Using Access-list to create a SILO VLAN

bberry
Level 1

Hello all,

 

I have always had issues creating and applying access-list in the proper direction so wanted to run something by the community.

 

I am wanting to create basically a SILO VLAN. What I mean by that is that devices on the VLAN cannot access ANYTHING off the VLAN but I can have select devices off the VLAN access devices on the VLAN via say RDP.

 

I will be using 172.16.6.104 as my test machine off the VLAN. I created VLAN 66 with space 172.16.66.1 255.255.255.248. I then statically assigned a device 172.16.66.2 on that VLAN. I created the following access-list and applied it as an out on the interface.

 

access-list 166 permit tcp host 172.16.6.104 eq 3389 any
access-list 166 permit tcp any host 172.16.6.104 eq 3389
access-list 166 permit udp host 172.16.6.104 eq 3389 any
access-list 166 permit udp any host 172.16.6.104 eq 3389
access-list 166 deny ip any any log

 

I attempted an RDP connection from the 172.16.6.104 device above and received the following in the log ...

Dec 12 11:46:24.575 CST: %SEC-6-IPACCESSLOGP: list 166 denied tcp 172.16.6.104(1867) -> 172.16.66.2(3389), 1 packet
Dec 12 11:46:47.662 CST: %SEC-6-IPACCESSLOGDP: list 166 denied icmp 172.16.6.104 -> 172.16.66.2 (8/0), 1 packet
Dec 12 11:51:34.541 CST: %SEC-6-IPACCESSLOGP: list 166 denied tcp 172.16.6.104(1867) -> 172.16.66.2(3389), 2 packets

 

I am not sure where the port 1867 comes into play. Should this be an "in" on the interface instead of an "out"?

 

Thanks in advance.

 

Brent

 

 


6 Replies

Reza Sharifi
Hall of Fame

Hi,

Since you are coming from a host in the same vlan, the access-list needs to be "in" direction as you are entering the vlan.

HTH

I am coming from a host in a different VLAN. The host is 172.16.6.x where the system I am accessing is 172.16.66.x. Would I by chance need both an in ACL and an out ACL?

 

Brent

Yachay
Level 1

'in' should be configured on the access group.

 

Also, you can use one of the following configurations:

 

access-list 166 permit tcp any any established

access-list 166 permit tcp host 172.16.6.104 any eq 3389
access-list 166 permit udp host 172.16.6.104 any eq 3389
access-list 166 deny ip any any log

 

or

 

access-list 166 permit tcp any 172.16.66.0 0.0.0.7 established

access-list 166 permit tcp host 172.16.6.104 host 172.16.66.2 eq 3389
access-list 166 permit udp host 172.16.6.104 host 172.16.66.2 eq 3389
access-list 166 deny ip any any log

If I use the first one others are still able to make an RDP connection to servers on the VLAN.

 

Brent

If I use the second one it seems to block everyone but it also blocks one side of the connection.

 

Brent

Accepted Solution

I now have the following. Just not sure if this is really isolating everything except RDP.

 

permit tcp host 172.16.6.104 any established
permit tcp any host 172.16.6.104 established
permit tcp host 172.16.6.104 any eq 3389
permit udp host 172.16.6.104 any eq 3389
deny ip any any log

 

If I look at the ACL hits though I am not seeing anything on those rules. It seems to only be using the established rules.

 

Brent
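The following is an added example, not code from the thread or from Cisco. It is a small Python model of the IOS extended-ACL semantics the whole thread turns on, used to replay both the ACL 166 from the first post (applied "out") and the accepted solution's list (applied "in") against a handful of constructed packets. The subnet 172.16.66.0/29, the packet set, the extra hosts 172.16.6.50 and 172.16.66.3, and every function name are assumptions made for illustration. Three documented IOS behaviours are encoded: "in" on an SVI filters packets the router receives from the VLAN and "out" filters packets it forwards into the VLAN; "eq N" binds to the address it follows, so "host 172.16.6.104 eq 3389 any" matches a source port of 3389, which an RDP client never uses (its source port is ephemeral, 1867 in the logged deny); and "established" is a flag check that passes any TCP segment with ACK or RST set, not a connection table.

```python
"""Toy model of Cisco IOS extended-ACL matching on a VLAN SVI. Added example, not code
from the thread or from Cisco: the subnet, packets and helper names are assumptions
used to replay the two ACLs posted above against constructed packets."""
from collections import namedtuple
from ipaddress import ip_address, ip_network

ANY = ip_network("0.0.0.0/0")
VLAN66 = ip_network("172.16.66.0/29")   # 172.16.66.1 255.255.255.248 in the post

# proto is "tcp", "udp" or "icmp"; ack is the TCP ACK bit (RST would count the same)
Pkt = namedtuple("Pkt", "proto src dst sport dport ack", defaults=(0, 0, False))
# sport/dport hold an 'eq N' written after the source/destination address, else None
Rule = namedtuple("Rule", "action proto src dst sport dport established")

def matches(r: Rule, p: Pkt) -> bool:
    # 'established' only inspects flags: any segment with ACK set passes, no state is kept
    return ((r.proto == "ip" or r.proto == p.proto)
            and ip_address(p.src) in r.src and ip_address(p.dst) in r.dst
            and (r.sport is None or p.sport == r.sport)
            and (r.dport is None or p.dport == r.dport)
            and (not r.established or p.ack))

def _addr(t, i):
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD' (contiguous wildcard assumed)."""
    if t[i] == "any":
        return ANY, i + 1
    if t[i] == "host":
        return ip_network(t[i + 1] + "/32"), i + 2
    plen = 32 - int(ip_address(t[i + 1])).bit_length()
    return ip_network(f"{t[i]}/{plen}", strict=False), i + 2

def parse_rule(line: str) -> Rule:
    t = line.split()
    if t[0] == "access-list":             # numbered form: drop 'access-list 166'
        t = t[2:]
    src, i = _addr(t, 2)
    sport = dport = None
    if i < len(t) and t[i] == "eq":       # 'eq' here binds to the SOURCE port
        sport, i = int(t[i + 1]), i + 2
    dst, i = _addr(t, i)
    if i < len(t) and t[i] == "eq":       # 'eq' here binds to the DESTINATION port
        dport, i = int(t[i + 1]), i + 2
    return Rule(t[0], t[1], src, dst, sport, dport, "established" in t[i:])

def apply_acl(acl_lines, direction, packets):
    """Evaluate an ACL applied 'in' or 'out' on the VLAN 66 SVI. 'in' sees packets the
    router receives from the VLAN (sourced in it), 'out' sees packets it sends into the
    VLAN (destined to it). Returns (verdict per packet, hit count per rule)."""
    rules = [parse_rule(l) for l in acl_lines]
    hits = [0] * len(rules)
    verdicts = []
    for p in packets:
        s, d = ip_address(p.src) in VLAN66, ip_address(p.dst) in VLAN66
        # an SVI ACL only sees routed traffic; frames between two VLAN 66 hosts are switched
        if not (s if direction == "in" else d) or (s and d):
            verdicts.append("unfiltered")
            continue
        for n, r in enumerate(rules):
            if matches(r, p):
                hits[n] += 1
                verdicts.append(r.action)
                break
        else:
            verdicts.append("deny")       # implicit deny at the end of every ACL
    return verdicts, hits

# Constructed packets, not captures from the thread. 1867 is the RDP client's
# ephemeral source port, which is why it appears in the logged deny.
RDP_SYN = Pkt("tcp", "172.16.6.104", "172.16.66.2", 1867, 3389)
RDP_SYNACK = Pkt("tcp", "172.16.66.2", "172.16.6.104", 3389, 1867, ack=True)
PING = Pkt("icmp", "172.16.6.104", "172.16.66.2")
OTHER_SYN = Pkt("tcp", "172.16.6.50", "172.16.66.2", 40000, 3389)      # host not on the allow list
OTHER_SYNACK = Pkt("tcp", "172.16.66.2", "172.16.6.50", 3389, 40000, ack=True)
VLAN_INIT = Pkt("tcp", "172.16.66.2", "172.16.6.104", 50000, 445)      # VLAN host dialling out
VLAN_ACK_SCAN = Pkt("tcp", "172.16.66.2", "172.16.6.104", 50000, 445, ack=True)
INTRA_VLAN = Pkt("tcp", "172.16.66.2", "172.16.66.3", 50000, 3389)

ACL_QUESTION = [                          # the first post's list, applied 'out'
    "access-list 166 permit tcp host 172.16.6.104 eq 3389 any",
    "access-list 166 permit tcp any host 172.16.6.104 eq 3389",
    "access-list 166 permit udp host 172.16.6.104 eq 3389 any",
    "access-list 166 permit udp any host 172.16.6.104 eq 3389",
    "access-list 166 deny ip any any log",
]
ACL_ACCEPTED = [                          # the accepted solution's list, applied 'in'
    "permit tcp host 172.16.6.104 any established",
    "permit tcp any host 172.16.6.104 established",
    "permit tcp host 172.16.6.104 any eq 3389",
    "permit udp host 172.16.6.104 any eq 3389",
    "deny ip any any log",
]

def question_out():
    """Original list, 'out': the SYN has source port 1867, not 3389, so only the deny matches."""
    return apply_acl(ACL_QUESTION, "out", [RDP_SYN, PING, RDP_SYNACK])

def accepted_in():
    """Accepted list, 'in': only rule 2 and the deny get hits, and any SYN still reaches the VLAN."""
    return apply_acl(ACL_ACCEPTED, "in",
                     [RDP_SYN, RDP_SYNACK, OTHER_SYN, OTHER_SYNACK, VLAN_INIT, VLAN_ACK_SCAN, INTRA_VLAN])
```

question_out() reproduces the first post: the SYN from 172.16.6.104:1867 and the ping both fall through to the logged deny, because no permit line matches a source port of 1867. Writing the port on the destination side instead, permit tcp host 172.16.6.104 any eq 3389, makes that SYN match when the list is applied out. accepted_in() reproduces the last post's observation that only the established line and the deny ever count hits: with the list applied in only, nothing sourced from 172.16.6.104 is ever inspected, so the two eq 3389 lines can never match. It also surfaces two caveats worth weighing before calling VLAN 66 isolated. A SYN from any host (172.16.6.50 in the example) still reaches 172.16.66.2 and is only stopped when the SYN-ACK is denied on the way back, so the VLAN remains scannable from outside, and a VLAN 66 host can send ACK-flagged segments to any port on 172.16.6.104 because established never checks that a handshake happened. Traffic between two VLAN 66 hosts never touches the SVI at all, so an interface ACL cannot separate them.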
