client-nrt
!
policy-map port_child_policy
 class non-client-nrt-class
  bandwidth remaining ratio 10
!
!
!
!
interface GigabitEthernet0/0
 vrf forwarding Mgmt-vrf
 no ip address
 negotiation auto
!
interface GigabitEthernet1/0/2
 description admin-pc
 switchport access vlan 30
 switchport mode access
!
!
interface GigabitEthernet1/0/4
 description VoIP
 switchport access vlan 20
 switchport mode access
 ip access-group 120 in
!
!
!
interface Vlan1
 no ip address
 shutdown
!
!
interface Vlan20
 description clients
 ip address 192.168.20.1 255.255.255.0
!
interface Vlan30
 description management
 ip address 192.168.30.1 255.255.255.0
!
no ip http server
ip http authentication local
ip http secure-server
!
ip access-list standard admin
 permit any
!
ip access-list extended deny_admin_rdp
 deny tcp any 192.168.30.0 0.0.0.255 eq 3389
 permit ip any 192.168.30.0 0.0.0.255
!
ip access-list extended vlan20
 permit icmp 192.168.20.0 0.0.0.255 any echo-reply
 permit tcp 192.168.20.0 0.0.0.255 192.168.30.0 0.0.0.255 eq 445
 permit udp 192.168.20.0 0.0.0.255 192.168.30.0 0.0.0.255 range netbios-ns netbios-ss
 deny ip 192.168.20.0 0.0.0.255 any
!
!
!
line con 0
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 login
line vty 5 15
 login
!
wsma agent exec
 profile httplistener
 profile httpslistener
wsma agent config
 profile httplistener
 profile httpslistener
wsma agent filesys
 profile httplistener
 profile httpslistener
wsma agent notify
 profile httplistener
 profile httpslistener
!
wsma profile listener httplistener
 transport http
!
wsma profile listener httpslistener
 transport https
ap group default-group
end
client -> admin: SMB works, ping and RDP denied -> this is OK
admin -> client: ping works, but no SMB or RDP -> this is not OK :-)
I would like the admin network to access everything in the client network.
cheers
11-10-2014 02:06 PM
Man, you definitely saved my day... ah, my whole month!!! :-)
At least I wasn't so wrong after all...
Thanks very much. Highly appreciated.
cheers
11-10-2014 02:13 PM
Glad to hear it's working! :) Thank you for letting me know!