Allowing inbound RDP but not any outbound

Joe22 (Level 1)

I want to create an isolated Test vlan (172.16.112.0/24):

Inbound - only allow inbound RDP to any host within the Test vlan

Outbound - deny all so that any hosts in the Test vlan can't contact production

Does the following look correct?

interface Vlan102
description Test Subnet
ip address 172.16.112.1 255.255.255.0
ip access-group FROM-TEST in
ip access-group TO-TEST out
ip access-list extended FROM-TEST
permit tcp 172.16.112.0 0.0.0.255 172.16.0.0 0.0.3.255 log
permit icmp any any log
deny ip any any
ip access-list extended TO-TEST
permit tcp 172.16.0.0 0.0.3.255 172.16.112.0 0.0.0.255 eq 3389
permit icmp any any
deny ip any any

7 Replies

Joseph W. Doherty (Hall of Fame)
Close - it depends how much you truly want to lock down to just RDP traffic. For example, your ACLs allow ICMP traffic. They also allow an outbound flow to be started from the Test vlan, provided the return traffic comes back in with a TCP port of 3389 (which is likely RDP, but it might not be).

In other words, what you have is probably "good enough", but if you wanted to further restrict it to RDP, you might see if your device supports NBAR that "knows" RDP. If not, you might see if you can use a reflexive ACL (so outbound TCP is blocked unless it's a return flow - this might also be helpful for your ICMP), and if not, maybe restrict outbound TCP to have the established bit set.

Joe22 (Level 1)

Thanks for the reply.

Why is TO-TEST an outbound and FROM-TEST an inbound?

ip access-group FROM-TEST in
ip access-group TO-TEST out

Shouldn't this be the other way around?

ACL in = checks all traffic that is received on that interface against the ACL.
ACL out = checks all traffic that leaves on that interface against the ACL.

Hello


@Joe22 wrote:

I want to create an isolated Test vlan (172.16.112.0/24):

Inbound - only allow inbound RDP to any host within the Test vlan

Outbound - deny all so that any hosts in the Test vlan can't contact production


What is the production vlan subnet? - for example 10.10.10.0/24

ip access-list extended test_vlan_acl
remark Isolate test vlan from production
permit tcp 10.10.10.0 0.0.0.255 any eq 3389
deny ip 10.10.10.0 0.0.0.255 any
permit ip any any

ip access-list extended test_vlan_acl_in
remark Isolate test vlan from production
permit tcp any 10.10.10.0 0.0.0.255 eq 3389
deny ip any 10.10.10.0 0.0.0.255
permit ip any any

int vlan 102
ip access-group test_vlan_acl out
ip access-group test_vlan_acl_in in

Kind Regards
Paul

172.16.0.0/22 is the production

Paul, why is the inbound ACL, test_vlan_acl, tagged as "out"? Shouldn't that be "in"?


An ACL applied inbound to your test vlan L3 vlan interface (SVI) controls traffic from the test vlan, i.e. traffic with source IPs of 172.16.112.x.

An ACL applied outbound to your test vlan SVI controls traffic with destination IPs of 172.16.112.x.

Your outbound ACL should be as you have it in your first post, but as Joe notes you are also allowing ICMP.

Your inbound ACL should be:

permit tcp 172.16.112.0 0.0.0.255 eq 3389 172.16.0.0 0.0.3.255 log

to allow the return RDP traffic, i.e. there is no need to allow all TCP traffic, as you don't want that according to your original post, and you also need to allow ICMP if that is what you want.

Jon
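The point the thread converges on (inbound on the SVI sees traffic *sourced* by test hosts, so the RDP port must be matched as the *source* port there) is easy to check by modelling IOS extended-ACL matching and running the posted entries against sample packets. The script below is an added example, not anything from the original posters: it implements wildcard-mask matching, first-match-wins with the implicit deny, and the `eq` and `established` keywords, then evaluates Joe22's original FROM-TEST, Jon's corrected version, and a variant with `established` added as Joseph suggested (the ICMP lines are left out since the thread treats them as optional). The host addresses and port numbers in the flows are constructed for the example; the subnets are the thread's own.

```python
from dataclasses import dataclass
from typing import List, Optional
import ipaddress


@dataclass
class Packet:
    proto: str          # "tcp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    ack: bool = False   # ACK or RST bit set; this is all 'established' tests


@dataclass
class Ace:
    action: str
    proto: str
    src_net: str
    src_wc: str
    dst_net: str
    dst_wc: str
    sport: Optional[int] = None
    dport: Optional[int] = None
    established: bool = False


def wildcard_match(addr: str, net: str, wildcard: str) -> bool:
    """Cisco wildcard mask: 0 bits must match, 1 bits are don't-care."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(net))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (n & care)


def parse_ace(line: str) -> Ace:
    """Parse 'permit|deny <proto> <src> [eq N] <dst> [eq N] [established] [log]'."""
    toks = line.split()
    pos = 2

    def address():
        nonlocal pos
        if toks[pos] == "any":
            pos += 1
            return "0.0.0.0", "255.255.255.255"
        pos += 2
        return toks[pos - 2], toks[pos - 1]

    def port():
        nonlocal pos
        if pos < len(toks) and toks[pos] == "eq":
            pos += 2
            return int(toks[pos - 1])
        return None

    src_net, src_wc = address()
    sport = port()
    dst_net, dst_wc = address()
    dport = port()
    return Ace(toks[0], toks[1], src_net, src_wc, dst_net, dst_wc,
               sport, dport, "established" in toks[pos:])


def matches(ace: Ace, pkt: Packet) -> bool:
    return ((ace.proto == "ip" or ace.proto == pkt.proto)
            and wildcard_match(pkt.src, ace.src_net, ace.src_wc)
            and wildcard_match(pkt.dst, ace.dst_net, ace.dst_wc)
            and (ace.sport is None or pkt.sport == ace.sport)
            and (ace.dport is None or pkt.dport == ace.dport)
            and (not ace.established or pkt.ack))


def evaluate(acl: List[str], pkt: Packet) -> str:
    """First matching entry wins; every IOS ACL ends in an implicit deny."""
    for line in acl:
        ace = parse_ace(line)
        if matches(ace, pkt):
            return ace.action
    return "deny"


# Applied 'in' on the test SVI: packets *sourced by* test-vlan hosts.
ORIGINAL_FROM_TEST = ["permit tcp 172.16.112.0 0.0.0.255 172.16.0.0 0.0.3.255 log",
                      "permit icmp any any log", "deny ip any any"]
# Jon's version: only RDP return traffic, i.e. source port 3389.
CORRECTED_FROM_TEST = ["permit tcp 172.16.112.0 0.0.0.255 eq 3389 172.16.0.0 0.0.3.255 log",
                       "deny ip any any"]
# Joseph's further tightening: additionally require the ACK/RST bit.
STRICT_FROM_TEST = ["permit tcp 172.16.112.0 0.0.0.255 eq 3389 172.16.0.0 0.0.3.255 established",
                    "deny ip any any"]
# Applied 'out' on the test SVI: packets *delivered to* test-vlan hosts.
TO_TEST = ["permit tcp 172.16.0.0 0.0.3.255 172.16.112.0 0.0.0.255 eq 3389",
           "deny ip any any"]

# Constructed flows; host addresses are assumed, inside the thread's subnets.
RDP_SYN = Packet("tcp", "172.16.1.50", "172.16.112.10", 51000, 3389)               # prod -> test
RDP_RETURN = Packet("tcp", "172.16.112.10", "172.16.1.50", 3389, 51000, ack=True)  # test's reply
TEST_TO_SMB = Packet("tcp", "172.16.112.10", "172.16.1.20", 49000, 445)            # test opens SMB to prod
TEST_TO_RDP = Packet("tcp", "172.16.112.10", "172.16.1.20", 49001, 3389)           # test opens RDP to prod
SPOOFED_SYN = Packet("tcp", "172.16.112.10", "172.16.1.20", 3389, 22)              # test binds sport 3389
SPOOFED_REPLY = Packet("tcp", "172.16.1.20", "172.16.112.10", 22, 3389, ack=True)  # prod's reply to it


def report() -> dict:
    """Verdict of each inbound-ACL variant for each flow sourced by the test vlan."""
    flows = {"rdp_return": RDP_RETURN, "test_to_smb": TEST_TO_SMB,
             "test_to_rdp": TEST_TO_RDP, "spoofed_syn": SPOOFED_SYN}
    acls = {"original": ORIGINAL_FROM_TEST, "corrected": CORRECTED_FROM_TEST, "strict": STRICT_FROM_TEST}
    return {a: {f: evaluate(acl, p) for f, p in flows.items()} for a, acl in acls.items()}


if __name__ == "__main__":
    for name, row in report().items():
        print(f"{name:10s}", row)
    print("to-test   ", {"rdp_syn": evaluate(TO_TEST, RDP_SYN), "spoofed_reply": evaluate(TO_TEST, SPOOFED_REPLY)})
```

Running it shows the original FROM-TEST permitting a test host to open SMB or RDP sessions into production, which is exactly the isolation the question wanted; Jon's `eq 3389` on the source side closes that. It also shows the caveat Joseph raised: a test host that binds its own source port 3389 still gets a SYN through the corrected ACL, and TO-TEST happily passes the reply because its destination port is 3389. Adding `established` drops that SYN, but it is still only a flag check, not connection tracking; a reflexive ACL or NBAR-based matching, as Joseph mentioned, is what gives real return-flow semantics.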