03-09-2017 07:17 AM - edited 03-08-2019 09:40 AM
I have two layer 2 3750 switch stacks that end users are connected to with Dell Wyse Windows clients. The 3750 stacks have a trunk port-channel to a Nexus 5K HSRP pair with 14 VLANs. There is an ASA/IPS in front of the Nexus, but the VLAN I need to create the ACL for is not permitted on any ASA networks or direct internet access. The Dell Wyse Windows clients are on a 172.X.X.X network. They should only be permitted to RDP to a terminal server network. They do this for terminal services and app publishing; it is all they need and all they are allowed due to audit restrictions. I created the ACL below, but my concern is that they need DNS, DHCP and possibly a few others for this to work. The Nexus points this 172.X.X.X network to a Windows DHCP server, and the clients need to resolve DNS. Can someone help me add any additional ACL requirements for this network to RDP to the terminal servers successfully with these requirements? I have the below so far.
interface Vlan End_Users1
description Dell_Wyse
ip address 172.X.X.X/24
ip access-group Authenicated_Users_Only in
ip access-group Terminal_Servers out
ip router eigrp 1
ip passive-interface eigrp 1
hsrp X
preempt
priority X
ip 172.X.X.X
ip dhcp relay address 10.X.X.10 (WINDOWS DHCP SERVER)
ip access-list Authenicated_Users_Only
statistics per-entry
10 permit tcp 172.X.X.X/24 10.X.X.X/24 eq 3389 (10.X.X.X is TERMINAL SERVER VLAN)
20 deny ip any any
30 remark Authenticate to Terminal Server or ACCESS DENIED
ip access-list Terminal_Servers
statistics per-entry
10 permit ip any any
03-09-2017 07:36 AM
Would the below update do the trick?
ip access-list Authenicated_Users_Only
statistics per-entry
10 permit tcp 172.X.X.X/24 10.X.X.X/24 eq 3389
15 permit udp 172.X.X.X/24 eq bootpc 10.X.X.X/24 eq bootps
20 deny ip any any
30 remark Authenticate to Terminal Server or ACCESS DENIED
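Added example, not code from any post in this thread: a small Python check of how an inbound NX-OS style ACL on the client SVI would treat the flows the Wyse clients actually generate. It reads ACEs in the same `seq permit|deny proto src [eq port] dst [eq port]` form used in the posts (plus `any`, `host` and `remark`), applies first-match with the implicit deny, and runs both the second posted ACL (with `/124` read as `/24`, and the 10.X.X.X on line 15 taken as the DHCP server's subnet) and a revised ACL against RDP, DNS, DHCP and an outbound web flow. Every address here (172.16.10.0/24 clients, 10.20.30.0/24 terminal servers, 10.20.40.10 as the DNS/DHCP server, 203.0.113.5) is a constructed placeholder for the X'd-out ranges, and `Ace`, `Flow`, `parse_acl()`, `evaluate()` and `check()` are this example's own names. It assumes the inbound RACL is evaluated against the client's DHCP DISCOVER as it appears on the wire (source 0.0.0.0, destination 255.255.255.255, UDP 68 to 67), which is why the revised line 40 does not use the client prefix as its source; only the inbound direction is modelled, since the posted outbound ACL is `permit ip any any`. Windows domain traffic (Kerberos, LDAP, SMB) would be added as further ACEs in the same way and is deliberately left out.

```python
"""Offline first-match check of an NX-OS style IPv4 ACL.

Added example for this thread, not code from any of the posts.  Addresses
are constructed placeholders for the 172.X.X.X / 10.X.X.X ranges, and the
DHCP DISCOVER is assumed to be seen by the inbound RACL as it appears on
the wire (0.0.0.0 -> 255.255.255.255, UDP 68 -> 67).
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

PORT_NAMES = {"bootps": 67, "bootpc": 68, "domain": 53}
ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Ace:
    permit: bool
    proto: str                  # "ip", "tcp", "udp", "icmp"
    src: ipaddress.IPv4Network
    sport: Optional[int]        # None means any port
    dst: ipaddress.IPv4Network
    dport: Optional[int]


@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def _port(tok: str) -> int:
    return PORT_NAMES.get(tok) or int(tok)


def parse_ace(line: str) -> Optional[Ace]:
    """Parse 'seq permit|deny proto src [eq p] dst [eq p]'.  Returns None
    for remark / statistics lines; an invalid prefix such as /124 raises."""
    toks = line.split()
    if toks[0].isdigit():
        toks = toks[1:]
    if toks[0] in ("remark", "statistics"):
        return None
    action, proto, rest = toks[0], toks[1], toks[2:]

    def endpoint():
        nonlocal rest
        if rest[0] == "any":
            net, rest = ANY, rest[1:]
        elif rest[0] == "host":
            net, rest = ipaddress.ip_network(rest[1] + "/32"), rest[2:]
        else:
            net, rest = ipaddress.ip_network(rest[0], strict=False), rest[1:]
        port = None
        if rest and rest[0] == "eq":
            port, rest = _port(rest[1]), rest[2:]
        return net, port

    src, sport = endpoint()
    dst, dport = endpoint()
    return Ace(action == "permit", proto, src, sport, dst, dport)


def parse_acl(text: str) -> List[Ace]:
    aces = []
    for raw in text.strip().splitlines():
        line = raw.split("!")[0].strip()       # '!' starts a comment here
        if not line or line.startswith("ip access-list"):
            continue
        ace = parse_ace(line)
        if ace:
            aces.append(ace)
    return aces


def matches(ace: Ace, f: Flow) -> bool:
    return (ace.proto in ("ip", f.proto)
            and ipaddress.ip_address(f.src) in ace.src
            and ipaddress.ip_address(f.dst) in ace.dst
            and ace.sport in (None, f.sport)
            and ace.dport in (None, f.dport))


def evaluate(acl: List[Ace], f: Flow) -> str:
    for ace in acl:                  # first match wins
        if matches(ace, f):
            return "permit" if ace.permit else "deny"
    return "deny"                    # implicit deny at the end of the ACL


# Constructed flows from a client at 172.16.10.50 (placeholder addresses).
FLOWS: Dict[str, Flow] = {
    "rdp":           Flow("tcp", "172.16.10.50", 50123, "10.20.30.10", 3389),
    "dns_udp":       Flow("udp", "172.16.10.50", 61000, "10.20.40.10", 53),
    "dns_tcp":       Flow("tcp", "172.16.10.50", 61001, "10.20.40.10", 53),
    "dhcp_discover": Flow("udp", "0.0.0.0", 68, "255.255.255.255", 67),
    "dhcp_renew":    Flow("udp", "172.16.10.50", 68, "10.20.40.10", 67),
    "web_egress":    Flow("tcp", "172.16.10.50", 50200, "203.0.113.5", 443),
}


def check(acl: List[Ace], flows: Dict[str, Flow] = FLOWS) -> Dict[str, str]:
    return {name: evaluate(acl, f) for name, f in flows.items()}


# The second ACL from the thread, with placeholders substituted.
POSTED_ACL = parse_acl("""
ip access-list Authenicated_Users_Only
  statistics per-entry
  10 permit tcp 172.16.10.0/24 10.20.30.0/24 eq 3389
  15 permit udp 172.16.10.0/24 eq bootpc 10.20.40.0/24 eq bootps
  20 deny ip any any
  30 remark Authenticate to Terminal Server or ACCESS DENIED
""")

# Revised ACL: DNS to the server, and DHCP as it appears on the wire.
REVISED_ACL = parse_acl("""
ip access-list Authenicated_Users_Only
  10 permit tcp 172.16.10.0/24 10.20.30.0/24 eq 3389
  20 permit udp 172.16.10.0/24 host 10.20.40.10 eq domain
  30 permit tcp 172.16.10.0/24 host 10.20.40.10 eq domain
  ! DISCOVER is sourced from 0.0.0.0, so the client prefix cannot be the source
  40 permit udp any eq bootpc any eq bootps
  50 deny ip any any
""")

if __name__ == "__main__":
    for name, acl in (("posted", POSTED_ACL), ("revised", REVISED_ACL)):
        print(name, check(acl))
```

The posted ACL returns `deny` for both DNS flows and for the DHCP DISCOVER: the clients would never resolve the terminal server name, and a client with no lease would never get one, although a client that already holds a lease would still renew. The revised ACL permits exactly RDP, DNS and DHCP and still denies everything else.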
03-09-2017 08:35 AM
Hi Carl
It will be a pleasure to assist you. Is the ACL for authenticating the line VTY for remote access, or for other purposes?
The syntax of an extended ACL is:
First, they should be in the range 100 - 199, and they can be numbered or named:
Numbered:
access-list <100-199> permit/deny <protocol: ip, tcp, udp, icmp> <source IP or subnet> <wildcard/inverse of subnet mask> eq <source port> <destination IP/Subnet> <wildcard/inverse of subnet mask> eq <destination port>
Named:
ip access-list extended <NAME>
permit/deny <protocol: ip, tcp, udp, icmp> <source IP or subnet> <wildcard/inverse of subnet mask> eq <source port> <destination IP/Subnet> <wildcard/inverse of subnet mask> eq <destination port>
A good practice is to create them closest to the source. Note that computers or hosts usually use dynamic source ports, so the source port(s) can be omitted.
The direction IN or OUT can be seen as:
IN = ingress traffic to the device
OUT = egress traffic from the device
03-09-2017 08:35 AM
Neither. Users on a specific VLAN should only RDP to another VLAN, and all Windows domain and DHCP traffic needs to work.
03-09-2017 08:42 AM
The ACL is for a Nexus; the syntax above will not work.
03-09-2017 08:46 AM
Hi,
If the device is a Nexus, the following links could be useful:
http://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus5000/sw/configuration/guide/cli/CLIConfigurationGuide/sec_ipacls.html#pgfId-1058260
http://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus5000/sw/security/503_n1_1/b_Cisco_n5k_security_config_gd_rel_503_n1_1/Cisco_n5k_security_config_gd_rel_503_n1_1_chapter7.html#task_1058260
http://blog.monkeyrouter.com/2014/09/nexus-6k-access-list-counters.html