12-12-2017 10:27 AM - edited 03-08-2019 01:05 PM
Hello all,
I have always had issues creating and applying access-lists in the proper direction, so I wanted to run something by the community.
I want to create basically a SILO VLAN. What I mean by that is that devices on the VLAN cannot access ANYTHING off the VLAN, but I can have select devices off the VLAN access devices on the VLAN via, say, RDP.
I will be using 172.16.6.104 as my test machine off the VLAN. I created VLAN 66 with space 172.16.66.1 255.255.255.248. I then statically assigned a device 172.16.66.2 on that VLAN. I created the following access-list and applied it as an "out" on the interface.
access-list 166 permit tcp host 172.16.6.104 eq 3389 any
access-list 166 permit tcp any host 172.16.6.104 eq 3389
access-list 166 permit udp host 172.16.6.104 eq 3389 any
access-list 166 permit udp any host 172.16.6.104 eq 3389
access-list 166 deny ip any any log
I attempted an RDP connection from the 172.16.6.104 device above and received the following in the log ...
Dec 12 11:46:24.575 CST: %SEC-6-IPACCESSLOGP: list 166 denied tcp 172.16.6.104(1867) -> 172.16.66.2(3389), 1 packet
Dec 12 11:46:47.662 CST: %SEC-6-IPACCESSLOGDP: list 166 denied icmp 172.16.6.104 -> 172.16.66.2 (8/0), 1 packet
Dec 12 11:51:34.541 CST: %SEC-6-IPACCESSLOGP: list 166 denied tcp 172.16.6.104(1867) -> 172.16.66.2(3389), 2 packets
I am not sure where the port 1867 comes into play. Should this be an "in" on the interface instead of an "out"?
Thanks in advance.
Brent
12-12-2017 11:44 AM
Hi,
Since you are coming from a host in the same VLAN, the access-list needs to be in the "in" direction, as you are entering the VLAN.
HTH
12-12-2017 12:07 PM
I am coming from a host in a different VLAN. The host is 172.16.6.x, where the system I am accessing is 172.16.66.x. Would I by chance need both an in ACL and an out ACL?
Brent
12-12-2017 12:13 PM
'in' should be configured on the access group.
Also, you can use one of the following configurations:
access-list 166 permit tcp any any established
access-list 166 permit tcp host 172.16.6.104 any eq 3389
access-list 166 permit udp host 172.16.6.104 any eq 3389
access-list 166 deny ip any any log
or
access-list 166 permit tcp any 172.16.66.0 0.0.0.7 established
access-list 166 permit tcp host 172.16.6.104 host 172.16.66.2 eq 3389
access-list 166 permit udp host 172.16.6.104 host 172.16.66.2 eq 3389
access-list 166 deny ip any any log
12-12-2017 02:07 PM
If I use the first one, others are still able to make an RDP connection to servers on the VLAN.
Brent
12-12-2017 02:10 PM
If I use the second one, it seems to block everyone, but it also blocks one side of the connection.
Brent
12-12-2017 02:16 PM
I now have the following. I am just not sure if this is really isolating everything except RDP.
permit tcp host 172.16.6.104 any established
permit tcp any host 172.16.6.104 established
permit tcp host 172.16.6.104 any eq 3389
permit udp host 172.16.6.104 any eq 3389
deny ip any any log
If I look at the ACL hits, though, I am not seeing any on those rules. It seems to only be using the established rules.
Brent
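Added example (not from the thread, and not Cisco code): a small Python model of how IOS evaluates the extended ACLs posted in this thread, so the original ACL, the two suggested ones and the final one can be compared against the behaviour reported above. It assumes the access-group is applied on interface Vlan66, the SVI for 172.16.66.0/29; that "in" inspects only packets arriving from VLAN 66 hosts and "out" only packets the router forwards onto VLAN 66; that an `eq N` placed after an address constrains that address's port; and that `established` matches TCP segments with the ACK or RST bit set. Host 172.16.6.50 is a constructed stand-in for "another host off the VLAN"; the port 1867 is taken from the logged SYN.

```python
"""Model of Cisco IOS extended-ACL evaluation for the RDP-into-VLAN-66 thread.
Added example; assumptions: ACL on interface Vlan66 (SVI for 172.16.66.0/29),
"in" = packets from VLAN 66 hosts, "out" = packets forwarded onto VLAN 66,
`eq` after an address restricts that address's port, `established` = ACK|RST.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

VLAN66 = ipaddress.ip_network("172.16.66.0/29")
SERVER, ADMIN = "172.16.66.2", "172.16.6.104"
OTHER = "172.16.6.50"  # constructed: some other host off the VLAN


@dataclass
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    ack: bool = False
    rst: bool = False


@dataclass
class Ace:
    action: str
    proto: str
    src: ipaddress.IPv4Network
    sport: Optional[int]
    dst: ipaddress.IPv4Network
    dport: Optional[int]
    established: bool


def _addr(tokens):
    """Consume `any` | `host A` | `A WILDCARD`; return (network, remaining tokens)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    # ipaddress accepts an IOS wildcard such as 0.0.0.7 as a host mask after the slash
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def _port(tokens):
    """Consume an optional `eq N`; return (port or None, remaining tokens)."""
    if tokens and tokens[0] == "eq":
        return int(tokens[1]), tokens[2:]
    return None, tokens


def parse_acl(text):
    """Parse ACEs written as `access-list 166 ...` or in config-submode form."""
    acl = []
    for line in text.strip().splitlines():
        t = line.split()
        if t[0] == "access-list":
            t = t[2:]  # drop "access-list 166"
        action, proto, rest = t[0], t[1], t[2:]
        src, rest = _addr(rest)
        sport, rest = _port(rest)
        dst, rest = _addr(rest)
        dport, rest = _port(rest)
        acl.append(Ace(action, proto, src, sport, dst, dport, "established" in rest))
    return acl


def matches(ace, p):
    return (ace.proto in ("ip", p.proto)
            and ipaddress.ip_address(p.src) in ace.src
            and ipaddress.ip_address(p.dst) in ace.dst
            and (ace.sport is None or ace.sport == p.sport)
            and (ace.dport is None or ace.dport == p.dport)
            and (not ace.established or p.ack or p.rst))


def evaluate(acl, p):
    """First matching entry wins; an implicit deny follows the last entry."""
    return next((a.action for a in acl if matches(a, p)), "deny")


def vlan66_filter(acl, direction, p):
    """Verdict of `ip access-group <acl> <direction>` on Vlan66 for one packet."""
    if direction == "in" and ipaddress.ip_address(p.src) not in VLAN66:
        return "not inspected"
    if direction == "out" and ipaddress.ip_address(p.dst) not in VLAN66:
        return "not inspected"
    return evaluate(acl, p)


def rdp_outcome(acl, direction, client):
    """Client SYN from an ephemeral port, then the server's SYN/ACK.
    Returns (session works, (verdict on SYN, verdict on SYN/ACK))."""
    syn = Packet("tcp", client, 1867, SERVER, 3389)
    synack = Packet("tcp", SERVER, 3389, client, 1867, ack=True)
    legs = (vlan66_filter(acl, direction, syn), vlan66_filter(acl, direction, synack))
    return "deny" not in legs, legs


ORIGINAL = parse_acl("""
access-list 166 permit tcp host 172.16.6.104 eq 3389 any
access-list 166 permit tcp any host 172.16.6.104 eq 3389
access-list 166 permit udp host 172.16.6.104 eq 3389 any
access-list 166 permit udp any host 172.16.6.104 eq 3389
access-list 166 deny ip any any log
""")
OPTION1 = parse_acl("""
access-list 166 permit tcp any any established
access-list 166 permit tcp host 172.16.6.104 any eq 3389
access-list 166 permit udp host 172.16.6.104 any eq 3389
access-list 166 deny ip any any log
""")
OPTION2 = parse_acl("""
access-list 166 permit tcp any 172.16.66.0 0.0.0.7 established
access-list 166 permit tcp host 172.16.6.104 host 172.16.66.2 eq 3389
access-list 166 permit udp host 172.16.6.104 host 172.16.66.2 eq 3389
access-list 166 deny ip any any log
""")
FINAL = parse_acl("""
permit tcp host 172.16.6.104 any established
permit tcp any host 172.16.6.104 established
permit tcp host 172.16.6.104 any eq 3389
permit udp host 172.16.6.104 any eq 3389
deny ip any any log
""")

if __name__ == "__main__":
    print("original, out, admin:", rdp_outcome(ORIGINAL, "out", ADMIN))
    print("option 1, in,  other:", rdp_outcome(OPTION1, "in", OTHER))
    print("option 2, in,  admin:", rdp_outcome(OPTION2, "in", ADMIN))
    print("final,    in,  admin:", rdp_outcome(FINAL, "in", ADMIN))
    print("final,    in,  other:", rdp_outcome(FINAL, "in", OTHER))
```

Running it lines the four configurations up with what the thread reports. In the original ACL, `permit tcp host 172.16.6.104 eq 3389 any` constrains the source port, so the SYN from ephemeral port 1867 matches nothing and falls through to the logged deny. The first suggested ACL, inbound on Vlan66, never sees the SYN (it arrives from VLAN 6, not VLAN 66) and permits every SYN/ACK through `established`, so any host can RDP in. The second denies the server's SYN/ACK because its destination 172.16.6.104 is outside 172.16.66.0/29, which is the "one side blocked" symptom. The final ACL permits return traffic only toward 172.16.6.104 and denies anything a VLAN 66 host initiates; since no packet entering from VLAN 66 can carry source 172.16.6.104, the two `eq 3389` lines can never accumulate hits and only the established lines do. The model is TCP-flag based only; UDP 3389 has no equivalent of `established`, so the UDP entries are not exercised here.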