Help with understanding ACL direction and "established"

ddxshp
Level 1

Hi,

I'm pretty new to ACLs on an L3 switch; if someone could help me out a bit to understand why this works in my case.

So I have these two internal networks, Production (192.168.10.0/24 [Vlan100]) and Infrastructure (192.168.20.0/24 [Vlan200]).

I would like to totally isolate the two networks (no devices from one network can see the other), except this one machine in the Production network (host 192.168.10.10), which can RDP to one machine in the Infrastructure network (host 192.168.20.20), and only in this direction.

I am wondering why this doesn't work (this is what I put first):

101 permit tcp host 192.168.10.10 host 192.168.20.20 eq 3389 established

But why does this one work (out of curiosity I reversed it and it works)?

101 permit tcp host 192.168.20.20 eq 3389 host 192.168.10.10 established

Because I am trying to initiate an RDP from Production (source?) to Infrastructure (destination?) and the access-group is in the "IN" direction. But why does it actually work only when reversing the ACL? I'm pretty sure it is just because I don't understand some fundamental concept. Or maybe I made a mistake somewhere.

The complete ACL:

ip access-list extended Infra-Isolation
permit tcp host 192.168.20.20 eq 3389 host 192.168.10.10 established
deny ip any 10.0.0.0 0.255.255.255
deny ip any 172.16.0.0 0.15.255.255
deny ip any 192.168.0.0 0.0.255.255
permit ip any any

And access-group:

interface Vlan200
ip address 192.168.20.1 255.255.255.0
ip access-group Infra-Isolation in

Thanks in advance.
1 Accepted Solution

Seb Rupik
VIP Alumni

Hi there,
The reason the reversed ACE works is because it describes the return traffic of a stream where a 'production' IP connects to a server in the 'infrastructure' subnet on TCP/3389. Since it is configured as an INBOUND rule on the VLAN200 SVI, the source must be the infrastructure server and not the production host.

cheers,
Seb.


Hi Seb,

Thanks for the explanation. I think I'm starting to understand a bit more. Does that mean the "ESTABLISHED" statement is useless here, since there are no rules on traffic going out from the Vlan(200) interface (aka traffic from the production host to the infrastructure server)?

To properly use the "ESTABLISHED" statement, should I use an outbound rule instead (and reverse all the ACLs)?

Also, is it necessary to block both ways, adding rules on both IN and OUT of the Vlan interface, or is one generally sufficient?

Thanks again for your help

Your use of 'established' is correct here, as you want PROD to be able to initiate a connection to INFRA and for these (established) connections to be able to return traffic, but probably you do not want INFRA to initiate with PROD.

Regarding use of IN and OUT, you should always try to filter as close to the source of the traffic as possible. For example, if you have multiple subnets spread over a wide infrastructure estate trying to reach a server in a single subnet, it is administratively easier to filter OUT onto the destination subnet. Whereas if it is a single subnet-to-subnet stream you are trying to filter, it makes sense to use an ACL in the IN direction on the source SVI.

cheers,
Seb.

Hi Seb,

Thanks for your quick replies.

I guess I don't fully understand the concept of "established" connections.

So let's switch the requirement: with the same config, I want to make the INFRA server able to RDP to a host in PROD only. Is that possible? Or in this case do I have to apply the access-group to Vlan(100) instead (and adjust the ACL appropriately)?

Thanks

 

With the 'established' keyword the filter looks for the ACK flag in the TCP header. If that is present and the rest of the ACE matches, then, in your example, the flow will be permitted.

If the only adjustment to the requirements is to allow the traffic stream to work in both directions, on VLAN200 remove the established keyword from the ACE:

ip access-list extended Infra-Isolation
...
  permit tcp host 192.168.20.20 eq 3389 host 192.168.10.10
...

Then create a corresponding ACL containing the reverse ACE and apply it INbound on VLAN100:

ip access-list extended Prod-Isolation
...
  permit tcp host 192.168.10.10 host 192.168.20.20 eq 3389
...

cheers,

Seb.

I mean if the requirement is reversed (not both directions), so only the Infra server can RDP into the host in PROD.

I'm guessing to do that I will need to add an inbound rule to Vlan100 (reverse the whole configuration)?

I tested removing "established" and the "eq 3389", and with that the RDP works both ways. About the port number, I'm guessing the RDP client uses a different source port. I don't intend to use this configuration, it is just for testing.

Thanks

Ah yes, in which case remove the 'established' keyword (or the entire ACE) from the VLAN200 ACL, and create the reverse ACE with the established keyword INbound on VLAN100.

The eq 3389 in your case refers to TCP/3389, which is the service port on the RDP server. The client will always connect from a random ephemeral port, which is why it is not a good idea to specify the client's port, unless you are going to use a very wide range.

cheers,

Seb.
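To make the three points of this thread concrete (an 'in' ACL on an SVI only sees traffic sourced inside that VLAN, 'established' only tests the ACK/RST bits of a segment, and the client side of RDP uses an ephemeral port so only the server's 3389 should be pinned), here is a small Python model of IOS extended-ACL matching. It is an added example, not code from the thread or from Cisco, and it supports only the ACE syntax the thread uses. The `Packet`, `Ace`, `svi_inbound` and `rdp_session` names, the 49152/50000 client ports and the `PROD_ISOLATION` ACL for the reversed requirement are all constructed here for illustration.

```python
"""Toy model of IOS extended-ACL evaluation for the ACEs in this thread.
Added example, not code from the thread or from Cisco. Only the syntax the
thread uses is supported; first match wins, with the implicit deny at the end."""
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, Optional

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: FrozenSet[str]          # TCP flags, e.g. frozenset({"SYN", "ACK"})

@dataclass(frozen=True)
class Ace:
    action: str                    # "permit" or "deny"
    src: ipaddress.IPv4Network
    sport: Optional[int]
    dst: ipaddress.IPv4Network
    dport: Optional[int]
    established: bool

def _addr(tokens):
    """Consume 'any', 'host X' or 'X WILDCARD' and return it as a network."""
    t = tokens.pop(0)
    if t == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if t == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    wildcard = int(ipaddress.IPv4Address(tokens.pop(0)))      # contiguous wildcards only
    netmask = ipaddress.IPv4Address(wildcard ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{t}/{netmask}", strict=False)

def _port(tokens):
    if tokens[:1] == ["eq"]:
        tokens.pop(0)
        return int(tokens.pop(0))
    return None

def parse_ace(line):
    """'[seq] permit|deny ip|tcp SRC [eq N] DST [eq N] [established]'"""
    tokens = line.split()
    if tokens[0].isdigit():        # optional sequence number such as '101'
        tokens.pop(0)
    action, _proto = tokens.pop(0), tokens.pop(0)   # only TCP packets are modelled
    src, sport = _addr(tokens), _port(tokens)
    dst, dport = _addr(tokens), _port(tokens)
    return Ace(action, src, sport, dst, dport, tokens[:1] == ["established"])

def parse_acl(text):
    return [parse_ace(l) for l in text.splitlines() if l.strip()]

def ace_matches(ace, pkt):
    addr_ok = (ipaddress.ip_address(pkt.src) in ace.src
               and ipaddress.ip_address(pkt.dst) in ace.dst)
    port_ok = ace.sport in (None, pkt.sport) and ace.dport in (None, pkt.dport)
    # 'established' keeps no state: it only tests whether ACK or RST is set, i.e.
    # whether the segment claims to belong to an already opened connection.
    flags_ok = not ace.established or bool(pkt.flags & {"ACK", "RST"})
    return addr_ok and port_ok and flags_ok

def evaluate(acl, pkt):
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace.action
    return "deny"                  # implicit deny at the end of every ACL

def svi_inbound(acl, vlan, pkt):
    """An ACL applied 'in' on an SVI only sees traffic entering the SVI from
    hosts in that VLAN; packets sourced elsewhere never reach this ACL."""
    if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(vlan):
        return "not evaluated"
    return evaluate(acl, pkt)

def rdp_session(acl, vlan, client, server, client_port=49152):
    """Verdicts for the client's SYN, the server's SYN-ACK, and a SYN the server
    would send if it tried to open its own RDP session back to the client."""
    syn = Packet(client, server, client_port, 3389, frozenset({"SYN"}))
    synack = Packet(server, client, 3389, client_port, frozenset({"SYN", "ACK"}))
    reverse_syn = Packet(server, client, 50000, 3389, frozenset({"SYN"}))
    return tuple(svi_inbound(acl, vlan, p) for p in (syn, synack, reverse_syn))

# The thread's working ACL, applied 'in' on Vlan200 (192.168.20.0/24).
INFRA_ISOLATION = parse_acl("""
permit tcp host 192.168.20.20 eq 3389 host 192.168.10.10 established
deny ip any 10.0.0.0 0.255.255.255
deny ip any 172.16.0.0 0.15.255.255
deny ip any 192.168.0.0 0.0.255.255
permit ip any any
""")
# The ACE the question tried first, in the same ACL position.
ORIGINAL_ATTEMPT = [parse_ace(
    "101 permit tcp host 192.168.10.10 host 192.168.20.20 eq 3389 established")] + INFRA_ISOLATION[1:]
# Reversed requirement (INFRA server RDPs to the PROD host): mirrored ACE with
# 'established', to be applied 'in' on Vlan100 (192.168.10.0/24). Constructed here.
PROD_ISOLATION = [parse_ace(
    "permit tcp host 192.168.10.10 eq 3389 host 192.168.20.20 established")] + INFRA_ISOLATION[1:]

if __name__ == "__main__":
    for name, acl, vlan, c, s in (("working", INFRA_ISOLATION, "192.168.20.0/24", "192.168.10.10", "192.168.20.20"),
                                  ("original", ORIGINAL_ATTEMPT, "192.168.20.0/24", "192.168.10.10", "192.168.20.20"),
                                  ("reversed", PROD_ISOLATION, "192.168.10.0/24", "192.168.20.20", "192.168.10.10")):
        print(name, "SYN / SYN-ACK / reverse SYN:", rdp_session(acl, vlan, c, s))
```

Running it shows the working ACL returning `('not evaluated', 'permit', 'deny')`: the PROD host's SYN never touches the Vlan200 inbound ACL, the server's SYN-ACK matches the first ACE because ACK is set and the source port is 3389, and a SYN the server sends on its own hits the 192.168.0.0/16 deny. The original ACE gives `('not evaluated', 'deny', 'deny')` because the SYN-ACK's source is the infrastructure server, not the production host. Changing `client_port` makes no difference, which is why only the server's port is pinned. The comment in `ace_matches` is the caveat to keep in mind: `established` is a flag check, not connection tracking, so a segment with ACK set is accepted whether or not a handshake happened; where that matters, a reflexive ACL or a stateful firewall enforces direction properly.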

That helps a lot,

Thanks, Seb.

Regards

Hello
SVI ACL logic
IN = Traffic originated from within the vlan
OUT = Traffic originated from outside towards the vlan

The "Established" keyword allows only return traffic towards the source which was initiated by the source, but it won't allow the same specified return traffic from itself initiating any communication.

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community's global network.

Kind Regards
Paul